Securing the board – The risks and rewards of cloud-based communication
Compliance practitioners and company secretaries who have an influence over their organisation’s board communication practices will inevitably have considered the possibility of moving to a board portal platform. Board portals offer great potential for secure and cost-effective access to documents, suggests Nathan Lynch, Head Regulatory Analyst, Australasia, Thomson Reuters GRC, but there are still security issues to be managed.
Board portals are a growth area. They allow board members to communicate securely and collaboratively, and to share documents across a range of devices, including tablets and mobile telephones. While these software tools promise significant benefits for boards, and for governance, risk and compliance teams, they also present a number of possible pitfalls for the unwary.
The main issue is information security. Organisations that move to an electronic communication portal are inevitably seeking a more efficient and more secure way to share documents between board members. While the move to a cloud-based system offers significant benefits in terms of cost and accessibility, it also means that organisations need to conduct their own due diligence and make sure that their provider has appropriate controls in place.
According to Cameron Abbott, a Partner specialising in technology and privacy law at K&L Gates, there are myriad reasons why an organisation would want to move to a cloud-based board portal. He said some of the vital challenges for organisations today include board members who travel frequently, sit on numerous boards and need to have access to board documents from various devices and working sites. Old paper-based communication methods do not have the flexibility and sophistication that they require.
On the other hand, Abbott said some organisations, particularly those in the public sector, were reluctant to be seen as ‘early adopters’ in this area. Organisations typically wanted to embrace change without blazing a trail, he said.
‘We had one public sector client that didn’t give much thought to using a cloud programme, until they were congratulated on being so brave to be the first one to do this,’ Abbott said.
‘This caused them to worry that maybe board portals weren’t an appropriate product for public-sector bodies. They had to have a think about whether they wanted to be so “brave”. We talked them through all of the issues and helped them negotiate a very favourable agreement with a provider that gave them enough protections that they now felt safe using the product.’
A cloud-based storage solution is essentially an internet-based facility operated by a third-party provider who hosts the services on its off-site servers. Depending on the provider these may be located either offshore or within your local jurisdiction. The ‘industry standout’ applications offer iPad support, offline access to board book materials, handwritten note-taking ability, 24/7 customer support and encrypted, securely stored data.
Boards that move in this direction are typically trying to take advantage of three main benefits: reduced costs (pay for what you use, and avoid the capital expenditure of building a system), flexibility (use it anytime, anywhere in the world) and ease of deployment (cloud-based solutions can be rolled out immediately). They are also often taking the view that a specialist provider will have better security procedures in place than they can roll out ‘in house’. This is especially true for small to medium-sized organisations.
Some of the key facilities that board portals allow include:
• access control (who can see what)
• version control (updates or amendments to papers), and
• annotation capabilities.
They also typically allow the administrators to purge documents, annotations and highlights remotely, which can be extremely important from a risk management and compliance perspective. Any notes can generally be private or shared across the board and electronic signatures are usually supported. The most feature-rich platforms allow:
• online and offline functionality
• confidential email functionality with ability to delete emails
• ring-fenced security, and
• permission-based access to materials.
The chief concern is the security risk of sending extremely sensitive information outside the organisation and ‘into the cloud’. Despite these concerns, research by Thomson Reuters in 2012 (Meeting expectations of board governance: board oversight, communications and technology in a global landscape, available online at: http://accelus.thomsonreuters.com/content/meetingexpectations-board-governance) found that three-quarters of businesses were already emailing sensitive board documents to board members using non-secure email platforms, such as Hotmail or Gmail accounts. Only 24 per cent of respondents said they never sent documents to ‘private, non-commercial addresses’. Almost half said they did not encrypt their communications.
Abbott said that many organisations were bumbling their way through the electronic era without having a comprehensive strategy or sophisticated solution in place to manage their risk.
‘People might say that they have reservations about using a cloud-based storage system. The problem is, if they’re mailing to a web-based email account then they are already using a cloud-based solution, it’s just a really bad one,’ he said. ‘The last thing that you will want is your strategic thinking spread all over the internet, or used for private gain. Even if you’re not getting sued.’
Companies need to evaluate the security and privacy of the information that is being stored and transferred via a board portal. In most cases they need to understand how the provider will protect their information from both internal and external threats. Only once it thoroughly understands the potential risks can an organisation reach an informed decision about the merits of using a particular board portal.
Abbott said most organisations concluded that the benefits were immense and far outweighed the risks, provided those risks were acknowledged and managed properly. ‘Managing information in the cloud does have particular risks, and you should be aware of these when negotiating an agreement with a provider. If properly addressed, these risks should not prevent you from empowering your board to remain effective, agile and connected wherever they are in the world,’ he said.
Organisations also need to treat security risk management as an ongoing issue. It is not simply a task of putting in place a secure system and then leaving it to a third party to operate. Technology experts take the view that companies need to remain vigilant to ensure they are staying ahead of emerging threats.
Some of the issues to consider
• Authorisation – How does the application designate and manage different levels of access and permissions?
• Encryption – Does the software ensure that the information stored within the board portal remains confidential, even from those who manage the systems and application?
• Man-in-the-middle attacks – When information is sent over a network there is always a risk that someone will intercept that data and reassemble it. Board portals need to ensure that all information sent to and from the server remains confidential, including credentials, by encrypting every connection in transit (for example with TLS) and validating the server’s certificate so that a forged server cannot impersonate the portal.
• Offline access – Does the board portal offer the same protection for online and offline access?
• Multiple boards – How does the software prevent ‘leakage’ between different boards that a user may sit on (assuming they access their board papers on the same device)?
Abbott said that organisations also need to make sure that their implementation of a board portal does not open up vulnerabilities. He was aware of one organisation that tested and then implemented a board portal but did not turn off the trial accounts that the IT team had used to test the products. As a result, members of the IT team potentially had access to the board documents.
‘One risk with board portals is they may allow people other than the board members to access board documents, which would typically not be the case when hard copy documents are distributed. Organisations may ask their IT department to set up, test or run the programme, without thinking they may be giving their IT department access to confidential board documents,’ he said.
Abbott stressed that discussing these risks was not meant to dissuade people from using technology. Rather, it was important to remember that there are risks associated with storing material on any computer, or emailing it between board members. ‘The benefit of a cloud solution is that you can reach an agreement with your provider about the level of security that is required. Security in cloud agreements should be at least as good as in traditional systems. You should be requiring a provider to agree to security policies,’ he said.
As part of any security review, firms should also ensure:
• that they check the controls around the creation of administration accounts
• that strategies for dealing with malware, phishing prevention and regular penetration testing are in place
• that the cloud provider uses strong, current encryption for data both in transit and at rest
• that the organisation’s data will be physically or virtually segregated from data which belongs to other customers, and
• that the provider’s security measures are audited annually by an independent party and that it can provide robust, tested data backup and business continuity solutions.
Firms should also consider whether the provider will only host the company’s data on servers in countries agreed by the organisation. This ensures that, prior to making a decision, the organisation is able to assess what laws may apply to their data. As an example, if the information is hosted in the US, the USA PATRIOT Act could give an overseas government the right to access their data. ‘The PATRIOT Act only applies to US companies or companies trading in the US, but this can extend to US companies trading in Australia and potentially the Australian subsidiaries of US companies. This creates a few issues that need to be worked through,’ Abbott said.
Approach to annotations
Another critical issue is how to deal with annotations. This varies between organisations and between entities in the public and private sectors. ‘Some organisations decide to retain all annotations while others take the view that everything should be deleted,’ Abbott said. He said this had been a hot topic in governance circles ever since the HIH Insurance meltdown, where a board member had sketched a picture of a sinking ship on his board papers. This sketch was ultimately recovered during legal proceedings and used against the board.
The more advanced board portals include features like version control, which ensures papers are up-to-date, and the ability for the organisation to either retain or permanently delete annotations. This decision can be made on a case-by-case basis, depending on whether the organisation believes the individual views of board members should be retained.
For public sector organisations there are also other factors to consider, including whether they could become subject to a freedom of information (FOI) request. ‘Before public sector boards start using online board portals they need to consider if their ability to comply with any laws will be compromised, depending on the configuration of the system. For example, they may be bound by laws requiring them to retain public records, or laws requiring them to disclose documents under FOI requests. If you will be required to provide documents under FOI, it’s important that they reflect agreed positions rather than unofficial ones,’ Abbott said.
Nathan Lynch, Head Regulatory Analyst, Australasia, Thomson Reuters GRC, can be contacted on (61) 2 8004 0867 or by email at firstname.lastname@example.org. This article was first published in the March 2013 issue of ‘Keeping Good Companies’, the journal of Chartered Secretaries Australia. Reprinted with kind permission of the publisher.