The NACD announced on July 29 the availability of the handbook, which was developed in collaboration with the Internet Security Alliance, a trade group, and insurer American International Group.
"As the intricacy of attacks increases, so does the risk they pose to corporations," says Mark Camillo, AIG's head of cyber products for the Americas region. "Conscientious and comprehensive oversight of cyber-risk at the board level is essential."
The handbook focuses on board-level cybersecurity oversight and is organized around five key principles:
- Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber-risks as they relate to their company's specific circumstances.
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
- Directors should set the expectation that management will establish an enterprisewide cyber-risk management framework with adequate staffing and budget.
- Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.