Printed from BusinessInsurance.com

Corporate boards urged to devote more resources to cyber security

Posted On: Feb. 5, 2015 12:00 AM CST

NEW YORK — The potential fallout from cyber-related losses is devastating, and boards of directors need to spend much more time on this issue, said Mary L. Schapiro, the former chairman of the U.S. Securities and Exchange Commission.

Ms. Schapiro, who served as SEC chairman from 2009 to 2012, the period that encompassed the financial crisis, discussed cyber risks during a keynote address Wednesday at the 2015 Professional Liability Underwriting Society D&O Symposium in New York.

Cyber losses have reputational, operational and financial implications, and lead to a loss of consumer confidence, Ms. Schapiro said. Boards need to encourage their companies' employees to develop expertise in this area and establish a system of reporting to the board, but this should not alleviate board members' responsibility to be up to speed on this issue, she said.

“Boards really need to drive management on this issue,” said Ms. Schapiro, whose current positions include serving as a board director at Fairfield, Connecticut-based General Electric Co. They should be knowledgeable about data inventories, where data is located and whether it is protected, and use third-party services to test its safety, she added.

Companies also should have a response plan in place in the event of a data breach, Ms. Schapiro said. “There can be no excuse today not to have a response plan” in the event of a cyber threat, she said.

“Boards need to make sure there are resources going to this” and that employees working on this issue are supported, Ms. Schapiro said during a question-and-answer session with Stasia Kelly, co-managing partner at law firm DLA Piper in Washington.

Ms. Schapiro said those dealing with cyber threats in the company should know to whom to turn, with “clear lines of responsibility” outlined.

Ms. Schapiro also said there now is pressure on Capitol Hill to codify the SEC's guidance on companies' disclosure of cyber threats, which was issued in 2011.