Company Secretaries and Secure Communication
Company Secretaries today are in charge of a number of key board communications channels. They connect board members with other directors and with the board chair, manage communications with management for the board, work with the general counsel and stay in touch with important third-party advisors. Each of these channels involves sensitive information about the company and the work of the board. Making these channels secure is not just a question of applying some quick fixes; a full-scale and high-grade security policy must be maintained right across the organisation to properly protect boardroom communications. To ensure that channels are protected, the Company Secretary must have a basic understanding of security for boardroom communications.
Company Secretaries who send confidential information to board directors’ personal email accounts are risking data breaches.
Secure Messaging Tools and Board Communications
The most basic need for secure communications is safe messaging. More communication goes on via messaging than via any other channel. Secure messaging tools ensure that what needs to remain private stays private. A secure board communication tool should be adaptable to any industry or sector context. It should help bankers talk to each other, and allow non-executive directors to text the CEO or the chairman from any place, at any time, with the assurance that the communications are safe.
It should also be easy to use, with an interface like that of the smartphone and popular messaging apps that directors already use. By moving confidential board communications out of personal and corporate email systems, your board can ensure that there is an easy way to communicate with the right people at the right time.
Who Has Access to Board Documents?
Another issue that a Company Secretary should understand about boardroom communications is that access to materials must be controlled. If you post a document on the company website, anyone can read it. If you post it in a private section of the website, a large number of employees and directors can read it.
Working with the board, there are some documents to which only the chair and the Company Secretary should have access. There are also board member-to-board member discussions, perhaps on an internal chat, that only those two board members should be permitted to see.
All of this means that control of access is an essential part of any boardroom communications application. Ideally, the Company Secretary should be able to assign access to any document on a person-by-person basis. For committees, access should be restricted to the specific group, and then additional board members and others may be added. The board chair should be able to assign access as well.
“The threat landscape is constantly changing”
Security experts recommend a holistic approach. “Rather than relying on a mandated checklist, companies will be better able to mitigate losses by performing organisation-wide risk management activities on a regular basis,” writes one security expert. “Vulnerabilities are system weaknesses that can be exploited. Threats are events that have negative consequences. Threats and vulnerabilities for all systems, not just those within scope for compliance audits, are identified. Threats and vulnerabilities are then prioritised and fixed to limit risk to an acceptable level (241). Constant re-evaluation is required as the threat landscape is always changing.”
To manage security at this level, it’s important that the devices used by board members and management be brought under cyber security controls. Materials stored on shared spaces should be encrypted at the highest grade possible. Technical protection alone is not enough, however: it is useless to have a secure laptop if the board member who uses it leaves it open on a restaurant table.
Devices used by executives should be equipped with remote wiping, so that a lost or stolen device can be wiped clean wherever it may be.
Diligent’s Modern Governance solutions bring together historically disparate tools into one secure product suite.
Diligent Governance Cloud and Secure Board Communications
Diligent, as the long-standing market leader for modern governance software, is uniquely positioned to offer Company Secretaries the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.
With Diligent’s ongoing investment and dedication to security technology, resources and infrastructure that no other provider can match, Diligent clients gain a strategic partner that truly puts security first. For example, Diligent offers the facility to remotely wipe devices if they are lost or stolen.
All members of Diligent’s Security Team are active participants in the information security community in order to maintain up-to-date knowledge and expertise. This means that they are aware of nearly anything that hackers have available and are ready to thwart even the most sophisticated attack techniques.
Diligent has established a security program based on industry-standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cyber-security framework is based on NIST standards.
Diligent Boards data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centres is limited to authorised personnel and is verified by two-factor authentication.
Data is encrypted at rest, in transit and on the users’ devices. The Diligent Boards service supports the current recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer data encryption keys are stored in a tamper-proof FIPS 140-2 L3 certified Hardware Security Module.
Diligent has a documented Security Incident Response Program in place to handle a security incident. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team. Diligent classifies the event and determines the incident response process. In the event of a security breach, Diligent will promptly notify customers of any unauthorised access to customer data.