Avoiding Technological Risks in the Boardroom

Nicholas J Price
Technology is a wonderful thing when it opens up new opportunities for corporations to create efficiency, promote growth and improve communications. Board directors are aware that advances in technology have not only created opportunities, but they've created newer and more complex risks. As cyberattacks become the norm, board directors are learning how to move their knowledge of cyber risk from awareness to action.

Cyber risks can come in multiple forms. Most boards are aware that hackers have the technical knowledge to tap into their systems and steal private data. In their quest to protect the corporation's major assets, many boards overlook the risk of hackers tapping into their intellectual property, for example by silently visiting a board meeting through video or teleconferencing equipment.

Fortunately, where there is cyber risk, there is often an equally matched cyber solution. Diligent Corporation has become an industry leader in developing software solutions with the latest in cybersecurity enhancements that protect board communications and activity around the clock.

The Evolution of Boards' Knowledge of Cybersecurity

According to a February 2018 Deloitte report, boards' knowledge of technology and cybersecurity evolves in three stages: acceptance, understanding and action.

Boards that are in the acceptance stage are learning to identify threats and actors and how they could impact risk and the business. They're gaining information from their board peers in the same and different industries on their approaches to cybersecurity. Board directors are also engaging the help of cyber experts and learning what steps other corporations are taking to combat risk. Accepting cyber risk as part of their risk oversight activities means assessing risk management relative to the whole business framework.

Boards in the understanding stage know where their cyber exposure lies and understand the controls their company has implemented. They have started the work of creating a cyber risk management plan and are engaging management to help manage risk on an ongoing basis.

Boards that are in the action stage typically either already have a board director with technology experience or have appointed a technology committee. Such boards have a good idea of their risk tolerance in relation to their budget. They're engaging in independent testing and have processes in place to respond appropriately to cyberattacks.

Key Concepts Concerning Technological Risks

Boards need to place a high priority on two key concepts regarding technological risks: understanding the basic ways that cyberattacks can negatively affect their business, and having a keen understanding of what a good cybersecurity program looks like. Cyberattacks may adversely affect a business in the following ways:

  • Financial loss, which includes fraud, identity theft and loss of intellectual property.
  • Reputational loss, which affects the strength of branding and breaches trust with customers, regulators, vendors and shareholders.
  • Operational loss, which disrupts operations and processes and brings the business to a halt.
  • Loss or destruction of data or assets, including cyber criminals holding systems hostage for ransom.
  • Regulatory impact, which includes fines due to negligence and supervised remediation for not complying with disclosure expectations or requirements.
  • Life and safety consequences, whereby cyberattacks can shut down vital life and societal services, such as healthcare, energy and utilities, thus damaging or destroying quality of life.

A good cybersecurity program enlists the guidance of cybersecurity experts who can help to address the points listed above and continue to monitor systems and operations for vulnerabilities.

Technological Risks Invade Corporate Boardrooms Globally

Perhaps the biggest threat to a corporation's intellectual property is an invisible visitor to a corporate boardroom. H.D. Moore, a CIO for Rapid7, a cybersecurity company, conducted an experiment in 2012 to demonstrate how easily someone with technological expertise could hack into a corporate board meeting and see and hear everything that was going on.

Moore developed a software program that allowed him to scan the internet for videoconference systems that were running outside of firewalls and were configured to automatically answer incoming calls. In less than two hours, Moore had already scanned 3% of the internet. During that small window of time, Moore detected 5,000 conference rooms at law firms, medical companies, oil refineries and universities that were wide open to anyone who had the appropriate technical knowledge to call in.

To further demonstrate the technological vulnerabilities of board meetings, Moore successfully hacked into a meeting between an inmate and his lawyer at a prison and also made a virtual visit to an operating room at a university medical center. Moore also tapped into a venture capital pitch meeting and zoomed in on the company's financials as they appeared on a screen.

The experiment led to the discovery of cybersecurity vulnerabilities of certain manufacturers' video and teleconferencing equipment. Moore was even able to zoom in closely enough to read documents sitting on the conference table in front of board directors.

Moore's demonstration exposed how easily corporate boardrooms across the globe could be penetrated. His findings revealed that the video and teleconferencing equipment that corporations relied on for convenience was designed with visual and audio clarity in mind, with little or no regard for security. In addition, while some of the equipment had built-in security features, administrators often set up the equipment outside firewalls, which allowed access to corporate meeting rooms to anyone who knew a meeting was being held there. The lesson here is that companies need to be sure their video and teleconferencing equipment has a 'gatekeeper' that easily connects calls from outside the firewall.

Using Technology to Avoid Technological Risks in the Boardroom

The best way to combat cyber risks is with cyber solutions. Diligent Corporation takes the lead in software development for boards of directors with a suite of products called the Governance Cloud.

Diligent Boards is a highly secure portal that Diligent designed with the workflow and security needs of board directors in mind. With Diligent Boards, board directors can work online or offline anywhere in the world. Diligent Boards provides a system for board directors that has iron-clad physical security and robust encryption.

Diligent knows how important secure communications are for board directors. Diligent Messenger lets board members communicate in real time using software that offers the same high level of security as that of Diligent Boards.

Diligent Minutes is another software product that includes the same vigorous security measures for minute takers to record and preserve meeting minutes without fear of unknown intruders getting hold of sensitive information.

Another important area of board management where security is of the utmost importance is entity management. Diligent's Entity Management software offers a single source for all entity-related information to ensure that corporations meet their legal obligations and requirements with precision, accuracy and timeliness.

Regardless of whether your corporation is in the stage of acceptance, understanding or action, Diligent offers a highly secure technological solution for every governance process, including board business, messaging, minute taking, D&O questionnaires, evaluations, entity management and voting. Diligent Boards and the products in the Governance Cloud protect your boardroom from invisible visitors and ensure that your boardroom activities remain secure.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.