NACD and ISA Release New Guide for Cyber-Risk Oversight

Handbook Equips Boards with Actionable Tools;
Has Become Recognized as Premier Resource for Boards Internationally

WASHINGTON, Feb. 25, 2020 (GLOBE NEWSWIRE) -- The National Association of Corporate Directors (NACD), the authority on boardroom practices representing more than 21,000 directors, and the Internet Security Alliance (ISA), comprising chief information security officers of Fortune 100 companies across critical sectors, today released a new, updated Director’s Handbook on Cyber-Risk Oversight, an essential guidebook to help boards navigate the complex, multifaceted issue of cyber-risk oversight. The handbook, now available on four continents and in five languages, has become the premier source for how boards of directors address cybersecurity and cyber risk.

This third version of the handbook (first issued in 2014) builds on the success of the 2017 handbook. It outlines five “guiding principles” to enhance board oversight of cyber risk and includes tools that provide clear guidance on how best to oversee management of specific cybersecurity issues, including M&A due diligence, insider threats, supply chain management, incident response, personal security, model dashboards and metrics, engagement with the security team, and what to expect from the government.

“Businesses are facing a tension between the need to embrace digital change while at the same time protecting their cyber assets,” said Peter R. Gleason, CEO of NACD. “This is the ‘new normal’ for enterprises of all sizes, and our goal with this handbook is to help build the board’s knowledge and confidence to navigate this new reality.”

The 2019–2020 NACD Public Company Governance Survey revealed the friction that businesses experience between the need to innovate digitally and the need to effectively manage cyber risks. Sixty-one percent of directors report that they would be willing to compromise on cybersecurity to achieve business objectives, while 28 percent prioritize cybersecurity above all else.

“Boards must work with their management teams to reconcile the need to transform themselves digitally with the need to ensure underlying data assets are properly secured,” added Gleason.

“Digitization and digital transformation have enhanced exposure to cyber risk across the enterprise, making cybersecurity a strategic risk,” said Larry Clinton, president of ISA. “This handbook underscores the importance of a robust governance approach to cybersecurity. It recognizes the critical role boards play in shaping the overall vision and strategy for the enterprise and in setting a tone of security.”

The Director’s Handbook on Cyber-Risk Oversight was developed in collaboration with the US Department of Homeland Security and the US Department of Justice, and it is applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry. Directors have turned to earlier iterations of the handbook to gain insight into issues such as how to allocate cyber-risk oversight responsibilities at the board level, the legal implications and considerations related to cybersecurity, how to set expectations with management about the organization’s cybersecurity processes, and ways to improve the dialogue between directors and management on cyber issues.

The digital version of the handbook is free of charge and will be available to US businesses through NACD, ISA, and their partners, including the US Department of Homeland Security and the US Department of Justice. The first and second editions of the handbook have been utilized by thousands of corporate directors and other key stakeholders.

About NACD
The National Association of Corporate Directors (NACD) empowers more than 21,000 directors to lead with confidence in the boardroom. As the recognized authority on leading boardroom practices, NACD helps boards strengthen investor trust and public confidence by ensuring that today’s directors are well prepared for tomorrow’s challenges. World-class boards join NACD to elevate performance, gain foresight, and instill confidence. Fostering collaboration among directors, investors, and corporate governance stakeholders, NACD has been setting the standard for responsible board leadership for 40 years. To learn more about NACD, visit

About ISA
The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy, and promoting sound security practices. In addition to collaborating with NACD and directors’ organizations around the world, ISA’s public policy prescriptions articulated in the “Cybersecurity Social Contract” have been embraced as the model for government policy by both Republicans and Democrats. For more information, visit

Susan Oliver

Josh Higgins
Internet Security Alliance