NACD handbook elevates supply chain duty

- NACD and the Internet Security Alliance released the fifth edition of their cyber-risk handbook on April 16, making board oversight the central message.
- The handbook adds expanded guidance on supply-chain risk and third-party oversight, alongside six board principles and a 15-tool director toolkit.
- It lands after SEC cyber-governance rules raised disclosure expectations for boards and management. (sec.gov)

The National Association of Corporate Directors and the Internet Security Alliance updated their cyber-risk handbook on April 16, pushing supply-chain cyber risk deeper into board oversight. (nacdonline.org) The fifth edition says cyber risk is now a core component of directors' fiduciary oversight duties, not a problem boards can leave to information-technology teams. (nacdonline.org)

NACD said the new edition includes expanded guidance on emerging technologies, supply-chain risk, incident-response coordination, and third-party risk oversight. It also packages six oversight principles with 15 boardroom tools. (nacdonline.org 1) (nacdonline.org 2)

The handbook's framing is blunt: cyber risk is business risk, and effective governance is a direct board responsibility. Its introduction ties that shift to new regulations, artificial intelligence, and a threat environment that now reaches suppliers and partners. (nacdonline.org)

One example in the text describes a 2025 ransomware attack that hit a major retailer through its supply chain and was expected to erase one-third of annual profits. Another points to an automaker that halted production at multiple sites after a ransomware attack disrupted thousands of suppliers. (nacdonline.org)

The foreword, written by Cybersecurity and Infrastructure Security Agency official Nick Andersen, says cyber risk is "no longer just an information technology concern" and calls it an enterprise-wide boardroom issue. It also says legacy systems can push risk outward into supply chains, partners, and end consumers. (nacdonline.org)

NACD and ISA released the handbook into a market already shaped by the Securities and Exchange Commission's 2023 cyber-disclosure rules. Those rules require annual disclosures about how companies assess and manage cyber risk and how boards oversee it. (sec.gov 1) (sec.gov 2)

The handbook does not create new law, but it does raise the benchmark boards will be measured against when companies describe cyber governance to investors, regulators, and plaintiffs' lawyers. NACD said expectations from regulators, investors, and stakeholders are already intensifying. (nacdonline.org)
