Nithya B. Das
General Manager, Governance and Chief Legal Officer

How to protect your board from third-party data risks

May 29, 2025

A late-night text to the external auditor. An email chain forwarded to outside counsel. Spreadsheet transfers — including sensitive compensation data — via free commercial software to the compensation consultant.

These channels are all convenient, especially when a filing deadline, audit or time-sensitive strategic decision looms. But are they safe?

You know the answer. One misguided email or account breach could trigger regulatory penalties, private legal action and confidentiality violations — costing your company millions in fines, damaging legal standing, and eroding corporate reputation and stakeholder trust. Yet third-party information-sharing often lacks the rigor of internal board communications.

Read on for a look at why such lapses happen, the potential consequences and what your board can do to run a tighter ship.

Rising repercussions for discoverability and privilege

When boards use insecure channels to share sensitive information, data protection isn’t the only risk — legal protections like discoverability and attorney-client privilege may be lost as well.

In WeWork v. SoftBank (2021), the Delaware Chancery Court ruled that emails sent through Sprint accounts — used by SoftBank representatives on WeWork’s board — were not protected by attorney-client privilege. Because Sprint was a third party, those communications weren’t considered confidential.

As law firm Fenwick & West noted, the case underscores the need for companies to closely examine how outside directors and others communicate, especially when using non-private, third-party accounts.

Subsequent cases reinforce the premise: Sensitive board business conducted via corporate or personal email accounts raises eyebrows. In Twitter v. Musk, a case disputing the billionaire’s purchase of the social media platform, a Delaware court pondered whether Elon Musk could claim privilege over communications sent from his SpaceX and Tesla email accounts.

The court ultimately ruled in Musk’s favor, but not all cases end up with such an outcome. In the 2022 bankruptcy of Asia Global, the trustee discovered emails about financial mismanagement sent and received through company accounts and stored on company servers. “The use of the corporate email system waived any privileges that otherwise existed,” the trustee declared.

Why smart leaders default to risky business

Even amid these high-profile cases, lax third-party communications persist.

One all-too-human reason: Email is the path of least resistance. When time is ticking and outside counsel or auditors need a quick answer, a well-used corporate email account puts a timely response at a busy director’s fingertips.

For some boards, technology is the issue. They might not have a dedicated platform for sensitive documents or secure messaging. Or, if such software exists, they may not feel comfortable using it, reverting back to tried-and-true (and insecure) channels when the pressure is on.

In other scenarios, board members may subconsciously see the portal as “for directors only.” Perhaps no mechanism exists for looping external parties into board business — or perhaps the process to get these parties on board is so cumbersome that everyone eventually gives up.

Finally, secure third-party communications might not be official board policy. In many boards, the rules only cover internal exchanges. For some, email/file-sharing protocols may not exist at all.


6 practical tips for closing the gaps

Outside counsel, accountants, auditors and other third parties are essential parts of the governance ecosystem. How can your board maintain timely communications with these important partners while reducing the risks?

1. Incorporate secure, savvy collaboration into official board policy

Set clear expectations and rules around what’s allowed and what’s not for board communications, especially in the case of external parties who regularly deal with sensitive issues.

2. Reinforce these policies with the right technology

Consider an online board portal for housing all official documents related to board business—a single “source of truth” accessible via multiple accounts. Look for built-in security features like encrypted communications and secure cloud-based storage.

3. Give your advisors seamless access

Set key contacts up with their own accounts. Make the system easy to use. Encourage adoption with official policies and your own directors’ behaviors as good examples.

4. Get a data room

When exchanging sensitive files and reports internally and externally, trade in email attachments and commercial cloud file-sharing apps for a self-contained, access-controlled, secure virtual data room (which should always come included, and fully integrated, with your chosen board portal).

5. Set up communications guardrails

Insist that third-party advisors and directors use dedicated email accounts for board business, with passwords and authentication set to the organization’s cybersecurity standards, and messaging instead of email threads for legal or sensitive collaboration. Forbid use of these accounts and channels for anything other than board business.

6. Keep on learning

Equip directors and partners alike with on-demand education about cybersecurity, data protection, best practices and the evolving legal environment. Consider a range of formats and delivery vehicles, like short courses, certifications, templates and videos.

Diligent is built to help

Diligent brings everything together in a single, secure, streamlined governance ecosystem. Diligent Boards houses sensitive information, board policies, and director education, while virtual data rooms enable secure file-sharing with features like controlled distribution, watermarking and audit trails.

See for yourself how Diligent helps boards close the loop on third-party risk. Get the guide to Securing Your Governance Ecosystem today.


© 2025 Diligent Corporation. All rights reserved.