Board members challenged to step up on cyber-risk

Changing the mindset: Abic executive director Wayne Smith, centre, with panellists Lloyd Holder, left, Michelle Cardwell, Jennifer Card and Peter Stephenson (Photograph by Jessie Moniz Hardy)

A cybersecurity expert is calling on company directors to be more proactive in protecting their organisations from cyberthreats.

Lloyd Holder, a chief information security officer and entrepreneur, said: “I see a correlation between tech knowledge at the board level, and an organisation’s cyber-risk.”

Mr Holder recently contributed to a panel discussion on board effectiveness, organised by the Association of Bermuda International Companies.

“Often these boards have long-standing members,” he later told The Royal Gazette. “They have been there for a long time and they are just keeping a seat warm. They are just ticking boxes.”

In today’s world, he said, that is no longer acceptable. Companies cannot rely on Bermuda’s obscurity for protection from cyberthreats.

“In the past, we could be blissfully ignorant to some of the things going on in the cybersecurity world,” he said. “Now, cyberthreats are hitting closer to home.”

Last year, a cyberattack paralysed parts of the Bermuda Government’s computer systems, affecting them for several weeks.

More recently, the Lindo’s Group of Companies and the Bermuda College also experienced cyber incidents. Meanwhile, there have been whispers of other attacks, never made public.

Mr Holder said the Institute of Directors in Bermuda is putting up more guard rails for directors, and requiring more certifications.

“The IoD is trying to change the mindset,” he said.

Mr Holder said that no matter what business a firm is in, having someone on the board with tech knowledge can provide valuable insight and help shift an organisation in the right direction in terms of cybersecurity.

As a chief information security officer, Mr Holder often hears clients say they are not in the cybersecurity business, so they do not need cyber expertise at the board level.

A CISO is a senior-level executive who oversees an organisation's information, cyber, and technology security.

The CISO's responsibilities include developing, implementing, and enforcing security policies to protect critical data.

“More organisations need to embrace the impact of cyber to their organisation,” he said. “It is important to have someone who has visibility in the cyber and technology space, especially if you are a publicly traded company.”

“If we do our finances for business, that may be operating on an electronic platform,” he pointed out, noting increasing corporate reliance on computers. “It is important to understand your cyber-risk, and then bake that understanding into your risk management strategy.”

Also on the panel was Peter Stephenson, a Toronto-based board effectiveness expert from Hugessen Consulting. He suggested topics such as artificial intelligence and cybersecurity could be too complex to leave to the board.

He argued: “Our belief is that this is changing so quickly, that the expertise probably belongs with management, or even with consultants. It is up to them to educate the board.”

Dr Stephenson said it is more important to look at how the board stays abreast of emerging trends.

“It may depend on the type of business you are in,” he said. “If you are in the finance industry, then cybersecurity has a different material impact on you than someone who is in a different business.”

Another panellist, Jennifer Card, an organisational psychologist and consultant, said cybersecurity is a critical issue for all organisations.

Dr Card said: “I am trying to think of a company that does not use technology in some way. It is probably very rare.”

She suggested that if the board does not have the necessary tech expertise, then an outside consultant could help inform their decisions.

Panel moderator Michelle Cardwell, executive director of the IoD, said ultimate responsibility rests with the board.

“You cannot delegate that responsibility away, so you have to know what the issues are,” she concluded.


Published June 18, 2024 at 8:00 am (Updated June 19, 2024 at 8:16 am)
