September 17, 2019


Susan Oliver

Josh Higgins
Internet Security Alliance

WASHINGTON, D.C. (September 17, 2019) – The National Association of Corporate Directors (NACD), the authority on boardroom practices representing more than 20,000 directors, and the Internet Security Alliance (ISA) today announced they will develop an updated version of the Director’s Handbook on Cyber-Risk Oversight that will be released in early 2020.

This third edition of the NACD handbook is a comprehensive resource to guide boards’ understanding of cyber risk, along with board-level toolkits to assist in their collaboration with management. It will be offered free of charge and distributed to US businesses through NACD, ISA, and their partners including the US Department of Homeland Security and the US Department of Justice.

The NACD principles for board oversight of cyber risk have been adapted for and by NACD’s counterparts in Germany and the United Kingdom, and the updated handbooks will also serve as the model for international handbooks on cyber risk and corporate boards. They will be distributed in part through the Global Network of Director Institutes (GNDI), an international collaboration focused on governance and director development, currently chaired by NACD president and CEO Peter Gleason.

“NACD has been working to close the board’s knowledge gap on cyber risk by educating its members on leading practices, convening key stakeholders, and engaging the director community in an ongoing dialogue,” said Peter R. Gleason, president and CEO of NACD. “We are pleased to again partner with ISA on this important resource for the director community.”

The Director’s Handbook on Cyber-Risk Oversight is built around five core principles that are applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector. Directors have used this resource over the last five years to:

  • Learn foundational principles for board-level cyber-risk oversight that have been vetted and praised by cybersecurity leaders in the public and private sectors, and
  • Gain insight into issues including how to allocate cyber-risk oversight responsibilities at the board level, legal implications and considerations related to cybersecurity, how to set expectations with management about the organization’s cybersecurity processes, and ways to improve the dialogue between directors and management on cyber issues.

“NACD’s involvement in enhancing cybersecurity is critical in numerous ways,” said ISA president Larry Clinton. “The traditional way cybersecurity has been managed is to work from the bottom up with a primary focus on IT controls and business operations. What NACD is demonstrating is that it is just as important—maybe more so—to address cyber risks from the top of an enterprise. The board has a critical role in shaping the overall vision and strategy for the enterprise. This in turn can set the tone for the prerequisite culture of security throughout the organization.”

NACD’s 2018–2019 Public Company Governance Survey showed that the vast majority of directors (81%) believe that their boards’ understanding of cyber risks has improved over the last two years. More than half of directors (52%) are confident that they sufficiently understand cyber risks to provide effective cyber-risk oversight. Nearly 60 percent (58%) believe their boards collectively know enough about cyber risk to provide effective oversight.

About NACD
The National Association of Corporate Directors (NACD) empowers more than 20,000 directors to lead with confidence in the boardroom. As the recognized authority on leading boardroom practices, NACD helps boards strengthen investor trust and public confidence by ensuring that today’s directors are well prepared for tomorrow’s challenges. World-class boards join NACD to elevate performance, gain foresight, and instill confidence. Fostering collaboration among directors, investors, and corporate governance stakeholders, NACD has been setting the standard for responsible board leadership for 40 years. To learn more about NACD, visit

About ISA
The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy, and promoting sound security practices. In addition to collaborating with NACD and directors’ organizations around the world, ISA’s public policy prescriptions articulated in the “Cybersecurity Social Contract” have been embraced as the model for government policy by both Republicans and Democrats. For more information, visit