DeepSec2021 Talk: On Breaking Virtual Shareholder Meetings: How Secure is Corporate Germany? – Andreas Mayer

Sanna/ October 29, 2021/ Conference

The Covid-19 pandemic has had a major impact on annual general meetings (AGMs) of shareholders worldwide. Due to existing gathering restrictions the vast majority of AGMs shifted from physical to online voting events. Therefore, purely virtual AGMs emerged to the new normal where shareholders approve critical company decisions. But how secure are those virtual events really?

In this talk, I will present a systematic large-scale study on the security of 623 virtual AGMs held by German companies in 2020 including corporations listed in stock indices such as DAX and MDAX. In 72% of all virtual AGMs analyzed, at least one of the three CIA triad security goals was compromised. Join my talk and I will take you on an enthralling journey through the nitty gritty details and pitfalls that lead to the severe vulnerabilities found in real-world online voting portals. All issues were responsibly disclosed and fixed.

We asked Andreas Mayer a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. To my best knowledge, my research is the first large-scale security analysis of virtual annual general meetings (vAGMs)
  2. You get to know the critical vulnerabilities I´ve found in 6 out of 8 online voting portals that may have led to severe real-world attacks
  3. Learn how to mitigate these vulnerabilities
  4. My talk should entertain too 😊. I enriched it with personal insights and anecdotes.
  5. The findings presented, helped to increase the security of vAGMs

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

The initial spark was the Covid-19 pandemic that forced companies to shift their annual general meetings from physical to virtual voting events. Being a security researcher and a passionate stock investor, I was really curious about the security of the underlying online voting portals. So, I investigated them shortly after the first German vAGM in April 2020. Therefore, this research was my personal “pandemic project”.

Why do you think this is an important topic?

At an AGM shareholders vote on critical company issues, such as dividend payments, mergers, liquidations, and the election of the company’s board of directors. In 2020 about 78% of the German stock companies conducted a vAGM. This trend has proliferated in 2021. Given the market capitalization of German stock companies with 2.2 trillion USD in 2020 along with the importance of vAGMs as decision-making body, the security of these online voting events is system critical.

Is there something you want everybody to know – some good advice for our readers maybe?

When I started my research I thought it wouldn’t be easy to find vulnerabilities. My take-away is, it is often easier than you think or in other words, always expect the unexpected 😉

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Speaking for Germany, it seems that politics consider vAGMs as permanent alternative. Therefore, it has to be ensured that the security of these online voting events is on an adequate level. As there is never something like 100% security, I would also recommend to implement end-to-end verifiability into online voting portals. With this cryptography-based mechanism in place, shareholders can verify that their votes were cast correctly and independent auditors can verify the accuracy and integrity of the election results.


Andreas Mayer is professor for IT security at Heilbronn University of Applied Sciences with more than 15 years working experience in planing, implementing, and operating secure systems and networks in large environments. His mission is to make the world more secure by finding/fixing vulnerabilities and educating students. In his free time, he is a passionate buy and hold investor since 1998.

Share this Post