HONG KONG (Reuters) - Investors are facing major challenges in assessing cyber security risks because companies are wary of disclosing breaches fearing they could make them more vulnerable, according to BlackRock’s (BLK.N) head of investment stewardship for Asia Pacific.
Over the past two years the world’s largest asset manager has stepped up pressure on companies to ensure they have robust procedures in place for managing cyber risks, but it is tough to engage boards on this sensitive issue, Pru Bennett told the Reuters Financial Regulation Summit.
”Disclosure is a challenge for companies on cyber security. It could attract attention. We’re not pushing for disclosure, but who has responsibility and where in the board does the accountability lie. The most important thing is to keep up to date.
“It’s a real challenge for boards, there’s no question about it, and it’s a challenge for us as well in engaging with boards on the issue.”
The global financial system is still reeling nearly two months after a still-unidentified group was able to use malware to hack the SWIFT bank messaging network and steal $81 million from the Bangladesh central bank.
The February heist prompted Mary Jo White, chair of the U.S. Securities and Exchange Commission, to warn on Wednesday that cyber security is the biggest risk facing the financial system.
Bennett said cyber security had become a corporate governance concern for investors and that boards needed to ensure companies have controls in place to keep on top of the risks.
“I‘m not saying every board has to have a cyber expert, but if you’ve got competent people who understand the issues, can listen to an expert, assimilate that information, and make decisions accordingly, that’s what we want on the board,” Bennett told the summit in Hong Kong.
In many Asian markets, issuers are required to provide only minimal information on their board members, but BlackRock has been pushing for greater disclosure on board members’ experience and skill sets.
Bennett suggested that listing rules in the region should be changed to require companies to provide this extra information. “I think that is a fairly simple and quite unobjectionable change.”
Follow Reuters Summits on Twitter @Reuters_Summits
For more summit stories, see
Reporting by Michelle Price; Editing by Muralikumar Anantharaman