NACD and ISA release new guide for cyber-risk oversight

The National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) have released a new, updated Director’s Handbook on Cyber-Risk Oversight, an essential guidebook to help boards navigate the complex, multifaceted issue of cyber-risk oversight.

The handbook, now available on four continents and in five languages, has become the premier source for how boards of directors address cybersecurity and cyber risk.

This third version of the handbook (first issued in 2014) builds on the success of the 2017 handbook. It outlines five “guiding principles” to enhance board oversight of cyber risk and includes tools that provide clear guidance on how best to oversee management of specific cybersecurity issues, including M&A due diligence, insider threats, supply chain management, incident response, personal security, model dashboards and metrics, engagement with the security team, and what to expect from the government.

“Businesses are facing a tension between the need to embrace digital change while at the same time protecting their cyber assets,” said Peter R. Gleason, CEO of NACD. “This is the ‘new normal’ for enterprises of all sizes, and our goal with this handbook is to help build the board’s knowledge and confidence to navigate this new reality.”

The 2019–2020 NACD Public Company Governance Survey revealed the friction that businesses experience between the need to (digitally) innovate and the need to effectively manage cyber risks. Sixty-one percent of directors report that they would be willing to compromise on cybersecurity to achieve business objectives, while 28 percent prioritize cybersecurity above all else.

“Boards must work with their management teams to reconcile the need to transform themselves digitally with the need to ensure underlying data assets are properly secured,” added Gleason.

“Digitization and digital transformation have enhanced exposure to cyber risk across the enterprise, making cybersecurity a strategic risk,” said Larry Clinton, president of ISA. “This handbook underscores the importance of a robust governance approach to cybersecurity. It recognizes the critical role boards play in shaping the overall vision and strategy for the enterprise and in setting a tone of security.”

The Director’s Handbook on Cyber-Risk Oversight was developed in collaboration with the US Department of Homeland Security and the US Department of Justice, and it is applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry. Directors have turned to earlier iterations of the handbook to gain insight into issues such as how to allocate cyber-risk oversight responsibilities at the board level, the legal implications and considerations related to cybersecurity, how to set expectations with management about the organization’s cybersecurity processes, and ways to improve the dialogue between directors and management on cyber issues.

The digital version of the handbook is free of charge and will be available to US businesses through NACD, ISA, and their partners, including the US Department of Homeland Security and the US Department of Justice. The first and second editions of the handbook have been used by thousands of corporate directors and other key stakeholders.