NEW YORK–Three fourths of corporate board of director members view cyber breach as a serious operational threat, said panelists here at Advisen's Cyber Risks Conference.

Until they plug into a cyber risk management framework, however, data breach remains a live wire of exposure.

According to Jody Westby, CEO of Global Cyber Risk, in 2008 Carnegie Mellon University reported around 6 percent of board of director members were looped in to the gravity of cyber risks. By 2012, the number had jumped to 56 percent. Today, three fourths of directors note it as a concern, but “have no real plan to manage privacy and security.”

“From a carrier perspective, there isn't much cross communication between cyber and management guidelines,” said Kirstin Simonson, underwriting director at Travelers.

The need is there. Chubb has calculated that each lost record costs $188, and breach victims can expect to face hundreds to thousands of leaked records per event.

Furthermore, scrutiny of cyber risk management will “inevitably be pushed into regulation,” said Ben Beeson, partner at Lockton Companies. Securities and Exchange Commission (SEC) guidelines, effective February 2014, call for increased cyber risk information sharing between U.S. companies and the federal government, and seek to create by February of next year a common cyber security framework for all organizations.

The SEC is interested not only in the amount of personally identifiable information (PII) lost in a breach, but also in business and service interruption factors and scenarios. It regards senior management as the responsible party for setting mitigating strategies for these scenarios, said the panelists, and it is the board of directors' responsibility to supervise senior management in their efforts.

“If anyone argues about the importance of creating a cyber risk plan, the SEC has already sent over 50 letters to board of director members about their unsatisfactory frameworks,” said Gerald Ferguson, CEO of Universal Solutions International. “This is the way enforcement initiatives start–with polite letters from the staff.”

Cyber risk is not just a regulation issue, but also a reputation issue, says Westby, since at the end of the day, there is “nothing more damaging to a company than reporting to customers that their PII has been leaked.”

The panelists said that pushing the importance of cyber risk management onto corporate clients falls on insurers, by developing cost/benefit analysis for buying cyber insurance and focusing on the market impacts of cyber breaches. This is a challenge, as much of the fallout of data theft, such as loss of business secrets and client trust, is uninsurable.

Insurers can look back to Y2K, said Ty Sagalow, president of Innovation Insurance Group, when the industry pulled together to face a looming, more than multi-million dollar threat. Some underwriters even developed special Y2K policies, and those companies that didn't look into Y2K exposure management strategies ended up with an exclusion for losses caused by the event if the event came to pass.

“It was a combination of underwriting and innovation that paved the way to serving client's needs while ensuring (policy) profitability,” said Sagalow.
