CISA Director Jen Easterly said that the updated cyber-risk oversight handbook aligns with the agency’s goal of “advancing corporate cyber responsibility.”
Corporate boards play an important role in mitigating digital threats to critical services, but they need to collaborate more closely with public and private sector partners to further enhance the cyber resilience of their operations, according to an updated governance handbook on cyber-risk oversight released on Wednesday.
The fourth edition of the Director’s Handbook on Cyber-Risk Oversight, published by the National Association of Corporate Directors and the Internet Security Alliance, outlines six core principles “for board oversight of cybersecurity.”
Both organizations partnered with the Cybersecurity and Infrastructure Security Agency and the FBI to develop the latest version of the guide, which was first published in 2014 and has served as an important tool for boards to enhance oversight and implementation of cyber-risk policies across their respective companies. CISA and the FBI also drafted toolkits for the latest edition of the guide to help boards understand their role in supporting national security, as well as how to respond to and report cybersecurity incidents to law enforcement.
The principles outlined in the report include approaching cybersecurity as a strategic risk, understanding the legal and disclosure implications of cyber threats, having boards prioritize cybersecurity expertise and oversight, establishing an enterprisewide framework for managing cyber risks and holding board-management discussions about cybersecurity that include “identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate or transfer.”
A sixth principle—that boards “should encourage systemic resilience through collaboration with their industry and government peers and encourage the same from their management teams”—was developed in 2021 by the National Association of Corporate Directors and the Internet Security Alliance in collaboration with the World Economic Forum.
During an event on Wednesday announcing the release of the updated handbook, CISA Director Jen Easterly—who penned the foreword for the latest guide—said that the outlined principles align with major agency priorities, including “advancing corporate cyber responsibility” and “the importance of business leaders and board members embracing cyber risk management as a fundamental matter of good governance.”
“We have to have an approach to securing the digital ecosystem that is sustainable,” she said. “And I think that model starts with a commitment at the board level and by senior executives to create and incentivize a culture of corporate cyber responsibility.”
Easterly added that “the need for boards to encourage systemic resilience through collaboration,” as outlined in the handbook’s sixth principle, was important for strengthening the ability of organizations to counter growing threats from nation-state actors and cyber criminals moving forward.
“We know boards have unique power to be able to drive such a culture by empowering their CISOs and ensuring that cybersecurity is always appropriately prioritized when it comes to business and technology decisions,” she said, adding that “actively championing a model of persistent collaboration, where that collaboration is taking priority over self-preservation” is critical when it comes to “recognizing that a risk to one is a risk to all.”