ISA, in conjunction with the NACD, is pleased to publish the fourth edition of the Cyber-Risk Oversight Handbook for corporate boards. This edition (the handbook was first issued in 2014) builds on the success of the 2020 handbook. It outlines six “guiding principles” to enhance board oversight of cyber risk and includes tools that provide clear guidance on how best to oversee management of specific cybersecurity issues, including M&A due diligence, insider threats, supply chain management, incident response, personal security, model dashboards and metrics, engagement with the security team, and what to expect from the government.
In 2014, NACD published the first edition of the “Cyber-Risk Handbook” in conjunction with the ISA and AIG.
The Handbook has proven to be one of NACD’s most popular publications and was the first private-sector resource featured on the Department of Homeland Security’s C3 Voluntary Program’s Getting Started for Business website.
We issued a significantly updated version in 2020 that includes the new sixth principle that we call the “ESG principle.”
This publication has been independently assessed by PricewaterhouseCoopers, whose survey findings associate the board-level oversight it recommends with measurable improvements in enterprise cybersecurity.
“Guidelines from the NACD advise that Boards should view cyber-risks from an enterprise-wide standpoint and understand the potential legal impacts. Boards appear to be listening to this advice. This year, we saw a double-digit uptick in board participation in most aspects of information security. Deepening board involvement has improved cybersecurity practices in numerous ways. As more boards participate in cybersecurity budget discussions, we saw a 24% boost in security spending. Other notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals.”
PricewaterhouseCoopers Global State of Information Security Survey 2016 (pdf)
Working together, NACD and ISA have produced a unique and successful program that addresses cybersecurity as a board-level issue – not simply an IT operational issue.
Directors can leverage the handbook in a few ways: