“Directors don’t need to be technologists to play an effective role in cyber risk oversight — but every board can take the opportunity to improve the effectiveness of their cyber oversight practices.”

Peter Gleason, NACD President

In January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its “Director’s Handbook on Cyber-Risk Oversight.” In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations.

The 2017 edition improves on the 2014 version by clarifying several points for board directors to help them understand the strategic importance of cyber risks and the complexity of threats. It also includes several appendices that both chief information security officers (CISOs) and directors will find useful when preparing for mergers and acquisitions (M&A). The appendices also contain information about metrics and dashboards, and the relationship between boards and CISOs.

Five New NACD Principles for Board Directors

1. Understand and Approach Cybersecurity as an Enterprisewide Risk Management Issue, Not Just an IT Issue

“The reality is that if a sophisticated attacker targets a company’s systems, they will almost certainly breach them,” the handbook warned. It went on to cite the challenge of detecting the presence of attackers in an organization’s systems and networks. On average, it takes 146 days before an organization realizes it has been breached. In about half the cases, the breach is reported by law enforcement or third parties, not discovered internally.

A sidebar titled “Why Would They Attack Us?” provides good examples to help new directors understand why their organization could be an appealing target for cybercriminals. The list includes M&A plans, contracts, sensitive HR information and client data.

2. Understand the Legal Implications of Cyber Risks as They Relate to the Company’s Specific Circumstances

The handbook pointed out the severe consequences of cyberattacks, specifically noting that companies and directors can find themselves exposed to legal risks following an attack. Directors are under tremendous pressure to appear to be doing something to get a handle on cyber risks. In many cases, this is manifested by the questions boards are asking CISOs and other managers. For example, the handbook warned that employees and contract workers, while indispensable assets, can also become easy vectors of attack for external actors, highlighting the need for regular security awareness training, strong controls and a strong organizational culture.

According to NACD, only 42 percent of public directors are confident or very confident that their company is properly secured against a cyberattack, versus 29 percent for private companies. Similarly, just 42 percent of public directors are moderately confident, in contrast with 39 percent for private companies. Finally, 15 percent of respondents from public companies said they were slightly or not at all confident, while 32 percent of private companies reported the same.

When it comes to boards’ own oversight of cyber risks, cyber continues to be a partial-board issue. When NACD surveyed boards about which group had oversight of cyber risks, 51 percent of respondents listed the audit committee, while only 41 percent reported that risks were reviewed at the full board level. In 11 percent of cases, risk management was an issue for a dedicated risk committee.


While boards have taken control of “big picture risks,” the numbers for cyber risks speak for themselves. Many boards don’t see this as a full-board issue, which could open them up to significant legal complications in the event of a breach.

The NACD survey results clearly showed that there is a lot of room for improvement to help board directors properly secure their organizations with confidence. Some of this pressure stems from investors, who are anxious to be kept in the loop regarding the cyber resilience of their investments. The Council on Institutional Investors created a list of five questions for directors to address:

  1. How are the company’s cyber risks communicated to the board, by whom and with what frequency?
  2. Has the board evaluated and approved the company’s cybersecurity strategy?
  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?

3. Have Adequate Access to Cybersecurity Expertise and Give Cyber Risk Management Regular and Adequate Time on Board Meeting Agendas

While a number of CISOs reported spending time educating their top leaders about cybersecurity issues, the third principle in the handbook encouraged boards to have frequent, timely discussions about cyber risks and seek expertise beyond the confines of the boardroom. When needed, directors should look to outside experts to help them evaluate the assertions made by management and security leadership. This is akin to a doctor seeking advice from other medical professionals before signing off on a particular solution to a problem.

The handbook urged boards to schedule “deep-dive briefings” for independent third-party experts to help validate the extent to which the cybersecurity program is meeting objectives. Having adequate access to external expertise is key to enabling boards to address the questions raised by the Council on Institutional Investors. Without access to external expertise, boards would find it quite difficult to challenge or critically analyze the effectiveness of cybersecurity activities.

When it comes to boards’ access to the right internal resources during discussions on cyber risks, however, the NACD survey revealed a disconnect. The chief information officer (CIO) is the person most often in charge of reporting cybersecurity issues to the board (62 percent of cases), followed by the head of internal audit (38 percent), the CEO (37 percent) and, finally, the CISO (31 percent).

4. Set the Expectation That Management Will Establish an Enterprisewide Risk Management Framework With Adequate Staffing and Budget

The NACD handbook specifically mentioned the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), originally released in 2014. NIST created the framework to enable “organizations — regardless of size, degree of cybersecurity risk or cybersecurity sophistication — to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.” The CSF “focuses on using business drivers to guide cybersecurity activities and [considers] cybersecurity risks as part of the organization’s risk management processes.”

The NIST CSF has already been adopted by 29 percent of organizations, with future adoption rates projected as high as 70 percent. NACD reported even higher levels of adoption, with over 50 percent of respondents currently using the framework. Among federal agencies, adoption rates are over 80 percent.

Obviously, the NIST CSF isn’t the only framework out there. For example, many global organizations started adopting ISO 27001 years ago. Regardless of the particular framework chosen, boards need to ensure that it is fully and deeply implemented across all levels of the organization.

The handbook also recommended regular reviews of the effectiveness of the organization’s cyber risk management. This is meant to provide a sense of assurance that the organization can display an appropriate level of cyber resilience in the face of near-certain attacks.

5. Management Discussions Should Include Identification of Which Risks to Avoid, Which to Accept and Which to Mitigate or Transfer Through Insurance

With this principle, the board must answer questions such as: What type of data, and how much of it, is the organization willing to expose? How are investments in mitigation efforts balanced, given that the organization can’t possibly protect everything with the same level of vigilance?

Directors must also review cyber risk insurance options to transfer the risks that are not economically feasible to mitigate. In addition, they must define the organization’s cyber risk appetite, and the process for escalating and communicating during and after an incident.

Final Takeaways From the 2017 NACD Handbook

All in all, the 2017 edition of the handbook provides a solid foundation for both new and seasoned board directors to grasp the intricacies and complexities of the cybersecurity landscape. However, the handbook is valuable beyond the boardroom. C-suite executives will find it useful and relevant to them, especially the appendix titled “Questions for the Board to Ask Management About Cybersecurity.” CISOs can easily point to this document as a reference when presenting to top leadership and align their requests with one of the five principles.

Hear more from Chris Veltsos: Directors Are From Mars, CISOs Are From Venus
