Most major corporations have "significant security gaps that leave sensitive board-level information open to information theft and hacking," according to the governance, risk and compliance unit of Thomson Reuters.
In a survey of board members, corporate secretaries and company lawyers conducted in August and September, Thomson Reuters says it found that information provided to members of corporate boards of directors is often in unencrypted email accounts and computers, or otherwise provided in forms that are easily lost, misplaced or stolen.
In February, a ‘web facing’ application run by Nasdaq OMX Group, known as Directors Desk, was possibly compromised by hackers.
The service promised more than 10,000 directors of corporate boards that they wouldn't have to worry about their communications "being posted on the Web or landing in someone else's inbox." But it had "potentially" been hacked.
Here are the issues faced by the corporations surveyed by Thomson Reuters that involve security and the information used to guide the firms:
- Unencrypted board communications 85%
- Board documents stored on personal computers at home or work 79%
- Board documents stored on personal mobile devices 75%
- Documents sent to board members via personal, non-commercial email 73%
- Board documents accessible via wi-fi or unsecured networks 71%
- Have reported computer, mobile devices, or sensitive company documents lost, stolen or left in public places 10%
Also, most corporations are not accounting for all of the computing devices that board members are using to access and store board documents, Thomson Reuters said.
This would require canvassing all board members for computers, files and other data storage they use, at their homes or businesses.
"Communications and information handling with board members represents a weak link in the chain of corporate information security," said David Craig, president, Thomson Reuters Governance, Risk & Compliance. "Boards of directors handle some of their companies' most critical and sensitive information, including business strategies, discussion of executive hiring and compensation, legal issues, internal investigations and more.’’
The irony: Companies go to great lenths to protect information shared with executives and employees.
But board members, particularly outside directors, “operate largely outside of a corporation's secure computer networks and many of their strict internal security policies,’’ Craig noted.
The findings can be downloaded here.
-- This article first appeared on Securities Technology Monitor.