In contemplating your governance career, you may recall practices that were considered appropriate and even progressive at one point in time, only to be supplanted by superior approaches. This is true not only of governance itself; it also applies to board operations. As we continue to witness, and participate in, the evolution of best practices in this digital age, it's only logical that the manner in which we support a board's capacity to govern effectively should also advance ' ideally in tandem.
That's not always the case, however. There will be some reading this whose organizations have yet to make the shift from manually preparing and sending off hard copy agenda packages (board books) for each and every committee and board meeting.
I remember ' and do not miss ' those days of the governance assembly line. Not only was this approach inefficient in terms of productivity and the financial resources invested in my compensation package, but confidentiality was a core concern. Independent of the need to be thoughtful in terms of how or when I photocopied stacks of assorted documents before making my way to the privacy of the boardroom and the long tables on which I'd begin building board books layer by layer, it wasn't unrealistic to anticipate late submissions.
Dealing with hard copy documents, we needed to safeguard against data breaches. It wasn't simply a case of ensuring that sensitive materials weren't inadvertently exposed to colleagues or office guests who shouldn't be privy to such documents. There was also the potential for data leaks should a director unexpectedly be away when the courier stopped by to deliver a voluminous board package. Directors respected the confidentiality of the materials sent them, but they undertook meeting preparation in a variety of settings. Each act of lugging materials from home to office to boardroom and back, or in the course of air travel, exposed the board to potential data leaks.
One fine day, after advocating for the acquisition of board portal software, the days of physical board books came to a close. While this represented progress, it was merely incremental. We launched an intranet with password-protected meeting packages. There were limitations, and different inefficiencies came to light. Nor was the system, while progressive for its day, as user-friendly as directors should reasonably expect.
Whether you and your board chair also championed the case for portal acquisition, or you were fortunate enough to join an organization that demonstrated such foresight prior to your recruitment, governance professionals with secure portals doubtless have a leg up on cybersecurity. From an operational perspective, however, it's important to note that governance professionals can make even better use of their portals to mitigate the risk of data breaches.
This is all the more relevant since it's not only the world of governance that's evolving. The University of Cambridge's Global Risk Index 2019 Executive Summary, published by the Cambridge Centre for Risk Studies, notes the raised risk of cyberattack, '...as the frequency and scale of cyber events is growing year on year.' This not-for-bedtime reading also informs us that the severity of cyberattack losses are on the rise, '...with several recent attacks showing the potential for systemic impacts with global reach.'
PwC's survey report drew attention to a refashioning of ransomware in light of the acceleration of geopolitical cyber activity. It noted the potential for digital daggers. That's daggers as in 'cloak and dagger'; in this context, we're talking about the potential targeting of organizations that operate or own critical infrastructure. That could also impact the organizations that rely on targeted companies. The survey report stated that, 'Without warning, lurking adversaries can unsheathe concealed, silent weapons to undermine economies, critical infrastructure, and public trust in vital systems.'
As if such observations weren't enough to demand that a good governance professional re-examine board operations in the context of the potential for data breaches, some governments have begun establishing accountabilities for resilience to cyberattacks. In 2016, the European Parliament adopted the Directive on security of network and information systems, also known as the NIS Directive. European Union (EU) members were given until 2018 to incorporate the Directive into their respective legislations.
In November 2018, the UK's National Cyber Security Centre (NCSC) published cybersecurity guidelines, objectives and principles, including statements against which boards and management can assess their effectiveness. The NCSC has tasked companies with the responsibility to take those lessons learned from cyber incidents to update and retest their respective response plans as necessary. This national body has also published a Board Toolkit, which eliminates any potential for confusion as to the board's role in cybersecurity.
It would be na?'ve to anticipate that the EU and the UK will be the only governments whose agencies continue to assess cyber risk management and assign responsibilities. It's early days, but there's already comparable work underway elsewhere. In the US, the 2019 'cyber sweep' being undertaken by the Securities and Exchange Commission's (SEC's) Office of Compliance Inspections and Examinations (OCIE) is but one illustration of expectations.
If you and your board have continued to share sensitive information by email, apps or text messages, you're in good company. Consider, though, the ramifications of a single data breach and how your board can turn to technology to mitigate such a risk.
Making the shift to a board portal represents a significant step forward for any board. Making a commitment to secure file-sharing technology will, for some, represent another bold change. Modern governance implies re-examining the current governance structure, including processes. It also implies avoiding easy cyber mistakes.
Raise the discussion of secure file-sharing technology with the full knowledge that some will resist the shift, even though such practices are, in and of themselves, a form of risk mitigation. Pay attention to those resisters and address their concerns, and those individuals may well become your greatest champions.
That's not always the case, however. There will be some reading this whose organizations have yet to make the shift from manually preparing and sending off hard copy agenda packages (board books) for each and every committee and board meeting.
I remember ' and do not miss ' those days of the governance assembly line. Not only was this approach inefficient in terms of productivity and the financial resources invested in my compensation package, but confidentiality was a core concern. Independent of the need to be thoughtful in terms of how or when I photocopied stacks of assorted documents before making my way to the privacy of the boardroom and the long tables on which I'd begin building board books layer by layer, it wasn't unrealistic to anticipate late submissions.
Paper in the Boardroom? Make It a Thing of the Past
Whether justifiable or simply frustrating, every late submission resulted in the insertion of a physical placeholder in each and every book before transferring multiple incomplete packages back to my office for secure storage until all the deliverables were in. Corporate secretaries and other governance professionals will recognize the understatement when I say that the workflow was cumbersome.Dealing with hard copy documents, we needed to safeguard against data breaches. It wasn't simply a case of ensuring that sensitive materials weren't inadvertently exposed to colleagues or office guests who shouldn't be privy to such documents. There was also the potential for data leaks should a director unexpectedly be away when the courier stopped by to deliver a voluminous board package. Directors respected the confidentiality of the materials sent them, but they undertook meeting preparation in a variety of settings. Each act of lugging materials from home to office to boardroom and back, or in the course of air travel, exposed the board to potential data leaks.
One fine day, after advocating for the acquisition of board portal software, the days of physical board books came to a close. While this represented progress, it was merely incremental. We launched an intranet with password-protected meeting packages. There were limitations, and different inefficiencies came to light. Nor was the system, while progressive for its day, as user-friendly as directors should reasonably expect.
Creating Document Ease With Secure-File Sharing
We recognized that we had to do better and became one of the first boards in our sector and region to acquire externally sourced board portal software. We established confidence that meeting materials were secure and made the system friendly to busy people. After synching materials, directors could access board books with or without internet access ' and without the multiple passwords we'd required in our intranet days! As a governance professional, the capacity to digitally assemble board books was akin to a gift from the time gods. Hours previously allocated to cumbersome book building and then intranet management were now far better invested in attention to strategic matters.Whether you and your board chair also championed the case for portal acquisition, or you were fortunate enough to join an organization that demonstrated such foresight prior to your recruitment, governance professionals with secure portals doubtless have a leg up on cybersecurity. From an operational perspective, however, it's important to note that governance professionals can make even better use of their portals to mitigate the risk of data breaches.
This is all the more relevant since it's not only the world of governance that's evolving. The University of Cambridge's Global Risk Index 2019 Executive Summary, published by the Cambridge Centre for Risk Studies, notes the raised risk of cyberattack, '...as the frequency and scale of cyber events is growing year on year.' This not-for-bedtime reading also informs us that the severity of cyberattack losses are on the rise, '...with several recent attacks showing the potential for systemic impacts with global reach.'
Secure Meeting Workflow: Preventing Data Breaches
Keep those thoughts in mind while contemplating the results of PwC's 22nd Annual Global CEO Survey, which reflects the views of 3,000 business leaders in 81 territories. Released in March 2019, the results showed that, globally, 72% of the surveyed CEOs say their companies may be affected by geopolitical cyber activity. In North America, that percentage climbed to 76%. Despite this, only 15% of the surveyed CEOs were able to assert strongly that their companies are cyber resilient.PwC's survey report drew attention to a refashioning of ransomware in light of the acceleration of geopolitical cyber activity. It noted the potential for digital daggers. That's daggers as in 'cloak and dagger'; in this context, we're talking about the potential targeting of organizations that operate or own critical infrastructure. That could also impact the organizations that rely on targeted companies. The survey report stated that, 'Without warning, lurking adversaries can unsheathe concealed, silent weapons to undermine economies, critical infrastructure, and public trust in vital systems.'
As if such observations weren't enough to demand that a good governance professional re-examine board operations in the context of the potential for data breaches, some governments have begun establishing accountabilities for resilience to cyberattacks. In 2016, the European Parliament adopted the Directive on security of network and information systems, also known as the NIS Directive. European Union (EU) members were given until 2018 to incorporate the Directive into their respective legislations.
In November 2018, the UK's National Cyber Security Centre (NCSC) published cybersecurity guidelines, objectives and principles, including statements against which boards and management can assess their effectiveness. The NCSC has tasked companies with the responsibility to take those lessons learned from cyber incidents to update and retest their respective response plans as necessary. This national body has also published a Board Toolkit, which eliminates any potential for confusion as to the board's role in cybersecurity.
It would be na?'ve to anticipate that the EU and the UK will be the only governments whose agencies continue to assess cyber risk management and assign responsibilities. It's early days, but there's already comparable work underway elsewhere. In the US, the 2019 'cyber sweep' being undertaken by the Securities and Exchange Commission's (SEC's) Office of Compliance Inspections and Examinations (OCIE) is but one illustration of expectations.
Next Steps For the Board
Where does all this leave you and your board? In addition to providing effective oversight of organizational cybersecurity, directors ' along with you and your management colleagues ' need to walk the walk. Think about the scope and sensitivity of information shared between you, management and your directors ... and how you share it. With Diligent, you and your board can take advantage of board portal technology for secure, end-to-end data sharing and collaboration. You can rely on Diligent's strong encryption, access controls and auditing capabilities for your board and committee meetings. Consider it time to take full advantage of protected data rooms, secure messaging tools and more as you transfer your other governance communications to Diligent's private, cloud-based network.If you and your board have continued to share sensitive information by email, apps or text messages, you're in good company. Consider, though, the ramifications of a single data breach and how your board can turn to technology to mitigate such a risk.
Making the shift to a board portal represents a significant step forward for any board. Making a commitment to secure file-sharing technology will, for some, represent another bold change. Modern governance implies re-examining the current governance structure, including processes. It also implies avoiding easy cyber mistakes.
Raise the discussion of secure file-sharing technology with the full knowledge that some will resist the shift, even though such practices are, in and of themselves, a form of risk mitigation. Pay attention to those resisters and address their concerns, and those individuals may well become your greatest champions.
