Internet Security Alliance and National Association of Corporate Directors Release Guide for Cyber-Risk Oversight

February 26, 2020

The National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) released a new, updated Director’s Handbook on Cyber-Risk Oversight, a guidebook to help boards navigate cyber-risk oversight.

The handbook is available on four continents and in five languages. The handbook outlines five “guiding principles” to enhance board oversight of cyber risk and includes tools with guidance on how best to oversee management of specific cybersecurity issues, including M&A due diligence, insider threats, supply chain management, incident response, personal security, model dashboards and metrics, engagement with the security team and what to expect from the government.

“Businesses are facing a tension between the need to embrace digital change while at the same time protecting their cyber assets,” said Peter R. Gleason, CEO of NACD. “This is the ‘new normal’ for enterprises of all sizes, and our goal with this handbook is to help build the board’s knowledge and confidence to navigate this new reality. Boards must work with their management teams to reconcile the need to transform themselves digitally with the need to ensure underlying data assets are properly secured."

“Digitization and digital transformation have enhanced exposure to cyber risk across the enterprise, making cybersecurity a strategic risk” said Larry Clinton, president of ISA. “This handbook underscores the importance of a robust governance approach to cybersecurity. It recognizes the critical role boards play in shaping the overall vision and strategy for the enterprise and in setting a tone of security.”

The Director’s Handbook on Cyber-Risk Oversight was developed in collaboration with the US Department of Homeland Security and the US Department of Justice, and it is applicable to board members of public companies, private companies and nonprofit organizations of all sizes and in every industry. Directors have turned to earlier iterations of the handbook to gain insight into issues such as how to allocate cyber-risk oversight responsibilities at the board level, the legal implications and considerations related to cybersecurity, how to set expectations with management about the organization’s cybersecurity processes, and ways to improve the dialogue between directors and management on cyber issues.

The digital version of the handbook is free of charge and will be available to US businesses through NACD, ISA and their partners, including the US Department of Homeland Security and the US Department of Justice

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.