NACD Director's Handbook on Cyber-Risk Oversight

Businesses around the world depend increasingly on technology, a digital revolution that has created both enormous rewards and exponentially expanding risks. The cyber-threat landscape we face today is more complex and dangerous than ever, with cybercrime expected to cost the world some $8 trillion dollars in 2023.1 With corporate reputations and revenue on the line—and given the broader implications for our national security, economic prosperity, and public safety—we must think differently. 

Consider this hypothetical—but very possible—scenario: Imagine that a CISO at a US pharmaceutical company recommends that the company fund a phishing-resistant multifactor authentication (MFA) tool for all employee accounts. Company leadership declines, calculating that the enhanced MFA would be more costly than warranted in the near term, based on their judgment about the likelihood of a cyberattack. The decision is reviewed and approved by the board. Later, when an attacker tricks a user into revealing their login credentials, data is exfiltrated and systems are shut down by ransomware, with the following cascading impacts:

• Delayed shipment of critical pharmaceuticals, resulting in delayed surgeries across the country
• Theft of sensitive customer data, resulting in identity theft and personal financial impact to millions of customers
• Theft of critical intellectual property, eventually sold to an overseas company owned by an adversarial nation, which brings several competing drugs to market years ahead of schedule, with downstream effects on market share
• Over time, the US health care system begins to rely heavily on the overseas company for the pharmaceuticals, which ultimately damages US competitiveness and its leverage in the event of a geopolitical conflict 

From a short-term business perspective, the financial impacts of the cyberattack are tolerable, though the company, which finds itself in the headlines over a period of several weeks, takes a reputational hit. In the longer term, however, the attack results in significant harm to individuals, other businesses, national economic competitiveness, and technological innovation.

For decades, cyber risk was considered part of information technology (IT) risk, and its oversight was largely delegated to engineering and security teams within an organization. More recently, however, in large part thanks to the five principles highlighted in previous versions of this thoughtful handbook, corporate leaders have begun to see cyber risk for what it is: a strategic, enterprise risk, which they—not their CISOs—own. Today, given our complex, dynamic, and highly interconnected environment, boards and company leadership must now consider the broader picture and the critical role they play in their company’s and in society’s resilience. 

We need a new model of sustainable cybersecurity. One that starts with a commitment at the board level to incentivize a culture of corporate cyber responsibility in which managing cyber risk is treated as a fundamental matter of good governance and good corporate citizenship, a recognition highlighted in these pages with the inclusion of a sixth core principle for board oversight—the need for boards to encourage systemic resilience through collaboration.

Board members have unique power to drive such a culture of corporate cyber responsibility: 

• They should ensure that CISOs are fully empowered, with the influence and resources necessary to drive decisions where cybersecurity is effectively prioritized, not subordinated to cost, performance, and speed to market.
• They should ensure that their peers and the senior executives that they oversee are well-educated on cyber risk, that cybersecurity considerations are appropriately prioritized in every business and technology decision, and that decisions to accept rather than mitigate cyber risks are scrutinized and revisited often.
• They should review their company’s cyber-risk management framework and ensure the development of a common set of standards which their businesses can use to determine and measure their exposure to cybersecurity risk.
• They should ensure that the thresholds for reporting potential malicious activity to senior management are not set too high; rather, they should be briefed on “near misses” as well as those intrusion attempts that succeed, as such near misses are among the most important signals to assess the quality of a company’s defenses and its reaction to incidents.
• Finally, board members should actively champion a model of collaboration that presumes a default position in which information about malicious activity is shared proactively with expectations that government will be responsive and add value, and that industry will not suffer punitive sanctions for sharing. 

As the nation’s cyber defense agency, CISA’s goal is to advance a new model of sustainable cybersecurity by working collaboratively with our partners to drive down risk to our nation, enabling the broader safety of consumers. Since our establishment in 2018, CISA has been expanding our resources and capabilities, as well as growing our field forces around the country. You can read more about our offerings in Tool L, including how to have a probing conversation with your CISO so that you can better understand how to support the cybersecurity team. 

CISA commends NACD and the Internet Security Alliance (ISA) for producing this handbook. Not only is it chock-full of clear and practical suggestions that will enable an organization to create a modern and comprehensive cyber-risk program, but also and more important: it works. As detailed within, Cybersecurity at MIT Sloan found that adopting the measures featured in this handbook would materially reduce cyber events without significantly increasing cost. Separately, this handbook is clear evidence that robust public/private operational collaboration is the pathway to creating a sustainably secure cyber ecosystem. In this fight, we are all on the same side and must work together. 

Safer and more resilient critical infrastructure is possible, but it requires us to take deliberate ownership for our collective cyber defense. Corporate cyber responsibility must be a key pillar of this effort.

Jen Easterly
Director, CISA

Read the Full Report