Why Boards Need to Pay Attention to Cybersecurity

Nicholas J Price
Financial regulators and lawmakers have directed much of their recent attention to high-profile cybersecurity incidents. Media stories over data breaches are creating serious concerns over protecting investors and customers.

The Securities and Exchange Commission (SEC) is sounding a warning for public companies with weak cybersecurity controls. The regulator has also given a clear indication of the type of internal controls that it expects from publicly traded corporations.

Most boards welcome guidance from the SEC, but protection for boards doesn't need to stop there. Technology is available that protects boards' sensitive work and enhances enterprise governance management, but the reality is that boards just aren't using it. With the level of regulatory and legal scrutiny increasing, it's more important than ever for corporate boards to be investing in board governance management software solutions.

High-Profile Incidents Lead to SEC Investigations

One of the more notable incidents that caught the attention of the SEC was the 2017 Equifax data breach. The credit reference company was victimized with the loss of personal information of over 145 million individuals.

Social media giant Facebook, no stranger to public scandals, also became a victim of cybercrime in recent months. Hackers stole data from over 29 million Facebook accounts, causing far-reaching concern among users and investors.

The SEC Issues a Warning About Increasing Cybersecurity Measures

According to the FBI, cybersecurity scams have led to $5 billion in corporate losses since 2013. The media reports prompted the SEC to conduct an investigation of nine unidentified companies that were victims of cyber-related fraud. Its goal was to assess whether the companies had implemented internal accounting controls strong enough to comply with federal laws.

The SEC focused its investigation on business emails that cybercriminals tapped into. The hackers, who posed as corporate executives, deceived staff into sending company funds to hacker-controlled bank accounts.

In this activity, the hackers took a slightly unusual approach. The SEC notes that hackers used technology to detect human vulnerabilities in the companies' internal control systems. The investigation learned how the attack ensued after they detected that there was nonpayment on an unusual number of outstanding invoices.

For now, the SEC has not imposed fines or penalties on companies. However, they've made it clear that companies have obligations to maintain adequate and appropriate internal accounting controls. They've also made it explicit that their concerns lie specifically with cybercrime.

The Equifax data breach prompted the SEC to issue guidance on how and when they expect companies to disclose cybersecurity risks and breaches, including any known or potential weaknesses in their systems. With the SEC on high alert, corporations can expect to see fines or worse if they don't heed the SEC's recent warning.

Current Governance Habits and Practices in the United States and Canada

We can learn much about board communication habits from the April 2018 Forrester Consulting study of 411 governance professionals from 11 countries in North America, Europe and Asia Pacific. As noted in their thought leadership paper, Forrester reports that most corporations don't associate their communication practices with their cybersecurity postures.

The study revealed that board directors communicate board-sensitive information using their personal email accounts about 50% of the time, as reported by all respondents. In North America, board directors use personal email accounts for internal board communications about 53% of the time. The study also showed that 87% of boards were concerned about sharing data over insecure communication platforms.

The SEC's warning makes it clear that boards can't continue to rely on poor security practices and haphazard approaches to protecting their board materials and communications from cyberattacks. Every publicly listed company should be using a board portal and communications platform that has the highest levels of security available.

How Boards Can Take the Lead on Cybersecurity

Corporate boards need board management technology that provides end-to-end governance management. Integrated technology helps boards learn where their greatest areas of risk lie. Technology also allows boards to view scorecards of governance categories and gain insight on company operations. Integrated technology helps boards identify potential areas of risk faster and more completely. Working together, and with the aid of a top-notch board governance management software system, boards and managers can tackle the company's vulnerabilities with confidence. Still, too few companies are taking advantage of this valuable technology.

With Diligent Messenger, boards can ditch their bad habits of using free and insecure personal and business emails. The right formula for board technology is to implement a secure board portal with fully integrated apps and solutions that support the full spectrum of governance activities, including the use of Virtual Deal Rooms (VDR). In fact, the Forrester study showed that the United States and Canada have been the slowest to get on board with VDR technologies. Only 16% of North American boards are using Virtual Deal Rooms.

The right solution is Governance Cloud by Diligent. It's a fully integrated suite of board management governance solutions with high levels of security across the platform. The Forrester thought leadership report showed that North American boards most need minute-taking software, project management features, archiving and search functionality to do their jobs better.

Companies may have to face compliance violations and reputational loss as a result of a devastating data breach. Many corporations may be able to handle fines, but the loss of customers can be difficult to come back from.

Digital solutions eliminate worries about important board books and papers getting lost or misplaced. About 29% of the companies stated that they still use paper packets for board meetings. About a quarter of respondents in the Forrester study said that their boards had lost paper packets over the last year.

While paper-based documents are quickly becoming antiquated, board directors have also been known to lose or misplace cell phones, tablets and laptops. About 45% of North American governance professionals admitted to losing or misplacing one of their electronic devices. Loss of an electronic device easily generates worry over fraud, corruption and cybercrime.

Diligent offers a remote wiping capability that erases all information on a lost or stolen electronic device that contains sensitive board information, keeping data and other information out of the hands of hackers.

An enterprise governance management system like Governance Cloud won't solve every problem that boards have, at least not yet. Diligent promises to continue providing the latest innovations in enterprise governance management. Strong security practices will make it less likely that corporations will face a cyber-related crisis in the future. Companies that employ fully integrated governance solutions like Governance Cloud send the message to the SEC that they're taking the strongest steps possible to ward off cyberattacks.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.