Vulnerability at the Highest Level: Corporate Boards

Eric Vanderburg

Imagine a boardroom a generation ago.  Smoke fills the air and sidebar discussions thrive while the board members wait for the presentation to begin.  Manila packets filled with research, financials and other sensitive information are distributed around the table.  The meeting progresses; a decision might be made, and afterwards the packets would be collected in their entirety and destroyed lest they end up falling into the wrong hands, compromising company research or spilling sensitive secrets.

So what happens today, when technology is so prevalent?  In a recent August-September 2011 study, Thomson Reuters surveyed general counsel and corporate secretaries to understand how company information is secured when provided to corporate board members.  The survey, titled “Better board governance: Communication, security and technology in a global landscape of change,” looked at a global cross section of companies from a variety of industries.  These companies ranged in size from under $500 million to over $10 billion.  The results indicated a lack of secure procedures for corporate board information management.

Board Communication and Security

In today’s world of technology, board members can be distributed across the globe and meetings are sometimes virtual.  Surprisingly, though, a majority of companies, 61%, still use paper and courier to transmit information to board members.  Another 49% transmit documents through email.  Unless encryption is used, email is generally not a secure method for transmitting confidential documents.  Only 10% of companies use specific email accounts set up for board members to deliver information.  Instead, a whopping 65% said they never use the corporate email network.  In these situations, the email is usually sent to a private email account where security rules are not defined by the organization, so security cannot be controlled.

A scant 21% of companies surveyed use a secure portal for transmitting board documents.  This method is the most secure of the three, but sadly it is used by the smallest percentage.  Secure portals use an encrypted channel to transmit information, so data is protected against eavesdropping.  Additionally, in secure portals, Digital Rights Management (DRM) settings can be applied to information so that it does not leave the portal, and access to information within the system can be audited.

Document Retention

With 61% of companies using paper to distribute documents, the next logical question is whether a policy is in place for the destruction of such documents after they have been used.  The survey found that 63% of companies require their members to destroy copies of board-related documents.  However, only 30% of all companies surveyed suspected that the board members actually did delete, shred, or destroy them.  Also, 60% suspected that one or more board members retain documents on their personal devices, whether a computer, smartphone, or tablet.  Not only is this a risk for data disclosure, it also creates additional effort for eDiscovery, since the personal devices of board members could contain information related to litigation.

Board Scrutiny

On a more positive note, 64% of companies surveyed are experiencing more scrutiny of their board practices when compared to last year.  This increase is in line with stricter governing guidelines and regulations.  The Thomson Reuters report showed that the most difficult challenges related to board governance are regulatory flux, global boards, effective controls, and time.  The governance breakdown shows that 44% attempt to adhere to local governance norms and another 39% adhere to global governance norms.  A small percentage, 17%, is trying to go beyond minimal governance requirements.

Summary

Security is important for the protection of vital information within companies.  As such, companies do a lot to protect themselves and their information.  However, serious deficiencies in security are seen in the processes surrounding information given to corporate boards.

Many corporations are still using unencrypted or personal email accounts or snail mail to send confidential board documents, and policies for document destruction are routinely not followed, potentially allowing information to be lost or stolen.  Board members operate mostly outside of the organization, but when handling corporate information they should treat it the same way organizational employees do, such as by observing corporate data retention and destruction policies.  If you are concerned about information leakage from board members, consider training on secure information handling procedures and create a method, such as a secure portal, for distributing information to the board.

For more information

Many Corporate Boards Are Pretty Much Waiting to Get Hacked

Better board governance: Communication, security and technology in a global landscape of change
