Recognizing the key role boards can play in reducing cyberattacks, the National Association of Corporate Directors, World Economic Forum, and Internet Security Alliance have joined forces to create cyber safety guidance for volunteer leaders.
According to the 2020 Global Risk Report [PDF], there will be $6 trillion in losses from cyberattacks by 2021, making it a key issue for all organizations with data. To help organizations manage this, the National Association of Corporate Directors, World Economic Forum, and Internet Security Alliance are joining forces to create guidance on how to best manage cybersecurity from the board level.
“COVID-19 has ushered in an incredibly rapid transfer to working from home for millions of people,” said Friso van der Oord, senior vice president, content, at NACD. “By August 2020, exploitation of openly known vulnerabilities in virtual private networks and other work-from-home tools became so problematic that the National Security Agency issued a rare public advisory [PDF] urging organizations to patch some specific network problems.”
The groups think the collaboration will create effective guidelines for organizations. “By joining the long-running initiatives at NACD and ISA together with the Forum’s groundbreaking cyber resilience programs, we will empower leaders with the knowledge necessary to improve cyber resilience and cyber-risk governance globally,” said Daniel Dobrygowski, head of corporate governance and trust for the Forum, in a press release.
Van der Oord noted that cyber risk is strategic and therefore needs to be on board agendas. “When boards approach cyber risk as a strategic risk rather than as an isolated, information-technology risk, they’re able to contextualize the threat and will approach their oversight of the organization’s security response with the health of the whole business in mind; they are able to think of the risk in familiar terms,” he said.
NACD found in its 2019–2020 Public Company Governance Survey that boards are increasingly interested in understanding cyber threats, with 66 percent of directors surveyed last year reporting “greater confidence in their ability to oversee the risk, a figure which is up 16 percent over the year before.”
Van der Oord said the combined guidance will focus on five key areas of cybersecurity, asking boards to
- understand and approach cybersecurity as an enterprise risk, not just as an IT risk.
- understand the legal implications of cyber risks.
- have adequate access to cybersecurity expertise and give discussions about cyber-risk management regular and adequate time on board meeting agendas.
- set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
- ensure board-management discussions include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.
The joint guidance is expected to be released in spring 2021. Once completed, the group will focus on getting the information out, so boards can use it in meaningful ways. “We will likely develop implementation tools, case studies, and metrics to help boards tailor these guidelines to their own governance approach,” van der Oord said.