Winter is coming. As it approaches, people in many locales routinely check that they’re prepared for the inclement weather that almost inevitably arrives with the season. Booking flights to dry, sunny climes may be one inspired solution, albeit a temporary one. Whether other preparations are as routine as installing winter tires on your car, caulking window and door frames or ensuring that the roof over your head won’t leak, it’s simply common sense to protect your assets.
Have you and your directors ever considered whether, when it comes to the security of your governance data, you may have a potentially leaky board?
As cybercrime continues to accelerate and evolve, it’s worth assessing whether you and your board are being proactive and adopting common sense measures to take care of your organization. This goes beyond matters historically considered in discussing enterprise risk management (ERM) reports and risk registers. I’m referring here to protecting your organization against data leakage and against cyberattacks, which have become even more prevalent than extreme winter weather.
Inadvertent data leakage is a risk that can present itself in several ways. Let’s start by considering how you assemble and circulate your meeting books/packages. As of Spring 2018, slightly less than a third of North American boards (32%) rely on board portal software as part of their governance operations.
This is just one of the findings of Forrester Consulting’s October 2018 report, Directors’ Digital Divide: Boardroom Practices Aren’t Keeping Pace With Technology. The report follows Forrester’s April 2018 study, commissioned by Diligent Corporation in order to evaluate the technology used for board governance.
After surveying 411 governance professionals across 11 countries in North America, Europe and the Asia Pacific region, Forrester found that the rate at which boards incorporate secure software into their governance operations varies from region to region. While barely a third of North American boards have board portal software, the usage rate climbs to 48% among European boards. In Asia Pacific, 54% of boards rely on such software.
Secure Board Management Software
If your board is among those that haven’t invested in a portal/secured board software package, how do you make meeting packages available to your board members (directors)?
At more than a few organizations, it’s routine for the corporate secretary (governance professional) to send PDF documents, ideally password-protected, via email. Other governance professionals continue to produce hard copy agenda packages and then entrust external directors’ packages to courier services. When it comes to internal recipients, you may hand deliver their packages or rely on inter-office distribution. Such hard copy meeting packages are not only time- and labor-intensive to produce and circulate; they may be less than secure in terms of data protection.
However, it’s not only hard copy meeting packages that pose the risk of potential data leakage. If you send PDFs of meeting packages care of directors’ personal email addresses, that practice also poses an element of risk. This is because hackers are known to specifically target directors and those who support C-level executives.
Recognition of the risks associated with potential data leakage may serve as the tipping point when it comes to your directors determining if the time has come to allocate resources for board management software. If the term Enterprise Governance Management (EGM) is new to you and your board, it may also be one that you’ll collectively welcome. EGM is the application of technical tools and resources to address governance needs; a portal itself is one component of EGM. As a governance professional, you not only achieve efficiencies when you shift from hard copy or PDF agenda packages to a board portal, you’re mitigating cyber risks for your directors and the organization itself.
It’s one thing to have a portal/board management software for your meeting packages, but then you also have myriad governance communications that take place independent of board meetings. Once there’s shared recognition that directors and those who support them are potential phishing (“whaling”) targets, you may look at your respective email practices in an entirely new light.
Mitigating Risk With a Board Portal
Let’s think risk mitigation. Take a bit of time to reflect on the substance of the governance-related emails and attachments you sent and received in the last quarter. If any of those communications involved director evaluations, retreat, succession, agenda or strategic planning, external or labor relations, legal issues, a risk register, prospective acquisitions or even certain minutes, and if you sent any of these communications to or from a personal email address, your board and organization are vulnerable. You’re vulnerable not only to hacking, but also to inadvertent data leakage should a director’s hardware go missing. Hardware loss is not uncommon; Forrester reported that 30% of directors lost or misplaced a hardware device in the previous year.
If your governance communications have been transmitted to or from a personal email address, you’re not alone in your practices. Forrester reported that 56% of directors use personal email rather than business-regulated email to communicate with fellow directors and their contacts within the organizations they lead. Fifty-one percent of C-level executives take the same approach.
Forrester found that, across all regions, even directors whose boards provide board portal software use their personal email accounts for board communications. The study also illuminated misperceptions when it comes to communication vulnerabilities: While a significant percentage of boards are concerned about the security of data sharing and board communications, directors and governance professionals alike don’t necessarily recognize that use of personal email addresses presents a risk. These savvy leaders may think they’re protecting privacy in bypassing business-regulated email systems and relying on personal email, but they’re inadvertently opening up a different can of privacy risks.
Identifying this exposure may be among the more crucial services you can perform for your board and corporation or organization. The next logical step is presenting your board with potential solutions, and Diligent Messenger is a practical innovation that serves as one more layer of EGM. It’s a tool that enables you and your board to write to one another securely – much like texting – and to share attachments. You can choose to send a message and attachments to the board as a whole, or to a specific committee, group or individual.
Improving Board Communication
Those communications that you know your directors circulate solely among themselves? They can also be communicated privately within Diligent Messenger. You, management and your board are able to communicate in real time, and the system can integrate seamlessly with Diligent Boards™ or function as a stand-alone product for your board.
If you support the board of a public company that reports to the US Securities and Exchange Commission (SEC), then Directors and Officers (D&O) questionnaires are a fact of life. They support your completion and submission of annual Form S-1 filings in compliance with the Securities Act of 1933. Independent of SEC compliance, boards may require prospective directors to complete D&O questionnaires in order to assess director independence as well as financial expertise relative to federal securities legislation. How many directors send you their completed questionnaires, which contain portfolio and personal information, via email?
If you and your directors want the peace of mind afforded through secure data transmission, this is another area in which Enterprise Governance Management (EGM) can help. Directors and executive officers are able to complete the Diligent D&O Questionnaire within the board portal. You and your individual directors also benefit from efficiencies. Busy directors will appreciate that the Diligent D&O Questionnaire presents solely those questions that apply to an individual director, as opposed to requiring individuals to invest time reviewing a traditional questionnaire and assessing which questions apply to them.
People aren’t always receptive to new ideas or technology, so it may be reassuring to know that directors themselves recognize that there are security issues. Forrester reported that 87% of boards are mildly to extremely concerned about the security of their board communications and data sharing. It’s telling that a full 41% of boards landed at the high end of that spectrum, reporting that they are very concerned. Once informed on the specifics of these risks, and the available solutions, your board may be more receptive than you’d think to investing in EGM components that will better protect its data.