(This speaks to the maturity of their web application security. Ask if you can see a copy of the report.)
How do you protect the data and know where it is going? Are you using DLP technology? What kind of encryption scheme do you use to protect my data? How is my data segregated from other customers?
(You want to make sure data is only going to approved users. Make sure the data is encrypted at every stage in the transaction, not just via SSL while in transit.)
What systems do you have in place to prevent spear phishing?
(Any breach is an invitation to phish your executives, Board, and others. Bad guys take advantage of user trust and will make an email look like it is coming from the BCS platform.)
Where are the servers physically located? What type of physical security is in place to protect these servers?
(If you wouldn't put your intellectual property there, you don't want your Board communications there either. You will be surprised by some of the answers you get to this question.)
Does the contract state that customers must be informed of any data breach, regardless of whether local laws require it?
(Some states and countries don't have data-breach disclosure laws. You need to make sure that you are notified immediately if your data is exposed.)
Have you ever had a problem with malware before?
(This is a bit of a trick question. Everyone has dealt with a malware issue at some point. If the service says they have never had a problem, there are two possibilities, and both are bad signs. One, you know they aren't being candid, or two, they have no idea that they have a malware issue. This calls into question their other responses.)
Note: All the BCS solutions seemed to have a decent level of application controls within the communication app itself. The main concerns I found were around the infrastructure that the application (and your company's data) sits on.
We all know the importance of securing intellectual property (IP). Securing Board of Directors communications is absolutely essential. You have to take the time to do it right.
Remember, many organizations have put these systems in place without speaking to IT, and many of the companies that provide these services are just getting off the ground. While some of these portal providers may be built with the highest security in mind, many will not. You can't afford to be with one that has not built upon a strong security foundation.