Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
By Kelsey Penna
July 29 — Introducing a unique collaboration between the private sector and government, the National Association of Corporate Directors and the Department of Homeland Security took steps July 29 to improve cybersecurity governance.
The NACD, DHS, American International Group (AIG) and the Internet Security Alliance announced that NACD's “Directors' Handbook on Cyber-Risk Oversight” will be the first private sector resource to be featured on DHS's US-CERT C3 Voluntary Program website.
“We have moved beyond our first goal, which is cybersecurity awareness. We've now moved onto the harder issue which is actually understanding the problem and then pragmatically working to solve it,” said Larry Clinton, ISA's president and chief executive officer, who prepared the handbook. “It's one thing to talk about how cybersecurity should be a part of the business discussion, but it's another thing to actually do it.”
The NACD handbook, which NACD released with AIG and ISA in June, outlines five broad principles that boards of directors should consider when assessing their understanding of cybersecurity risks. Those principles are:
In addition to the principles, the handbook provides boards with other tools such as sample questions and guidelines to facilitate conversations between the board and management about cybersecurity, said Ken Daly, president and CEO of NACD.
“What we are trying to do is connect the dots between the operational issues that have dominated the cybersecurity discussion and the strategic issues that are actually the things that businesses focus on,” said Clinton. “For too long those of us involved in the cybersecurity movement have talked about the fact that corporate boards need to understand more about cybersecurity, they need to understand our language, which is true. But it is equally important for us to understand their language.”
The partnership between NACD, AIG, ISA and DHS combines each group's expertise in a way that will be broadly applicable throughout the economy.
“We think the government contribution is going to substantially extend the reach of the substantive improvements we are making and also provided added coherence to a broad based national policy and strategy with regard to cybersecurity, linking both the private sector and the public sectors,” Clinton said.
In February, responding to an executive order, the National Institute of Standards and Technology unveiled a cybersecurity framework that the private sector could voluntarily adopt. Experts have said the framework could become the standard of care for companies who face cyber threats.
The handbook builds off this framework and can be incorporated into the overall business context, Clinton said. “We have enterprise risk management, corporate governance, cyber expertise, and the government all pulling together in a coherent fashion in what we truly think is a united common cause.”
On July 28, the House passed the National Cybersecurity and Critical Infrastructure Protection Act, which codifies the DHS National Cybersecurity Communications Integration Center as an entity charged with facilitating real-time cyberthreat information sharing. If the bill is enacted, it would further the notion that cybersecurity is not just an issue for the business community—which has been increasingly focused on cybersecurity in light of recent breaches—but an issue on the national level as well.
Several other congressional bills regarding cybersecurity remain pending, including one that would provide liability protection to companies that voluntarily disclose cyberthreat data to industry or government partners.
“This is a national scale problem and will require efforts by every part of our nation, whether it's the business community—efforts like this handbook—whether it is executive branch of the government or legislative branch of the government,” said Andrew Ozment, assistant secretary of DHS's Office of Cybersecurity and Communications. “You name it, everybody has to be a part of making cybersecurity an understood and managed national level risk.”
“We are definitely on the right track,” Clinton said. “The government and DHS have demonstrated leadership here, but unfortunately this is not going to be easy. There are a lot of difficulties that can still arise in the future.”
To contact the reporter on this story: Kelsey Penna in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Ryan Tuck at email@example.com
The handbook is available for download at http://www.nacdonline.org/Cyber.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)