Deluge of Paperwork Blamed for Board-Based Security Risks

Joe Mont | February 11, 2013

Buried in paperwork and burdened by regulations and increasing responsibilities.

That's the description Thomson Reuters' annual board governance survey attaches to boards, and a big part of the reason nearly one-fourth of them are finding it difficult to adequately set “appropriate risk management cultures” within their organizations, even though regulators are demanding it. How boards treat all that data is also creating security vulnerabilities.

The survey included more than 125 general counsel and company and corporate secretaries across a wide-ranging cross-section of industries and geographies. It builds upon a survey conducted in September 2011.

Key findings include:

  • On average, organizations prepare 92 board books annually, each an average of 116 pages. This amounts to over 10,000 pages per year, a 50% increase from the average of 5,940 pages reported the prior year. Several organizations surveyed said they prepare more than 300 board books per year.
  • In the interest of “good governance,” more than 70 percent of respondents said they still needed additional competitor insights, financial analytics, and industry information that go beyond traditional board materials.
  • Nearly 25 percent of respondents said their boards don't actively engage in risk oversight. This contrasts with the 55 percent of boards that actively set a risk culture and cascade its policy to management.

Major corporations surveyed were also found to have significant security gaps that leave sensitive board-level information open to theft and hacking. The majority of respondents admitted they regularly send confidential board material to their members via courier, or through unsecured, non-commercial email addresses. The percentage of respondents reporting a board member's loss of computing devices or mobile devices, by either misplacement or theft, grew by nearly 100 percent.

Board members are expected to deal with a wide range of issues at both a local and global level and their responsibility for cross-border issues continues to grow. As a result, the majority of board documents and communications are likely contained across a variety of devices and servers (68 percent this year), up from 52 percent in 2011. Board materials are also put at risk by the common practice of printing and carrying documents originally sent electronically.

Through related questions, the survey found that:

  • Almost half of the respondents indicated that they never encrypt their board materials, and 18 percent indicated that they only occasionally encrypt their information.
  • Only 30 percent of respondents were confident that board members destroy all copies of board-related emails and documents in accordance with document retention policies.
  • Over half of the respondents indicated that they had been in a situation where board members had left sensitive documents in public places, or had heard of such instances.
  • Private mobile devices dominate the use of mobile technology by boards. Over 70 percent of respondents indicated a BYOD (Bring Your Own Device) reality at the board level, as organizations did not supply Board members with mobile devices specifically for the purpose of board communications.