Earlier this year, the National Association of Corporate Directors (NACD) released an updated version of its Director’s Handbook on Cyber-Risk Oversight (Handbook). The updates add 16 pages of content to the previously 28-page document, including four additional appendices. While use of and compliance with the Handbook are not mandatory, the Handbook is influential in shaping governance practices, so it is prudent for those involved in corporate governance to familiarize themselves with the changes.

Background

The Handbook, first released in 2014, provides Boards of Directors with guidance on implementing board-level cyber-risk oversight programs. The Handbook is part of the NACD’s Director Handbook series, which reports and comments on widespread governance practices to help directors discharge their duties appropriately.

The NACD’s issuance of an update to its Handbook in just three years signals that cybersecurity-related governance expectations of companies and directors are evolving.

Like the 2014 version, the Handbook offers five key principles for board-level cyber-risk oversight. These principles are intended to be adapted by each board based on the organization’s unique characteristics, such as size, industry, business plans, and strategy. The five principles are as follows:

  • Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  • Principle 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  • Principle 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  • Principle 4: Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  • Principle 5: Board-management discussions about cyber risk should include which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

In addition to the five principles, the Handbook offers nine appendices of tips, templates, and frameworks.

Board-level Cyber-Risk Oversight

Whereas the 2014 Handbook recommended that boards oversee cyber-risk management, the new edition is unequivocal: Boards are expected to understand cybersecurity as an enterprise-wide risk management issue and to address it as they would any other enterprise-wide risk. The 2017 Handbook supports this conclusion by demonstrating that the threats facing companies are growing. In 2014, the predominant corporate cybersecurity threat was a single exfiltration; now, however, organizations are contending with highly sophisticated, multi-staged attacks from various actors, including actors associated with nation states. This extends to merger and acquisition phases, for which the 2017 Handbook now specifically calls for “confirmatory cybersecurity due diligence” and an evaluation of the effect of cybersecurity risk on a transaction’s value and viability.

The Handbook cites the annual NACD Public Company Governance Survey (NACD Survey), which asks public company directors about their board practices, to suggest that boards have already made strides in overseeing cybersecurity. According to the 2016–2017 NACD Survey, 89 percent of boards discuss cybersecurity on a “regular basis,” as opposed to fewer than 40 percent in 2012. Directors do more than discuss cybersecurity. Indeed, the Handbook reports that boards apply, to varying degrees, fifteen distinct cyber-risk oversight practices. The most widely adopted practice is reviewing the organization’s approach to securing critical data assets; the least adopted is participating in a test of the organization’s incident response plan.

While engagement in cyber-risk oversight is now expected of directors, the Handbook also highlights that many boards feel unprepared and insufficiently knowledgeable about cybersecurity. The NACD Survey found that only 14 percent of directors believe that their board has a “high” level of knowledge about cybersecurity risks. The Handbook suggests methods to increase this knowledge: recruiting directors with cybersecurity expertise, hiring independent and objective third parties to thoroughly examine cybersecurity programs, relying on external auditors and outside counsel, and participating in director-education programs.

Board Role in Guiding Management Reports About, and Actions on, Cybersecurity

According to the NACD Survey, directors view management’s reports on cybersecurity as the lowest quality of all the reports they receive, with nearly 25 percent of directors stating they are dissatisfied with the quality of information and fewer than 15 percent indicating they are “very satisfied.” This discrepancy may arise for several reasons: difficulty in using the information to benchmark performance, insufficient transparency about performance, and difficulty interpreting the information. To address this issue, the Handbook recommends that directors “set clear expectations with management about the format, frequency, and level of detail” they wish to receive. The Handbook’s appendices include tips for selecting cybersecurity performance metrics and offer questions that the board can ask management regarding the organization’s cyber-risk program.

Additionally, the Handbook urges directors to adopt an affirmative and forward-looking strategy to manage the organization’s cyber-risk, which requires more than reacting to incidents. Such a strategy requires management to create a cyber-risk management team with cross-departmental authority. The risk management team can then conduct an enterprise-wide risk assessment while accounting for the jurisdictional differences in cybersecurity regulations. The team also may develop an incident response plan, which includes a strategy for internal communications, and create a cyber-risk budget to meet the organization’s security needs.

* * *

Organizations are advised to assess their cyber-risk oversight practices against the updated Handbook and to confirm appropriate cybersecurity risk management activities are in place and operating effectively, including throughout the transactional lifecycle.