By Nupur Anand, Associate Partner – Forensic Investigation Services,
Forvis Mazars in India

The Boardroom, once considered the trust circle, has transformed. The way its
proceedings and meetings are conducted has shifted drastically. Thanks to the
evolving regulatory landscape, the rules of engagement have been overhauled.
With tightening regulations, the stakes of strategic decisions have grown;
Boardroom conversations are no longer confined to four walls or a handful of
executives. With this change, the threat of information leaks has significantly
increased. Boardrooms are now threatened not just by cyberattacks from outside
but also, alarmingly, by insiders with privileged access. As sensitive
conversations shift from strategy to execution, the risks pertaining to
Boardroom leaks grow more complex. This demands a robust forensic readiness
framework to counter insider threats.

Protecting insider information arising from boardroom discussions is critical,
and the need is driven by several factors: regulatory mandates, investor
protection and maintaining public trust.

Sectors that play an important role in economic growth, and are often
prioritised in strategic deals, are vulnerable to various threats. Unauthorised
access to confidential board-level discussions about restructuring, investment
strategies, or deliberation on financing plans can not only tarnish an
organisation’s reputation but also disrupt investor confidence and economic
continuity.

What is really happening?

Boardroom leak threats are escalating in deal-heavy sectors, where the
foundation of success depends on confidentiality, strategic foresight, and
maintaining a competitive edge. A single incident of leakage of confidential
information can compromise bidding strategies, reveal sensitive financial data,
or expose future business plans, giving competitors an unfair advantage.
Financial sensitivity, competitive edge and market volatility are the top three
reasons that propel us to protect boardroom discussions. Let us look at these
reasons in detail:
a) Financial sensitivity: Leaks of undisclosed financial information on
valuation can impact stock prices, disrupt deals, and lead to failed
negotiations.
b) Competitive edge: Access to confidential data on business propositions,
bidding information or proprietary data can be exploited by competitors for
various benefits.
c) Market volatility: Premature disclosures such as senior management exits,
auditor’s resignations or litigation cases may impact investor trust and
trigger speculation in financial markets.

Boardroom discussions often cover sensitive topics such as mergers and
acquisitions, restructuring plans, fundraising, management transitions, and
responses to crises. These discussions have far-reaching implications.
- Regulatory Mandates: Many sectors operate under stringent legal frameworks
that mandate the protection of non-public, material information to prevent
insider trading and market manipulation.
- Investor Protection: Investors, especially those making early bets, rely on
a level playing field. Leaks may distort market confidence and can lead to
legal ramifications.
- Public Trust: The integrity of boardroom confidentiality underpins
public trust in corporate governance and market stability.
In 2021, the Securities and Exchange Board of India (SEBI) –
the Indian market regulator – alleged that a director of a listed entity had
shared unpublished price-sensitive information related to the acquisition of an
entity prior to its official announcement. The incident triggered regulatory
scrutiny and significantly undermined investor confidence, raising serious
concerns around corporate governance practices. Similarly, disclosures
regarding equity dilution, sources of funding, or whistleblower complaints
discussed during board meetings, if made public, can have adverse implications
for companies.
Predators often use sophisticated ways to gain access to confidential
discussions; threats have evolved from dictaphones to digital espionage. Gone
are the days when physical recorders planted under tables posed the biggest
risk. Today’s threats are far more sophisticated:
· Cyber Compromise: Boardroom systems, virtual meeting platforms, and even the
personal devices of executives are targeted.
· Social Engineering: Insiders may be coerced, manipulated, or incentivized
into leaking information.
· Physical Security Gaps: Unmonitored visitor access, misplaced devices, or
unsecured conference rooms remain weak links.

Situations in which organisations undertake multiple rounds of due diligence,
overlapping stakeholder engagement, financial reviews and pre-deal interactions
can create ambiguity amongst employees and other stakeholders. This often leads
to a desire for deeper insights beyond what is publicly disclosed,
inadvertently creating opportunities to exploit confidential information.

It is possible to identify any potential boardroom leak in an organization
prior to its occurrence:
a. Unusual share market activity before announcements: Unexpected increases or
drops in stock prices before official disclosures suggest insider leaks
influencing investor decisions.
b. Media or competitor knows information prematurely: Media or news reports on
confidential information citing undisclosed sources.
c. Unusual access pattern to sensitive files/information: Repeated or
unauthorized access to confidential documents.
d. Regulatory or legal inquiries after internal discussions: Tip-offs to
regulatory authorities and legal scrutiny after key boardroom discussions.
e. Competitor matching the pricing: A competitor consistently submits
bids/tenders just under your price and matches your technical capabilities.

In India, leaks of confidential information from boardrooms
often fall outside the scope of mandatory reporting requirements, resulting in
many such incidents going unreported. Nevertheless, companies are recognising
the importance of investigating these breaches internally to identify
weaknesses in governance practices.
The first step in addressing such leaks typically involves creating
a robust incident response plan. This includes updating internal policies and
procedures that will allow companies to initiate investigations, strengthening
data protection protocols, and conducting thorough investigations to trace the
source of the breach.
A lesson can be learned from a 2006 case involving an IT solutions enterprise,
which was entangled in a boardroom scandal after sensitive details about its
acquisition strategy were leaked to the media, allegedly by one of its board
members. In response, the company hired a private investigative firm that
employed questionable and potentially illegal tactics, including "pretexting",
that is, impersonating individuals to obtain telephone records of board
members.

The incident triggered regulatory scrutiny and led the company to disclose in a
filing with the U.S. Securities and Exchange Commission (SEC) that it was
cooperating with an official inquiry into the investigators’ conduct. The case
remains a cautionary example of the need for ethical boundaries in internal
investigations and of the reputational risks associated with lapses in
corporate governance.

How can organisations prepare themselves to protect, detect and respond to
insider leaks before they cause irreversible damage? Here are some measures:
a) Establish confidentiality policies: Implement clear and enforceable
confidentiality policies tailored to protecting sensitive board-level
information, clearly outlining individuals' responsibilities and the
consequences for violations.
b) Enhance physical security measures: Implement physical security protocols
around sensitive meeting areas and data handling practices, such as restricting
access to boardrooms and conducting physical inspections to detect any
unauthorized surveillance devices.
c) Risk assessment: Create a risk assessment based on individuals with access
to sensitive data and evaluate potential insider risk.
d) Restrict information access: Adopt least-privilege access policies under
which only authorized individuals can view or handle sensitive boardroom data,
helping to trace and prevent leaks by limiting exposure and maintaining audit
trails.
e) Develop a forensic incident plan that clearly defines the roles and
responsibilities of all stakeholders in the event of a suspected boardroom
leak.
f) Organizations should implement an IT infrastructure that maintains logs of
all access, modifications, and downloads of sensitive data.
g) Organisations must define policies and procedures that allow them to
preserve evidence and respond to damages.
h) Employee awareness and training: Awareness programs for directors and
employees on the importance of confidentiality, recognizing insider threats,
and reporting suspicious behaviour.

As organisations grow more
consequential and complex, the need to protect boardroom confidentiality has
never been greater. Boardroom leaks not only jeopardize companies but can
disrupt investor trust, impact public markets, and erode economic stability.
Forensic readiness is no longer a
reactive approach — it is a core pillar of governance. Organizations that embed
robust prevention, detection, and response mechanisms today will be better
positioned to protect their integrity tomorrow.