The new 2023 edition of the Director’s Handbook on Cyber-Risk Oversight from the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA) educates board members on upgrading their oversight capability for cyber risk and makes a strong endorsement of financial quantification and management of cyber risk.
The NACD and ISA released the new handbook on March 22 at a press conference in Washington, DC, attended by Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), Peter Gleason, President and CEO of the NACD, and Larry Clinton, President and CEO of the ISA. The handbook is the result of collaboration among many contributors, including members of CISA, the FBI, and several ISA board members, among them FAIR Institute President Nick Sanna.
“As cyberattacks continue to grow each year, we must do more to advance a strong culture of corporate cyber responsibility,” Jen Easterly said. “Cyber risk must be seen as a fundamental business risk—one that is owned and managed by the CEO and Board of Directors as a matter of good governance.”
“The NACD Handbook clarifies the responsibilities that boards and management have in creating effective cyber risk management programs,” shares Nick Sanna. “The handbook’s success stems from demystifying key core cyber risk governance concepts in easy-to-understand terms and from providing practical tools for exercising proper cyber risk oversight.”
The NACD Handbook Lays Out Cyber Risk Governance Principles
The principles of good board governance presented by the handbook all align with the FAIR™ approach to effective risk management starting with Principle 1: “Directors need to understand and approach cybersecurity as a strategic, enterprise risk, not just an IT risk.” By quantifying cyber risk into financial terms, the standard FAIR risk model bridges enterprise risk and cyber risk through the common language of business.
Two other principles from the NACD Director’s Handbook are particularly relevant to risk management programs running on quantitative and financially-driven analysis:
Principle 4: “Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework.”
Principle 5: “Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer.”
Download the Director’s Handbook on Cyber-Risk Oversight now.
Guidance and Tools in the Handbook Will Help Directors Set Cyber Risk Oversight Agendas
The handbook gets down to cases, suggesting in detail how directors might question and assess management’s performance on cybersecurity risk.
For Principle 4, the handbook covers an Enterprise Framework for Managing Cyber Risk, and suggests that board members ask management for tools that track metrics for “progress of implementing various technical best practices along various scales of maturity and deployment” along with “financially oriented tools (that) measure the effectiveness of those best practices in reducing risk and can be used to prioritize risks based on business impact” (a common role for FAIR).
Principle 5, Cybersecurity Measurement and Reporting, goes into detail urging boards to demand cyber risk quantification (CRQ) as the reporting method of choice: “Companies should select the CRQ method, tools, and services that best meet their needs and that can provide defensible results.” Many organizations have selected CRQ based on FAIR for its defensibility as an open standard maintained by The Open Group.
The handbook also advises boards to clearly define with management a risk appetite based on “quantifiable risk”.
Diligent directors will also want to check the appendix of the handbook for Tool F, a questionnaire to be answered by management that expands on Principle 4, with topics that are directly in line with FAIR practice, such as:
- What are the top cyber risks we have as a company?
- What is the probable frequency and the probable magnitude of these top cyber events?
- What are the forms of loss that we can experience, and how are we measuring and reporting on those losses? (For example, productivity, response costs, replacement costs, fines and judgements, reputation loss)
Two Useful Resources for Board Cyber Risk Reporting from RiskLens, the FAIR Institute’s Technical Advisor
RiskLens My Cyber Risk Benchmark Tool
Principle 5 states that directors can drive their organizations forward by asking 5 key questions. The first two are “How are we measuring the threat environment?” and “What is our cyber risk profile?”
The Handbook suggests independent security ratings benchmarked against peers as an answer. The RiskLens My Cyber Risk Benchmark tool provides a boardroom-ready assessment of your company’s loss exposure (risk) to the industry’s top seven threats in financial terms and benchmarks your readings against peer companies, leveraging empirical data.
RiskLens Executive Board Reporting Service
Other key suggested questions are: “What is our cyber risk profile as defined by management?”, “What is our cyber-risk exposure in economic terms?”, and “Are we making the right business and operational decisions?”
The RiskLens Executive Board Reporting Service offers organizations tangible answers to these questions. This Service is an annual subscription that provides organizations with quarterly board reports on top cyber risks expressed in financial terms. Additionally, the Service provides cost-benefit analysis of key projects and can include the definition of measurable risk appetite statements that drive actionable decision-making.
The RiskLens Executive Board Reporting Service offers these advantages:
- The results are defensible and can be trusted as they are based on the FAIR standard, an open, proven and transparent risk model that allows RiskLens to provide full visibility into all reporting assumptions.
- The Service is aligned with the NACD Cyber Risk Oversight and the WEF Cyber Risk Governance principles, calling for assessment and management of cyber risk in financial terms.
- The analysis is grounded in empirical industry benchmark data.