Cyber-Risk Oversight

Citation
National Association of Corporate Directors, Cyber-Risk Oversight: Executive Summary (Director's Handbook Series 2014 ed.) (full-text).

Overview
In this publication, the NACD (in collaboration with the American International Group and the Internet Security Alliance) cited five cybersecurity principles for boards. The principles state:

 * Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
 * Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
 * Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
 * Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
 * Board and management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.