Director’s Handbook on Cyber-Risk Oversight

The National Association of Corporate Directors (NACD) released an updated edition of its “Director’s Handbook on Cyber-Risk Oversight.” The Handbook is part of the NACD’s Director Handbook series, which reports and comments on widespread governance practices to help directors discharge their duties appropriately.

The 2017 edition improves on the previous version by clarifying several points for board directors to help them understand the strategic importance of cyber risks and the complexity of threats.

The Handbook covers five key principles for board-level cyber-risk oversight:

  1. Understand and Approach Cybersecurity as an Enterprisewide Risk Management Issue, Not Just an IT Issue
  2. Understand the Legal Implications of Cyber Risks as They Relate to the Company’s Specific Circumstances
  3. Have Adequate Access to Cybersecurity Expertise and Give Cyber Risk Management Regular and Adequate Time on Board Meeting Agendas
  4. Set the Expectation That Management Will Establish an Enterprisewide Risk Management Framework With Adequate Staffing and Budget
  5. Management Discussions Should Include Identification of Which Risks to Avoid, Which to Accept and Which to Mitigate or Transfer Through Insurance

Boards are expected to understand cybersecurity as an enterprise-wide risk management issue and to address it as they would any other enterprise-wide risk.

Additionally, the Handbook urges directors to adopt an affirmative and forward-looking strategy to manage the organization’s cyber risk, which requires more than reacting to incidents. Such a strategy requires management to create a cyber-risk management team with cross-departmental authority. The risk management team can then conduct an enterprise-wide risk assessment while accounting for the jurisdictional differences in cybersecurity regulations. The team also may develop an incident response plan, which includes a strategy for internal communications, and create a cyber-risk budget to meet the organization’s security needs.