Security for Board Directors and Non-Executive Directors

Board members and NEDs face security risks that differ from executive protection. A senior security consultant examines the specific threat profile and protective measures for board-level principals.

Executive Protection 1 May 2026

Written by James Whitfield

Non-executive directors occupy an unusual position in the security landscape. They carry the public responsibilities of board membership – their names appear in company filings, they are accountable to shareholders and regulators, and they may attract the same attention as executive directors when a company comes under scrutiny. But they often do so without the security infrastructure that large organisations maintain for their senior executives.

This article examines the specific security risk profile for board members and NEDs, and what proportionate protective measures look like.

The NED Threat Profile

Board membership creates a particular category of personal risk, distinct from the threat profile of most senior executives.

Public identification. Every director of a UK-registered company is listed at Companies House. Every director of a US-listed company is named in SEC filings and proxy statements. This is a legal requirement of corporate governance. The practical security implication is that any individual or group that is hostile to a company – activist investors, NGO campaigns, protest organisations, former employees pursuing grievances – can identify every board member by name and, unless suppressed, their registered address.

Association risk. A NED who joins a board inherits the controversy associated with that company. A director who sits on the board of a pharmaceutical company, a mining group, an arms manufacturer, or a financial services firm accused of mis-selling may attract personal targeting from campaigns that predate their appointment. The connection between a NED’s personal threat profile and the company’s public controversy can be substantial, even where the individual director had no involvement in the decisions that generated the controversy.

Information access without information security. NEDs receive the same board packs as executive directors: financially sensitive information, M&A plans, regulatory exposure assessments, personnel matters. They often access this information on personal devices, in personal workspaces, and without the information security infrastructure that the company provides for employees. This creates both a legal exposure (board papers typically contain inside information for market abuse purposes) and a security exposure.

Travel without corporate security support. Executive directors in large organisations who travel to high-risk locations typically do so with corporate security support: pre-travel briefings, vetted ground transport, emergency contact arrangements. NEDs attending the same board meetings in the same locations may be travelling independently without any equivalent support.

Companies House and the Residential Address Issue

The single most common security failure for UK board members is the exposure of their residential address in public company filings. Under the Companies Act 2006, directors are required to provide an address for service. Many directors register their home address, which then appears on every company filing and is freely accessible to anyone who searches the registry.

The Companies Act 2006 provides a mechanism for suppression: under sections 156 and 156A, directors can apply to Companies House to suppress their residential address from the public register. This requires providing a service address (a solicitor, accountant, registered agent, or company registered office) for public filings.

For NEDs who are already on the public register with a home address, a retrospective application to suppress is available. This does not erase historical filings that may have already been archived or scraped by third parties, but it stops new public exposure.

This is a basic protective measure that costs almost nothing and is frequently not taken.

Digital Exposure and OSINT Profile

Board members typically have a higher public profile than most individuals, which means their OSINT profile – the information available about them from open sources – is correspondingly detailed. A determined researcher can compile: their directorships (Companies House), their company shareholding (regulatory filings), their property ownership (Land Registry), their earlier career (LinkedIn, alumni databases), their family connections (social media, school records where public), and their public statements (press reports, conference records).

This compiled profile can be used for:

Reputational attack. Short sellers and hostile media have refined the use of director OSINT profiles to build personal attack campaigns designed to undermine confidence in a company or individual.

Physical targeting. The same profile that supports a reputational campaign can support a physical targeting operation – informing a surveillance approach, identifying residential addresses, mapping routine movements.

Social engineering. A detailed personal profile supports social engineering attacks: impersonation of the director (CEO fraud), targeted phishing that references genuine personal details to achieve credibility, or approaches to close contacts of the director.

For a detailed framework on OSINT exposure and mitigation, see our OSINT and personal security guide for executives.

Information Security for Board Members

Board papers contain among the most legally sensitive information that a company generates. The information security measures appropriate to that sensitivity are rarely applied consistently by NEDs.

Device security. Personal devices used to access board portals should be encrypted, have current operating systems and security patches, and use strong authentication (biometric or 16-character minimum passphrase). Board matters should not be accessed on shared or public devices.

Board portals versus email. Board papers distributed by email are as vulnerable as any other email. The major corporate governance platforms – Diligent, BoardVantage, Nasdaq Boardvantage – provide encrypted, access-controlled alternatives. If a company still distributes board papers by email, the NED should raise this as a governance risk with the company secretary.

Physical documents. Printed board papers are a persistent physical security risk. They should be destroyed after use (crosscut shredding) rather than disposed of in general waste.

Travel and device use. For NEDs travelling to jurisdictions with elevated state espionage risk (China, Russia, and others), the clean device protocol that applies to executive directors applies equally: access board materials only on a device that will not cross the border, and assume that any device that enters the jurisdiction may be forensically inspected. For the full international travel device security framework, see our executive digital security guide.

Travel Risk for NEDs

The most common unmanaged security risk for NEDs is international travel to board meetings without security support.

A NED attending a board meeting in Lagos, Karachi, or Manila may be:

  • Arriving at an unfamiliar airport without vetted ground transport
  • Staying in a hotel without understanding the security implications of room selection
  • Moving between locations without any counter-surveillance awareness
  • Having no emergency contact or response plan in the event of an incident

The corporate security programme that covers the CEO and executive directors at the same meeting may or may not cover the NEDs. This is a question that should be asked explicitly – before travel, not after an incident.

Where corporate security support is not available, NEDs should either request it or arrange it. For NEDs who travel regularly to high-risk locations, a personal security briefing tailored to each destination – from a specialist provider or from resources such as OSAC and FCDO travel advisories – is a minimum precaution.

Summary

Board members and NEDs hold public-facing roles with significant information access and reputational exposure. The security measures proportionate to this profile – residential address suppression, OSINT footprint management, device security for board information, and travel security support for high-risk locations – are not complex or disproportionate. They are basic risk management for individuals whose position creates a specific and identifiable threat profile.

Source: Companies Act 2006 (UK), sections 156 and 156A. Companies House: Director Address Suppression Guidance 2024. UK Governance Code 2024 (Financial Reporting Council). UK GDPR and Data Protection Act 2018. OSAC Global Security Report 2024. Control Risks RiskMap 2025. NCSC: Cyber Security for Board Members 2024. ICSA – The Governance Institute: Board Security Guidance 2024.


James Whitfield is a Senior Security Consultant with 20 years of experience in executive protection, corporate security, and board-level security programmes across the UK and internationally.

Key takeaways

1. NEDs face security risk without the corporate security infrastructure executives have

Executive directors in large organisations typically benefit from a corporate security function. Non-executive directors are often independent contractors who may not be covered by corporate security programmes and who have no security infrastructure of their own.

2. Controversial corporate positions create targeted personal risk

Board membership in organisations associated with controversy – environmental impact, regulatory investigation, corporate governance failure, activist campaigns – creates targeted threat to individual directors. The reputational and physical risk can attach to a NED who had little involvement in the decisions that generated the controversy.

3. Board-level information exposure creates both security and legal risk

Board members receive highly sensitive information: M&A plans, financial forecasts, regulatory exposure, personnel matters. The security of that information – on devices, in communications, and in printed board papers – is both a legal obligation and a security requirement.

4. Travel without corporate security support is the primary physical vulnerability

An executive director who travels on the corporate security programme is protected. A NED who travels independently to attend a board meeting in a high-risk city has no equivalent support. The risk is the same; the coverage is not.

5. Digital targeting of board members is increasing

Activist investors, short sellers, and hostile media increasingly use OSINT and digital investigation to build profiles of individual board members. The information compiled is used for reputational attack campaigns, which can have physical security implications when they generate hostile public attention.

Frequently Asked Questions

Non-executive directors face three primary security risk categories: First, targeted risk arising from board membership in organisations associated with controversy – environmental, social, governance, or regulatory issues. NEDs are publicly named in company filings and Companies Act disclosures, creating identifiable targets for activist campaigns, hostile shareholders, or protest groups. Second, information security risk: board members receive board packs containing highly sensitive corporate information, typically by email or on a board portal. The security of that information is a legal obligation (UK GDPR, Companies Act 2006) and a security requirement. Third, travel risk: NEDs attending board meetings in high-risk locations are often travelling without corporate security support, which may be available to executive directors but not to NEDs who are independent contractors.

This varies significantly by company. Most large FTSE 100 companies with formal corporate security functions extend some coverage to board members, particularly for travel in high-risk jurisdictions. However, non-executive directors are typically independent contractors, not employees, which means the company’s duty of care obligations under UK employment law may not apply in the same way. NEDs should explicitly ask the company secretary or risk function what security coverage is available to them and, if none is provided for specific high-risk activities (international travel to elevated-risk locations, attendance at contentious public events), they should either negotiate coverage or arrange it independently.

Board papers typically contain price-sensitive information, M&A plans, and strategic matters that are legally protected and commercially sensitive. Security measures should include: using a company-provided board portal (Diligent, BoardVantage, or equivalent) rather than email for board paper distribution; ensuring personal devices used to access board portals are encrypted and have current software; avoiding printing and retaining physical board papers beyond meetings; using VPN and avoiding public Wi-Fi when accessing board materials; and treating verbal discussion of board matters in public spaces (trains, restaurants, public transport) as a security risk. For NEDs who sit on the boards of multiple organisations, the risk of inadvertent information bleed between roles is an additional governance and security concern.

Activist campaigns directed at corporate boards have increasingly targeted individual directors rather than the organisation as a whole. Tactics include: publishing individual directors’ home addresses sourced from Companies House or Land Registry; organising protests at directors’ residential addresses; social media campaigns that generate hostile public attention; and, in some cases, direct harassment. In the UK, sections 156 and 156A of the Companies Act 2006 allow directors to suppress residential addresses from the public register. Individual company filings identify directors by name and registered address – directors should use a service address (solicitor, accountant, or registered agent) rather than their residential address for all public filings. For directors facing active campaigns, specialist protective measures – residential security survey, removal from people-finder databases, communication monitoring – may be appropriate.

First, raise the concern formally with the company secretary or the board’s lead independent director. The organisation has governance responsibilities that extend to board member safety and should be the first resource. Second, review what information is publicly available about you as a director – Companies House filings, Land Registry ownership records, social media, alumni databases – and take steps to suppress or remove unnecessary personal information. Third, if the concern involves a credible and specific threat (targeted activist campaign, specific threatening communication, overseas travel to a high-risk location without security support), engage a specialist security consultant for a personal threat assessment. Fourth, ensure your personal insurance arrangements cover any security-related expenses that the company does not – some professional indemnity and directors’ and officers’ (D&O) insurance policies include personal protection provisions.