Cyber-Risk Oversight

Key Principles and Practical Guidance for Corporate Boards in Europe

WHY A CYBER-RISK OVERSIGHT HANDBOOK FOR EUROPEAN CORPORATE BOARDS?

In 2019, the European Union Agency for Network and Information Security (ENISA) reported that the previous year saw significant changes in the cyberthreat landscape.

Cybersecurity is the fastest growing, and perhaps most dangerous, threat facing organizations today. Boards are increasingly focused on addressing these threats.

In 2014, the Internet Security Alliance (ISA) and the National Association of Corporate Directors (NACD) created the first Cyber-Risk Oversight Handbook for Corporate Boards to provide a coherent approach to deal with the issue at the Board level. In 2018, the Internet Security Alliance published editions of the handbook for Boards of Directors in the United Kingdom, Japan, and Latin America.

The cyber-risk handbooks are an attempt to provide Board members with a simple and coherent framework to understand cyber risk, as well as a series of straightforward questions for Boards to ask management to assure that their organization is properly addressing its unique cyber-risk posture.

Independent research on previous editions of the cyber-risk oversight handbook – focused on the same core principles – has shown that use of these principles results in better cybersecurity budgeting, better cyber-risk management, increased alignment of cybersecurity with business goals, and helps create a culture of security.

This handbook has been put together by cybersecurity experts from multiple governments and industry sectors, working together on a voluntary basis. It remains generic and general and non-sector-specific. No one is being paid to contribute to this effort and there is no charge for the handbook.

This handbook—developed in partnership between ISA, ecoDa, and AIG—will promote continued adoption of uniform cybersecurity principles for corporate Boards not only in Europe but across the globe.