In recent months, it seems each week brings headlines of a new cyber-attack or electronic data breach, with potentially significant consequences for the company involved. This underscores the importance for public company boards of actively engaging with their companies' cybersecurity strategies.
To equip directors for this task, the National Association of Corporate Directors recently released a guide to board oversight of cyber-risk. The report proposes five key principles for boards in approaching cyber-risk:
*Cyber-risk is more than just an IT issue: it is a key component of enterprise risk management, requiring board-level oversight.
*Cyber risks have important legal ramifications, which directors need to understand.
*Cyber-risk should be a topic of regular board discussion, and boards need access to the expertise to engage with cyber-risk issues.
*Directors should ensure management implements an effective cyber-risk framework for the company.
*The board and management should assess cyber-risk just like other enterprise-level risks: ensuring a specific determination is made of which aspects of cyber-risk to accept, avoid, mitigate or insure against.
The report, authored by Larry Clinton, is published in the NACD's Director's Handbook Series, which requires a subscription to access. An executive summary of the report is available to the public. Additional information about the NACD is available on its website at www.nacdonline.org.