European corporate boards agree to create European adaptation of Cyber-Risk Oversight Handbook

May 28, 2019

by Larry Clinton

This week the board of directors of the European Confederation of Directors Associations (ecoDa) agreed to work with the Internet Security Alliance (ISA) on a European adaptation of the Cyber-Risk Oversight Handbook originally published by the National Association of Corporate Directors in the U.S.

This agreement indicates further progress that corporate boards are making to develop increasingly sophisticated, aggressive, and effective approaches to addressing the growing cybersecurity issues faced by industry.

In addition to the NACD’s groundbreaking work in this area (endorsed by the Department of Homeland Security and the Department of Justice), German Directors and the German government collaborated to create a similar program in 2018 and the Organization of American States is scheduled to publish a similar adapted version of the handbook later this year.

This means that corporate directors associations on three continents — North America, South America and now Europe — are coordinating on a common set of principles and adapted tool kits to address cybersecurity.

Although government agencies on three continents are expressing support for these efforts, it’s noteworthy that the directors associations are taking on these initiatives independent of regulatory mandates. Indeed, the focus of the directors’ efforts is to adopt methods and practices that have been independently shown to be effective (see PwC’s 2016 Global Information Security Survey) at improving SECURITY — not compliance.

The first Principle articulated in each of these programs is that cybersecurity is NOT an “IT” issue, but rather an enterprise-wide risk-management issue. This principle is an essential, and in many spaces (including some government spaces) still novel, insight that is critical for organizations to embrace in order to comprehensively address cyber threats.

Embracing this insight should lead (and, according to PwC, actually does lead) to rethinking how management ought to be structured to assess cyber risk in line with the overall business goals of the organization. In a field where there is generally little good news, this may be a bright spot worth noting.