By Raj Patel
Bank Directors routinely access some of the Bank’s most sensitive information, such as strategic plans, regulatory reports, audit findings, risk assessments, financial data, customer loan documents, and personnel records. Many organizations, including community banks, now prepare a digital board package, which is a single collection of documents directors review before each meeting. A well-organized board package helps directors prepare effectively, ask informed questions, and make stronger decisions for the organization.
This information carries significant value, making Bank Directors prime targets for cybercriminals.
Many Directors rely on personal or secondary devices to access the board package, and those devices may not have strong security controls or current software updates. Directors may also be traveling and using public Wi-Fi, or they may forward materials to an assistant for printing, each of which introduces additional security risks.
Directors often come from diverse professional backgrounds, including CEOs and leaders from other organizations. Their biographies are widely available through public sources, including the institution’s website. Criminals can exploit this information to craft highly targeted phishing emails or even digitally impersonate a Director in an attempt to gain access to confidential bank information.
Best Practices to Protect Board Packages
Banks need strong security practices that protect the full life cycle of information shared with Directors, from preparation and distribution to access, storage, and retention. Banks should consider the following:
Use a secure, Bank-approved portal. Confirm your portal has the following controls:
Remote lock and wipe so the Bank can quickly contain a cyber incident.
Restrictions on forwarding, downloading or any external sharing so the Bank does not lose control of its data.
Restrictions on printing and copy and paste to prevent information from being moved to an unsecured location or personal device.
Detailed logs showing access and documents viewed. These records may be needed to support investigations and to provide accurate reporting to regulators, law enforcement, and cyber insurance.
Controls that limit when and where the package can be accessed. These settings require careful planning if Directors travel frequently or spend time overseas.
Device compliance checks that ensure the Director’s device and connection point meet minimum security standards.
Make sure the portal has been fully reviewed and tested by the Bank’s cybersecurity team. Confirm that your board package software has undergone the same level of vendor due diligence required for your most critical third-party relationships.
Make Multi-factor Authentication (MFA) mandatory. MFA adds an essential layer of protection beyond a password and provides valuable logs showing who accessed the data and when. My personal preference is a one-time-use password, where the Director is provided with a unique passcode each time they access the package.
Most Board package software encrypts the data; make sure yours does too.
Ensure automatic document expiration after 90 days so older board packages cannot be accessed indefinitely.
Provide separate login credentials. If a Director needs an assistant or another authorized person to access the package, provide separate login credentials for that person. Ensure this access is formally approved using the same process you apply to any other user account.
Do not share any information via secure email. Once the Director downloads the package, the Bank has no visibility into how the information is handled or whether it remains secure. The Director may store the documents on private devices or cloud storage, print the materials for later review, forward them to a personal email account or share them with an administrative assistant.
No need to provide the Director with a Bank email account. Some Banks provide Directors with a Bank-issued email account, and many Directors request one. However, this creates an additional target for attackers. Directors can fall victim to phishing attempts, and managing multiple email accounts increases the chances of password reuse or weak password practices. Directors may also share their passwords with assistants or others who help manage their schedules, which further reduces security.
No need to provide Bank-owned iPads. With secure cloud portals with robust security controls, including MDA, Directors can access board packages securely with their personal email IDs.
How secure is AI for preparing and analyzing board packages?
AI can be used securely to support the preparation of Board materials, but only when it is implemented with the same discipline and controls required for any technology that handles sensitive bank information. Modern AI tools can streamline drafting, summarizing and organizing content, yet the security of these tools depends entirely on the environment in which they operate. Banks should use AI solutions only within secure, governed platforms that meet regulatory expectations for data protection. This includes ensuring that data is never shared outside the Bank’s controlled systems, restricting internal access strictly on a need-to-know basis and enforcing data-scrubbing or automatic deletion after 90 days to minimize long-term exposure.
Examples of AI use with board packages include:
The CFO uses AI to create meaningful dashboards from financial data and reports, helping Directors focus on key trends and variances.
The preparer uses AI to review the Board package for unclear language, overly technical explanations and opportunities to improve readability and consistency.
AI provides a second-level review of audit reports and management responses, highlighting themes, summarizing issues and suggesting insightful questions for Directors to ask auditors or management.
The Board Risk Chair attempts to use a secure AI tool to stress-test high-risk loans.
A Director uses a secure, bank-approved AI-enabled device to generate meeting summaries and action-item lists, keeping content within the Bank’s controlled environment.
AI should enhance efficiency, not introduce risk. If the Bank cannot secure the AI tools being used, neither management nor the Board should rely on AI for preparing or reviewing Board content.
About the Author
Raj Patel is a Partner with FinCyberTech. Raj has 27 years of experience in cybersecurity and has worked with over 100 financial institutions. For additional guidance on secure use of AI, contact raj@fincybertech.com or 248-935-0329.