
Director's Handbook

Principle Six: Encourage Systemic Resilience and Collaboration

04/16/2026


In today’s hyper-connected economy, cybersecurity is no longer confined to a single organization. To manage this exposure, Principle Six of the Director’s Handbook on Cyber-Risk Oversight encourages boards to treat cybersecurity as a shared responsibility, one that requires active participation in industry-wide threat intelligence sharing and robust public-private cooperation.

Case for Action

In the current hyper-connected digital economy, cyber risk is not confined within a single organization or threat vector. The architecture of the internet and business ecosystems enables vulnerabilities in one enterprise to cascade into large-scale, systemic failures in a similar way to how systemic risks can impact financial systems and markets. Organizations must appreciate systemic resilience as a core component of organizational security that depends on fostering public-private cooperation, dismantling silos, and promoting active participation in industry-wide and government-inclusive threat intelligence sharing.

Cybersecurity should be governed with an understanding that it is a shared responsibility that extends beyond corporate boundaries. A resilient enterprise requires resilient partners, sectors, and systems. Emerging technologies such as AI and quantum computing further amplify systemic vulnerabilities. These technologies increase the attack surface while tightening interconnectivity, creating new points of failure and escalation.

Collaboration also aligns with growing regulatory expectations and stakeholder demands for responsible governance. Proactively building resilience through partnerships enhances trust, reduces risk exposure, and positions the organization as a leader in cyber maturity. Cybersecurity cannot evolve in isolation; it develops through shared information, collaborative defense, and a commitment to protecting the broader digital environment.

Board Activities

To fulfill their fiduciary and strategic obligations under this principle, boards can pursue the following core activities — many of which are already in place or emerging in leading organizations — to promote systemic resilience and collaboration:

Champion Ecosystem-Wide Risk Awareness

Boards can request risk assessments that go beyond enterprise boundaries and account for interdependencies with critical third parties, shared infrastructure providers, and industry-specific cyber threats. Some companies are beginning to map their digital supply chain exposures, which boards can leverage as a foundation for broader ecosystem oversight.

Engage Ecosystem Partners

Ensure management is participating in industry forums or ISACs (Information Sharing and Analysis Centers) to share threat intelligence and learn of sector-specific threats and risks. Directors can validate the effectiveness of management’s engagement by requesting updates on actionable intelligence gained, information contributed, and how collaboration is enhancing resilience. In less-regulated industries, boards may need to initiate management’s participation.

Oversee Systemic Resilience Planning

Boards can expand oversight to include how resilience planning extends to shared services, upstream and downstream vendors, and systemic weak points (e.g., reliance on a single software supplier) and ensure management is aware of and addressing these risks. Some leading organizations are incorporating systemic risk simulations into board-level tabletop exercises.

Foster Peer Governance Networks

Directors can leverage cross-board peer networks, such as NACD chapter roundtables and industry governance groups, by sharing insights from these forums among board members and with management and by using them to benchmark their organization’s cyber governance maturity. Peer exchanges can also drive alignment on sector-wide standards and response expectations.

Promote Cyber Defense from an Ecosystem Perspective

Directors can assess if management has successfully integrated cyber stewardship into their organization’s culture. Boards should seek metrics and narratives on how the company is supporting the cyber resilience of customers, suppliers, and the broader digital ecosystem.

Success Indicators

Boards can evaluate their organization’s progress in promoting systemic resilience and collaboration by observing the following behaviors, structures, and results:

  • Endorsing Shared Responsibility: The organization embraces the view that cyber resilience is a shared responsibility. Language in board materials and management reports reflects systemic thinking rather than an inward-only focus.
  • Active Industry Participation: The company is recognized as a leader or active participant in sector-specific ISACs, cross-sector partnerships, or cyber defense alliances. Management regularly shares intelligence and participates in multi-entity simulations.
  • Collaborative Incident Response Readiness: Resilience and crisis response planning explicitly incorporate cross-organizational communication and interdependent response protocols. Contracts with third parties include clauses that support joint incident notification and mitigation. Vendor contracts include clear cyber requirements, with audits showing 90 percent or greater compliance.
  • Expanded Risk Visibility: Board dashboards include metrics on systemic risk exposure, such as concentration of digital dependencies, critical software reliance, and shared vendor relationships, alongside enterprise-specific risks.
  • Regulatory and Governmental Engagement: The board encourages constructive engagement with public sector agencies, including voluntary information sharing with law enforcement and regulatory bodies. These relationships are maintained so that the relevant agencies can be contacted in the event of an incident. The company participates in national or regional critical infrastructure resilience programs. The company receives positive feedback from regulators or no findings in compliance audits (e.g., CISA, SEC).
  • Enhanced Market Trust and Stakeholder Recognition: The organization is viewed by customers, partners, and regulators as a responsible ecosystem steward — valued for transparency, proactive cooperation, and its role in elevating collective cybersecurity outcomes.
  • Resilience Metrics: Tabletop exercises or simulations show improved response times (e.g., < 24 hours to isolate a breach) and recovery capabilities.

Questions for the Board to Consider

  • Do we actively participate in cross-sector cybersecurity organizations? Do we have relationships established with federal and law enforcement agencies?
  • Do we actively share cyber-risk information with trusted outsiders?
  • Do we conduct regular tabletop exercises to test our incident response plan?
  • Do these tabletop exercises include our critical suppliers and partners?
  • How effective are our business continuity and disaster recovery plans?
  • How resilient are we to third-party cyber incidents, and what mitigation actions are in place to effectively manage this risk?
