In Partnership With Private Sector, DHS Looks to Improve Cyber Risk Awareness

Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...

By Kelsey Penna  

July 29 — Introducing a unique collaboration between the private sector and government, the National Association of Corporate Directors and the Department of Homeland Security took steps July 29 to improve cybersecurity governance.

The NACD, DHS, American International Group (AIG) and the Internet Security Alliance announced that NACD's “Directors' Handbook on Cyber-Risk Oversight” will be the first private sector resource to be featured on DHS's US-CERT C3 Voluntary Program website.

“We have moved beyond our first goal, which is cybersecurity awareness. We've now moved onto the harder issue which is actually understanding the problem and then pragmatically working to solve it,” said Larry Clinton, ISA's president and chief executive officer, who prepared the handbook. “It's one thing to talk about how cybersecurity should be a part of the business discussion, but it's another thing to actually do it.”

Best Practices

The NACD handbook, which NACD released with AIG and ISA in June, outlines five broad principles that boards of directors should consider when assessing their understanding of cybersecurity risks. Those principles are:

  •  understanding that cybersecurity is not just an IT issue;
  •  knowing the legal implications of cyber risks;
  •  ensuring adequate access to cybersecurity expertise;
  •  establishing an enterprise-wide cyber risk management framework with adequate staff and budgeting; and
  •  identifying which risks to avoid, accept, mitigate or transfer through insurance.

In addition to the principles, the handbook provides boards with other tools such as sample questions and guidelines to facilitate conversations between the board and management about cybersecurity, said Ken Daly, president and CEO of NACD.

“What we are trying to do is connect the dots between the operational issues that have dominated the cybersecurity discussion and the strategic issues that are actually the things that businesses focus on,” said Clinton. “For too long those of us involved in the cybersecurity movement have talked about the fact that corporate boards need to understand more about cybersecurity, they need to understand our language, which is true. But it is equally important for us to understand their language.”

Partnership Brings Change

The partnership between NACD, AIG, ISA and DHS combines each group's expertise in a way that will be broadly applicable throughout the economy.

“We think the government contribution is going to substantially extend the reach of the substantive improvements we are making and also provide added coherence to a broad-based national policy and strategy with regard to cybersecurity, linking both the private sector and the public sectors,” Clinton said.

In February, responding to an executive order, the National Institute of Standards and Technology unveiled a cybersecurity framework that the private sector could voluntarily adopt. Experts have said the framework could become the standard of care for companies that face cyber threats.

The handbook builds off this framework and can be incorporated into the overall business context, Clinton said. “We have enterprise risk management, corporate governance, cyber expertise, and the government all pulling together in a coherent fashion in what we truly think is a united common cause.”

Still a National Security Issue

On July 28, the House passed the National Cybersecurity and Critical Infrastructure Protection Act, which codifies the DHS National Cybersecurity Communications Integration Center as an entity charged with facilitating real-time cyberthreat information sharing. If the bill is enacted, it would further the notion that cybersecurity is not just an issue for the business community—which has been increasingly focused on cybersecurity in light of recent breaches—but an issue on the national level as well.

Several other congressional bills regarding cybersecurity remain pending, including one that would provide liability protection to companies that voluntarily disclose cyberthreat data to industry or government partners.

“This is a national scale problem and will require efforts by every part of our nation, whether it's the business community—efforts like this handbook—whether it is executive branch of the government or legislative branch of the government,” said Andrew Ozment, assistant secretary of DHS's Office of Cybersecurity and Communications. “You name it, everybody has to be a part of making cybersecurity an understood and managed national level risk.”

“We are definitely on the right track,” Clinton said. “The government and DHS have demonstrated leadership here, but unfortunately this is not going to be easy. There are a lot of difficulties that can still arise in the future.”

To contact the reporter on this story: Kelsey Penna in Washington at

To contact the editor responsible for this story: Ryan Tuck at

The handbook is available for download at