NACD: Cyber-Risk Oversight 2020

Jointly published on 25 February 2020 by the National Association of Corporate Directors (NACD) and Internet Security Alliance (ISA), this report focuses on five core principles that apply to boards of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector:

  1. Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just as an IT risk.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer (such as through insurance), as well as specific plans associated with each approach.

This handbook was the first non-government resource to be featured on the U.S. Department of Homeland Security’s US-CERT C3 Voluntary Program website.