When a cyberattack hits your nonprofit, do you know what to do? Cybersecurity expert Michael Nouguier, Partner at Cybersecurity Services at Richey May, walks us through the essential steps every nonprofit must take—before, during, and after a cyber event. As host Julia Patrick notes, it's not a matter of if, but when, and being unprepared is no longer an option.

From clarifying what cyber insurance actually covers to practicing realistic incident response exercises, Michael offers a pragmatic and step-by-step guide tailored for nonprofit leaders. He points out, “Failure to plan is planning to fail,” and urges organizations to move beyond hope and into action.

The conversation dissects misconceptions, such as thinking IT alone can handle a breach or believing cyber insurance is a comprehensive solution. Instead, Michael recommends building internal resilience with tabletop exercises that include the board, C-suite, legal, and communications staff. These scenario-based run-throughs help teams build muscle memory and prevent panic when disaster strikes.

Third-party vendors—often a hidden weak spot—are addressed in detail. Michael reminds us, “You are the trusted data collector,” meaning nonprofits must ensure their vendors share the same security culture, including notification clauses and accountability.

What if the worst happens? Michael stresses calm, communication, and preservation of evidence. “Don’t delete anything,” he cautions, as doing so can sabotage forensic investigations and potential fund recovery. He also reminds leaders to report incidents to local authorities and the FBI’s IC3.gov, reinforcing the legal and ethical responsibility to act swiftly and transparently.

Perhaps one of the most human insights is around fostering a blame-free culture. Employees fearing punishment won’t report mistakes, making things worse. “Everyone—even me—has clicked a phishing link,” Michael admits, highlighting the importance of openness and psychological safety within teams.

This is a call to action for NPO leaders to shift from avoidance to preparedness. Cyberattacks are not just technical disruptions—they can financially and operationally dismantle an organization. With the right mindset, strategy, and comms plan, your nonprofit can weather the storm!

00:00:00 Welcome and Episode Overview  

00:02:00 The Evolution of Richie May's Cybersecurity Services  

00:04:00 What Cyber Insurance Really Covers  

00:08:00 Third-Party Vendor Risks and Due Diligence  

00:12:00 Real-World Impact of Cyberattacks on Nonprofits  

00:15:00 Why Response Planning Beats Hoping for the Best  

00:17:00 Tabletop Exercises: Practicing Incident Response  

00:20:00 Who to Call When a Breach Happens  

00:23:00 First Response Steps: Breathe, Engage, Preserve Evidence  

00:26:00 Creating a Culture Where Mistakes Are Reported  

00:29:00 Episode Recap and Takeaway 

#TheNonprofitShow #CyberResilience 

Find us Live daily on YouTube!

Find us Live daily on LinkedIn!

Find us Live daily on X: @Nonprofit_Show

Our national co-hosts and amazing guests discuss management, money and missions of nonprofits!
12:30pm ET 11:30am CT 10:30am MT 9:30am PT

Send us your ideas for Show Guests or Topics: HelpDesk@AmericanNonprofitAcademy.com
Visit us on the web:The Nonprofit Show