ACNC’s 2026 Cyber Push — What Australian Charities Should Actually Do This Quarter
The Australian Charities and Not-for-profits Commission (ACNC) is again asking every registered charity to review and lift its cyber security in 2026, in updated guidance issued through its Cyber Security Governance Toolkit. The framing is deliberately practical: identify the risks, prevent and mitigate, engage your people and third parties, and respond when something goes wrong. It’s a polite way of saying that smaller charities still aren’t getting the basics right — and ACNC reviews keep finding it.
Why this matters for Australian NFPs specifically: charities sit on exactly the data attackers love. Donor names, payment histories, beneficiary case files, volunteer records, sometimes child or health-related information. Under the Privacy Act, most registered charities with turnover above $3 million are APP entities, but even those below that threshold are increasingly held to the same standard by funders, peak bodies and the Notifiable Data Breaches scheme when health records are involved. The 2023 Pareto Phone breach that hit Cancer Council, Canteen and Fred Hollows showed how quickly a third-party telemarketer can pull your donors into a dark web leak — and it’s the charity, not the vendor, that wears the fundraising fallout.
Three things every NFP board should do this quarter. First, turn on multi-factor authentication on every account that touches donor data, finance or email — it’s free, and ACNC calls it out as the single highest-leverage control. Second, write down who decides what when there’s an incident, and make sure that document doesn’t only live with one volunteer who’s away on Christmas leave. Third, audit your vendors: fundraising platforms, CRMs, accounting tools, telemarketers. Ask them what happens to your data if they’re breached.
Charities running on tight budgets often think enterprise-grade security is out of reach. It’s not — most of the meaningful uplift sits inside the Microsoft 365 or Google Workspace licences you’re already paying for. Our NFP team can walk through your current setup and show you the gaps without a sales pitch.
