Thomson Reuters Survey Reveals Increased Cyber Security Risk to Boardroom Communications. Annual corporate governance survey reveals company boards lack security structures to protect board information
Thomson Reuters surveyed more than 200 corporate and company secretaries across Europe, the Americas, Australia, Asia, Africa and the Middle East to canvass their views on some of the key challenges faced by the board today. Respondents represented firms from a wide set of industries including financial services, manufacturing, government, education, life sciences, energy and other highly-regulated industries.
Key findings from the report include:
- Over half of organizations indicated they had been in a situation where board members had left sensitive documents in public places or had heard of such instances
- Two thirds (67%) of corporate boards are very concerned about cyber security risk, whilst only 44% claimed they actually make decisions on the topic
- 60% of organizations never or only occasionally encrypt their board communications, and only a quarter indicated that they always do so
- More than half (56%) of board members still print and carry around board documents
- Half (51%) of organizations surveyed do not utilize a secure purpose-built board portal
- Cyber security information is the least frequently requested information by the board, with only 32% of board frequently or very frequently requesting such information
- An increasing proportion of respondents are not confident board members destroy sensitive printed board documents, while a staggering 60% of organizations are not confident or unsure if their board members do so
“In this digital age it’s alarming that so many organizations don’t have structures in place to safeguard their information from security and cybersecurity threats,” said Phil Cotter, managing director, head of Risk, Thomson Reuters. “What’s disheartening is that information on cybersecurity remains the least frequently requested information by corporate boards, which leaves significant uncertainty around their ability to effectively oversee security management, particularly if they aren’t taking steps to keep fully informed on security matters.”
Security and cybersecurity risk
Private computing devices are now commonly used by most board members for board communications but only a third of them are provided by the company itself. Furthermore, there has been an increase in these computing devices that are used for board communications being stolen or lost. 10% of organizations reported they have had a board member to whom this has happened to and 5% of organizations stated they have had sensitive board materials left in a public place.
Many organizations continue to use non-secure commercial email accounts to send board information to board members with 43% of respondents claiming they always or regularly do this. With 60% of organizations never or only occasionally encrypting board communications, many could be leaving their board communications liable to hacking and their organization at risk of a serious data breach.
A third of organizations continue to print and courier materials to board members and 56% of board members print and carry materials around. There is also a considerable lack of confidence that these materials are disposed of securely with only 28% of respondents reporting that they are confident that their board members do so.
Communications and technology
The geographical dispersion of corporate boards also continues to be an issue for organizations, with 34% of board member spread across a number of countries. In 2014 the number of boards meeting monthly or quarterly has risen to 78%, meaning boards that use manual processes to share board material are likely to be experiencing increases in the cost of printing and couriering board books.
About: Thomson Reuters Accelus is a market-leading solutions for enterprise Governance, Risk and Compliance (GRC) management, enterprise risk management, policy management, audit management, global regulatory intelligence, financial crime, anti-bribery and corruption, supply chain risk, enhanced due diligence, training and e-learning, and Board of Director and disclosure services.