When was the last time you misplaced board papers or an iPad? How often do you communicate board information by email rather than using a secured network? A recent global study conducted by Forrester and Diligent revealed some unsettling board communication practices that could potentially expose today’s organizations to cyber risks.
Boards and governance professionals across 11 countries were surveyed about how they currently use technology in the boardroom. Not only did the survey aim to identify current gaps in board technology use, but it also revealed distinct opportunities for technology to fill a void, particularly related to ESG, risk monitoring, and visibility across the organization.
Board Communication Practices
Insight #1: Boards are concerned about data security at their organizations; yet, they don’t always associate their own communication practices (e.g., personal email use) with the company’s cybersecurity posture.
- 87% indicate that it would be “valuable/very valuable” if they had improved visibility of cybersecurity across their organization.
- 87% are at least mildly concerned about the security of their board’s communication and data sharing.
- Nearly half (49%) indicated that “securing documents or board materials” is challenging/very challenging; yet, only 16% said that secure messaging would help them do their job better.
- 50% indicated they still use personal email for internal board communications.
- Nearly 30% of board members said they had lost/misplaced a device in the past year; another 23% reported losing/misplacing paper assets.
- 21% of directors indicated that someone on their board had their identity stolen and used to access sensitive board materials within the last 12 months.
At this point, cyber risk oversight is at the top of board priority lists. Yet, this report reveals that directors and governance professionals don’t always recognize the danger in their individual communication practices.
Popular email services like Gmail, AOL, and Yahoo are not secure. Not only are these common email services easier to hack, but someone with bad intentions may not have to go to such lengths. In a recent exposé, the Wall Street Journal revealed that private Gmail messages between users can be read by human third parties, something Gmail users technically agree to in the terms and conditions.
Even when used for incidental board communication, personal email can be a point of intrusion. Directors often take comfort in the fact that they primarily use personal email for discussing incidental board matters. However, the reality is that personal email accounts, like any other unencrypted or ill-encrypted digital gateway, can be used as a point of entry into a person’s computer, tablet, or phone. Furthermore, email communications cannot be remotely wiped on a lost device the way certain board management software allows.
The SEC is expected to take a stronger stance on cyber breaches going forward. In October 2018, the Securities and Exchange Commission (SEC) published an investigative report to assess whether nine public companies, which had recently been exposed to a cyber breach, were at fault for not implementing internal controls related to internal training and employee practices. While the SEC chose not to pursue any enforcement action, it warned companies that the lax oversight around these human-related infractions would be assessed with greater scrutiny going forward. Board members and governance professionals must keep in mind that they are high-value targets for these types of phishing attempts as they are often in possession of the most sensitive company information.
Opportunities for Technology in the Boardroom
Insight #2: Globally, boards indicate that there’s an information gap when it comes to the data they have and the data they need in order to oversee risk, operations, and strategy effectively.
- 76% indicated that it would be “valuable/very valuable” if they had improved visibility of sustainability/ESG issues across their organization.
- Board-support and governance professionals globally indicated that “visibility into sustainability and ESG issues” is their greatest dissatisfier (more so than visibility into cyber risk).
- 86% said that ESG benchmarking (to inform talent acquisition and long-term financial performance) is “important/very important” to them.
- Only 23% of boards said that their current board management software helps them understand the areas of greatest organizational risk.
- Only 19% of boards said that their current board technology solution provides them with a scorecard for key governance categories.
- 40% of boards who experienced a crisis in the past two years received no help from (or were hindered by) their current board software.
The risk environment that today’s boards must oversee continues to grow in size and complexity. Without clear visibility across the organization–and without a dashboard equipped for real-time reporting and threat notification–there are too many opportunities for warning signs to fall through the cracks. Boardroom technology must begin to fill these gaps in the data, which this report clearly defines.
ESG will become increasingly central to board reporting and disclosure. Investors have begun pressing boards to explain how their organization is integrating Environmental, Social and Governance (ESG) considerations into strategy and operations–an approach that major institutional investors see as critical to long-term value creation. At Corporate Board Member’s 2018 General Counsel Forum, State Street’s Rakhi Kumar explained how ESG awareness differs from fluency:
Board members are aware of some of these [ESG] issues, but they’re not always fluent. And that lack of fluency gives it away that they’re not really discussing ESG at the level they should be.
ESG fluency will require a deep understanding of how environmental, social and governance practices are shaping the organization for long-term success, particularly when “an ESG focus” can entail significant upfront investments. Corporate culture is one such ESG-related area that investors will be focused on in the months ahead. How must board technology solutions evolve to help directors catch cracks in corporate culture before they become a flood?
While the technology described above is on its way, the first step is for boards to bring their existing tools (e.g., secure messaging, document sharing, evaluations) under one secure roof, a movement that’s been termed Enterprise Governance Management (EGM).
Don’t miss further insights from this report via Forrester and Diligent. It’s always helpful to understand how your practices measure up to other boards. And don’t miss our recent Board Oversight Series, which sheds light on best practices for data security.