Imagine that criminals broke into headquarters and bugged your executive offices for insider information--and then made millions trading on that information. That's what can happen if you jump into a Board Communication System too quickly. It has already happened: criminals silently monitor your board of directors' communications until they hear insider information that they can use to strike it rich on the stock market.
A Board Communication System, often called a Board Portal, is supposed to be a secure cloud system that your CEO, CFO and board of directors use to communicate with one another to make sure any highly sensitive information about the company is protected--from insiders, the IT department, and bad guys. Information that is shared between board members can range from company strategy, to M&A plans, to non-public financial performance details. Imagine the havoc that could ensue if anyone was able to access sensitive knowledge and then use it to their advantage.
As I have been speaking with other CSOs, the subject of a Board Portal is coming up more and more frequently, especially within publicly traded companies. The Securities and Exchange Commission (SEC) has now issued guidance mandating that public companies disclose privacy and data breaches because they can be material events. A material event is an incident that can impact your company in a financially meaningful way.
When faced with the problem of protecting board member communications from threats, your immediate reaction might be to implement a Board Portal. Well, here's the problem: Most Board Communication Systems are set up by Legal and Investor Relations teams--without the CSO's knowledge and approval. This is a recipe for disaster.
Why BCSs Need Proper Security Measures
We've all read the surveys and reports on the high cost of data breaches and the associated remediation, lawsuits, and penalties. The cost could also increase as a result of the precedent set by Krottner v. Starbucks. As I understand it, in order to get a class action suit to trial, plaintiffs don't need to show actual harm from a breach. They just have to show an increased risk of harm. If a Board Portal is breached, this could mean every one of your shareholders is a potential plaintiff (arguing that their investment has been placed at increased risk of harm due to insider trading or other stock price manipulation).
And this doesn't just affect public companies. Private companies that do business with public companies may need to start disclosing breaches to keep corporate customers as clients.
I examined some of the Board Portal companies--many of which are startups offering cloud-based services. The barriers to entry are low and new ones keep popping up. That raises a warning flag to me; I am a bit concerned with the ability of these companies to safeguard sensitive data. Many aren't making security the top priority--even though it's mission-critical. The Board Portals are a gold mine for organized crime looking to make a large quick profit. This is not speculation; it has already happened.