NACD and ISA Launch 2023 Cyber-Risk Oversight Handbook Featuring CISA and FBI
Latest Edition Underscores Value of Collaboration to Address Cybersecurity Risk and Enhance Resilience
WASHINGTON, DC (MARCH 22, 2023) – The National Association of Corporate Directors (NACD), the authority on boardroom practices representing more than 23,000 directors, and the Internet Security Alliance (ISA), comprising chief information security officers of Fortune 100 companies across critical sectors, today released the 2023 Director's Handbook on Cyber-Risk Oversight. This essential guide helps boards navigate the complex, multifaceted challenges associated with cyber-risk oversight. The handbook, now available in various editions on four continents and in five languages, continues to serve as the premier source of best practices for cybersecurity and cyber risk board governance.
This fourth version of the handbook (first issued in 2014) reflects the complex, dynamic, and highly interconnected environment in which organizations now operate. It expands on the five core principles for board oversight of cybersecurity identified in earlier editions, with associated guidance updated in light of the changing cyber-threat landscape. This edition of the handbook offers a framework and suite of tools that can be tailored to any organization's unique characteristics and needs. The 2023 handbook includes a foreword written by the current director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly. This edition also adds an important sixth principle that NACD and ISA developed in conjunction with the World Economic Forum in 2021.
"Organizations today are beginning to understand the high risk of cascading impacts stemming from a single cyberattack," said Peter Gleason, president and CEO of NACD. "Helping industry and government break down barriers to information sharing between organizations, law enforcement, regulators, and communities will be critical to achieving long-term resilience."
According to the 2022 NACD Public Company Board Practices and Oversight Survey, business leaders rank changing cybersecurity threats among the top five topics that could impact their company in the coming year. Additionally, the World Economic Forum's Global Risk Report 2023 again ranked cybersecurity failure and widespread cybercrime as top-ten critical global threats and as possible blind spots in risk perceptions.
"These handbooks clarify the distinct roles boards and management must coordinate to create a truly effective cyber-risk management program," said Larry Clinton, president/CEO of the Internet Security Alliance. "One of the most unique aspects of the handbooks is that they have been independently assessed, by PwC and MIT, and have proven to produce significant security outcomes. As such, they constitute a de facto international standard of care for board oversight of cyber risk," Clinton said.
This latest edition of the handbook also underscores the critical value of collaboration between government, law enforcement, and industry, including a sixth core principle for board oversight—the need for boards to encourage systemic resilience through collaboration.
"As cyberattacks continue to grow each year, we must do more to advance a strong culture of corporate cyber responsibility. Cyber risk must be seen as a fundamental business risk—one that is owned and managed by the CEO and Board of Directors as a matter of good governance," said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA).
The NACD-ISA Cyber-Risk Oversight Handbook was developed in collaboration with the US Department of Homeland Security and the US Department of Justice. It applies to board members of public companies, private companies, and nonprofit organizations of every size and in every industry. Previous iterations of the handbook have helped directors gain insights into issues such as allocating cyber-risk oversight responsibilities at the board level, legal implications and considerations related to cybersecurity, setting expectations with management about cybersecurity processes, and improving dialogue between directors and management on cyber issues.
The digital version of the handbook is free of charge. It will be available to US businesses through NACD, ISA, and their partners, including the US Department of Homeland Security and the US Department of Justice. Earlier editions of the handbook have been used by thousands of corporate directors and other key stakeholders.
For more information and to download your copy, visit the 2023 Director's Handbook on Cyber-Risk Oversight page.
About the National Association of Corporate Directors (NACD)
The National Association of Corporate Directors (NACD) is the premier membership organization for board directors who want to expand their knowledge, grow their network, and maximize their potential.
As the unmatched authority in corporate governance, NACD sets the standards of excellence through its research and community-driven director education, programming, and publications. Directors trust NACD to arm them with the relevant insights to make high-quality decisions on the most pressing and strategic issues facing their businesses today.
NACD also prepares leaders to meet tomorrow's biggest challenges. The NACD Directorship Certification® is the leading director credential in the United States. It sets a new standard for director education, positions directors to meet boardroom challenges, and includes an ongoing education requirement that prepares directors for what is next.
With an ever-expanding community of more than 23,000 members and a nationwide chapter network, our impact is both local and global. NACD members are driven by a common purpose: to be trusted catalysts of economic opportunity and positive change—in business and in the communities we serve.
To learn more about NACD, visit www.nacdonline.org.
About the Internet Security Alliance (ISA)
The mission of the Internet Security Alliance (ISA) is to integrate advanced technology with economics and public policy to promote a sustainably secure cyber system. The ISA board consists of cyber leaders (typically chief information security officers) from virtually every critical industry sector. For more than 20 years, ISA has created a comprehensive theory and practice for cybersecurity covering both enterprise risk management and government policy. ISA's consensus principles and practices, developed in collaboration with NACD and the World Economic Forum, are the foundation of this program and are contained in ISA's numerous Cyber-Risk Handbooks.
The ISA board has created a companion book Cybersecurity for Business (with a foreword from NACD president and CEO Peter Gleason) that translates the board level principles into roles and practices for a corporation's management team.
ISA has also defined a new approach to public policy on cybersecurity in its new book, Fixing American Cybersecurity: Creating a Strategic Public Private Partnership. Many of the proposals ISA makes in Fixing American Cybersecurity are integrated into the new National Cybersecurity Strategy recently released by President Biden.
More information regarding ISA can be found at isalliance.org.