Board members challenged to step up on cyber-risk
A cybersecurity expert is calling on company directors to be more proactive in protecting their organisations from cyberthreats.
Lloyd Holder, a chief information security officer and entrepreneur, said: “I see a correlation between tech knowledge at the board level, and an organisation’s cyber-risk.”
Mr Holder recently contributed to a panel discussion on board effectiveness, organised by the Association of Bermuda International Companies.
“Often these boards have long-standing members,” he later told The Royal Gazette. “They have been there for a long time and they are just keeping a seat warm. They are just ticking boxes.”
In today’s world, he said, that is no longer acceptable. Companies cannot rely on Bermuda’s obscurity for protection from cyberthreats.
“In the past, we could be blissfully ignorant to some of the things going on in the cybersecurity world,” he said. “Now, cyberthreats are hitting closer to home.”
Last year, a cyberattack paralysed parts of the Bermuda Government’s computer systems, affecting them for several weeks.
More recently, the Lindo’s Group of Companies and the Bermuda College also experienced cyber incidents. Meanwhile, there have been whispers of other attacks, never made public.
Mr Holder said the Institute of Directors in Bermuda is putting up more guard rails for directors, and requiring more certifications.
“The IoD is trying to change the mindset,” he said.
Mr Holder said that no matter what business a firm is in, having someone on the board with tech knowledge can provide valuable insight and help shift an organisation in the right direction in terms of cybersecurity.
As a chief information security officer, Mr Holder often hears clients say they are not in the cybersecurity business, so they do not need cyber expertise at the board level.
A CISO is a senior-level executive who oversees an organisation’s information, cyber and technology security.
The CISO’s responsibilities include developing, implementing and enforcing security policies to protect critical data.
“More organisations need to embrace the impact of cyber to their organisation,” he said. “It is important to have someone who has visibility in the cyber and technology space, especially if you are a publicly traded company.”
Pointing to increasing corporate reliance on computers, he said: “If we do our finances for business, that may be operating on an electronic platform. It is important to understand your cyber-risk, and then bake that understanding into your risk management strategy.”
Also on the panel was Peter Stephenson, a Toronto-based board effectiveness expert from Hugessen Consulting. He suggested topics such as artificial intelligence and cybersecurity could be too complex to leave to the board.
He argued: “Our belief is that this is changing so quickly, that the expertise probably belongs with management, or even with consultants. It is up to them to educate the board.”
Dr Stephenson said it is more important to look at how the board stays abreast of emerging trends.
“It may depend on the type of business you are in,” he said. “If you are in the finance industry, then cybersecurity has a different material impact on you than someone who is in a different business.”
Another panellist, Jennifer Card, an organisational psychologist and consultant, said cybersecurity is a critical issue for all organisations.
Dr Card said: “I am trying to think of a company that does not use technology in some way. It is probably very rare.”
She suggested that if the board does not have the necessary tech expertise, then an outside consultant could help inform their decisions.
Panel moderator Michelle Cardwell, executive director of the IoD, said ultimate responsibility rests with the board.
“You cannot delegate that responsibility away, so you have to know what the issues are,” she concluded.