The National Association of Corporate Directors (NACD), the authority on boardroom practices representing more than 20,000 directors, and the Internet Security Alliance (ISA) today announced they will develop an updated version of the Director’s Handbook on Cyber-Risk Oversight that will be released in early 2020.
This third edition of the NACD handbook is a comprehensive resource to guide boards’ understanding of cyber risk, along with board-level toolkits to assist in their collaboration with management. It will be offered free of charge and distributed to US businesses through NACD, ISA, and their partners including the US Department of Homeland Security and the US Department of Justice.
The NACD principles for board oversight of cyber risk have been adapted for and by NACD’s counterparts in Germany and the United Kingdom, and the updated handbook will also serve as the model for international handbooks on cyber risk and corporate boards. These will be distributed in part through the Global Network of Director Institutes (GNDI), an international collaboration focused on governance and director development, currently chaired by NACD president and CEO Peter Gleason.
“NACD has been working to close the board’s knowledge gap on cyber risk by educating its members on leading practices, convening key stakeholders, and engaging the director community in an ongoing dialogue,” said Peter R. Gleason, president and CEO of NACD. “We are pleased to again partner with ISA on this important resource for the director community.”
The Director’s Handbook on Cyber-Risk Oversight is built around five core principles that are applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector. Directors have used this resource over the last five years to
- learn foundational principles for board-level cyber-risk oversight that have been vetted and praised by cybersecurity leaders in the public and private sectors, and
- gain insight into issues including how to allocate cyber-risk oversight responsibilities at the board level, legal implications and considerations related to cybersecurity, how to set expectations with management about the organization’s cybersecurity processes, and ways to improve the dialogue between directors and management on cyber issues.
“NACD’s involvement in enhancing cybersecurity is critical in numerous ways,” said ISA president Larry Clinton. “The traditional way cybersecurity has been managed is to work from the bottom up with a primary focus on IT controls and business operations. What NACD is demonstrating is that it is just as important—maybe more so—to address cyber risks from the top of an enterprise. The board has a critical role in shaping the overall vision and strategy for the enterprise. This in turn can set the tone for the prerequisite culture of security throughout the organization.”