NACD and Internet Security Alliance Release 2026 Cyber-Risk Oversight Guide for Corporate Boards as expectations on boards intensify
WASHINGTON, April 16, 2026 /PRNewswire/ — Cyber risk is a defining test of board oversight. Yet many directors are still working to keep pace with a threat landscape that is accelerating in scale, sophistication, and consequence.
More than 600 million cyberattacks are tracked each day, and cybercrime losses are projected to approach $20 trillion annually in the coming years, according to research cited in the fifth edition of the Director’s Handbook on Cyber-Risk Oversight, which was released today. At the same time, regulators, investors, and stakeholders are raising expectations for how boards oversee cybersecurity strategy, disclosure, and resilience.
The latest edition of the Handbook sets out six core principles to guide board oversight of cyber risk, along with practical tools to help directors engage with management, assess organizational preparedness, and oversee incident response. Developed by the National Association of Corporate Directors® (NACD®) and the Internet Security Alliance (ISA), the resource helps corporate boards strengthen their governance and oversight of cybersecurity risk. It builds on more than a decade of work aimed at strengthening board-level cyber governance.
“Cyber risk has become a central governance issue for boards,” said Peter Gleason, NACD president and CEO. “Directors today must oversee cybersecurity in the same disciplined way they oversee financial, operational, and strategic risks. Our Handbook provides boards with practical frameworks to strengthen oversight and help organizations navigate a rapidly evolving threat environment.”
“The Journal of Cybersecurity has called the Director’s Handbook on Cyber-Risk Oversight the de facto international standard for cyber-risk oversight,” said Larry Clinton, ISA president and CEO. “It is the only set of best practices that has been independently assessed and found to produce substantial security outcomes.”
The updated edition features a foreword from the Cybersecurity and Infrastructure Security Agency (CISA) and expanded guidance on emerging technologies, supply chain risk, and incident response coordination. It also includes a practical toolkit for directors covering ransomware preparedness, quantum computing, cybersecurity reporting metrics, and third-party risk oversight.
The Handbook outlines six principles for effective board oversight of cyber risk:
- Treat cybersecurity as a strategic risk
- Monitor legal and disclosure implications
- Establish board oversight structures and access to expertise
- Adopt an enterprise framework for managing cyber risk
- Guide cybersecurity risk measurement and reporting
- Encourage systemic resilience and collaboration
The Director’s Handbook on Cyber-Risk Oversight, Fifth Edition is intended for directors of public, private, and nonprofit organizations and is available here.
About NACD
The National Association of Corporate Directors® (NACD®) is the leading member organization for corporate directors who want to expand their knowledge, grow their network and maximize their potential. For more than 48 years, NACD has helped boards and the business community elevate their performance and create long-term value. Our leadership continues to raise standards of excellence and advance board effectiveness at thousands of member companies.
NACD’s value insights, professional development events and resources, such as the NACD Directors Summit™ and the NACD Directorship Certification® program, support boards in navigating complex challenges. With a growing network of more than 24,000 members across more than 20 Chapters, boards are better equipped to make well-informed decisions on the critical, strategic issues facing their businesses today. Learn more at www.nacdonline.org.
About ISA
ISA’s mission is to integrate advanced technology with economics and public policy to promote a sustainably secure cyber system. The ISA board consists of cyber leaders (typically chief information security officers) from virtually every critical industry sector. Over the last 25 years, ISA has created a comprehensive theory and practice for cybersecurity for both enterprise risk management and government policy. ISA’s consensus principles and practices, developed in collaboration with NACD and the World Economic Forum, are the foundation of this program and are contained in ISA’s numerous Cyber-Risk Handbooks now available on four continents and in five languages. The Journal of Cybersecurity has labeled this work as the “de facto international standard for cyber-risk oversight.” ISA’s companion book Cybersecurity for Business translates the board-level principles into roles and practices for the management team.
ISA has also called for a broad re-thinking of cybersecurity public policy in response to the elevated cyber risk coming from sophisticated actors using AI and other advanced technologies. This alternative approach—articulated in ISA’s new book, Fixing American Cybersecurity: Creating a Strategic Public Private Partnership—would reform the unsuccessful cybersecurity regulatory paradigm in favor of a market-oriented approach, addressing the economics as well as the technology of cybersecurity. Many of ISA’s proposals are being reflected in updated National Cybersecurity Strategies.
Media Contact
Shannon Bernauer
[email protected]
571-367-3688
Kat Caleca
[email protected]
SOURCE National Association of Corporate Directors
