In the deluge of emails, instant messages, and texts generated by employees in your organization each day, it can be difficult to spot fraud — unless you know what to look for. Following our recent examination of email-specific terms and keywords, today we’re looking at social media and text messages.
In 2013, we published a blog post listing the ten most commonly flagged email terms that suggest corporate fraud. Though that post continues to rank among our most popular, the five years since it was written have seen dramatic changes in how people and organizations communicate. In the first part of this series, we focused on email. Today, we’re looking at text messages and social media.
Like our prior list, these red flags have been compiled from organizations currently utilizing the Smarsh Archiving Platform — but they also include terms and keywords revealed in litigation by real-world organizations afflicted by fraud. While none are iron-clad guarantees of fraud, money laundering, or insider trading, they’ve each been shown to indicate an increased likelihood of illicit activity. It would be wise to ensure that each is included in your organization’s lexicon.
New terms likely to be flagged in social media and text messages include:
- Cook me up
- Money was/is illegal
- This is non-public
- Material, non-public information
- Blame freelancers
- Expected to announce
- Do not share
- Earnings report
- Shares will be downgraded
- Is just a lie
- Need to make money
- Deserve to get paid
- Top secret
- Crisis Scenario
- STL my $ (shorthand for “settle my money”)
- Guar (shorthand for “guarantee”)
- delete text
- CN TRST U
- Compl (shorthand for “compliance”)
- Conf (shorthand for “confidential”)
- Imp ? (shorthand for “important question”)
- Don’t tell
- a crook
- Frd (shorthand for “fraud”)
Though we mentioned them in our prior post, we have also compiled a list of platform-agnostic terms and keywords that should be flagged whenever they appear in business communications, regardless of channel:
- Sounds bad
- Confidential information
- Delete this
- Tax haven
- Off-shore account
- Pull earnings forward
- Special fees
- No inspection
- Mitigate investment risk
- Guaranteed to be profitable
- No downside risk
- Borrow money
- Loan cash
- Loan me money
As you probably guessed, this is merely the tip of the iceberg. For our most frequently updated list of terms and keywords, you’ll want to visit Smarsh Central, an intuitive, comprehensive knowledge base bolstered by the unrivaled regulatory knowledge and experience of our team of experts.
In all but the smallest organizations, manually searching for these terms would take an enormous amount of time and leave gaping holes in any supervision program, leaving most firms vulnerable to litigation and fines. Fortunately, Smarsh makes it easy with The Archiving Platform. With automated capture and management of messages across a wide variety of content types (email, text, instant messages, social media, web, and more) and customizable, granular policies, flagging and reviewing messages is fast, simple, and consistent.
Crucially for your supervision team, it will not drain productivity. Our Supervision services include automated message assignment and escalation, issue-oriented, team-based review workflows that can be customized to your needs, and defensible, built-in audit trails, all of which simplify and streamline the work of human supervisors. Finally, our Supervision Health Check gives your organization access to our team of policy experts, who will review and analyze your compliance efforts and offer recommendations to help you further optimize your communications supervision program.
For more, please visit The Archiving Platform.
Changes In The Market
Mobile devices are no longer the future of business, they are its present. The last 30 years have seen mobile devices grow from a bulky, ostentatious luxury reserved exclusively for the wealthy to a ubiquitous tool carried daily by a majority of the population. At the same time, they’ve evolved from simple portable phones that don’t require a landline connection to multi-faceted computing devices capable of replicating almost all the functions of a telephone, home PC, high-definition video camera, and more in a pocket-sized form factor.
Driven by the explosion in popularity of mobile devices, organizations of all shapes and sizes have discovered the myriad benefits of allowing employees to utilize their own personal devices for work. Bring Your Own Device programs empower employees to work where, when, and how they choose, which enhances morale, increases productivity, and ultimately saves time and money. However, these policies also present unique compliance challenges. To reap the significant benefits offered by personal mobile devices, you must first assess how industry compliance requirements intersect with a BYOD program and outline the steps your organization will take to meet them.
A recent webinar featuring Smarsh Vice President of Mobility Strategy Brian Panicko and Smarsh Chief Evangelist Mike Pagani explores why BYOD is gaining popularity at such a rapid rate, and then provides a closer look at the components that make BYOD adoption viable and compliant. Finally, the webinar offers insights into how you can institute your own BYOD program, and the concerns that you must address before allowing employees to use their personal devices for work.
The first part of the webinar focuses on the reasons behind the surge in personal mobile devices used for work, namely potential productivity benefits and the shifting demographics of the professional world.
As mentioned previously, the ability to use personal devices for work offers employees freedom; the freedom to use a device of their choosing, the freedom to communicate in the fashion most comfortable to them, and the freedom to work when, how, and where they want. Not only does that save time and improve productivity — a recent Cisco study found that employees using their own devices saved an average of 81 minutes per week — it’s also an attractive selling point for any business hoping to attract members of the burgeoning millennial generation to their employ. More than any prior generation, millennials have come of age in a portable, digital world, which relies on wholly new communications channels, and they want to work for employers who recognize and leverage the benefits of these communications tools. If you’re an employer that does not allow the use of personal devices, your employees will seek out an employer that does.
While a wide swath of employers have been quick to recognize this, instituting a BYOD program is not as simple as just allowing employees to use their own devices for work, especially in regulated industries. Without a thoughtful BYOD plan in place, you can quickly run into compliance issues.
While nearly all organizations have compliance plans in place for email, more modern communications methods lag behind. The 2017 Smarsh Electronic Communications Compliance Survey Report found that while 98 percent of organizations surveyed had an archiving/supervision solution in place for email, that number drops to a mere 52 percent when it comes to text messages. If you look solely at work-related text messages sent through employee-owned personal devices, that compliance figure drops even further, to 32 percent — a sobering figure given that 90 percent of employees use their own mobile devices for work. Even worse, a worrying number of those organizations lacking a solution for supervising text messages were assuming they didn’t need to create a compliance solution because they could simply request the communications from mobile carriers or ask employees to pull conversations from a device’s archives. This is not a viable solution. Mobile carriers only maintain messages for a limited time, and device archives are unreliable at best with search functionality that is inconsistent (and grows more inconsistent as additional data is added to the device). Plus, putting the onus on employees to retain and retrieve their communications creates a conflict of interest where an employee may choose to suppress evidence of any fraud they might be involved in. Regardless of the communications platform you’re using, if your organization isn’t capturing and archiving communications, finding the data may not be possible.
The seemingly simple answer to closing this compliance gap is prohibiting personal devices, but that’s been repeatedly shown to be unsustainable. Whether you like it or not, your employees will use their mobile devices for business communications. If you’re prohibiting mobile devices in lieu of making proper preparations for archival and supervision of mobile communications, you will be stuck playing the risk mitigation game when an employee inevitably goes against your wishes.
Financial Services Adoption
Text messaging is increasingly seen as the lowest common denominator when it comes to communications in the United States. Almost everyone uses it, and most people text often enough that it comes as second nature. Recognizing this, major financial institutions are beginning to adopt BYOD programs to appeal to both employees and clients. Not only do mobile devices allow employees to collaborate with colleagues and internal resources more efficiently, they also let employees interact with clients faster, more easily, and in the communications medium clients find most familiar and comfortable. That is in addition to the key benefit of a properly deployed BYOD program: regulatory compliance that does not come at the cost of productivity.
Technology Stack Basics for BYOD
Two key technologies are at the heart of a successful BYOD program: Mobile Device Management (MDM) and Containerization. MDM refers to the ability to remotely manage a device, whether that means uploading or downloading data, changing settings, or even wiping its memory. Containerization, meanwhile, is deployed alongside MDM and creates a secure workspace that exists within a device but remains separate from all personal data. Essentially, in lieu of employees carrying two separate phones, containerization splits their personal device into sections, one identical to their personal phone, and another, work-focused section, where messages are archived and supervised. This container can even have its own unique phone number. How your organization utilizes MDM and containerization will vary depending on your goals and the regulatory requirements facing your industry.
Fortunately for Smarsh customers, alongside our archiving and supervision products for more traditional business communications, we also offer BYOD management solutions that work with every device and operating system available.
Key Considerations for BYOD Adoption
Thinking of embracing the benefits of BYOD in your organization? Finding the answers to the following questions will put you on the right track:
- What types of devices will be allowed, and will you need an MDM or Containerization solution?
- What apps and types of messaging will you allow your employees to use for business?
- What requirements need to be in place for employee–client communications?
- Will your security checklist require penetration testing of the mobile deployment?
- How will you develop the organizational BYOD use policy, train employees on it, and enforce it when violations occur?
- Which archiving solution will meet your organization's compliance needs for ingesting and monitoring all mobile/text communications data in addition to the rest of your electronic communications?
An excellent primer on why BYOD has grown so popular and the immense benefits it can provide, this webinar should be required viewing for anyone hoping to introduce a BYOD program to their organization. Regardless of industry or business size, it should give you the information necessary to ensure you’re walking the right path to BYOD deployment and compliance.
Watch the on-demand version of the Building The Compliant Mobile Ecosystem webinar here.
Last month, the SEC and FINRA fined several firms for failure to establish reasonably designed supervision programs to ensure compliance with applicable securities laws and regulations. Individuals were also fined for failing to comply with securities laws and regulations pertaining to electronic communications.
The SEC penalized a bank $3.7 million for failing to reasonably supervise traders who made false and misleading statements while negotiating bond prices. The investigation found the bank did not have compliance procedures in place designed to detect the misconduct, which increased the firm's profits on commercial mortgage-backed securities. The SEC specifically pointed to several communications made over Bloomberg messaging and other electronic channels such as instant messaging. In the communications at issue, traders and salespeople misrepresented the bid and offer prices on one or both sides of the transaction, where that information was important to the customer's buying decision. The bank failed to detect damaging exchanges such as Trader B asking Salesperson X, "this is just a lie, right?" and Salesperson X replying, "well, I don't care." The bank's communication surveillance did not sufficiently incorporate search terms specific to securities fraud or misconduct risks.
FINRA fined a firm $20,000 because its supervisory system for email review was deficient. The firm's Written Supervisory Procedures (WSPs) did not specify how the firm would conduct reviews of its securities-related emails. The findings stated that the firm's written procedures provided only that a compliance principal would review all emails it received and sent, and that reviews would occur no less than annually. The procedures failed to set forth a methodology for reviewing emails, establish a percentage of emails to be reviewed, or define an escalation process for problematic emails. In addition, the firm failed to conduct any supervisory email reviews for eight of its registered representatives, and it failed to document the email reviews that it did conduct.
Another firm was fined $10,000 by FINRA for failing to retain and supervise emails. The findings stated that during an approximately four-year period, the firm failed to review approximately 25,000 emails captured by the firm’s third-party electronic storage media provider for five of the firm’s registered representatives. During the same period, the firm did not review or retain in the manner required by the Securities Exchange Act of 1934 Rule 17a-4 any of the emails for 11 representatives who were dually employed by the firm’s affiliated investment advisory firm. These representatives used an email address provided by the investment advisory firm to conduct business for the firm. FINRA found that the firm failed to test its system of supervisory controls, it failed to prepare an annual report detailing its system of supervisory controls, and it failed to prepare an annual certification of the firm’s compliance and supervisory processes for four consecutive years.
FINRA also fined a firm $65,000 for failing to maintain and enforce a supervisory system reasonably designed to ensure compliance with laws and regulations pertaining to electronic retail communications. The firm failed to maintain and enforce a supervisory system reasonably designed to ensure adequate due diligence was performed on private placement offerings recommended to customers. The findings also stated that the firm sent an email concerning one of the private placements to a list of investors compiled by a contracted marketing and advertising company. The email and a linked PowerPoint presentation contained misleading statements concerning the private offering including representations about the company’s past performance and projected future performance, and did not contain any disclosures regarding the speculative, illiquid and risky nature of the investment opportunity.
FINRA fined a broker $5,000 for using an unapproved personal email account to communicate with a customer of his member firm about securities-related matters. The findings stated that the firm did not have access to the broker’s personal email account and as a result was not able to preserve, maintain, and perform timely review of these communications, in accordance with its own procedures and supervisory obligations. The findings also stated that the broker sent emails to individuals containing inaccurate, exaggerated, unwarranted or promissory representations pertaining to a single security.
Another broker was fined $5,000 for sending unencrypted emails from his firm email address to his personal email address, and to a third party that included attachments containing nonpublic personal information for firm customers. The findings stated that by transmitting nonpublic personal information to his personal email address and to a third party, the broker placed the customers’ information at risk and caused his firm to violate Regulation S-P of the Securities Exchange Act of 1934.
A broker was assessed a deferred fine of $7,500 for setting up online account access for four customers’ accounts held at outside institutions and providing her firm email address to be used as the customer’s email address for these accounts. In doing so, the broker falsely represented that her firm-provided email address was the email address for her customers. As a result, the institutions sent four emails intended for the broker’s customers to her firm provided email account. The broker’s actions misled these outside institutions into believing that they were communicating with their customers and cut off a direct channel of communication that was supposed to exist between these firms and their customers.
Takeaway: Set forth a methodology to capture and review all electronic communications
It’s important to review the adequacy of your electronic communications policy and supervisory systems, especially as new rules and areas of priority are published. Electronic communications must be easily accessible, indexed, and stored on non-erasable and non-rewriteable media as required by Rule 17a-4(f). Engage an archiving vendor that is compliant with the regulatory rules and has the technical ability to capture instant messaging conversations including Bloomberg, Facebook, and Slack, as well as text messages. Firms must be able to capture conversations the instant they happen, so information can’t be deleted. It’s recommended to periodically test and audit your reviews of electronic communication channels to ensure that all are being captured in supervisory systems.
You want to track, manage, log, and audit all electronic communications. The policies and procedures must provide for adequate electronic communication reviews, the methods of review, the frequency, escalation process, and documentation procedures. Your reviewers should know how to detect and report potential violations. There is no prescribed formula for determining how many messages to review. However, enough messages should be reviewed for a firm to be able to defend it as a reasonable review sample. Most importantly, enforce the policies and document the reviews—simply having a set of policies is not enough.
Firms must also have compliance procedures in place designed to detect fraud and misconduct. The good news is there are compliance tools available to help firms enhance their supervisory systems. You can set up your archiving platform to detect risk with lexicons focused on misconduct, flagging terms focused on fraud, unethical sales practices or anti-money laundering and get instant notifications when a user is non-compliant. Supervisory systems related to electronic communications must be dynamic.
Incorporate search terms aligned with the types of business the firm engages in. Be mindful of the jargon, shorthand, and acronyms used by employees and clients; a lexicon that only contains formal phrasing will miss the abbreviated forms that appear in texts and chats. A practical way to keep a keyword list current is to mine enforcement actions for the conversations they quote. In the bank enforcement case above, "is just a lie," "need to make money," and "deserve to get paid" are all examples of language indicative of misconduct risk. Timely review of electronic communications is a first line of defense against improper conduct by employees. Had the bank sufficiently captured and monitored its Bloomberg messages and other electronic channels, it could have avoided the regulatory sanctions and reputational damage.
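The following is an added example (not Smarsh code, and not part of the original post) of what an automated lexicon check over captured messages looks like in practice. It uses the two term lists earlier in this page as its lexicon, runs them over a handful of constructed sample messages, and shows the two things a naive substring search gets wrong: shorthand such as "conf" and "compl" must not fire on "conference" or "compliance", and curly apostrophes, missing spaces before "$" or "?", and "non-public" versus "non public" must still match. The message records, channel names, and IDs are invented for illustration.

```python
import re
from dataclasses import dataclass

# Lexicon taken from the two lists in this post. A "/" inside a word marks
# alternatives ("was/is"); a "-" inside a word also matches a space or nothing
# ("off-shore" / "off shore" / "offshore"). Matching is case-insensitive.
LEXICON = [
    "Cook me up", "Money was/is illegal", "This is non-public",
    "Material, non-public information", "Blame freelancers", "Expected to announce",
    "Do not share", "Earnings report", "Shares will be downgraded", "Is just a lie",
    "Need to make money", "Deserve to get paid", "Top secret", "Crisis scenario",
    "STL my $", "Guar", "delete text", "CN TRST U", "Compl", "Conf", "Imp ?",
    "Don't tell", "a crook", "Frd",
    "Sounds bad", "Confidential information", "Delete this", "Tax haven",
    "Off-shore account", "Pull earnings forward", "Special fees", "No inspection",
    "Mitigate investment risk", "Guaranteed to be profitable", "No downside risk",
    "Borrow money", "Loan cash", "Loan me money",
]


def normalize(text: str) -> str:
    """Lowercase, straighten curly apostrophes, drop commas, collapse whitespace.

    Applied to both lexicon phrases and message bodies, so "Don’t tell" typed on a
    phone keyboard still matches the lexicon entry "Don't tell".
    """
    text = text.lower().replace("\u2019", "'").replace("\u2018", "'")
    return " ".join(text.replace(",", " ").split())


def _token_pattern(token: str) -> str:
    alts = []
    for alt in token.split("/"):
        parts = [re.escape(p) for p in alt.split("-") if p]
        alts.append(r"[-\s]?".join(parts))
    return alts[0] if len(alts) == 1 else "(?:" + "|".join(alts) + ")"


def compile_phrase(phrase: str) -> re.Pattern:
    """Turn a lexicon phrase into a regex that matches whole tokens only.

    Boundaries are enforced so shorthand "conf" does not fire on "conference" and
    "compl" does not fire on "compliance"; punctuation tokens such as "$" or "?"
    may sit flush against the preceding word ("my$", "imp?").
    """
    tokens = normalize(phrase).split()
    pattern = ""
    for i, tok in enumerate(tokens):
        if i:
            loose = not tok[0].isalnum() or not tokens[i - 1][-1].isalnum()
            pattern += r"\s*" if loose else r"\s+"
        pattern += _token_pattern(tok)
    head = r"(?<![a-z0-9])" if tokens[0][0].isalnum() else ""
    tail = r"(?![a-z0-9])" if tokens[-1][-1].isalnum() else ""
    return re.compile(head + pattern + tail)


@dataclass(frozen=True)
class Hit:
    message_id: str
    channel: str
    term: str
    snippet: str  # normalized text around the match, for the reviewer's queue


def scan(messages, lexicon=LEXICON):
    """Run every lexicon phrase over every message; one Hit per (message, term)."""
    compiled = [(term, compile_phrase(term)) for term in lexicon]
    hits = []
    for msg in messages:
        body = normalize(msg["body"])
        for term, pat in compiled:
            m = pat.search(body)
            if m:
                lo, hi = max(0, m.start() - 20), min(len(body), m.end() + 20)
                hits.append(Hit(msg["id"], msg["channel"], term, body[lo:hi]))
    return hits


def summarize(hits):
    """Map message id -> sorted list of matched terms (what a supervisor would see)."""
    out = {}
    for h in hits:
        out.setdefault(h.message_id, set()).add(h.term)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample traffic (not real messages) across channels the post covers.
SAMPLE_MESSAGES = [
    {"id": "sms-1", "channel": "sms",
     "body": "Conf - this is non public. Do NOT share, earnings report drops thu"},
    {"id": "im-2", "channel": "bloomberg-ib",
     "body": "guar it’s fine. STL my$ by fri then delete text"},
    {"id": "email-3", "channel": "email",
     "body": "Conference call moved to 3pm; please confirm the compliance deadline."},
    {"id": "sms-4", "channel": "sms",
     "body": "cn trst u? don’t tell anyone this is just a lie anyway"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_MESSAGES):
        print(f"{h.channel:12} {h.message_id:8} {h.term!r:34} ...{h.snippet}...")
```

Run as-is, the email about a conference call and a compliance deadline produces no hits, while the three chat and SMS messages produce ten. Two design points carry over to any real lexicon engine: normalize the message and the lexicon the same way before matching, and treat shorthand entries as whole tokens, otherwise a term like "Conf" floods the review queue with false positives and reviewers stop reading the alerts.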
With increasing governance and regulatory oversight, the harsh penalties and punitive consequences for failing to comply with retention and supervision requirements outweigh the cost of implementing technology solutions.
Great discussion this last week with Amy McIlwain, Financial Industry Principal at Hootsuite. Thank you to those who joined us, for those that didn’t, you can find the link to the recording here.
The webinar highlighted the power of our partnership, covering how financial services firms can use social media to deepen engagement with clients across every touchpoint. Amy highlighted the compelling ROI that firms have generated through the use of social media when it is in the hands of executives, registered representatives, and internal social advocates, in one case producing nearly $3M in incremental value to a financial services firm through the use of the Hootsuite platform.
Actiance followed with an overview of the unique challenges created by the use of rich, dynamic and, increasingly, multimodal social content. These challenges include the capture and preservation of these emerging content sources, the need to identify, track and control the variety of social channels in use by registered representatives, the need to enforce policies uniformly across these tools, and the complexity of reviewing social content in tools designed for email. We followed with a review of best practices that firms are adopting to ensure that the proliferation of social and other rich new communications tools does not create additional compliance risk. The bottom line is straightforward: 1) your customers increasingly demand that you engage on these channels, so firms need to be prepared with governance strategies that let policies be enforced through any communications touchpoint, and 2) engaging legal, compliance, and security stakeholders is critical to building a holistic view of the benefits and risks of social media and messaging tools.
One interesting question was raised that produced a good amount of follow-on discussion that I’d like to explore further here: should financial services firms only capture information from registered representatives or their broader user base?
As one might expect, the answer to this question is not always straight forward and opposing philosophies can easily collide:
- The "Preserve as Little as Possible" camp: from a policy perspective, the business use of social media is no different from the logic underlying existing retention policies: capture and retain communications only if explicitly required by regulation, in order to avoid the unnecessary risk created by having too much data around. In this scenario, only social content from registered representatives falling under FINRA Rule 3110 (or similar IIROC or FCA requirements) should be captured and retained.
- The "It's About Content and Context" crowd: this perspective follows the logic that the content and context of a conversation determine its relevance, not the specific communications technology used. In this scenario, social is no different from how firms have treated email and other potential business records for the past 10+ years: if the content potentially has business value or creates compliance risk, it should be retained. This camp would advocate capture and retention for a broader set of employees.
The two options are not mutually exclusive. Some firms have opted for a modified version of #2, where retention policies are applied to registered representatives, senior executives, authorized users of company-branded social media tools (those with "keys to the car"), and anyone whose job may entail communicating sensitive information.
So, how can you determine the best approach?
Well, as one might expect, policies are not always fluid and dynamic; they can be rigid, sticky, and deeply embedded in the corporate fabric. However, what we have seen many firms do to address this situation includes the following:
- Dust off the company communications and retention policies. Like technology, policies written long ago for email may not be suitable for today's communications. In fact, recent surveys from our friends at the IGI (https://iginitiative.com/) indicate that policy updating was one of the most common IG projects undertaken by firms in 2017.
- Examine where communications leading to "business transactions" are happening. Companies can borrow the logic of the recently enacted MiFID II in the EU, under which communications that lead to a transaction must be recorded and retained. When "business transactions" or records/events are interpreted broadly to include signing of business agreements, communications to investors, customer support updates, and so on, you will likely find that social tools are now embedded in business processes and require control for user groups engaged in high-value or high-risk activities.
- Monitor the "not-exactly-best-practice" cases. There is a growing body of court decisions and regulatory fines/sanctions stemming from the misuse of social media. The variety of mishaps is overwhelming, but common themes are emerging: 1) firms need a mechanism to capture and preserve social content as they do for any other form of information (whether capture is proactive or reactive), and 2) failing to take reasonable steps to preserve content relevant to discovery or to a regulatory inquiry is never good. Spoliation is not a happy concept.
- Stay engaged with business users of social media. A simple yet critical step compliance teams can take is to be aware of how specific users are leveraging social to do their jobs better. New social and multimodal messaging and collaboration tools emerge almost daily, so knowing how they can be harnessed by your business gives you greater insight into the importance of the information delivered through those channels, which is vital for adjusting and updating policies.
- Look beyond regulations. As with any effective governance initiative, the assessment of information value and risk needs to be a joint product of compliance, infosec, legal, HR, IT, and the business. Determining the right approach to the capture and retention of social content should follow the same principles.
Originally published on Actiance.com, March 12, 2018
Before social media gained popularity, Registered Investment Advisers (“RIAs”) launched a website and often did little else to market their firms. In many instances, the website content remained stagnant for years. Each firm’s Chief Compliance Officer (“CCO”) was to preapprove all content posted and to review it periodically. As RIAs now rely more on communications and advertisements using social media, CCOs’ compliance responsibilities are increasing dramatically.
The most recent version of the Form ADV took note of the growing use of social media by RIAs. Firms must disclose all of their websites, as well as any publicly available social media platforms they utilize. These disclosures must be updated promptly as changes occur.
General compliance rules may not fit specific facts and circumstances
Though investment advisers usually understand broad compliance principles, there are nuances to the rules that govern RIAs’ activities that may be overlooked. Most CCOs are aware that advertisements must not contain testimonials and misleading statements; however, the devil is in the details. As an example, in March 2014, the SEC provided guidance relating to testimonials used in advertisements on social media. The SEC’s guidance advised that RIAs may advertise using public commentary about their services posted on independent social media sites, provided that every review is included in the advisory firm’s advertisement. The SEC’s guidance cautioned that an RIA must not be able to influence the third-party sites, and its advertisement must include all comments about the firm without editing them. RIAs may not offer a subjective analysis of the opinions published on those sites. Basically, when linking to review sites, the RIA must be willing to take the good reviews with the bad ones.
Even if RIAs are complying with general guidance from the SEC, their specific use of social media can create compliance problems. Although one adviser’s reviews on Yelp did not raise red flags, the firm provided a short bio, which was included on the site. The content supplied by the adviser boasted that the firm ‘is the most trusted,’ and its ‘financial services are flawless.’ It would be impossible for an adviser to prove with objective evidence that the firm is the most trusted. Furthermore, words like “flawless” are viewed as marketing hype, which is inherently misleading.
Blogs raise additional compliance requirements
While blogs are an effective marketing tool, they raise additional compliance requirements. Some RIAs require that blog posts be preapproved by the firm’s CCO or a designee. This approval process often slows down the firm’s ability to post timely content. Other firms set forth blog posting guidelines for personnel to follow and then monitor posts after the fact.
Interactive blogs up the ante on compliance requirements. A firm’s CCO must review the site regularly to ensure that noncompliant content has not been posted by third parties. For example, a client might post a testimonial for the adviser. If that occurs, it must be removed promptly. Otherwise, the firm is taking ownership of the testimonials.
A firm’s compliance manual should specify who is authorized to blog on behalf of the firm. Policies and procedures should articulate whether Investment Adviser Representatives (“IARs”) and solicitors may post on blogs and what type of content is allowed. RIAs must also implement a process to make certain that all blog posts are retained in the firm’s books and records. Companies such as Smarsh can assist RIAs with archiving blogs and all types of social media.
If an RIA allows IARs to host their own blogs or to post on other sites, the firm should establish restrictions on what may be discussed. In addition to preapproving all posts, the firm's CCO or a designee must supervise and monitor these blogs. Occasionally, IARs make the mistake of referencing past specific recommendations of the RIA that were profitable to clients. Rule 206(4)-1(a)(2) under the Investment Advisers Act of 1940, and similar state rules, prohibit references to past specific recommendations that were profitable to anyone unless the advertisement sets forth, or offers to provide, a list of all securities recommended during the immediately preceding period of not less than one year. The list must also contain specific disclosures. Examiners are concerned that RIAs will mention only the securities that soared in value, not those that performed poorly.
Facebook users need face time with their CCO
RIAs should make certain that all associated persons understand that personal Facebook pages should not be used to market the firm. Furthermore, an RIA's social media policy should stipulate who may post on social media sites used for business purposes.
CCOs must be vigilant in their supervision of the firm’s Facebook page. CCOs should never assume that the content on another RIA’s Facebook page is compliant. One RIA’s Facebook page contained a post from a client who expressed his euphoria over how well the adviser had managed his portfolio. Another client posted his gratitude for making his dream vacation possible. Like other advertisements, social media sites should not contain express or implied testimonials. RIAs that permit noncompliant content to remain on their Facebook page are likely to receive a deficiency letter when examiners conduct an examination. There is also a risk that a competitor will tip off regulators regarding the RIA’s noncompliant activities.
Posting business-related content on a personal Facebook page causes it to be an advertisement for the firm. When that occurs, the personal Facebook page is subject to the RIA’s social media policies and procedures.
While CCOs do not owe a duty to supervise employees' personal Facebook pages, if an employee does post business-related content, the CCO must take action after learning that the page is being used inappropriately. CCOs must act decisively if they learn that an IAR is touting the firm's performance or services on a personal Facebook page. In some cases, activities and statements on an associated person's personal Facebook page can reflect badly upon the firm and indirectly hurt its image. Associated persons should be warned that Facebook posts are not always private and may harm the firm's reputation.
A firm’s CCO should require that IARs and other members of the firm disclose which forms of social media they use. Associated persons should attest that they will not use social media for business purposes unless authorized to do so by the firm.
CCOs should impart the message that every communication, including those using social media, may be reviewed by examiners at some point. Examiners analyze whether a RIA is meeting its fiduciary obligations. Stephen Murphy, Vice President for NCS Regulatory Compliance, recently conducted a webinar with Mike Pagani of Smarsh entitled, How New Communication Channels Are Affecting the Role of the CCO. Murphy observed that from a supervisory point of view, CCOs must discern whether an adviser was trying to perpetrate a fraud or was just sloppy. To listen to the recording of this webinar, please visit our webinar center here.
A hastily written communication using social media might give the impression that the RIA has not met its fiduciary duty. As an example, when examiners review such a message in a vacuum, it might be impossible to discern that an IAR discussed the issue at length with the client only hours earlier. In addition, these communications may lack the disclosures that help to ensure the content is not misleading.
Firms should implement policies and procedures that directly address social media. They should be consistent with the RIA’s advertising policies and procedures.
Investment advisers, as well as their marketing and compliance personnel, can benefit enormously by learning more about how social media can be used effectively and compliantly. All of them will receive valuable information by attending NCS Regulatory Compliance’s summit Driving Growth through Social Media on March 8, 2018, at the Delray Beach Marriott. Peter Driscoll, Director of the SEC’s Office of Compliance Inspections and Examinations, will be the keynote speaker, covering the important topic of 2018 Exam Priorities. To register, please visit our registration site here.
Organizations today are faced with an unprecedented volume and variety of information risks that have enterprise-wide impact, including:
- Increased frequency of data breaches carried out by advanced, targeted attacks
- Leaks of sensitive or high value information from departing employees
- Aggressive sanctions from regulators over the lack of supervisory compliance controls
- Business use of social and messaging tools that are not under IT and security controls
Unfortunately, organizational scale and complexity have forced some organizations to continue to rely upon existing technologies, buying processes, and functionally driven priorities that have plagued companies for the past 15-20 years and have resulted in solution overlap, IT redundancy, and ineffective risk management processes.
These opposing forces lead to a question about information risk: are organizations becoming more functionally siloed and specialized or are we moving toward a shared view of risk?
To answer this question, Actiance conducted a survey that generated over 150 responses from IT, Security, Compliance and other risk management stakeholders. Highlights from the survey results include:
- As expected, managing the impact of data breach was the highest priority across all functions, with the only exception being Risk/Compliance titles who ranked the loss of sensitive customer information slightly higher
- In terms of what is working well in managing risk today, respondents across all functions overwhelmingly pointed toward clearly defined policies. Risk/Compliance titles again differed from others in highlighting monitoring and alerting process controls as an area that is working well today
- On the flip side, all functions reported the lack of budget and sufficient resources as an area not working well, with negative responses led by Security titles
- Collaboration across functions in the evaluation and selection of risk management solutions appears to be a practice applied by the vast majority of respondents, with only 5% reporting that their function alone is responsible for those tasks
- In terms of future collaboration, all functions highlight the definition of common control processes as a top priority. Security respondents again differ from others in highlighting the definition of business requirements for technology solution selection as top priority.
So, what can we conclude about convergence versus specialization?
This survey indicates that the views of information risk held by Security and Compliance stakeholders continue to converge. This is not unexpected, given the organization-wide concern over data breaches and cyber security; it was also demonstrated by the survey question showing that all stakeholders prioritize solutions that reduce the probability of a bad event occurring over those that promise improved productivity or cost reduction.
The survey also highlighted the importance placed on collaboration, with IT playing a critical role in coordinating with both Security and Compliance stakeholders. The fact that only 5% of respondents indicated that their function alone is responsible for the evaluation of risk management solutions suggests that we may have finally arrived in an era when siloed, departmental-level decision making happens only by exception. The fact that the evaluation of most enterprise-grade risk management solutions must now proceed through security assessments, review of policy enforcement capabilities, and inspection by those involved in eDiscovery attests to this new reality.
Originally published on Actiance.com February 21, 2018.