← Patterns / SP-022

Board of Directors Room

Board of directors communications represent some of the most sensitive information in any organisation. Board packs contain strategic plans, M&A proposals, financial results before public disclosure, legal opinions, personnel matters involving senior executives, and regulatory correspondence. A leak of board materials can move share prices, trigger regulatory investigations, compromise competitive advantage, or cause reputational damage. Yet board members themselves are often the weakest link in the security chain: they are typically non-technical, use personal devices, access materials from home networks, and expect simplicity above all else. This pattern addresses the specific challenge of securely distributing and accessing board documents in an environment where the endpoint cannot be trusted. The original design assumed board members would read documents on personal computers that may be compromised by generic malware, and proposed a hardened USB device with a secure browser as the access mechanism. While the specific technology has evolved -- modern implementations use dedicated board portal applications (Diligent, BoardEffect, Nasdaq Boardvantage) with mobile device management -- the underlying security architecture remains relevant: protect the document at every stage from creation through distribution to consumption, and assume the access environment is hostile. The pattern is built around a small, known user population (typically 10-30 board members plus board secretaries) which enables security controls that would not scale to larger populations. Hardware token distribution, individual key management, and personal onboarding are feasible at this scale. The board secretariat creates and uploads documents to a secured web application; board members authenticate with strong multi-factor credentials and access documents through a controlled viewing environment that resists data extraction. Cryptographic controls are central to this pattern. Documents must be encrypted at rest and in transit. The viewing environment should prevent or deter local storage, printing, and screen capture where technically feasible. Non-repudiation controls ensure that document access is attributable to specific individuals -- critical for insider trading compliance and regulatory audit. The entire lifecycle from document creation through board review to archival or destruction must be covered by the security architecture. The pattern also addresses the governance dimension: board document security is not just an IT problem. It requires policies approved by the board itself, handled by a trusted board secretariat function, and subject to periodic security review. The reputational and regulatory consequences of a board document leak are severe enough to justify investment that would be disproportionate for less sensitive use cases.

Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-06

Assess

ATT&CK This pattern addresses 313 techniques across 12 tactics View on ATT&CK Matrix →

Click any control badge to view its details. Download SVG

Key Control Areas

Access Control and Account Management

AC-01 AC-02 AC-03

Given the extreme sensitivity of board materials, access control must be rigorous and granular. Access control policies (AC-01) should be board-approved and define who can create, upload, view, and administer board documents. Account management (AC-02) covers a small, well-defined population: board members, board secretaries, and a minimal number of IT administrators. Accounts should be individually provisioned with formal approval, promptly disabled when a director leaves the board, and subject to regular review -- at minimum after every board composition change. Access enforcement (AC-03) should implement need-to-know at the document level: not all board members need access to all materials (e.g., audit committee papers may be restricted to committee members). Role-based access should distinguish between full directors, committee-specific access, observers, and administrative roles.

Strong Authentication and Cryptographic Identity

IA-02 IA-04 IA-05 IA-07

Board portal authentication must go beyond passwords. Multi-factor authentication is mandatory, ideally using hardware tokens, certificate-based authentication, or biometric verification on managed devices. Identifier management (IA-04) ensures each board member has a unique, non-transferable identity. Authenticator management (IA-05) covers the lifecycle of tokens, certificates, or other credentials: secure distribution during onboarding, replacement procedures for lost devices, and prompt revocation when a member departs. Cryptographic module authentication (IA-07) ensures that the cryptographic components used for authentication and document protection meet appropriate standards (FIPS 140-2/3 for US-regulated entities). The authentication architecture should resist credential sharing -- a board member handing their token to an assistant should not grant that assistant access.

Transmission Security and Cryptographic Protection

SC-08 SC-09 SC-12 SC-17

All communications between the board member's device and the board portal must be encrypted. Transmission integrity (SC-08) ensures documents are not modified in transit. Transmission confidentiality (SC-09) prevents eavesdropping on board document content. These controls require TLS 1.2+ at minimum, with consideration of end-to-end encryption for the most sensitive materials. Cryptographic key management (SC-12) is critical: encryption keys for board documents must be properly generated, stored, rotated, and destroyed. PKI certificates (SC-17) used for authentication or document signing must be issued by a trusted authority with appropriate certificate lifecycle management. Where documents are encrypted at rest on the portal, key management must ensure that departed board members can no longer decrypt archived materials they previously accessed.

Comprehensive Audit and Non-Repudiation

AU-03 AU-08 AU-09 AU-10 AU-11

Board document access must be fully auditable with forensic-grade detail. Audit record content (AU-03) should capture who accessed which document, when, from what device, and what actions were taken (view, download, print). Timestamps (AU-08) must be accurate and synchronised to a trusted time source -- critical for insider trading investigations where minutes matter. Audit records must be protected from tampering (AU-09), including by IT administrators, since the insider threat at board level is an existential concern. Non-repudiation (AU-10) ensures that a board member cannot deny having accessed a document -- essential for regulatory compliance and fiduciary duty. Audit record retention (AU-11) must align with corporate governance requirements, which often mandate retention for years or decades. These audit logs may be subject to regulatory examination and must be preserved accordingly.

External System and Endpoint Controls

AC-20

Board members typically access documents from personal devices that the organisation does not manage. The architecture must assume these endpoints are compromised by generic malware. Controls include: using a dedicated secure application or hardened browser rather than the device's native browser; preventing document download to local storage where feasible; implementing document watermarking with the viewer's identity to deter photography or screen capture; session timeouts that automatically close documents after inactivity; and remote wipe capability for mobile applications if a device is lost or stolen. The trade-off between security and usability is particularly acute here: board members will not tolerate complex procedures, and the security architecture must be nearly invisible during normal use.

When to Use

Use this pattern when distributing highly sensitive documents to a small group of senior stakeholders who access materials from personal, unmanaged devices. Applicable for board packs, audit committee papers, remuneration committee documents, M&A due diligence materials, and other governance documents where a leak would have material regulatory, financial, or reputational consequences. Appropriate where compliance requirements demand non-repudiation and detailed audit trails of who accessed what and when. Also applicable for similar small-group, high-sensitivity scenarios outside the boardroom: executive committee communications, regulatory correspondence, or legal privilege materials.

When NOT to Use

This pattern is not suitable for large user populations -- the security model relies on individual provisioning, hardware token distribution, and personal onboarding that do not scale beyond tens of users. Not appropriate for ad-hoc collaboration where participants change frequently; the Realtime Collaboration pattern (SP-021) is more suitable for that scenario. Not applicable where all participants use organisation-managed devices with full endpoint security, as the pattern's core value proposition is protecting content on untrusted endpoints. The overhead of this pattern is not justified for documents at normal business sensitivity levels. Not suitable where real-time co-authoring is required -- this is a document distribution and viewing pattern, not a collaborative editing pattern.

Typical Challenges

The fundamental challenge is securing document access on endpoints the organisation does not control. Board members use personal laptops and tablets, often shared with family members, running consumer-grade security. They expect the same ease of use as reading email -- any friction in accessing board packs will result in complaints to the CEO and pressure to weaken controls. Technology literacy varies widely across the board: some directors are digitally fluent, others struggle with basic authentication procedures. Lost or forgotten tokens cause access failures at critical moments (the evening before a board meeting). Screen capture and photography cannot be technically prevented on unmanaged devices -- a director can always photograph their screen. Maintaining security awareness among a population that meets quarterly and views security as someone else's problem is difficult. The board secretariat must balance security procedures with the practical reality of tight timelines for distributing updated papers, sometimes hours before a meeting. Successor and emergency access procedures must exist for the scenario where the board secretary is unavailable and materials must be distributed urgently.

Threat Resistance

The pattern is specifically designed to resist generic trojan horse and keylogger malware on the endpoint where board members read documents. By using a dedicated secure application or hardened browser environment, the attack surface is reduced compared to accessing documents through the device's standard browser. The pattern defends against unauthorised document redistribution through access controls, watermarking, and download restrictions, though it cannot fully prevent a determined insider from photographing the screen. Eavesdropping on network communications is prevented through mandatory TLS encryption for all document transport. Credential theft is mitigated through multi-factor authentication with hardware tokens or certificates. The non-repudiation controls (AU-10) provide forensic evidence if board materials are leaked, supporting investigations and deterring misuse. Residual risks that this pattern acknowledges but cannot fully eliminate include: a board member taking screenshots or photographs of displayed documents; a board member deliberately sharing their secure access device with unauthorised persons; and a targeted, purpose-built trojan specifically designed to attack the board portal application rather than generic malware.

Assumptions

The user population is small and well-defined, typically 10-30 board members plus a small number of board secretaries and administrators. Board members will access documents from personal devices (laptops, tablets, smartphones) that the organisation does not manage and must assume may be compromised by generic malware. The computers used by board secretaries to create and upload documents are within the organisation's managed environment and are secured to an appropriate standard. The organisation can distribute hardware tokens or managed applications to board members during an onboarding process. Board materials are classified at the highest sensitivity level and justify security investment that would be disproportionate for general business use.

Developing Areas

Deepfake impersonation of executives on video calls is an emerging and rapidly maturing threat to board-level communications. AI-generated video and voice cloning technology can now produce real-time impersonations convincing enough to deceive colleagues, with documented cases of CFO impersonation leading to fraudulent wire transfers exceeding $25 million. Countermeasures including liveness detection, out-of-band identity verification protocols, and AI-based deepfake detection in video streams are developing but not yet widely deployed in board portal or video conferencing platforms.
CEO fraud and business email compromise using AI voice cloning has escalated beyond email to include phone calls and voicemail. Attackers can clone an executive's voice from a few minutes of publicly available audio (earnings calls, conference presentations) and use it to authorise urgent financial transactions or sensitive data transfers. The security architecture for board communications must now account for voice channel compromise alongside traditional document and email threats, but most board security programmes have not extended their controls to cover voice authentication.
Personal device use by board members remains architecturally intractable. Board members are typically the most senior and least technically constrained individuals in an organisation, and they routinely access board materials on personal iPads, phones, and laptops shared with family members. The gap between the security posture achievable on a managed corporate device and the reality of an unmanaged personal tablet used by a non-technical director remains wide, and board portal vendors are investing heavily in app-level containerisation to provide data protection independent of the device security posture.
Secure video conferencing for classified or highly sensitive board discussions is an emerging market segment driven by geopolitical tensions and increased state-sponsored corporate espionage. Traditional board portals secure document access but do not address the security of the video conferencing platform used for board meetings themselves. Purpose-built secure conferencing solutions with hardware-rooted encryption and air-gapped processing are appearing, but they face the same fundamental tension between security assurance and the frictionless experience board members demand.

Related Patterns

Patterns that operate within or alongside this one. Click any to view.

SP-010 Identity Management SP-013 Data Security SP-014 Awareness and Training SP-018 ISMS SP-021 Realtime Collaboration SP-025 Advanced Monitoring and Detection

AC: 4AU: 5IA: 4SC: 4

AC-01 Access Control Policies and Procedures

AC-02 Account Management

AC-03 Access Enforcement

AC-20 Use Of External Information Systems

AU-03 Content Of Audit Records

AU-08 Time Stamps

AU-09 Protection Of Audit Information

AU-10 Non-Repudiation

AU-11 Audit Record Retention

IA-02 User Identification And Authentication

IA-04 Identifier Management

IA-05 Authenticator Management

IA-07 Cryptographic Module Authentication

SC-08 Transmission Integrity

SC-09 Transmission Confidentiality

SC-12 Cryptographic Key Establishment And Management

SC-17 Public Key Infrastructure Certificates