Security Focus at the Corporate Board Level

Imagine a boardroom a generation ago. Smoke fills the air, and sidebar discussions thrive while the board members wait for the presentation to begin. Manila packets filled with research, financials and other sensitive information are distributed around the table. The meeting progresses, a decision might be made, and afterward the packets are collected in their entirety and destroyed lest they fall into the wrong hands, compromising company research or spilling sensitive secrets.

So what happens today, when technology is so prevalent? In a recent study conducted in August-September 2011, Thomson Reuters surveyed general counsel and corporate secretaries to understand how company information is secured when provided to corporate board members. The study, titled “Better board governance: Communication, security, and technology in a global landscape of change,” looked at a global cross-section of companies from a variety of industries. These companies ranged in size from under $500 million to over $10 billion. The results indicated a lack of security procedures for corporate board information management.

Board Communication and Security

In today’s world of technology, board members can be distributed across the globe and meetings are sometimes virtual. Surprisingly, though, a majority of companies, 61%, still utilize paper and courier to transmit information to board members. Another 49% transfer documents through email. Unless encryption is used, email is not a secure method for transmitting confidential documents. Only 10% of companies use specific email accounts set up for board members to deliver information. Instead, a whopping 65% said they never use the corporate email network. In these situations, the email is usually sent to a private email account where security rules are not defined by the organization, so security cannot be controlled.

A scant 21% of companies surveyed utilize a secure portal for transmitting board documents. This method is the most secure of the three, but sadly it is used by the smallest percentage. Secure portals use an encrypted channel to transmit information, so data is protected against eavesdropping. Additionally, in secure portals, Digital Rights Management (DRM) settings can be applied to information so that it does not leave the portal, and access to information within the system can be audited.

Document Retention

With 61% of companies using paper to distribute documents, the next logical question is whether a policy is in place for the destruction of such documents after they have been used. The survey found that 63% of companies require their members to destroy copies of board-related documents. However, only 30% of all enterprises surveyed suspected that the board members did delete, shred, or destroy them. Also, 60% suspected that one or more board members retain documents on their personal devices, whether a computer, smartphone, or tablet. Not only is this a risk for data disclosure, but it also creates additional effort for eDiscovery, since the personal devices of board members could contain information related to litigation.

Board Scrutiny

On a more positive note, 64% of companies surveyed are experiencing more scrutiny of their board practices compared to last year. This increase falls into line with stricter governing guidelines and regulations. The Thomson Reuters report showed that the most difficult challenges relating to board governance are regulatory flux, global boards, effective controls, and time. The governance breakdown shows that 44% attempt to adhere to local governance norms and another 39% adhere to global governance norms. A small percentage, 17%, is trying to go beyond minimal governance requirements.

Security is necessary for the protection of vital information within companies.  As such, companies do a lot to protect themselves and their information.  However, serious deficiencies in security are seen in the processes surrounding information given to corporate boards.

Many corporations are still using unencrypted or personal email accounts or snail mail to send confidential board documents, and policies for document destruction are routinely not followed, potentially allowing information to be lost or stolen. Board members operate mostly outside of the organization, but when handling corporate information they should treat it the same way organizational employees do, such as by observing corporate data retention and destruction policies. If you are concerned about information leakage from board members, consider training on secure information handling procedures and create a method, such as a secure portal, for distributing information to the board.


About The Author

Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.


  1. It’s amazing how security can be so lax with the decision makers while security controls are enforced for those doing the work.

  2. There needs to be training for board members and C-level executives so that they can understand good security practices. Often these individuals are “above the law” in organizations.
