In the deluge of emails, instant messages, and texts generated by employees in your organization each day, it can be difficult to spot fraud — unless you know what to look for. Following our recent examination of email-specific terms and keywords, today we’re looking at social media and text messages.
In 2013, we published a blog post listing the ten most commonly flagged email terms that suggest corporate fraud. Though that post continues to rank among our most popular, the five years since it was written have seen dramatic changes in how people and organizations communicate. In the first part of this series, we focused on email. Today, we’re looking at text messages and social media.
Like our prior list, these red flags have been compiled from organizations currently utilizing the Smarsh Archiving Platform — but they also include terms and keywords revealed in litigation by real-world organizations afflicted by fraud. While none are iron-clad guarantees of fraud, money laundering, or insider trading, they’ve each been shown to indicate an increased likelihood of illicit activity. It would be wise to ensure that each is included in your organization’s lexicon.
New terms likely to be flagged in social media and text messages include:
- Cook me up
- Money was/is illegal
- This is non-public
- Material, non-public information
- Blame freelancers
- Expected to announce
- Do not share
- Earnings report
- Shares will be downgraded
- Is just a lie
- Need to make money
- Deserve to get paid
- Top secret
- Crisis Scenario
- STL my $ (shorthand for “settle my money”)
- Guar (shorthand for “guarantee”)
- delete text
- CN TRST U
- Compl (shorthand for “compliance”)
- Conf (shorthand for “confidential”)
- Imp ? (shorthand for “important question”)
- Don’t tell
- a crook
- Frd (shorthand for “fraud”)
Though we already mentioned it in our prior blog, we’ve also compiled a list of platform-agnostic terms and keywords that should be flagged whenever they appear in official communications:
- Sounds bad
- Confidential information
- Delete this
- Tax haven
- Off-shore account
- Pull earnings forward
- Special fees
- No inspection
- Mitigate investment risk
- Guaranteed to be profitable
- No downside risk
- Borrow money
- Loan cash
- Loan me money
As you probably guessed, this is merely the tip of the iceberg. For our most frequently updated list of terms and keywords, you’ll want to visit Smarsh Central, an intuitive, comprehensive knowledge base bolstered by the unrivaled regulatory knowledge and experience of our team of experts.
In all but the smallest organizations, manually searching for these terms would take an enormous amount of time and leave gaping holes in any supervision program, leaving most firms vulnerable to litigation and fines. Fortunately, Smarsh makes it easy with The Archiving Platform. With automated capture and management of messages across a wide variety of content types — including email, text, instant messages, social media, web, and more — and customizable, granular policies, flagging and reviewing messages is fast, simple, and consistent.
Crucial to your supervision team, it also won’t prove a drain on productivity. Our Supervision services include automated message assignment and escalation, issue-oriented, team-based review workflows that can be customized to your unique needs, and defensible, built-in audit trails, which simplify and streamline workflows for human supervisors. Finally, our Supervision Health Check gives your organization access to our team of policy experts who will carefully review and analyze your compliance efforts and offer insightful recommendations to help you further optimize your communications supervision program.
For more, please visit The Archiving Platform.
Changes In The Market
Mobile devices are no longer the future of business; they are its present. The last 30 years have seen mobile devices grow from a bulky, ostentatious luxury reserved exclusively for the wealthy to a ubiquitous tool carried daily by a majority of the population. At the same time, they’ve evolved from simple portable phones that don’t require a landline connection to multi-faceted computing devices capable of replicating almost all the functions of a telephone, home PC, high-definition video camera, and more in a pocket-sized form factor.
Driven by the explosion in popularity of mobile devices, organizations of all shapes and sizes have discovered the myriad benefits of allowing employees to utilize their own personal devices for work. Bring Your Own Device programs empower employees to work where, when, and how they choose, which enhances morale, increases productivity, and ultimately saves time and money. However, these policies also present unique compliance challenges. To reap the significant benefits offered by personal mobile devices, you must first assess how industry compliance requirements intersect with a BYOD program and outline the steps your organization will take to meet them.
A recent webinar featuring Smarsh Vice President of Mobility Strategy Brian Panicko and Smarsh Chief Evangelist Mike Pagani explores why BYOD is gaining popularity at such a rapid rate, and then provides a closer look at the components that make BYOD adoption viable and compliant. Finally, the webinar offers insights into how you can institute your own BYOD program, and the concerns that you must address before allowing employees to use their personal devices for work.
The first part of the webinar focuses on the reasons behind the surge in personal mobile devices used for work, namely potential productivity benefits and the shifting demographics of the professional world.
As mentioned previously, the ability to use personal devices for work offers employees freedom: the freedom to use a device of their choosing, the freedom to communicate in the fashion most comfortable to them, and the freedom to work when, how, and where they want. Not only does that save time and improve productivity — a recent Cisco study found that employees using their own devices saved an average of 81 minutes per week — it’s also an attractive selling point for any business hoping to attract members of the burgeoning millennial generation to their employ. More than any prior generation, millennials have come of age in a portable, digital world, which relies on wholly new communications channels, and they want to work for employers who recognize and leverage the benefits of these communications tools. If you’re an employer that does not allow the use of personal devices, your employees will seek out an employer that does.
While a wide swath of employers have been quick to recognize this, instituting a BYOD program is not as simple as just allowing employees to use their own devices for work, especially in regulated industries. Without a thoughtful BYOD plan in place, you can quickly run into compliance issues.
While nearly all organizations have compliance plans in place for email, more modern communications methods lag behind. The 2017 Smarsh Electronic Communications Compliance Survey Report found that while 98 percent of organizations surveyed had an archiving/supervision solution in place for email, that number drops to a mere 52 percent when it comes to text messages. If you look solely at work-related text messages sent through employee-owned personal devices, that compliance figure drops even further, to 32 percent — a sobering figure given that 90 percent of employees use their own mobile devices for work. Even worse, a worrying number of those organizations lacking a solution for supervising text messages were assuming they didn’t need to create a compliance solution because they could simply request the communications from mobile carriers or ask employees to pull conversations from a device’s archives. This is not a viable solution. Mobile carriers only maintain messages for a limited time, and device archives are unreliable at best with search functionality that is inconsistent (and grows more inconsistent as additional data is added to the device). Plus, putting the onus on employees to retain and retrieve their communications creates a conflict of interest where an employee may choose to suppress evidence of any fraud they might be involved in. Regardless of the communications platform you’re using, if your organization isn’t capturing and archiving communications, finding the data may not be possible.
The seemingly simple answer to closing this compliance gap is prohibiting personal devices, but that’s been repeatedly shown to be unsustainable. Whether you like it or not, your employees will use their mobile devices for business communications. If you’re prohibiting mobile devices in lieu of making proper preparations for archival and supervision of mobile communications, you will be stuck playing the risk mitigation game when an employee inevitably goes against your wishes.
Financial Services Adoption
Text messaging is increasingly seen as the lowest common denominator when it comes to communications in the United States. Almost everyone uses it, and most people text often enough that it comes as second nature. Recognizing this, major financial institutions are beginning to adopt BYOD programs to appeal to both employees and clients. Not only do mobile devices allow employees to collaborate with colleagues and internal resources more efficiently, they also give them the ability to interact with clients faster, more easily, and in the communications medium clients find most familiar and comfortable — and that’s in addition to the key benefit of a properly deployed BYOD program: regulatory compliance that does not come at the cost of productivity.
Technology Stack Basics for BYOD
Two key technologies are at the heart of a successful BYOD program: Mobile Device Management (MDM) and Containerization. MDM refers to the ability to remotely manage a device, whether that means uploading or downloading data, changing settings, or even wiping its memory. Containerization, meanwhile, is deployed alongside MDM and creates a secure workspace that exists within a device but remains separate from all personal data. Essentially, in lieu of employees carrying two separate phones, containerization splits their personal device into sections, one identical to their personal phone, and another, work-focused section, where messages are archived and supervised. This container can even have its own unique phone number. How your organization utilizes MDM and containerization will vary depending on your goals and the regulatory requirements facing your industry.
Fortunately for Smarsh customers, alongside our archiving and supervision products for more traditional business communications, we also offer BYOD management solutions that work with every device and operating system available.
Key Considerations for BYOD Adoption
Thinking of embracing the benefits of BYOD in your organization? Finding the answers to the following questions will put you on the right track:
- What types of devices will be allowed, and will you need an MDM or Containerization solution?
- What apps and types of messaging will you allow your employees to use for business?
- What requirements need to be in place for employee–client communications?
- Will your security checklist require penetration testing?
- How will you develop the organizational BYOD use policy, train your employees on it, and address compliance violations?
- Which archiving solution will meet your organization’s compliance needs for ingesting and monitoring all mobile/text communications data in addition to the rest of your electronic communications?
An excellent primer on why BYOD has grown so popular and the immense benefits it can provide, this webinar should be required viewing for anyone hoping to introduce a BYOD program to their organization. Regardless of industry or business size, it should give you the information necessary to ensure you’re walking the right path to BYOD deployment and compliance.
Watch the on-demand version of the Building The Compliant Mobile Ecosystem webinar here.
As a follow-up to the earlier post that described the collision of supervision and surveillance as ‘Superveillance,’ we want to dive deeper into key principles and attributes that firms should consider as they seek solutions that go beyond the boundaries of traditional supervisory and surveillance tools.
As a starting point, we’d like to suggest a common definition that would uniquely describe it as a solution to address today’s communication patterns and information risks. This definition must recognize that a variety of market disciplines are converging upon a holistic view of information risks (as discussed in a recent blog and report located here). These disciplines include:
- Technologies to manage employee communications (e.g. messaging, archiving, unified communications, etc.);
- Voice, video and other rich media-centric technologies (e.g. PBX and VOIP-enabled communications, voice recorders and transcription, etc.);
- AI, machine learning, behavioral and sentiment analysis technologies; and
- Products designed to manage structured data and transactional activity
Each of these areas of technology provides an important component to meeting broad regulatory mandates such as MiFID II, which requires that all communications leading to a transaction be captured and reconciled. However, in order to address each of the elements discussed in the previous post, we’d like to offer the following as a definition for Superveillance to address these requirements:
Superveillance = Holistic insight into conduct across activities and communications channels, using a continuous feedback loop of pre-defined rules (Supervision) and identification of anomalous behavior (Surveillance).
Superveillance can be expressed visually as delivering capabilities that cover the spectrum – from the known, regulatory-driven supervisory requirements to the unknown and hidden risks that are uncovered through the use of advanced analytics. It encompasses the compliance fundamentals of policy management and storage, to the ability to use behavioral and sentiment analysis to uncover actions of high-risk brokers requiring heightened supervision. Very importantly, the outcomes in uncovering unknown risks should be fed back to build into new policies and rules for use in future supervisory tasks. Superveillance should also treat each content source natively, so the breadth of email, social media, unified communications and other sources can be normalized and delivered to external systems for trade reconciliation.
Defining the Ideal Superveillance Solution Attributes
Given the number of specialized technology domains touched by superveillance, don’t expect a ‘one-size-fits-all’ solution. Many firms have already invested in specific components, and are more concerned about how new technologies will interoperate or feed those existing solutions. Superveillance should be a critical element of the risk management fabric within an organization and, accordingly, firms should be prioritizing the following attributes when evaluating solutions or writing RFPs:
- Openness and extensibility: Superveillance requires the ability to deliver content downstream, and return insights back upstream to further inform policies. Doing so requires fully accessible APIs, connectors, and SDKs to address custom content sources. The benefits of leveraging cloud technologies are greatly diminished if utilizing technology that cannot communicate or collaborate with other vital systems.
- Ability to preserve all content sources: firms today are using a multitude of communications sources, each of which must be captured and preserved to meet regulatory mandates. Modern superveillance solutions will handle each of those sources natively, with conversations preserved for more efficient review and analysis – unlike legacy supervisory tools that convert non-email sources into an email format.
- Coverage for the Compliance Fundamentals: Solutions touching superveillance processes must be purpose-built for compliance and ensure that content is captured with the appropriate chain-of-custody, immutable storage, and policy management capabilities required by any SEC, FINRA, or MiFID II regulated firm. Superveillance should be thought of as extending the boundaries of traditional supervisory review – it does not replace or diminish the importance of managing the day-to-day tasks more efficiently or effectively.
- Scale and performance: Given the large volume of transactions requiring reconciliation, as well as the overwhelming volume of communications data in general, superveillance solutions must be designed for enterprise scale, and must not restrict the use of analytics to defined sub-sets of data applying only to registered representatives. Today’s information risks can reside anywhere, and having the ability to broaden the supervisory lens to cover all corners and edges of the risk perimeter is paramount.
- Security and Privacy by Design: clearly, superveillance solutions will touch some of the most sensitive and important assets governed by a firm. Any solution designed for use in today’s world of increasingly complex security threats and evolving data privacy mandates must provide the audited protocols, third-party attestations, and accompanying in-house expertise to reveal and respond to any risk that is exposed in its everyday use. As we see across the industry – compliance must work in harmony with other functions to create a more effective response to today’s information risks.
Where to Go from Here
Given the significant differences between traditional supervisory and surveillance tools, a good place to start is to check your vocabulary and definitions to make sure you are speaking the same language as your vendor. Once the proper nomenclature is established, firms should explore whether those traditional capabilities are equipped to address their current communications patterns and today’s information risks – or whether defining the requirements for a Superveillance solution is the better path toward a holistic approach to achieving insights across activities and communications networks.
Contributors to this post include: Robert Cruz, Gregory Breeze and Shaun Hurst
Congrats to FINRA on yet another tremendous Annual Conference! As always, it was a terrific opportunity to catch up with clients, prospects and colleagues from around the industry. This year’s conference marked a major milestone for us, our first as a joined team of Smarsh + Actiance. We were thrilled to hear extremely positive feedback and excitement over the breadth of capabilities we will bring to market.
The energy level at our booth, suite, and receptions was high throughout the entire conference, with several key themes dominating our discussions.
- Text messaging: Beginning with our full-house executive briefing on Monday, we spoke with many firms seeking solutions to address the use of text messaging by registered representatives in response to FINRA’s guidance on the use of social media in April 2017. Unsurprisingly, many firms continue to update their mobility strategies and BYOD policies and are beginning to shift their focus toward technological solutions that can facilitate and enforce those changes.
- Archiving replacement: Many firms we spoke with are actively investigating solutions to help migrate data from legacy on-premises and first-generation cloud archiving tools to solutions designed to address today’s messaging, social, and collaborative applications. The discussions here focused on a common set of issues: approaches to create more predictability in migration project costs, identifying defensible methods to delete unneeded data prior to moving to a new archive, and strategies to overcome the difficulties created by cloud archiving vendors who de-prioritize migration projects and attempt to extract exorbitant fees from their customers to export their data.
- High risk activities: Following the issuance of FINRA’s recent guidance on Heightened Supervision and discussed here, many conversations focused on how Smarsh + Actiance can aid compliance when working with high risk brokers and activities designed to avoid supervisory controls. It appears that many firms are exploring how they can move beyond simple random sampling and basic lexicon-based supervision in the direction of more sophisticated approaches toward content surveillance.
- GDPR and Data Privacy: What happens when you conduct your annual conference at 11:59:59 in front of the launch of a major piece of data privacy regulation? TONS of questions and discussion! How do we protect EU citizen data? Can we respond to the 72-hour breach notification? How does GDPR potentially conflict with regulatory retention requirements? We believe that the elevation of data privacy is terrific news for our industry (as we’ve extensively discussed) as it will create further differentiation between technology vendors, separating those that have been constructed with data privacy “By Design and Default” from those that weren’t.
Conference keynotes and break-out sessions also produced interesting perspectives from across the industry, including more cryptocurrency, block chain, and cybersecurity discussions than one could consume. Additional topics of interest included:
- Examples of how firms are attempting to apply artificial intelligence to big data problems. These include detection of money laundering activities, using natural language processing to search 1 billion messages consisting of more than 1 trillion words, and using contextual search methods to identify communications in over 1 million trades in an average day. Clearly, large financial services firms are big data, and innovative use of AI in this market will continue to lead the way for other industries.
- In a session on social media, a survey of attendees revealed that 55% of respondents continue to prohibit the use of social media beyond publishing static profiles and using pre-approved content. This was a surprisingly large percentage which suggests that firms have not yet identified meaningful solutions to address the perceived risks of broader social media adoption.
- In the same social media session, FINRA signaled that firms would soon see new guidance covering messaging apps to address the growing use of tools such as SnapChat, WeChat, and WhatsApp.
Clearly, the financial services industry is living in very dynamic times with new forms of client communications encountering new threats, new regulations, and emerging analytically-driven technologies that are attempting to help mitigate the risks. This year’s FINRA Conference provided an excellent forum to bring together the practitioners, regulators, and vendors to engage on these important topics. The team at Smarsh + Actiance is excited to be a part of the discussion.
Last month, the SEC and FINRA fined several firms for failure to establish reasonably designed supervision programs to ensure compliance with applicable securities laws and regulations. Individuals were also fined for failing to comply with securities laws and regulations pertaining to electronic communications.
The SEC penalized a bank $3.7 million for failing to reasonably supervise traders who made false and misleading statements while negotiating bond prices. The investigation found the bank did not have compliance procedures in place designed to detect the misconduct that increased the firm’s profits on commercial mortgage-backed securities. The SEC specifically pointed to several communications made over Bloomberg message and other electronic communication channels like instant message. In the communications at issue, traders and salespeople misrepresented the bid and offer prices on one or both sides of the transaction, where the information was important to the customer’s buying decision. The bank failed to detect damaging communications such as, Trader B saying to Salesperson X, “this is just a lie, right?” Salesperson X replied, “well, I don’t care.” The bank’s communication surveillance did not sufficiently incorporate search terms unique to market securities fraud or misconduct risks.
FINRA fined a firm $20,000 because its supervisory system for email review was deficient. The firm’s Written Supervisory Procedures (WSPs) did not specify how the firm would conduct reviews of its securities-related emails. The findings stated that the firm’s written procedures stated only that a compliance principal would review all emails it received and sent, and that reviews would occur no less than annually. The firm’s procedures failed to set forth a methodology to review emails, establish a percentage of emails to be reviewed, or set forth an escalation process for problematic emails. In addition, the firm failed to conduct any supervisory email reviews for eight of its registered representatives, and it failed to document the email reviews that it did conduct.
Another firm was fined $10,000 by FINRA for failing to retain and supervise emails. The findings stated that during an approximately four-year period, the firm failed to review approximately 25,000 emails captured by the firm’s third-party electronic storage media provider for five of the firm’s registered representatives. During the same period, the firm did not review or retain in the manner required by the Securities Exchange Act of 1934 Rule 17a-4 any of the emails for 11 representatives who were dually employed by the firm’s affiliated investment advisory firm. These representatives used an email address provided by the investment advisory firm to conduct business for the firm. FINRA found that the firm failed to test its system of supervisory controls, it failed to prepare an annual report detailing its system of supervisory controls, and it failed to prepare an annual certification of the firm’s compliance and supervisory processes for four consecutive years.
FINRA also fined a firm $65,000 for failing to maintain and enforce a supervisory system reasonably designed to ensure compliance with laws and regulations pertaining to electronic retail communications. The firm failed to maintain and enforce a supervisory system reasonably designed to ensure adequate due diligence was performed on private placement offerings recommended to customers. The findings also stated that the firm sent an email concerning one of the private placements to a list of investors compiled by a contracted marketing and advertising company. The email and a linked PowerPoint presentation contained misleading statements concerning the private offering including representations about the company’s past performance and projected future performance, and did not contain any disclosures regarding the speculative, illiquid and risky nature of the investment opportunity.
FINRA fined a broker $5,000 for using an unapproved personal email account to communicate with a customer of his member firm about securities-related matters. The findings stated that the firm did not have access to the broker’s personal email account and as a result was not able to preserve, maintain, and perform timely review of these communications, in accordance with its own procedures and supervisory obligations. The findings also stated that the broker sent emails to individuals containing inaccurate, exaggerated, unwarranted or promissory representations pertaining to a single security.
Another broker was fined $5,000 for sending unencrypted emails, with attachments containing nonpublic personal information for firm customers, from his firm email address to his personal email address and to a third party. The findings stated that by transmitting nonpublic personal information to his personal email address and to a third party, the broker placed the customers’ information at risk and caused his firm to violate Regulation S-P of the Securities Exchange Act of 1934.
A broker was assessed a deferred fine of $7,500 for setting up online account access for four customers’ accounts held at outside institutions and providing her firm email address to be used as the customer’s email address for these accounts. In doing so, the broker falsely represented that her firm-provided email address was the email address for her customers. As a result, the institutions sent four emails intended for the broker’s customers to her firm-provided email account. The broker’s actions misled these outside institutions into believing that they were communicating with their customers and cut off a direct channel of communication that was supposed to exist between these firms and their customers.
Takeaway: Set forth a methodology to capture and review all electronic communications
It’s important to review the adequacy of your electronic communications policy and supervisory systems, especially as new rules and areas of priority are published. Electronic communications must be easily accessible, indexed, and stored on non-erasable and non-rewriteable media as required by Rule 17a-4(f). Engage an archiving vendor that is compliant with the regulatory rules and has the technical ability to capture instant messaging conversations including Bloomberg, Facebook, and Slack, as well as text messages. Firms must be able to capture conversations the instant they happen, so information can’t be deleted. It’s recommended to periodically test and audit your reviews of electronic communication channels to ensure that all are being captured in supervisory systems.
You want to track, manage, log, and audit all electronic communications. The policies and procedures must provide for adequate electronic communication reviews, the methods of review, the frequency, escalation process, and documentation procedures. Your reviewers should know how to detect and report potential violations. There is no prescribed formula for determining how many messages to review. However, enough messages should be reviewed for a firm to be able to defend it as a reasonable review sample. Most importantly, enforce the policies and document the reviews—simply having a set of policies is not enough.
Firms must also have compliance procedures in place designed to detect fraud and misconduct. The good news is there are compliance tools available to help firms enhance their supervisory systems. You can set up your archiving platform to detect risk with lexicons focused on misconduct, flagging terms focused on fraud, unethical sales practices or anti-money laundering and get instant notifications when a user is non-compliant. Supervisory systems related to electronic communications must be dynamic.
Incorporate search terms aligned with the types of business the firm engages in. Be mindful of jargon and acronyms used by employees and clients. A great way to create a dynamic keyword list is to use enforcement actions and the quoted conversations. As in the above bank enforcement case, “is just a lie,” “need to make money,” and “deserve to get paid” are all examples of language indicative of misconduct risk. The timely review of electronic communications is a first line of defense against improper conduct by employees. If the bank had sufficiently captured and monitored the Bloomberg messages and other electronic communication channels, they could have prevented the regulatory sanctions and reputational damage.
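The lexicon check described above can be sketched as follows. This is an added example, not Smarsh code or anything from the posts: the terms come from the lists earlier on this page, while the function names and sample messages are constructed for illustration. It shows the two details a plain substring search gets wrong: text-message variation (case, curly apostrophes, extra spaces, dropped hyphens) and shorthand such as "conf" or "compl" that must not fire inside ordinary words.

```python
import re
import unicodedata

# Subset of the terms listed on this page (phrases plus shorthand).
LEXICON = [
    "is just a lie", "need to make money", "deserve to get paid",
    "delete this", "delete text", "do not share", "don't tell",
    "this is non-public", "off-shore account", "tax haven",
    "no downside risk", "frd", "conf", "compl", "guar",
]


def normalize(text):
    """Fold case, curly apostrophes and runs of whitespace."""
    text = unicodedata.normalize("NFKC", text).lower()
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text).strip()


def compile_term(term):
    """Turn one lexicon term into a whole-word, hyphen-tolerant regex."""
    words = []
    for token in normalize(term).split(" "):
        # "off-shore" should also match "offshore" and "off shore".
        pieces = [re.escape(p) for p in token.split("-")]
        words.append(r"[-\s]?".join(pieces))
    # Lookarounds keep "conf" from matching inside "conference".
    return re.compile(r"(?<!\w)" + r"\s+".join(words) + r"(?!\w)")


PATTERNS = [(term, compile_term(term)) for term in LEXICON]


def scan(message):
    """Return (offset, term) hits in order of appearance.

    Offsets refer to the normalized message, not the raw text.
    """
    text = normalize(message)
    hits = []
    for term, pattern in PATTERNS:
        for match in pattern.finditer(text):
            hits.append((match.start(), term))
    return sorted(hits)


def flagged_terms(message):
    """Lexicon terms found in a message, in order of appearance."""
    return [term for _, term in scan(message)]


def triage(messages):
    """Map message id -> flagged terms, keeping only flagged messages."""
    result = {}
    for msg_id, body in messages.items():
        terms = flagged_terms(body)
        if terms:
            result[msg_id] = terms
    return result


if __name__ == "__main__":
    # Constructed sample messages, not real archive data.
    sample = {
        "sms-001": "this is just a lie, right?",
        "sms-002": "Pls DELETE  THIS after reading, don\u2019t tell compl",
        "sms-003": "Conference room B is booked, please complete the form",
        "sms-004": "moved it to the offshore account, conf pls",
    }
    for msg_id, terms in triage(sample).items():
        print(msg_id, "->", terms)
```

A hit only queues the message for human review; as the posts note, none of these terms is proof of misconduct.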
With increasing governance and regulatory oversight, the harsh penalties and punitive consequences for failing to comply with retention and supervision requirements outweigh the cost of implementing technology solutions.
Organizations today are faced with an unprecedented volume and variety of information risks that have enterprise-wide impact, including:
- Increased frequency of data breach carried out by advanced, targeted attacks
- Leaks of sensitive or high value information from departing employees
- Aggressive sanctions from regulators over the lack of supervisory compliance controls
- Business use of social and messaging tools that are not under IT and security controls
Unfortunately, organizational scale and complexity have forced some organizations to continue to rely upon existing technologies, buying processes, and functionally-driven priorities that have plagued companies for the past 15-20 years and have resulted in solution overlap, IT redundancy, and ineffective risk management processes.
These opposing forces lead to a question about information risk: are organizations becoming more functionally siloed and specialized or are we moving toward a shared view of risk?
To answer this question, Actiance issued a survey that generated over 150 responses from IT, Security, Compliance and other risk management stakeholders. Highlights from the survey results include:
- As expected, managing the impact of data breach was the highest priority across all functions, with the only exception being Risk/Compliance titles who ranked the loss of sensitive customer information slightly higher
- In terms of what is working well in managing risk today, respondents across all functions overwhelmingly pointed toward clearly defined policies as an area working well. Risk/Compliance titles again differed from others in highlighting monitoring and alerting process controls as an area that is working well today
- On the flip side, all functions reported the lack of budget and sufficient resources as an area not working well, with negative responses being led by Security titles
- Collaboration across functions in the evaluation and selection of risk management solutions appears to be a practice applied by the vast majority of respondents, with only 5% of respondents indicating that their function alone is responsible for those tasks
- In terms of future collaboration, all functions highlight the definition of common control processes as a top priority. Security respondents again differ from others in highlighting the definition of business requirements for technology solution selection as top priority.
So, what can we conclude about convergence versus specialization?
This survey indicates that the views of information risk held by Security and Compliance stakeholders continue to converge. This is not unexpected, given the organization-wide concern over data breach and cyber security, and it was also demonstrated by the survey question showing that all stakeholders are prioritizing solutions that can reduce the probability of a bad event occurring over those that provide improved productivity or promises of cost reduction.
The survey also highlighted the importance placed on collaboration – with IT playing a critical role in coordinating with both Security and Compliance stakeholders. The fact that only 5% of respondents indicated that their function alone is responsible for the evaluation of risk management solutions indicates that we may have finally arrived in an era when siloed, departmental-level decision making is done only as an exception. The fact that the evaluation of most enterprise-grade risk management solutions must now proceed through security assessments, review of policy enforcement capabilities, and inspection by those involved in eDiscovery attests to this new reality.
Originally published on Actiance.com February 21, 2018.