This is the fourth installment in the Year in Governance Series from the In-House Subcommittee of the ABA Business Law Section’s Corporate Governance Committee. Each month, the series will share key tips on a different corporate governance topic. To get involved in the Corporate Governance Committee, please visit the committee’s webpage.
A message from Kathy Jaffari: “As Chair of the Corporate Governance Committee, I would like to extend my sincere appreciation to the authors for this publication. The Corporate Governance Committee has ongoing opportunities for writing and volunteering with various projects, whether it’s an article you want to publish or a CLE that you want to present. Our Committee is dedicated to helping you promote informative resources for corporate governance practitioners. You may contact me at [email protected] to get involved.”
There is an expanding array of technology platforms that facilitate board-related communications and administration of board functions, including some that leverage artificial intelligence (“AI”). Some companies are adopting new technologies, while others are staying with methods that have existed for many years. Regular reviews of the technology used for board-related functions will ensure that companies are weighing the benefits and drawbacks of their current approach while appropriately identifying innovative solutions that could provide enhanced efficiency and flexibility, or reduce risk.
- Board Management and Communication Platforms: Numerous vendors offer platforms that provide an efficient medium for distribution of board materials, communications, and administration of board functions. Many of these platforms incorporate cybersecurity protections, thus reducing risk, and integrate with internal company systems such as those used for cloud storage and virtual collaboration. They can also help reduce risk by aiding with the administration of company record retention policies. Appropriate training should be provided to ensure consistency in adoption across the board and company stakeholders.
- Audio and Video Recording: Recording board or committee meetings in audio or video format could present significant litigation risk. It is also inconsistent with the core governance principle that the minutes stand as the only record of such meetings. Even if deleted, recordings may later be recovered via backups. When using collaboration platforms for virtual board or committee meetings, deactivate the recording functionality.
- Use of AI by Boards: For companies that are considering implementing AI solutions to record and summarize board and committee meetings, see the above tip on Audio and Video Recording. Separately, AI platforms may be able to summarize large amounts of written data, such as board books, which directors and others might find helpful. If considering such a technology solution, ensure that any third-party vendor leveraging AI will treat company information confidentially, has best-in-class cybersecurity controls, regularly tests its models for accuracy, and will not use the company’s data for its own business purposes.
- Email Communications: Companies should use a secure board management and communication platform/portal for company-related communications. The use of personal email accounts for company business poses heightened cybersecurity concerns and can potentially jeopardize confidentiality. Use of personal or day-job email accounts could also expose those accounts to discovery in litigation. Companies should consider providing directors with company email accounts, on the company’s system and protected by its cybersecurity controls, for purposes of communicating on company business. If it is not possible to avoid directors’ using their everyday email accounts, they should avoid substantive messages and only exchange short, actionable messages like “Call me” or “Check the board portal for new material.”
- Text Messaging: Companies should caution directors to avoid exchanging substantive text messages regarding company business using personal cell phones or devices. Like use of personal email accounts, use of text messaging via personal devices can give rise to security risks. Text messaging is also often informal, which can lead to the exchange of damaging, embarrassing, or unclear communications that could later become discoverable and misconstrued. If it is impossible to eliminate all text messaging, companies should advise directors that texts related to the company should only be sent for scheduling or administrative reasons (e.g., “I am running 10 minutes late”).
- Business Continuity and Disaster Recovery: Boards, like companies, should confirm that their business continuity and disaster recovery plans are up to date, tested regularly, and stored in a place where they would be accessible in the event of a significant technology disruption caused by a cybersecurity or ransomware event or a weather disaster. As part of this planning process, boards should confirm that any company technology systems required for the board to communicate or access important information are appropriately backed up and prioritized from a systems resiliency standpoint so that they would be accessible in the event of a significant disruption.
- Access to Records: Companies should regularly review their access controls, including who has access to electronic board and committee materials and communications. Access should only be granted to those with a “need to know.” Certain employees might only have a “need to know” as it relates to certain committees or matters, and access should be limited accordingly.
- Destruction of Records: Failure to promptly destroy documents and communications in accordance with the company’s records retention policy, including those relating to the board, raises a company’s risk profile. Documents that could have been properly destroyed can become discoverable in litigation. Overbroad litigation hold orders can also result in companies retaining documents that they could and should have destroyed pursuant to their retention policies. If a company uses a board communications portal, it is advisable to confirm that the portal’s storage settings align with the company’s record retention policy.
- Technology While Traveling: To address confidentiality and cybersecurity risks, precautions should be taken if the board meets outside of the United States, if directors reside or regularly travel abroad, and if board meetings occur at offsite locations. Companies should consider whether travel or meeting locations abroad present heightened risk of intrusion by state and nonstate actors. They should consider issuing directors with “vanilla” devices for company-related communications (including only software necessary for company business) and/or Faraday bags, which can potentially block signals and provide enhanced security. For offsite board meetings, companies should consider conducting digital sweeps for recording devices.
- Website Bios and Social Media: Companies should weigh, in light of their respective risk profiles, whether there is a need to include board (and management) biographies and photographs on company websites and social media sites, given that this information could be exploited by bad actors seeking to do harm. It is a good practice to conduct a digital risk assessment periodically to identify what digital information on directors is publicly available so that guidance can be provided to minimize risk.
The views expressed in this article are solely those of the authors and not their respective employers, firms, or clients.