Principles for Board Governance of Cyber Risk

In brief: Cyber risk remains among the top risks facing business organizations today. The World Economic Forum’s Global Risk Report 2021 lists cybersecurity failure as a top “clear and present danger” and critical global threat. As with any major enterprise issue, it is important for the board of directors and leadership to set the tone at the top and define how their organizations must address cybersecurity. This document is the result of a collaboration between the World Economic Forum, National Association of Corporate Directors (NACD), Internet Security Alliance (ISA), and a working group of industry professionals. These organizations came together to build a set of consensus principles that recognized up-to-date techniques for cyber-risk governance. Building off existing cyber-risk oversight guidance that is captured in the NACD-ISA Handbook for US company directors, and through an iterative development process, this group developed six consensus principles for cybersecurity board governance.

How to use: 

• Strengthen board oversight of cyber-risk
• Advance engagement with the CEO, CTO, and CISO on the state of current cybersecurity programs
• Enhance the quality of cyber-risk reporting and allocation of resources
• Review the efforts of your company to engage other key stakeholders, including investors and the public sector, on cybersecurity threats.

Key audiences: board chairs, audit and risk committee members, CTO and CISO-level executives, and General Counsel