Revealed: The truth about board portals and cyber security

Whether small or large, any company can fall victim to electronic warfare.

According to PwC’s ‘Global economic crime survey 2011’, cybercrime now ranks as one of the top four economic crimes globally, along with asset misappropriation, accounting fraud and bribery. Roughly 60 percent of those surveyed claim their organization does not keep a close eye on social media activities, while a staggering 40 percent of respondents admit that reputational damage is their biggest fear. Cybercrime is expected to increase in 2012, and remains a serious threat to all organizations.

The threat is real because hackers and ‘hacktivist’ groups continue to proliferate, making electronic espionage a scourge that all companies must defend against. Recent high-profile security breaches at Sony, Epsilon, Citigroup and NASA have put a spotlight on the need to improve information security on the internet. Making matters worse, last year’s cyberattacks on the New York Stock Exchange (NYSE) and NASDAQ provide a glimpse into the potential mayhem that can be created when companies that other firms rely on for critical data transfer are affected by cybercrime.

In October, the NYSE’s website was apparently hacked twice as part of the anti-Wall Street protests, according to news reports. A notorious group of hackers known as Anonymous claimed to have slowed the NYSE website in an attempt to make it crash, but trading was uninterrupted.

According to Reuters, a security breach at NASDAQ OMX was discovered in February 2011 when investigators revealed that hackers had infiltrated NASDAQ’s board portal technology, Directors Desk, an electronic boardroom cloud service that stores critical information for more than 15,000 board members of several hundred Fortune 500 corporations. The breach potentially gave hackers access to confidential documents of directors who logged into the Directorsdesk.com website before the malicious software was removed.

The company said that through its normal security monitoring systems, it had detected suspicious files on its US servers. It immediately removed the suspicious files and launched an investigation, stating, ‘at this point there is no evidence any Directors Desk customer information was accessed or acquired by hackers.’

‘No company is immune to hacktivists, as they are constantly looking to hit corporate systems and websites,’ says Joan Conley, pictured left, senior vice president and corporate secretary at NASDAQ. ‘At NASDAQ, we are aware of the role we play within the national infrastructure and we take it very seriously. We have taken considerable measures to enhance and protect the physical and software environment of all of our systems, including Directors Desk.’

Of course, NASDAQ is not alone in its fight to stop cybercriminals from breaching its systems. ‘Eighty percent of organizations suffered network breaches in the past 12 months,’ says Melissa Krasnow, a corporate partner with global business law firm Dorsey & Whitney. ‘Smaller breaches, in addition to these high-profile ones, are occurring frequently.’

 The impact of breaches

According to ‘Perceptions about network security’, a Ponemon Institute survey released last June that tracked security breaches in the US, the UK, France and Germany, roughly 90 percent of the 583 companies polled claim to have experienced a network security breach by hackers at least once in the past year. The survey also suggests that these attacks can be costly, as 41 percent of respondents say their company spent $500,000 or more to repair the damage incurred.

On a larger scale, electronic breaches can have other negative impacts on a corporation, including:

(i) Short-term drops in the company share price after a reported breach.

(ii) Erosion of investor, customer and public confidence in company management.

(iii) Reputational damage and negative impact on the company brand – if a cyberbreach happens once, it can happen again, and that will impact the way stakeholders view the affected company’s image. A tarnished reputation can lead to more investigations and a drop in sales.

(iv) Legal liability for loss or mishandling of customer information – once a customer’s information is taken during a breach, it could be handed over to competitors or thieves. Even employee information can be compromised and used for recruiting or other purposes.

(v) Should a company’s earnings and stock price dramatically decline following a data breach, board members might find themselves dealing with serious fallout, including shareholder lawsuits and fines by regulators. Click on image below to find out more.

Click on image above to find out more.

Most breaches come from within

Data security firm Imperva released a survey in 2011 indicating that most companies do not know the exact number of sensitive files they have, where these files are stored or who has access to them. The study says a startling 65 percent of respondents are unsure who has been granted access to the company’s sensitive files. Even more incredibly, 82 percent of the survey’s respondents said they were unsure of their company’s data security policies.

This lack of awareness has made it easy for insiders to perpetrate a significant number of the information breaches and cybercrimes reported over the last year. Julian Assange, the founder of WikiLeaks, claimed that more than half of the documents that were funneled to his website about corporate misconduct were delivered by employees who worked in the scandal-ridden corporations and governmental agencies the documents came from.

‘Major breaches like WikiLeaks happen because of a lack of effective file security controls,’ says Amichai Shulman, co-founder of Imperva. ‘So many respondents are unsure of how many sensitive files they have and how accessible those files are – this indicates a general lack of control over sensitive data, which increases the likelihood of an insider breach.’
Indeed, concerns about in-house security breaches have been evoking fear in the hearts and wallets of corporate leaders around the country and the world.

Last April, the SEC slammed three former brokerage executives of now-defunct firm GunnAllen for failing to protect confidential information about the company’s customers.
After announcing he would be leaving to head a new company, GunnAllen’s outgoing president Frederick Kraus authorized the firms’ then national sales manager, David Levine, to transfer information on more than 16,000 accounts to his new company, which Levine then joined after also stepping down from GunnAllen.  

Levine downloaded names, asset values, addresses and account numbers to a thumb drive and passed the information along to Kraus’ new firm. 
The case marks the first time the SEC has brought charges and levied financial penalties against individuals charged solely with violations of a rule that requires financial firms to protect confidential customer data from unauthorized release to unaffiliated third parties. Even GunnAllen’s chief compliance officer was charged for failing to ensure customer information was protected.

As a result of cases like these, investors are now considering the impact of a previous cyberbreach prior to making an investment. ‘Investors want confidence and transparency,’ Conley says. ‘They need to know that a company’s board is taking risk management seriously, because preparation for a cyberattack is important.’
 
Enhancing security at NASDAQ

As a result of the intrusions last February, industry observers and some users of Directors Desk started questioning the credibility of the product. ‘After we uncovered the breach, we reached out to the government and to our clients to discuss precautions and continued enhancements,’ says Conley. ‘Internally, the work began immediately, as we gathered and briefed the appropriate stakeholders, put together a plan of action, communicated with the appropriate audiences and continued to enhance our security features by working with some of the best security consultants in the world.’

The main challenge is emerging from a crisis. Occasionally, companies get caught in a breach and neglect tweaking internal controls or enhancing their security systems. ‘As corporate secretaries are looking at the 2012 proxy season, they tend to be focused on Glass Lewis and ISS,’ says Conley. ‘It is essential that companies concentrate on enhancing their security features consistently throughout the year.’

In NASDAQ’s case, the company sought to align various committees, designate groups to monitor the relevant systems, and communicate with clients. Since the breach, the company has developed several new protocols and enhancements to protect its portal and continues to use Directors Desk company-wide. ‘We take the security of our infrastructure very seriously,’ says Conley. ‘Our constant focus is to ensure that we are closely monitoring, evaluating and enhancing our security systems and proactively communicating with our internal and external stakeholders.’

 Click on image above to find out more.

The corporate secretary’s role

Conley faces additional challenges in her day-to-day activities. Since technology is the driving force behind her daily projects, the veteran corporate secretary with over 15 years of experience feels that the ability – or inability – of users to adopt new systems and processes sometimes serves as a minor stumbling block. Despite being a somewhat new user to these technologies herself, Conley makes sure she stays acquainted with the ever-changing products she needs to fulfill her duties. Every morning, she updates the board’s materials on Directors Desk and provides all of the information that the board may need, including minutes from previous meetings.

‘As a corporate secretary you have to be able to understand these relevant technologies and how the board members interact with them,’ she says. ‘We deal with the early adopters and those who need ‘conversion time’ – we avoid leaving anyone behind.’

By providing regular hands-on training, Conley helps directors make the transition to Directors Desk. ‘Even though some firms mandate the use of board portals, we try to educate and encourage the use of this system by slowly taking the training wheels off for our board members,’ she explains.

When Conley joined NASDAQ in 2001, there were massive amounts of paper being reproduced everyday, and as the company’s corporate secretary, one of her main roles was preparing and storing board materials. In 2007, when NASDAQ OMX Corporate Solutions purchased Directors Desk, Conley played an integral part in driving the development and implementation of the product, which is constantly being enhanced to better support boards and mitigate risk.

In August, NASDAQ OMX Corporate Solutions launched Directors Desk HD, an iPad app that provides directors and executive managers with access to their timely information on the go. ‘Boards can now access the information and materials they need 24/7,’ says Conley. ‘The iPad has revolutionized board portals. Now, board members can prepare, distribute and access important information, as well as collaborate, from anywhere in the world on Directors Desk.’