Reference Library - Advanced Search
Libraries: Governance Clearinghouse
Frequently Asked Questions

Four Essential Elements for Optimizing Your Board's Meeting Agenda
Identification Number 1629
Publication Date: August 13, 2018

As board portal tools streamline—or in some cases completely eliminate—administrative tasks on the board's meeting agenda, valuable meeting time is recaptured for the board to focus on core fiduciary duties. A well-structured meeting agenda leverages that additional time to maximize productivity in the boardroom.

In this post designed to help Chief Governance Officers build a better governance framework, Joan Conley, Nasdaq Senior Vice President and Corporate Secretary, shares the four essential elements of an effective board agenda.

Each company's optimal board agenda is dependent upon a variety of factors, including how often the board meets, how long the board meets, and how prepared board members typically are. At Nasdaq, we find that these variables can be transcended by making executive and chairman sessions standard protocol for each meeting. We also utilize an extended agenda for every board and committee meeting.

Board meeting agendas at Nasdaq are of course built within the company's secure board portal, where they are accessible to the board (and committee) chairs and archived as part of the corporate record. Nasdaq's playbook for creating an effective board agenda includes the following essential elements.

1. Executive sessions. Nasdaq board members have a standing invitation to hold executive sessions before and/or after the general board meeting. These brief sessions (typically 30 minutes or less) are attended by independent directors only, without the CEO or a corporate governance officer in attendance.

Executive sessions provide an opportunity for board members to discuss internal issues that may have cropped up since the previous meeting, or recent developments impacting corporations on a national or global level. If the consensus is that certain areas of concern or particular interest merit deeper discussion, the directors then share those with the CEO during the chairman session or general session.

2. Chairman sessions. These sessions may be longer than executive sessions, lasting up to 60 minutes. Chairman sessions at Nasdaq are attended by all directors (including the CEO) and by the Corporate Secretary.

During the chairman session, each committee chair reports on matters discussed and issues of importance to the committee. The CEO highlights key areas of focus for the board meeting, and then asks directors to candidly share any current concerns. The CEO is debriefed on topics of interest raised during the executive session so he or she can offer perspective on which items are relevant to the company and should be added to the general session agenda. Committee meeting reports, which are highly confidential, are an important component of the chairman session.

3. Regular session. This general board session includes the participants of the chairman session, as well as any executive staff or department heads called upon to provide reports and/or updates. The board reviews the corporate strategy, receives updates on strategic initiatives, reviews quarterly or annual financials, and discusses new and emerging issues.

The goal of optimizing the board meeting agenda is to ensure directors receive all pertinent information required to carry out their fiduciary duties, that they have a voice in the decision-making process, and they make the highest and best use of meeting time. The order and length of each session within a board meeting agenda will differ from company to company and even meeting to meeting, depending upon the scheduling needs of the board and topics to discuss.

4. Extended agenda. An "extended agenda" is a highly effective tool that keeps board discussions focused and ensures directors are fully engaged.

The extended agenda is the basic meeting agenda with a script and attendance list embedded into it. This tool is used by the chair as he or she presides over meetings. The script outlines what should take place, the order of meeting sessions, and who should be there. It references specific page numbers of board materials and slide decks, and includes the standard template language required to process through the meeting agenda, including opening remarks, motions, action items, invitations for additional questions, and dismissal of staff between committee reports. The extended agenda is finalized during meeting prep sessions with the board chairman, the CEO, and each committee chairman.

The extended agenda facilitates better board meetings by allowing meeting chairs to participate in discussions without the distraction of keeping Robert's Rules of Order top of mind. Nasdaq's extended agenda is a tool our board chairs find so useful that they often carry it over to other corporate boards on which they serve. It has a tangible benefit for the chief governance officer as well, serving as a robust outline for drafting the board meeting minutes.

For more insights from Joan Conley, read:

Seven Tactics to Engineer Better Boardroom Dynamics

Onboarding New Directors: Beyond the Board Manual

Joan Conley is Senior Vice President and Corporate Secretary of Nasdaq and its global subsidiary organizations and, in that role, is responsible for the Nasdaq Corporate Governance Program and Nasdaq Ethics Program. She also serves as Managing Director of the Nasdaq Educational Foundation and is a Director of the Nasdaq Entrepreneurial Center Board.

Publication Date: 8/13/2018; Identification Number: 1629

Invitation to Participate in ISS' Annual Policy Development Process
Identification Number 1628
Publication Date: August 6, 2018

Institutional Shareholder Services Inc. (ISS) has launched its two-part Annual Policy Survey, which will look at potential changes to ISS's proxy voting policies for 2019. Part one will cover topics including auditors and audit committees, director accountability, board gender diversity and the "one-share, one-vote" principle. This part of the survey will close on August 24, 2018. The second part of the survey is the ISS Policy Application Survey, a more expansive and detailed set of questions, broken down by region, which will remain open for responses until September 21, 2018. Institutional investors, companies, corporate directors and other market constituents are all invited to respond.

Take the ISS Governance Principles Survey

Publication Date: 8/6/2018; Identification Number: 1628

Get a Handle on Critical Audit Matters
Identification Number 1627
Publication Date: July 30, 2018

Cindy Fornelli is the Executive Director of the Center for Audit Quality.

Last year, following approval by the Securities and Exchange Commission, the Public Company Accounting Oversight Board (PCAOB) adopted a new auditing standard that significantly changes the auditor's report—with equally significant implications for investors, audit committees and others. The new standard is now moving through an implementation period.

The identification and communication of critical audit matters (CAMs) is the most significant change required by the new standard. If you feel like you don't fully have a handle on CAMs yet, you're not alone. Here are some FAQs to help.

What is a CAM?

The CAMs requirement adopted by the PCAOB is intended to make the auditor's report more informative and relevant to investors and other users of financial statements. According to the new standard, a CAM is "any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee" and that:

  • relates to accounts or disclosures that are material to the financial statements; and
  • involved especially challenging, subjective, or complex auditor judgment.

How will auditors determine whether a matter is a CAM?

The determination of whether a matter is a CAM is principles based, and the new standard does not specify that any matter would always be a CAM. The new standard specifies that an auditor, in determining whether a matter involved especially challenging, subjective, or complex auditor judgment, should take into account, alone or in combination, certain nonexclusive factors (as specified in the new standard), such as the auditor's assessment of the risks of material misstatement, including significant risks.

What impact will CAMs have on the communication between the auditor and audit committee?

The source of CAMs is the set of matters communicated or required to be communicated to the audit committee. PCAOB auditing standards already require a wide range of topics to be discussed and communicated with the audit committee, which means it is likely that most, if not all, of the matters that will be CAMs are already being discussed with the audit committee. However, not every topic that is discussed with the audit committee will rise to the level of a CAM. The PCAOB Board believes there should not be a chilling effect or reduced communication with the audit committee, because the requirements for such communications are not changing.

Could a significant deficiency in internal control be a CAM?

The determination that there is a significant deficiency in internal control over financial reporting cannot be a CAM because such determination in and of itself is not related to an account or disclosure. However, a significant deficiency could be among the principal considerations that led the auditor to determine a matter is a CAM. For example, if a significant deficiency was among the principal considerations in determining that revenue recognition was a CAM, then the auditor could describe the relevant control-related issues over revenue recognition in the broader context of the CAM without using the term "significant deficiency."

Will CAMs only relate to the current audit period?

The PCAOB requires the communication of CAMs identified in the current audit period. While most companies' financial statements are presented on a comparative basis, requiring auditors to communicate CAMs for the current period, rather than for all periods presented, will provide relevant information about the most recent audit and is intended to reflect a cost-sensitive approach to auditor reporting. In addition, investors and other financial statement users will be able to look at prior years' filings to analyze CAMs over time; however, the standard permits the auditor to choose to include CAMs for prior periods.

Will the auditor be the original source of information about the company in the auditor's CAM communication?

The new standard includes a note explaining that the auditor is not expected to provide information about the company that has not been made publicly available by the company, unless such information is necessary to describe the principal considerations that led the auditor to determine that a matter is a CAM or how the matter was addressed in the audit. The SEC has stated that they believe that situations where auditors would be required to provide information about the company that management has not already made public would be exceptions, arising only in limited circumstances, and not a pervasive occurrence.

What impact are CAMs expected to have on financial reporting?

Increased attention on CAMs could result in an incremental focus on aspects of management's related disclosures. This could result in discussion between and among management, the audit committee, and the auditor on how CAMs are described, and that may have an impact on management's consideration of the information to disclose in the financial statements related to that particular matter. Early dialogue among auditors, management, and the audit committee will be important.

These questions and much more are covered in a new publication from the Center for Audit Quality (CAQ), Critical Audit Matters: Key Concepts and FAQs for Audit Committees, Investors, and Other Users of Financial Statements. I invite you to read that report and to find more resources on auditor reporting at the CAQ website.

A securities lawyer, Cindy Fornelli has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.

The views and opinions expressed herein are the views and opinions of the author at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.

Publication Date: 7/30/2018; Identification Number: 1627

2018 Investor Corporate Governance Report
Identification Number 1626
Publication Date: July 26, 2018

The CMi2i 2018 Annual Investor Corporate Governance Report surveyed institutional shareholders representing $8 trillion of Assets under Management to find out which Environmental, Social and Governance ("ESG") areas they believe will be key issues in 2018, and the impact of this on shareholder behavior. Respondents were comprised of individuals responsible for corporate governance, responsible investment and proxy voting from U.S. and European institutions. The report highlights the desire for increased transparency from shareholders and other stakeholders on how companies are approaching, assessing and managing their ESG risk and opportunities.

Read the 2018 CMi2i Report

Publication Date: 7/26/2018; Identification Number: 1626

It's Never Been a Better Time to Open Up the Boardroom: Here's Why
Identification Number 1625
Publication Date: July 24, 2018

Coco Brown is founder and CEO of The Athena Alliance, a non-profit organization dedicated to building the modern boardroom and advancing women in the top ranks of leadership. Alison Davis is co-founder of Fifth Era and an Investor, Board Director and Author.

Time to Open Up The Boardroom

Companies today are surrounded by an unprecedented level of transformation. They're operating in the age of disruptive innovation that we call the Fifth Era - Cloud Computing, IoT, Artificial Intelligence, Robotics, Genetic Editing, Blockchain and much more. Furthermore, they're doing it all in a connected digital global marketplace, where customers expect more, share more and talk more—where public opinion spreads like wildfire. This is the hard reality of doing business in the twenty-first century: it's fast-moving, inherently high-tech, and operates in an unforgiving, digital world.

To overcome these modern challenges, businesses must rely on their boards, the highest level of leadership within an organization, to help the CEO steward long-term competitive advantage and relevance. However, despite these technological advances and radically new ways of doing business, most boards today look like they did decades ago: populated mostly by CEOs and CFOs who are near or past retirement.

As a result, much of the board agenda today is focused on topics that were the same focus of the last few decades - operations, compliance, and risk management as well as too often narrowly defined economic value creation goals established within the context of yesterday's products and businesses - rather than the topics that will drive tomorrow's success. Many boards spend little of their time focused on new and emerging external competitive threats, longer term strategy and building innovation capabilities to succeed in this new era. Irrespective of gender, these backgrounds and areas of focus are too narrow to address the key challenges and opportunities that can quickly undermine or boost a business, including innovation and strategy as it relates to technology, employees, customers and community.

It's time to re-think and open up the boardroom. That means widening the aperture to include career experiences beyond CEO and CFO, and widening the age range to incorporate greater exposure to modern business models and innovation. A board with diverse capabilities and more relevant committees is essential to the strategy and innovation discussions that must be had around the board table in the twenty-first century.

Diverse boards are good for business.

By now we know that diverse boards are a competitive advantage. Harnessing the capabilities, experience and perspectives from across a broad range of leaders solidifies a company's place in the world. Yet, many conversations about boardroom diversity tend to overly focus on women, fixating on a supposed pipeline challenge. The hypothesis is simple: there just aren't enough women CEOs and women financial experts out there to fill board seats.

If the board is to be focused on today's operations, financials, compliance and risks, then perhaps these narrower criteria for participation at the board level might be appropriate. Appointing people who have proven themselves is the board model of the past. But we are not just talking about making smart decisions about today's business models, products and services. Companies must also consider this rapidly changing world of new innovations and possibilities and the new and emerging needs and expectations of the customer, the community, and the environment.

Companies need to define their purpose for existing in the first place, and how they offer meaning to human lives—beyond making a profit. They need a diverse board to achieve this broader view.

In his annual letter to CEOs, Larry Fink, chairman and CEO of BlackRock, called on leaders to define their purpose, and to engage their boards in doing so. He stated: "We also will continue to emphasize the importance of a diverse board. Boards with a diverse mix of genders, ethnicities, career experiences, and ways of thinking have, as a result, a more diverse and aware mindset. They are less likely to succumb to groupthink or miss new threats to a company's business model. And they are better able to identify opportunities that promote long-term growth."

CEOs don't last. Boards do.

While the median tenure for a CEO is just five years, board tenures can far exceed that. Board directors may serve for five years, or as long as 10 or 20 years. Indeed, a company's board leadership is more likely to withstand the highs and lows of a company's trajectory, while CEOs will come and go at a much more rapid pace.

At the same time, boards often state that their "responsibility is to the shareholder," yet boards often support CEOs focused on driving or maximizing short term returns, often to a degree that is unsustainable and can hurt the business longer term. Because many shareholders come and go at a rapid pace (a shareholder holds a stock for an average of just four months in the U.S.), the conversation with the long-term shareholder becomes lost. These shareholders, for example pension funds investing for their ultimate clients' retirement accounts, or parents investing for children's college education, are seeking solid long-term returns. They don't want returns that come with a heavy social and societal cost that will hurt them and future generations. Such shareholders are relying on the board of directors, even more than the CEO, to oversee the long term success and sustainability of the returns.

And so, boards, not just CEOs, must be thinking about a company's future and purpose and meaning for the community.

It's time to widen the aperture.

What if companies today approached board diversity with the aim of crafting a board that is capable of confronting complex threats and embracing (and creating) new and innovative opportunities? Getting more women into board seats is a start. But boards should also evaluate younger board candidates. By looking to roles beyond the CEO and CFO, boards will ensure they are thinking about capabilities and skill sets, not just titles. This may include adding board directors with experience in such areas as talent management, culture transformation, customer experience, digital marketing and more.

When one does open the aperture to these other roles, the gender diversity issue we are trying so hard to address becomes less challenging: women hold 55% of chief human resource officer roles, 35% of chief customer officer roles, and 32% of chief marketing officer roles. Even in the technology realm, women are better represented than they are in CEO or CFO roles (19% of CIOs are women, versus 6% of CEOs and 11% of CFOs).

Finally, consider this: many of the most valuable companies in the world didn't exist 20 years ago. And some businesses that have managed to survive are under scrutiny for reasons one would not have expected ten or 20 years ago. They struggle with issues related to employees, customers, culture, and ethics, issues not focused on nearly enough in today's boardrooms. If these companies want to be around in another 20 years, they must re-evaluate their board competencies and committees.

It's never been a better time to open up the boardroom.

Coco Brown is the founder and CEO of The Athena Alliance. She leads a network of more than 1500 C-level women, VCs, and CEOs from over 200 companies including Microsoft, Autodesk, Intuit, OpenView Venture Partners, Accenture, Deloitte, and PwC. In just two years, Athena has secured almost 200 board interviews for women, with over fifty boards working with Athena today. Coco has extensive experience serving as an advisor to C-suite executives and their teams, guiding strategy and execution. Prior to The Athena Alliance, Coco served as President, COO and Board Director of Taos, a prominent IT services business serving hundreds of F1000 companies such as Apple, Cisco, eBay, Facebook, and Silicon Valley Bank.

Alison Davis is co-founder of Fifth Era. She is an experienced corporate executive, public company board director, an active investor in growth companies and a best-selling author (her most recent book, "Corporate Innovation in the Fifth Era," profiles the innovation approaches of Alphabet/Google, Apple, Facebook and Microsoft). She was CFO and Head of Strategy at BGI (BlackRock), Managing Partner at Belvedere Capital, and a strategy consultant at McKinsey and A.T. Kearney. Alison has degrees from Cambridge (MA/BA) and Stanford (MBA). She was born in Sheffield, UK and now lives in the San Francisco Bay Area with her husband, Matthew C. Le Merle, and their five children.

The views and opinions expressed herein are the views and opinions of the author at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.

Publication Date: 7/24/2018; Identification Number: 1625

House Passes Bipartisan "JOBS & Investor Confidence Act"
Identification Number 1624
Publication Date: July 19, 2018

In a near unanimous vote of 406-4, the House passed the bipartisan "JOBS and Investor Confidence Act of 2018," aimed at helping small businesses, entrepreneurs and investors by reforming our capital markets. The critical legislation includes provisions to: make it easier for companies to go public by extending on-ramp exemptions for emerging growth companies to give them more time to financially sustain costs and requirements associated with full compliance; ease regulations on Initial Public Offerings to increase opportunities for everyday investors; and expand the definition of "accredited investors" to make it easier for startup companies and small businesses to attract investments.

Publication Date: 7/19/2018; Identification Number: 1624

SEC Rule Changes
Identification Number 1623
Publication Date: July 16, 2018

The Securities and Exchange Commission approved several rule changes that reflect progress towards the Commission's priorities. Most significantly, the Commission voted to adopt amendments to the "smaller reporting company" (SRC) definition to expand the number of companies that qualify for certain existing scaled disclosure accommodations. A company now qualifies if its public float is less than $250 million, which represents a $175 million increase over the prior $75 million threshold. SEC Chairman, Jay Clayton, stated: "These amendments to the existing SRC compliance structure bring that structure more in line with the size and scope of smaller companies while maintaining our long-standing approach to investor protection in our public capital markets." The Commission also approved a requirement to use the Inline XBRL format in certain filings.

Publication Date: 7/16/2018; Identification Number: 1623

Meet the Architects of Nasdaq's Next Generation of Regulation
Identification Number 1622
Publication Date: July 16, 2018

Nasdaq is looking forward to the next generation of regulatory technologies and processes that will enhance the integrity and transparency of the markets of the future. In order to ensure it fully leverages its regulatory expertise, Nasdaq is reorganizing its various compliance functions under one umbrella: Nasdaq Regulation.

We recently spoke with Nasdaq Senior Vice President, John Zecca, who is leading this initiative, to find out how this new framework will benefit investors and listed companies.

Q: Why is Nasdaq consolidating its regulatory functions under one umbrella?

A: Regulation has been an integral part of Nasdaq since we introduced electronic trading to the capital markets in 1971. Companies list with us, and investors have confidence in us, because they trust the integrity of our markets. Integrity and transparency in capital markets foster confidence with investors and issuers, deter bad actors and accelerate growth.

This reorganization will elevate our regulatory group to make it easier for Nasdaq's listed companies and investors to reach out with questions, concerns, or tips. We are making it clear to bad actors that our first priority is ensuring the integrity of our markets for issuers and investors—that we are watching and prepared to take action if necessary.

Innovation is also core to Nasdaq's brand, and we are positioning Nasdaq's regulatory team to become the architects of the next generation of regulation. The capital markets are evolving every day: new listing products are in development and technology is transforming transaction and surveillance models. By creating a more cohesive regulatory team structure, we can leverage all of our expertise to better focus on regulatory strategic planning.

Q: How is Nasdaq's regulatory function going to evolve with this reorganization?

A: We made the conscious decision years ago to separate Nasdaq's regulatory programs from its business operations to minimize the potential for conflicts of interest—both real and perceived. That separation will continue going forward.

Nasdaq currently operates seven self-regulatory organizations (SROs) in the United States and we believe there is much to be gained from a more holistic approach to regulation. By virtue of this new framework, our team will have additional opportunities to work more closely together - to share ideas, concerns, and insights - and to ensure that there is no knowledge gap across our markets.

In keeping with Nasdaq's identity as a technology innovator, our regulatory technologists will continue to be critical to the integrity and smooth functioning of our markets. As markets become more automated, technologists become as integral to regulation as lawyers, economists, and accountants. Nasdaq recognized this early on. In fact, Nasdaq was the first market to implement an ongoing internal regulatory testing program to ensure our trading platforms were in compliance with new rules and regulations.

Q: How is the newly-reorganized Nasdaq Regulation team going to benefit investors and companies trading on Nasdaq exchanges?

A: By working more closely together, we will give our SRO regulatory teams more exposure to, and a better understanding of, all facets of Nasdaq's regulatory program. In bringing our regulatory teams and functional areas together, our regulatory team becomes more efficient and more collaborative, and they can focus on regulatory concerns for the future, while staying ahead of the game on technology. We will become smarter and better-informed regulators.

We are also bringing greater visibility of our regulatory group to the public, to act as a deterrent to bad actors. It will be easier for companies and investors to contact the right people with concerns or tips. In fact, anyone with tips or concerns about conduct occurring on our markets should call our new Investigations and Enforcement Hotline at +1 301 978 8310 or email our Investigations and Enforcement Team at

Q: How else will this reorganization benefit regulation?

A: By giving our regulatory team broader exposure, I want to enable us to think more strategically and focus on new and emerging risks. As the markets are evolving, as new listing products are developed, we've got to change with the times. I want the team to think about what surveillance will be like 10 years down the line: How will automation impact our markets? What do the markets of the future look like? By creating cross-functional teams, we can better leverage the vast resources and broad scope of talent within Nasdaq's regulatory arm.

John Zecca is Senior Vice President, General Counsel North America, and Head of Nasdaq Regulation for U.S. Markets. Mr. Zecca previously served as Nasdaq's senior corporate counsel and was responsible for public company compliance and mergers and acquisitions. He is a frequent speaker on market regulation and corporate governance. Prior to joining Nasdaq, Mr. Zecca served as legal counsel to an SEC Commissioner and in the SEC's Office of General Counsel.

Publication Date: 7/13/2018; Identification Number: 1622

Society for Corporate Governance Complimentary Directors' Cut Newsletter
Identification Number 1621
Publication Date: July 11, 2018

The Society for Corporate Governance is now offering complimentary access to its Society Alert - Directors' Cut® newsletter. This quarterly online newsletter is a compilation of governance-related news from the preceding quarter's weekly Society Alerts, with a view toward a director and C-suite audience. Each issue covers a range of relevant developments and guidance in areas such as audit/financial reporting, board composition/refreshment, board and key committee oversight, and shareholder engagement/activism - as well as institutional investor developments & perspectives.

Read the Society Alert - Directors' Cut for 2018 Q2

Subscribe to the newsletter
Publication Date*: 7/11/2018   Identification Number: 1621
Frequently Asked Questions
  10 Ways to Secure the Forgotten Endpoints—Mobile Devices
Identification Number 1620
Publication Date: July 10, 2018

Vijaya Kaza is Chief Development Officer at Lookout, Inc., a mobile security company included in the 2017 Forbes Cloud 100, which recognizes the best private companies in cloud computing.

Did you remember to include mobile device security in your budget? If your company is like the majority of organizations in the world, your security budget prioritizes securing the company's network, data centers, email and endpoint devices such as laptops and desktops. Too often, cyber security plans overlook a significant risk arising from the organization's newest attack surface: mobile phones and tablets.

Mobile devices are rapidly becoming primary enterprise computing devices for employees. In fact, more than half of internet traffic originates on mobile devices. Users likely have access to important corporate data and other cyber crown jewels through their mobile devices. On top of that, when the user's two-factor authentication token lives on the same device, that device becomes the key to unlocking corporate and other critical data, including bank accounts, credit cards and medical records.

It would be unfathomable to leave corporate laptops and desktops without antivirus software and other endpoint protection mechanisms, yet that is exactly what the majority of organizations are doing with mobile devices. By largely ignoring the risks these devices pose, companies are leaving themselves (and in turn, often their customers) unprotected. According to a survey conducted by Gartner, only 3% of enterprises have anti-malware protection on Android devices and only 1% on iOS devices.

When developing a cyber security strategy that includes smartphones and tablets, keep in mind that mobile devices are configured and used differently from traditional endpoints, and therefore should be secured differently. For example:

  • Mobile devices are widely used by employees outside of the corporate perimeter. This makes traditional perimeter security mechanisms like IPS, firewalls and email security solutions ineffective at protecting these devices.
  • Mobile devices are often owned by the users. They are unmanaged in most cases, with users choosing which applications to run on them. This is in contrast to corporate-issued and controlled laptops, which are often managed tightly.
  • Mobile devices are always on and always connected. This makes them more exposed and more susceptible to attacks.
  • Mobile devices have limited battery and CPU. The security solutions that an organization uses to protect laptops and other traditional endpoints are not applicable to these devices.
Mobile devices can be targeted from many different angles:
  • Mobile devices can be jailbroken or rooted. Bad actors can take control of unprotected mobile devices and circumvent the security measures put in place by the OS vendors.
  • Vulnerabilities in the OS can be exploited. Discovering and patching such vulnerabilities is just as important—if not more important—on mobile devices as on other traditional endpoints.
  • Many different types of malware specifically target mobile devices. Malware is downloaded to these devices through seemingly innocuous and legitimate apps that users willingly install for various purposes. Mobile malware is expected to comprise one-third of total malware by 2019.
  • Even legitimate, non-malicious apps may be collecting too much personal information. Music streaming apps, games, work organizers and social media platforms often access sensitive resources on a user's phone that they have no need for, including the device's camera, calendar and contacts.
  • Mobile devices connect to multiple public networks. As employees leave the corporate network and connect to various public Wi-Fi networks, their mobile devices are susceptible to man-in-the-middle attacks from rogue Wi-Fi access points.
  • Phishing is rapidly becoming a prevalent problem for mobile devices. Sophisticated and intelligently crafted phishing messages arrive through various mobile apps like SMS and social messaging, enticing users to click on the malicious links embedded in them. Users cannot always hover over links or check the validity of certificates on mobile devices, making it almost impossible to determine whether a link is malicious. This makes phishing a bigger challenge on mobile devices than on other traditional endpoints.
These security risks have made mobile devices a prime attack surface for hackers seeking to reach the data and networks of enterprise systems. Many enterprises are not well prepared to deal with these challenges, because most do not invest in adequate measures to protect their systems on the mobile front. If your organization allows access to important corporate data from mobile devices, then these endpoints cannot be ignored in your cyber security plan.

10 Ways to Secure Mobile Endpoints
Once your organization determines the extent of its vulnerability to the security risks discussed above, the following measures can be taken to mitigate mobile threats and secure mobile endpoints:

  1. Define the mobile deployment model of your organization. Do you issue corporate-owned devices to employees, or do you allow employees to bring their own devices (BYOD model)?
  2. Assess the threat profile and posture of your mobile fleet. How many Android/iOS devices are in your fleet? What OS versions are running on the devices, and what vulnerabilities are present in them?
  3. Develop a security strategy for mobile endpoints. Base the strategy on the deployment model, the threat profile and the risk assessment.
  4. Make mobile endpoint security a priority in the cyber security budget. Many cyber security officers feel their budgets aren't adequate. In EY's 2017-2018 Global Information Security Survey of enterprise CIOs and CISOs, 87% reported that they need up to a 50% increase in their budgets, but only 12% expected to receive more than a 25% increase.
  5. Invest in mobile threat defense solutions. The feature capabilities and maturity of these products vary between vendors. Look for products that address each of the attack vectors discussed above, including device, OS, network, application and phishing protection.
  6. Look beyond solutions that offer phishing protection only for corporate email. Email security solutions filter out potential phishing emails and malicious URLs before they reach the corporate email server, but they do not protect against malicious links that arrive through other mobile apps like SMS and social messaging.
  7. Put a strong security and compliance policy in place. A good mobile threat defense solution will identify vulnerabilities present in the current OS and send an alert if the OS is out of date or if the device is out of compliance. Incentivize users to upgrade their OS to the latest version and address any compliance violations quickly. For example, block access to corporate data from any mobile device that hasn't been updated to the most recent OS version or isn't compliant.
  8. Stay current on mobile cyber security risks and solutions. CISOs and Security Steering Committees should review policies and compliance posture on a regular basis to ensure the organization stays ahead of mobile security threats.
  9. Train employees to defend their mobile devices from bad actors. Conduct mock phishing campaigns and training programs to educate employees about phishing on mobile devices.
  10. Partner with a mobile cyber security expert. Choose a vendor to help your organization stay on top of emerging trends and newly discovered threats, and to continue evolving your security strategy.


Vijaya Kaza is the Chief Development Officer at Lookout, Inc. Ms. Kaza previously served as Senior Vice President of Cloud Engineering at FireEye, Inc. (Nasdaq: FEYE), and prior to that worked for 17 years in multiple executive and leadership roles at Cisco (Nasdaq: CSCO).

The views and opinions expressed herein are the views and opinions of the contributor at the time of publication and may not be updated. They do not necessarily reflect those of Nasdaq, Inc. The content does not attempt to examine all the facts and circumstances which may be relevant to any particular company, industry or security mentioned herein and nothing contained herein should be construed as legal or investment advice.

Publication Date*: 7/10/2018   Identification Number: 1620

*The Publication Date reflects the date of first inclusion in the Reference Library, which was launched on July 31, 2012, or a subsequent update to the material. Material may have been previously available on a different Nasdaq web site.