How to Mitigate the Risks of Collaboration Tools
As many of us continue working remotely, we see, hear, and experience new stories almost daily of the unique aspects of life in the virtual world: the challenge in staying connected to distant colleagues, our collective coping with Zoom fatigue and meeting overload, and the dizzying array of new cybersecurity challenges spawned during the pandemic. We’ve even been greeted by the appearance by a live goat supplied by a farmer who rents them out to Zoom bomb your next meeting. Working from home is truly a different animal.
For regulated industries, there are additional concerns with working from home. The communication tools that have replaced conversations in meeting rooms and at the water cooler — Microsoft Teams, Slack, Zoom, etc. — have been beneficial but also introduce new risks. This was the topic of discussion in a panel we recently hosted at the SIFMA C&L Virtual Forum.
We brought together a distinguished group of experts with legal, technology and compliance perspectives, including:
- Anthony Diana, Co-Chair of IP, Tech & Data Group at Reed Smith. Anthony focuses primarily on advising financial institutions on data and technology issues
- Matt Kelly, Founder of Radical Compliance and former editor of Compliance Week. Matt has been a leading author on regulatory risk and corporate compliance for over 15 years
- Shaun Hurst, Technical Director from Smarsh. Shaun is a subject-matter expert on financial regulations and data privacy and was a compliance executive at Citibank for 15 years
The benefits of collaboration tools
The post-pandemic adoption of collaboration tools highlights an acceleration on a path we were already traveling. Many organizations that have standardized on Microsoft Teams are also deploying Slack across different departments, in addition to Webex Teams, Workplace by Facebook, JIRA, Confluence, and many other tools used by employees that may not yet be official approved.
Shaun noted, “If you see the data, you can understand why this is happening. If you look at the productivity gains, you see the reduction in email and the fact that individuals can speed decision-making. There's really an ROI here that companies began to see prior to the pandemic. The key challenge has been that, maybe a small percentage of your employees have been remote using these tools back in February of 2020, and now it's 95% of employees that are on these technologies every day. If I'm not on Slack, Teams, or Zoom, I'm on my mobile device. If not, I'm likely using some combination of them all.”
Anthony had a slightly different perspective: put aside traditional measures of ROI, because you really don’t have a choice. “It's a C-suite decision,” he said. “From the top of the house, it’s a business imperative to get these tools up and running. Executives at financial institutions are saying, ‘We need to work this way.’ You have to collaborate. You're not having meetings in a room; you're not having conversations over coffee. This is the new way to work.”
Matt added, "There is no choice. If companies don’t adopt these technologies, employees will do it anyway. They think they are helping the company by doing their job by whatever means they have access to. However, a few months ago, we weren’t having board meetings on Zoom. We didn’t expect to do this, and we are learning the hard way.”
The unique risks of collaboration tools
To legal and compliance executives, collaboration tools may appear as just another generation of technology that's been released from Microsoft, or whichever provider. So, why is collaboration technology different? A few important considerations:
Persistent, interactive, multi-modal conversations. Today’s collaboration tools are more than messaging, with voice, video, AI, bots that exist within conversations that can persist and be altered over time.
An unclear boundary with personal communications. Unlike other tools, users can often see collaboration tools as a place to chat, and not always maintain separation from business activities.
Evolving methods of capture and preservation. Each tool is evolving quickly to meet the demands of a growing number of regular users. That pace of new feature releases is often accompanied by a lag in available automated controls.
Anthony noted that financial institutions are accepting more risk when it comes to collaboration tools. "The challenge is that many of these tools are not built for a highly regulated industry. You might have 5,000 people in a persistent chat — some that shouldn't be in the same room," he said. "We have groups sharing files, emojis, and memes, working on content, sharing a whiteboard, making edits and deletions to business content. A lot of these collaborative technologies run in the cloud; they can update constantly with new features and functions, which makes it difficult for financial institutions to adapt quickly.”
So, Is there a fundamental incongruence between collaboration tools and compliance?
“When you look only at these tools natively, I think there is,” Shaun said. “We just don't have a choice anymore. Your employees need to be productive, which means that firms must embrace and these technologies and new ways of working.”
The implications for the ways that firms manage risk, prepare for discovery, and meet ongoing regulatory obligations will be profound and inevitable.
Risk mitigation strategies: technology considerations
We’ve previously covered discussions of best practices for remote work, so we wrapped up our discussion with a few collective observations on technology, policy and training investments to mitigate collaborative risks. Technology considerations include:
More stakeholders engaged in benefit v. risk analyses. Legal and compliance stakeholders have become more integral to the evaluation of new collaborative tools, although determining who can say “yes” to the additional risk remains elusive.
Increased frequency of inspection of native features & capabilities. Firms are increasing the frequency of inspection of new collaboration tool features, including understanding which new features can be disabled.
Accelerated frequency of new releases. Stay-at-home work has changed the pace of innovation, which is causing a struggle to in-step with the release of new features. In many cases, these new features are deployed before available controls.
Risk mitigation strategies: policy considerations
New collaboration features can be released and be made accessible to users before automated compliance controls. This raises numerous policy implications.
Governance requirements remain paramount. Each new feature requires an assessment of its impact on recordkeeping and supervisory obligations. They require an understanding of where data is being stored, how it is being secured, and how that vendor would enable processing those features to meet discovery or privacy inquiries.
Expect technology to lead regulatory guidance. Absent regulatory guidance, enforcement actions, or case law, firms need to evaluate new features such as whiteboards, bots, and recordings to update policies. Documenting what controls are available and how those controls would be audited and tested is vital to documenting what risks the firm is willing to accept and mitigate.
Compliance should be empowered to work with front line staff. Adjustments to communications and code of conduct policies are only as effective if they are specific to how the tools are actually being used internally and with clients.
Supervision & content inspection practices can require dramatic change. This is particularly true if a firm is moving from centrally controlled tools to a set of easily accessible collaboration technology alternatives. Additional oversight may be required to inspect for fragments of prohibited tools and inappropriate freeware versions of approved applications.
Identity management becomes even more important. Knowing who is communicating with whom is central to policy decisions, but much more complex when not confined to an email address. Validating user identities across multiple technologies and personal devices that can create anonymous users is fundamental across policies that impact supervision, compliance and e-discovery.
Risk mitigation strategies: training considerations
As noted by all of our panelists — it all starts with the human element. If you don’t begin with an understanding of how users are using collaborative tools, then policy controls will be irrelevant. Important considerations:
- Clear, unambiguous messaging from executives about which tools and features are prohibited
- Explicit training that defines acceptable and prohibited uses defined by job role & content type
- Interactive, ongoing engagement with users to stay on top of new tools that are best equipping staff to do their jobs effectively
- The use of attestations that extend beyond foundational training
- A “trust but verify” strategy for employees and underlying technologies (with testing and audit by IT professionals)
Enabling communication today and in the future
Ultimately, this examination of new collaboration technologies is not just about the mitigation of risk. It's also enabling your employees to be more effective in the way that they engage with their clients. And, it is doing so by working through good information governance practices.
The market acceptance of collaborative technology is not static. The innovation curve has been broken by the work-from-home dynamic. Lessons learned from the last six months can serve as a guide to prioritize technology, policy and training — to better prepare for the next set of features and collaborative networks that will continue to emerge.
Share this post!
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.