CLS Blue Sky Blog

Sullivan & Cromwell Discusses Hacking and Cyber Threats to Director Communications

The growth in cybersecurity threats combined with the increasing demands placed on outside directors creates challenges that often go beyond the risks that public companies face from employee and client communications.  If public companies cannot communicate quickly with directors or directors cannot easily share information and discuss options, corporate governance will suffer.  On the other hand, outside directors often have professional responsibilities to multiple organizations and, accordingly, are more likely to rely on electronic communications that are outside of any particular company’s technology resources.

Recent hacking incidents highlight the need for public companies to review their director communication practices to ensure that they are current and that they appropriately balance security and efficiency.  In this regard, public companies may wish to consider exploring or re-exploring alternatives that fit with their information security framework, such as dedicated company email addresses and/or board portals.  Each of these options has benefits, as well as some drawbacks in terms of residual security, record-keeping or efficiency.  Regardless of the particular approach taken, public companies should periodically review their director communications practices in light of ongoing cybersecurity developments, regularly update directors on information security risks, company practices and response protocols in the event of compromise, and consider providing technology and security support for personal devices and home offices maintained by outside directors.

BACKGROUND

Corporations have various alternatives for electronic communications with directors.  Many common means of communication, however, have been subject to highly publicized cyber incidents.  Most recently, former Secretary of State Colin Powell and campaign strategist John Podesta became the victims of intrusions into their web-based email accounts through a deceptive email that requested login credentials.[1]  These intrusions revealed politically and commercially sensitive information, including acquisition targets and strategies for Salesforce.com, where Secretary Powell was an outside director, and private email addresses of other outside directors.  Although online board portals are generally accepted as more secure than web-based email accounts, several years ago a board portal reportedly was infiltrated by malicious code that allowed collection of confidential data stored on the platform.  These incidents and the seemingly continuous advancements in computer hacking techniques emphasize that no technology should be considered immune from intrusion and that company practices relating to electronic communication with directors would benefit from periodic review and refreshment.

POTENTIAL ENHANCEMENTS

As companies have continued to evaluate their practices, they have considered different systems for director communications, including the exclusive use of company email accounts by directors, and the adoption, or enhanced use, of online board portals.  Each of these systems and policies has benefits and drawbacks and each company will need to strike the right balance for itself and its directors. Additionally, companies have explored general IT policies such as providing regular updates to directors on information security risks, company practices and appropriate protocols in the event information is compromised, and providing technology and security support for personal devices and home offices maintained by outside directors.

Corporate Email Accounts for Directors.  Assigning company email addresses to directors has the advantage of placing director communications under the same information security framework that applies to employee emails.

Some of the limitations often encountered with this approach are:

Board Portals for Director Communications. Many companies have adopted, or are exploring the use of, online board portals to facilitate director communications, either exclusively or in combination with other communication methods.  Board portals are specialized web applications that disseminate board materials and communications through a web interface that may have several advantages.

Some of the limitations often encountered with this approach are:

TRAINING AND SUPPORT

Cybersecurity threats have become a persistent concern for companies and, as the body responsible for oversight and as users of technology themselves, board members may benefit from periodic IT training and briefings regarding the company’s communication systems, and from ongoing IT support in the use of those tools.

OBSERVATIONS AND IMPLICATIONS

The information security landscape is evolving rapidly, and, while it seems clear that virtually all electronic communications systems are subject to intrusions, commercial, legal and regulatory considerations dictate that companies should periodically review their director communications policies and procedures with an eye toward an appropriate balance among user convenience, administrative flexibility and data security.  This review should include the board, senior management and IT personnel so that the applicable communication system and policies provide reasonable security while respecting the practical needs of directors.  Directors and company employees would also benefit from periodic updates regarding the company’s IT policies and recommended practices for information handling as well as developments in cybersecurity and cyber risk management.[2]

ENDNOTES

[1]     See, e.g., Lorenzo Franceschi-Bicchierai, How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts, Motherboard/Vice Media (Oct. 20, 2016).

[2]     A summary of our firm’s Cybersecurity Group and related resources is available at https://sullcrom.com/cybersecurity.  On December 1, 2016, Sullivan & Cromwell LLP will host the 2016 Sullivan & Cromwell LLP / RANE Risk Management Summit to discuss pragmatic and proactive ways management and boards can mitigate enterprise cybersecurity risks.  Details are available at https://ranenetwork.com/2016-sullivan-cromwell.

This post comes to us from Sullivan & Cromwell LLP. It is based on the firm’s memorandum, “Recent Hacking Incidents and Cyber Threats to Director Communications,” dated November 15, 2016, and available here.
