1. Directors should understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risk as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussion about cyber-risk management should be given regular and adequate time on board meeting agendas.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-management discussions about cyber-risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

“Cyber-Risk Oversight - Director’s Handbook Series”, NACD (National Association of Corporate Directors), 2017