Cyber Risks and Corporate Governance: Is your Board Compromising Your Security?
2016 was dubbed the “year of the hack” by the Guardian last year, in light of the increasing pervasiveness and high-profile nature of major cyber-attacks. Massive attacks on major public service providers such as Yahoo, and infrastructure operators like Dyn, compromised large corporations from Facebook to the Wall Street Journal, and exposed delicate and sensitive corporate information with no encryption or contingency for limiting the damage potential of such a breach.
And while cybersecurity ranked as a top political and global issue that corporate directors cared about, following only the economy and regulatory environment, few are addressing the threats and their own companies’ vulnerability to such attacks. Cybersecurity is seen as one of the few key strategic factors affecting a company, yet it takes the back seat to what boards view as more material threats to the operation, including talent acquisition and retention, competition and innovation, as well as keeping up with technological trends.
With the wealth of sensitive information being passed and made available on the internet, security concerns are no longer confined to localised, proximity threats, but instead extend to free-for-all attacks on a global scale, from professional hackers to deceptively innocuous e-mail phishing scams. The risk of someone gaining access to a company’s top management and their most sensitive information is at an all-time high, which, as a result, presents a salient need to exercise greater cybersecurity awareness and corporate governance, from the top down.
“Board members are different kinds of users than we would expect, because they have access to the most sensitive information that companies would have, but they also sit outside of its firewall. They frequently use free email providers such as Gmail and Yahoo accounts to receive information, and there is no way to ensure that these systems are secure. A company employee would have mobile device management software on their phone or laptop that allows someone to access it and lock the device down in case of loss. But with board members, such precautionary measures don’t exist,” says Brian Stafford, CEO of Diligent Corporation.
The company recently partnered with the Singapore Exchange (SGX) to make available its board portal services to address these major weaknesses around email and secure documents. Brian shares, “In many cases, documents are printed out and couriered to board members, and you don’t know who ends up getting that information. We modernise that whole process and put a security wrapper around the process of information sharing and dissemination.”
To learn more about the risks and accessibility of such solutions to cyber threats, we speak to him on why Diligent is the world’s most widely used board portal.
HNW: What does Diligent’s partnership with SGX offer public-listed companies in Singapore?
Brian Stafford: It was very important to SGX that all the companies which go public on it have access to the most important corporate governance tools. They wanted to provide the best-in-class tools, and felt we were the best player who could offer that.
How would using Diligent’s solutions solve a busy CEO’s schedule?
Our solution is highly effective for any multinational company, and especially when you have directors in different countries. It provides the easiest and safest way to get information and material across to them simultaneously. We take material that normally gets emailed or couriered to board members and CEOs, and remove it from there and onto our secure application. You can upload background information that you need, like bios of the people that you are meeting, as well as calendar entries and access this information that has been linked together on mobile devices.
In the event of a corporate emergency, how would using Diligent help?
The role of board members keeps getting more and more difficult, given the current environment. All the uncertainty that exists, whether it is political uncertainty, the threat of cyber risk, there are increasing compliance concerns no matter which market you are in, and pressure on boards to deliver great results. In such an environment, you have more meetings, phone calls, and need to be more active than previously, where boards met, on average, 4 times a year, and you would courier the materials out to each member before each call. Our solution is the easiest way to put together and distribute the materials when a company’s board needs to react quickly to a situation, by modernising and simplifying processes like updating the information, changing page numbers, printing and eliminating having to courier hard copies out. Now they just open up their tablet or PC, and all the information they need is there. Voting, approvals and resolutions can all be done through our solutions, and members don’t even need to meet in person for major decisions such as a big acquisition or sale.
Why should customers trust Diligent’s security? What ensures it against an attack?
We’re a global business with presence in 74 countries around the world. We’re used by 4000 of the largest companies in the world, including some of the largest banks, and they all trust that our solution is secure. Some of those banks have spent a multiple of what our software costs trying to hack in, and we’ve gotten feedback from these clients that our system is very secure. We have the top people in this space to build our security from the ground up. All of our application is custom built and doesn’t use any free software, and we’re the only people who touch our cloud-based operating system, so any information that is put on it is secure from the moment that it goes in, straight to you.
Who are your competitors in this field?
We’ve a good number of competitors, but they are all much smaller and regionally-focused. We are more than 3 times the size of the next largest competitor, so we have quite a bit of scale, people and investment around this, which allows us access to best-in-class infrastructure and security—like having more data centres around the world than anybody else.
What’s the biggest challenge that Diligent faces?
Our biggest challenge is facing resistance to the new way of working and dealing with change. Most board members were previously the CEO or CFO of successful companies, and they expect to keep doing things the way they’ve always done so, like printing out the materials for you to annotate. But boards are responsible for the cyber risks and governance security of an entire organisation, and it is time for our boards to begin to practise what they preach: do the things that they are asking the rest of the company to do. Our application is simple to use, and it resonates well with people who were reluctant to shift from pen, paper and printing things out, to digital solutions.
What kind of support do you provide when you are introducing your system to users?
I think one of the reasons why we’ve been so successful is because we offer a very high level of support. Every board member gets trained one-to-one. This support matters a lot because most of our users are at least in their sixties and above, and having someone walk through the product with them is very much appreciated. One of our team members will show up in person, or sit on the phone with the client, to ensure that they know how to use the product very well. We also have a 24-hour support system available for any questions or challenges you might have, available 365 days of the year. These are real people in our offices around the world, and not call centres. We make sure that every call is answered in less than 2 rings and that your problem is resolved on that same call. We’ve a new product that does secure messaging allowing board members to use all the compliant rules of the company to message, and we’re starting to roll out text-based support too.
What kind of feedback have you received and worked on to improve your business?
Service provision is important to us and we think that really matters to our users. Our users are the chairpersons of banks, CEOs of large companies, and they don’t want to sit on hold to get a problem solved. We talk to thousands of them in a year when they call in, and they are individuals who have no qualms telling you what they like and dislike about your service. [laughs] I get this feedback on a daily basis from our customer service team, and I read through them every morning to find out what people love and what kind of changes they want. There are way more things that people love, but I’m especially attentive to what people don’t like. We’ve won every service award there is in the software industry and when we had a small dinner recently with board members who use our products, they could remember the members of our team who sat and helped them through when they were using our application.
Is there anything unique to the way corporate governance is run in Singapore, that you feel your product particularly addresses?
The growth in the Singapore market, the maturity in the companies and emerging appreciation for the need for cybersecurity, whether it is in large corporations or professionalising family businesses, are something we are excited about.
Are there any unique challenges working with the boards in Asia versus elsewhere?
Yes and no. No in that most boards function in very similar ways: they want to get their information, they want to be highly prepared, they are highly smart and they want productive meetings. They want things to be done well and the best service… that holds true, globally. We do see a higher adoption of our solutions in the U.S. and Europe, and I think the environment there is more regulated and compliant. It’s much harder as a company to not be using the technology, which I think will end up happening here, once we penetrate 30 to 50% of the market. We’re not at that point of penetration yet, but hope to within the next 2 years, because board members do sit on multiple boards and people share information.
Are there going to be any defining developments in your industry that you foresee in the near future?
Right now our members use our application maybe 4 times a year, depending on the meeting frequencies, and we provide static content, documents and information that get uploaded every quarter. We intend to start to provide more content to make you want to visit the app more frequently, like when you are sitting in the airport lounge, waiting for your flight. There is a lot of content on corporate governance from sources like Deloitte, PwC and McKinsey, but it is very fragmented. We’ll have it all in one simple, easy location, and knowing the committee you are on, what different elements of the business you are concerned with, we can give you targeted, tailored information. Companies can also evaluate how efficiently their board performs or functions, and we’ve done a big report on cyber risk for the New York Stock Exchange, and many of their members who were clients of ours helped participate in it. We can send surveys on our application to collect information on usage and trends, and we’d be happy to provide and publish such findings in the market here.
Besides Singapore, are you planning to expand elsewhere in Asia?
We have an office in Hong Kong, so we serve most of Asia through Hong Kong or Singapore, and we are actively looking to expand into Japan. Singapore is the tier 1, leading country in the region in terms of technology adoption, so this will provide a bit of a benchmark for adoption in the rest of the ASEAN region.