Introduction
Since the release of the third edition of this handbook in early 2020, companies have been embattled by the challenges of working from home to protect workforces from COVID-19, systemic cyberattacks such as the SolarWinds incident, and the economic ramifications of Colonial Pipeline’s struggle with a ransomware actor, to name only a few headwinds. Despite these significant events in the cyber-threat landscape and challenges facing organizations, some board-level oversight practices stand the test of time. Boards of directors, with their attending fiduciary duties, continue to be responsible for overseeing management’s strategy and their approach to enterprise-wide risk, and cybersecurity matters inherently span the enterprise.
As cybersecurity challenges grow, the board’s duties may also expand, as regulators and rule makers in state and federal governments scrutinize the role of the board in oversight of information security risks—and boards are rising to the challenge to provide sound oversight in this realm. According to the 2022 NACD Public Company Board Practices and Oversight Survey, 83 percent of boards have significantly improved their understanding of cyber risk compared with two years ago.1
But directors do still feel the need for more expertise on boards. The survey also revealed an increase in boards’ desire to recruit “cybersecurity-savvy directors,” suggesting that while directors feel more confident in their understanding, boards are struggling to keep pace with overseeing the onslaught of changing cyber threats.
And keep pace they must, as the nature of corporate value also continues to shift away from the physical and toward the virtual. The rapid digitization of corporate assets has resulted in a corresponding transformation of strategies, business models, and attendant risks.
Organizations are taking advantage of entirely new ways to connect with customers and suppliers, engage with employees, and improve the efficiency and effectiveness of internal processes. It has become a virtual necessity for most organizations to engage in digital transformation.
The competitive need to deploy new and emerging technologies as a means to lower costs, improve customer service, and drive innovation is now felt more deeply by companies than ever before.
Adopting these technological innovations and capabilities may offer strong returns but can also increase cyber risk. They may also subject the organization to increased risk resulting from the loss of intellectual property such as trading algorithms, destroyed or altered data, decline in public confidence, and risk from evolving global regulatory sanctions that emerge in response to these incidents.
In addition, attacks against organizations that are linked to critical infrastructure can result in a series of cascading consequences on other organizations in the supply chain that can lead to systemic risk. This edition of the handbook includes the adoption of a sixth principle, which highlights board members’ responsibility to consider cyber risk in relation to the shared business ecosystem.
These competing pressures—competitive opportunity and potential risk exposure—mean that fiduciary and comprehensive oversight of cybersecurity at the board level is essential, requiring ongoing strategic dialogue with management.
About the Handbook
In 2014, NACD, in conjunction with AIG and the Internet Security Alliance, published the first edition of the handbook. Subsequent editions addressed the shifting cyber-risk environment and reflected increased governance expectations from key stakeholders, including investors and regulators.
This handbook is one of the very few sets of board oversight practices in the cybersecurity field that has been independently assessed and found to generate important, improved security outcomes. PwC’s review of the handbook noted that use of the handbook was related to improved budgeting as well as improved cyber-risk management, closer alignment of cybersecurity with business goals, and the generation of a culture of security within the organization. A study by Cybersecurity at MIT Sloan (CAMS) conducted in 2022 used a different methodology and found that “the CEO who follows the consensus Cyber Risk Principles is predicted to have up to 85% fewer cyber incidents . . . compared to the traditional CEO,” and that adopting the principles “can significantly improve . . . cyber resilience without raising costs.”1
This fourth edition retains the previously identified five core principles for board oversight of cybersecurity, with associated guidance that has been updated in light of the changing cyber-threat landscape. However, this edition adds an important sixth principle that NACD and ISA developed in conjunction with the World Economic Forum in 2020. The expanded set of principles covered in the handbook follows:
1. Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework and reporting structure with adequate staffing and budget.
5. Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.
6. Boards should encourage systemic resilience through collaboration with their industry and government peers and encourage the same from their management teams.
This edition of the handbook offers new guidance for each of the principles and includes an extensive toolkit section to help boards and management teams adopt the principles. The tools focus on the role a director has in overseeing cyber-specific issues such as addressing insider threats, incident response, and third-party risk management, and offer guidance for understanding new methods that management teams are using to measure cyber risk in empirical and economic terms.
While some language in this handbook refers to public companies, these principles are applicable to—and important for—directors of organizations of all types and sizes, including members of private-company and nonprofit boards. Every organization has valuable data and related assets that are under constant threat from cybercriminals or other adversaries. No organization is immune.
The six principles for effective cyber-risk oversight detailed in this handbook are presented in a generalized form in order to encourage discussion and reflection by boards of directors. Boards are encouraged to adapt these recommendations based on their organization’s unique characteristics, including size, life-cycle stage, strategy, business plans, industry sector, geographic footprint, and culture.