2023 Director's Handbook on Cyber-Risk Oversight


In brief: The cyber-threat landscape businesses face grows more dangerous and dynamic by the year. As businesses increasingly rely on technology to achieve their strategic objectives and build long-term value, it is a full-board imperative to properly confront the accompanying cyber risks.

The Director's Handbook on Cyber-Risk Oversight updates and builds upon the core consensus principles of past editions to empower boards of public, private, and nonprofit organizations of all sizes to improve their organization's cyber-risk oversight. Now in its fourth edition, the handbook is presented by NACD in partnership with the Internet Security Alliance (ISA), the U.S. Department of Homeland Security, and the Federal Bureau of Investigation, and offers principle-based guidance on the board's role in securing its organization.

How directors can use this resource:

  • Learn the core principles of cyber-risk oversight that have been independently validated as a low-cost means to increase security.
  • Explore the sixth principle focused on systemic resilience that was adopted and adapted from Principles for Board Governance of Cyber Risk, a 2021 publication produced in partnership between NACD, ISA, and the World Economic Forum.
  • Gain understanding of the board's role in overseeing cyber risk as a strategic risk; legal and compliance implications related to cybersecurity; and strategies for structuring the board with proper expertise, structures, and information flows.
  • Apply insights with confidence using tools that address emerging cyber-risk issues and core governance responsibilities, such as ransomware, supply-chain and third-party risk oversight, cloud security, M&A due diligence, and building a relationship with your chief information security officer (CISO).
  • Plan how best to collaborate with public- and private-sector actors to build resilience and relationships throughout the broader cybersecurity ecosystem.

Most relevant audiences: Board members of public companies, private companies, and nonprofit organizations, as well as CISOs and other executives who interact with and report to the board on cybersecurity-related matters.