DarkReading.com reported that “Threat actors target nonprofits due to security gaps and highly coveted information, but a lack of sufficient data makes it difficult to grasp the entire picture.” The March 13, 2026 report entitled “The Data Gap: Why Nonprofit Cyber Incidents Go Underreported” (https://www.darkreading.com/threat-intelligence/data-gap-why-nonprofit-cyber-incidents-go-underreported) included these comments:

Unlike heavily regulated industries like healthcare or finance, nonprofits don’t have consistent reporting requirements when breaches occur. The result is a fragmented picture that obscures the real danger these organizations face. It also makes it harder for them to build a case for increased support and resources.  

In March 2025, Abnormal Security reported that advanced email attacks on nonprofit organizations grew by 35% over the previous year. During the same time frame, the email security company found a 50% increase in phishing attacks targeting nonprofits.

Okta’s “Nonprofits At Work 2025” report weaved a similar story; nonprofits ranked as the “second-most targeted industry” across the identity and access management (IAM) vendor’s customer ecosystem.

Despite tidbits of nonprofit statistics, comprehensive data is tough to come by, explains Kelley Misata, Ph.D., CEO and founder of Sightline Security, which helps nonprofits bolster security by providing tools and education. Cybersecurity incidents against nonprofits are “significantly underreported” due to a range of factors, often appearing in the data as collateral damage from third-party attacks rather than as direct targets, she adds.

No surprise!

First published https://www.vogelitlaw.com/blog/nonprofits-are-not-reporting-cyber-incidents-anyone-surprised