Charities regulator zeroes in on cyber risk

Posted on 20 Mar 2024

By Greg Thom, journalist, Institute of Community Directors Australia

The ability of charities to manage cyber security threats will be a key focus of the Australian Charities and Not-for-Profits Commission’s approach to compliance and enforcement over the coming year.

ACNC commissioner Sue Woodward described cyber security as a “key governance risk for charities”.

“In our reviews we work with charities to better understand how they protect themselves from cyber risks and manage cyber security incidents.”

Ms Woodward said the regulator would consider three key questions when assessing the challenges faced by charities relating to cyber security:

  • what makes charities vulnerable to cybercrime
  • how charities manage and mitigate cyber security risks
  • how charities ensure third parties manage risk on their behalf

Ms Woodward’s comments follow several high-profile cyber security breaches involving the charity sector in 2023.

One of the largest related to Brisbane-based telemarketer Pareto Phone, which was the victim of a ransomware attack that affected more than 70 Australian and New Zealand charities.

The incident resulted in the details of tens of thousands of donors to charities including WWF Australia, the Australian Conservation Foundation and Plan International being splashed across the dark web.

Ms Woodward said there were some matters considered so detrimental they would always be an enforcement priority for the regulator, including:

  • conduct that harmed people, particularly children and vulnerable adults
  • misuse of a charity for terrorist purposes or to foster extremism, indirectly or directly
  • financial mismanagement including fraud and significant private benefit
  • activities that put a charity at risk of having a disqualifying purpose, so they were no longer eligible to be registered with the ACNC

Speaking at the Australian Governance Summit in Melbourne, Ms Woodward outlined the ACNC compliance and enforcement focus for 2024–2025.

High on the list was increasing concern about charities’ misuse of complex corporate structures to conceal non-compliance with the ACNC Act and Regulations.

The ACNC was particularly concerned about organisations deliberately using complexity as a cover for wrongdoing.

“At the rarer and more extreme end, we are concerned about entities that may deliberately use complex corporate structures to try and obscure illegal activities.”

“We will … continue to refer matters to other appropriate government agencies when we have concerns about suspected breaches of other laws,” she said.

Ms Woodward said charities were free to use a variety of structures to suit their purpose, and the regulator acknowledged there could be legitimate reasons to do so.

However, the decision to use complex structures, or the gradual and perhaps ad hoc development of complex structures, also came with more complex governance obligations.

“While many charities are well advised and adhere to robust compliance regimes, there are others which may not appreciate that complex structures bring associated governance complexity and risk,” said Ms Woodward.

“Inadvertent non-compliance is more likely because there may not be clear delineation in the oversight of each entity, including the required focus on each charity’s particular charitable purpose.”
