Last year the email of Colin Powell, a member of Salesforce’s board, was infiltrated in a phishing scam. It wasn’t pretty. Cringe-worthy revelations of his feelings about Donald Trump, the Clintons, and a raft of embarrassing Sand Hill Road gossip made headlines across the business world, not to mention leaked lists of acquisition targets and other confidential company information.
The contents may have been a surprise, but the fact that Powell himself was the target was not, at least not to Dottie Schindlinger, VP and governance technology evangelist at Diligent. In the shadow of vast data breaches at companies like Yahoo and Equifax, “board members themselves are in the crosshairs of bad actors,” she says, “precisely because directors have access to high value data and tend to have the least amount of oversight by the data security team.
“The days when directors could just rely on the IT team to ‘handle cybersecurity’ are long over,” she adds. A recent survey by Diligent and NYSE Governance Services shows just how vulnerable board members can be. Nine out of 10 directors surveyed about cyber risk practices use an unsecured personal email account (such as Gmail, Yahoo or Outlook) at least occasionally to communicate with fellow directors and management. In many cases, oversight of cybersecurity measures is similarly lacking.
This gaping security hole exists despite new regulations, including the EU’s draconian General Data Protection Regulation (GDPR), set to take effect in May 2018, that will hold directors and officers personally liable, in some cases including jail time if there is willful
“The days when directors could just rely on the IT team to handle cybersecurity are long over.”
It’s hard to imagine that directors will be dragged away in handcuffs for failing to adequately safeguard data. Still, regulations like the GDPR and a mandate by the New York State Department of Financial Services that requires lead directors to personally certify that an effective cybersecurity policy is in place are a sign that regulators are starting to demand greater vigilance.
What should boards be doing? Schindlinger offers these suggestions.
Demand Training: Directors, as much as any employee, can unwittingly open a backdoor to sensitive information, yet most receive little training on security measures. In fact, 62 percent of directors participating in the Diligent/NYSE survey reported that they don’t receive any cybersecurity training. Directors should take the time to learn about cybersecurity protocols and get refresher training on at least an annual basis.
Lock Down Communications: Board members routinely receive and send critical company information on everything from intellectual property to competitive strategy to briefs about ongoing litigation—much of it via email. According to the cyber risk survey, 60 percent use personal email for board-related communication on a regular basis. By now, thanks to incessant headlines about hacked email and personal servers, most of us know the risks this entails, yet convenience and inertia still tend to win out over safety.
“There are lots of good, secure messaging applications out there, many of which integrate directly into your secure board software,” Schindlinger says. “It’s better to get away from email entirely and use tools purpose-built for this reason that are designed for directors. Yes, it will be a change at first, but if you think about what’s at stake, it’s well worth making the transition.”
Bring IT to the Table: Chances are, your board is composed of executives with specific areas of expertise, such as finance and marketing. If you haven’t already, it’s time to add a digital native steeped in cybersecurity to the mix. “You would be hard-pressed to find any other component of the job of a director where basically competent would fly,” says Schindlinger. “You want rock stars.” Having a CIO at the table will help ensure that security practices are on the agenda at every board meeting—as they should be.
Demand a Post-Breach Plan: No matter how well a company guards its data, breaches are inevitable—which means that boards need to ensure that management not only has an action plan in place, but has rehearsed it. “One of the things Target learned was to conduct regular ‘let’s pretend something is happening’ testing,” says Schindlinger. “Here’s what happened, now what do you do? That means covering everything from simply knowing which branch of law enforcement to call to understanding when and how to communicate the situation.”
Understand Your Insurance: As with any insurance policy, it’s always better to understand your coverage before you actually need it. Cybersecurity coverage is complicated and rarely covers the full extent of a company’s costs, which can run into the billions. “It’s not just the stock price and the company’s reputation that take a hit after a breach,” says Schindlinger. Since cyber-related litigation can name board members and company management personally, understanding what’s covered, and what’s not, is key.
Develop Director Directions: While board members are unlikely to be front and center in the event of a data security crisis, there should be a policy in place about when they will be briefed on the situation and what they should share. “They should assume they will get calls, and know what to say to reporters,” says Schindlinger. “Everyone in the company, from the lowest to the highest level, needs to be prepared that way. This is not a matter of if something will happen, it is unfortunately a matter of when—and how well you’re going to deal with it.”