2020 NACD Cyber-Risk Handbook What You Need to Know

As the world continues to rely on digital operations, cybersecurity remains an overwhelming concern—affecting how companies strategize, function, and grow. Cyber-risk is ever-evolving, and can cause financial and reputational damage if not adequately managed.

Recently, the National Association of Corporate Directors (NACD) released its 2020 Director’s Handbook on Cyber-Risk Oversight to assist board members in defining their cybersecurity responsibilities and executing effective oversight strategies. The guidance is intended to aid boards of public companies, private companies, and nonprofit organizations across all industries in their cybersecurity endeavors, providing timely advice and proven strategies to mitigate cyber-risk. It outlines five key principles:

1. Cybersecurity as a Strategic Risk

Directors need to understand and approach cybersecurity as a strategic, enterprise risk—not just an IT risk.

2. Legal and Disclosure Implications

Directors should understand the legal implications of cyber-risks as they relate to their company’s specific circumstances. The handbook dives into the specifics of public disclosures and reporting, as well as Securities and Exchange Commission (SEC) disclosure guidance.

3. Board Oversight Structure and Access to Expertise

Boards should have access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas. The handbook suggests ways to build better relationships with the security team and the Chief Information Security Officer (CISO), and methods to engage management regarding cyber-risk.

4. An Enterprise Framework for Managing Cyber-Risk

Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.

The handbook describes two models for enterprise risk management: the “Multistakeholder Model” and the “Three Lines of Defense” model. It also suggests and explains various technical frameworks that help address cybersecurity risks.

5. Cybersecurity Measurement and Reporting

Board-management discussions about cyber-risk should include identification and quantification of financial exposure to cyber-risks, along with which risks to accept, mitigate, or transfer. They should also discuss specific plans associated with each approach.


These principles reflect a focus on higher-level enterprise risk management that’s appropriate for board attention, while recognizing that detail-level cybersecurity functions are implicit in the measurement and control of these risks. The 2020 version of the NACD cyber-risk oversight handbook offers new guidance for each of the five principles and includes an extensive toolkit to help boards adopt and operationalize them—emphasizing cyber-risk as an integral part of an institution’s risk and a crucial component of your organizational strategies.

For an in-depth look at the Handbook, explore our most recent whitepaper, where we thoroughly review this critical information and summarize its entirety