Protecting Your Organization
From Communications Risk
Three Stakeholder Perspectives
About The Webinar
The reality of stay-at-home work has opened up organizations to a new era of business communications. Corporate support for Zoom, Slack, and Microsoft Teams is too often accompanied by freeware downloads, and unauthorized use of WhatsApp, WeChat and mobile messaging apps. The risks that come with these tools make it increasingly important for Legal, Compliance, and IT professionals to collaborate in the development of a unified plan to protect their organization.
Listen to Smarsh and industry experts for our "Innovation Exchange" webinar series to learn:
- How Legal, Compliance, and IT define communications risk
- How these functions are investing in technology, processes, and training to remediate those risks
- Best practices for aligning priorities across these functions
Panelists For the Webinar
VP of Information Governance,
Robert Cruz is Senior Director of Information Governance for Smarsh and Actiance. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and Discovery cost and risk reduction.
Paredes Strategies LLC.
Paredes advises on financial regulation, compliance, risk management, corporate governance, and regulatory strategy. He also serves as an expert and advisor in regulatory enforcement investigations and in private litigation involving securities law and corporate law. Paredes has brought his extensive government, compliance, enforcement, and regulatory experience to bear in serving as an independent compliance consultant/corporate monitor. Paredes was a professor of law at Washington University in St. Louis before joining the SEC. He also has been a Lecturer on Law at Harvard Law School, a Distinguished Scholar in Residence at NYU School of Law, and a Distinguished Policy Fellow and Lecturer at the University of Pennsylvania Law School. Paredes co-hosts a podcast on fintech called “Appetite for Disruption.” Paredes holds a bachelor’s degree in economics from UC Berkeley and earned his J.D. from Yale Law School.
Editor and CEO,
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently. Kelly was named a ‘Rising Star of Corporate Governance’ by the Millstein Center for Corporate Governance in its inaugural class of 2008, and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance. Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.
Larry Goldfarb’s career has been focused on understanding regulatory compliance issues and developing and managing technology solutions to ensure adherence. Most recently, Larry was the Message Archiving Product Manager at Deutsche Bank. He managed both the evolution of the compliance messaging archiving infrastructure from concept to implementation and the ongoing operation to include finance, service level agreements, key performance indicators and operational issues. Larry was a co-founder of a SaaS software company, Compliance11, which provides compliance automation tools for the financial services industry. The company was purchased by Charles Schwab in 2011. Prior to that, he was Chief Information Officer of Legal and Compliance at UBS, where he was charged with overseeing a large portfolio of Legal and Compliance IT projects that included affirmation online, global shareholding, AML / case management, knowledge management and document management initiatives.
Transcription of Webinar Audio
Davi Schmidt: Thank you for joining our Innovation Exchange Webinar Series. Today's webinar is Protecting Your Organization from Communications Risk, Three Stakeholder Perspectives. Please be aware that all participants will be muted for the duration of the call. Feel free to submit any questions you may have via the GoToWebinar messaging app and we'll attempt to answer as many of them as possible. Joining us today is moderator Robert Cruz and presenters, Troy Paredes, Matt Kelly and Laurence Goldfarb. With that, I will hand it over to you Robert.
Robert Cruz: Thank you Davi, and thank you everyone for joining. Really appreciate your time. Welcome to the first Innovation Exchange sponsored by Smarsh. Really exciting discussion today coming up on about communications risk and first before we start, let me provide the standard disclaimer. Smarsh provides this material for informational purposes only. Smarsh does not provide any legal advice or opinions. You must consult with your attorney regarding compliance with applicable laws and regulations. The topic at hand, protecting your organization from communications risk, obviously a very timely and immediate concern for every organization.
Robert Cruz: Clearly, the organizations that we're working with today are dealing with the fundamental challenges of just making sure that the health and safety of their workers are protected, that there are the basic capabilities for them to do their jobs, that HR systems are updated. This is in no way attempting to position this on this topic amongst those, but clearly you need to think about and need to have some processes around the ways that we are now doing our jobs, the tools that we're using to communicate internally and with our customers. The approach that we're taking here is really to look at it from a practitioner perspective, to look at it from a technology perspective, to look at it from a compliance perspective, as well as from an investigative or e-discovery perspective.
Robert Cruz: We have a great panel of experts with us and again, just from the spirit of this program, this is about exchange of information and ideas and best practices. I would encourage you to use the chat panel and submit questions to us that we can address in real time. We'll also reserve some time in the backend where we can cover some of those topics, and you can get some direct input and feedback from the experts we have today with us. Let's go to the agenda. Quick introductions, we're going to first talk about how organizations are defining risk? What are the things that are the biggest concerns right now that they're attempting to deal with?
Robert Cruz: Then we're going to look at what are they attempting to do to mitigate that risk? Where are the investments taking place? Then we'll look forward what is this going to take us? What should companies be looking forward after we emerge from this situation, and we'll finish it up just with a brief overview of how Smarsh can help organizations in addressing some of the concerns that were raised in here today. Introductions, great panel of experts that we have with us today and I think first, I want to introduce Matt Kelly, editor and CEO of Radical Compliance. Matt, thanks for joining. Why don't you tell us a little about yourself and your perspective on this topic?
Matt Kelly: Yeah, sure. Hi Robert and thank you for having me on. It's a pleasure to be here. Radical Compliance is a newsletter that I run and publish about corporate compliance and governance challenges. It is mostly my own views about the news for the prior week and some analysis. In one form or another, I've been writing about corporate compliance since 2003 and started off writing mostly about Sarbanes-Oxley compliance, and then moving on to anti-corruption, data security privacy, and whatnot. I have found that a lot of these challenges are starting to all blur or converge into a greater risk management challenge that organizations face.
Matt Kelly: I mean three months ago, nobody expected this would be the enterprise risk challenge, we are all thinking about and talking about, but I do think in a certain sense, COVID-19 has really swept all of these prior concerns into a new dimension, where all of our risks that we had all been worried about before, they are all largely still here, but they work and exist in a very different context where we're all either working from home or with much more economic uncertainty, so how does that affect all the controls and processes that you've been implementing for 15 or 20 years. There's a lot to say there. I definitely look forward to what we're going to discuss here today.
Robert Cruz: Absolutely. Thanks Matt. We really appreciate you joining us. Why don't we go over to Troy Paredes? Troy, thanks for joining as well. Why don't you tell us a little bit about yourself?
Troy Paredes: Great. Thanks for the opportunity. Right now, I run a consulting firm that focuses on compliance, financial regulation, corporate governance, investigations, monitorships, and the like. Been doing that for several years now. Prior to that from 2008 to 2013, I was a commissioner at the Securities and Exchange Commission and prior to that, I'd been a professor of corporate and securities law and some related fields. It's really interesting to have the chance to bring those different perspectives to bear thinking about what we're going through at the moment.
Troy Paredes: I was at the SEC as a commissioner when we had the financial crisis and this crisis, while it has financial dimensions, certainly has its roots in something else which gives rise as was also just mentioned by Matt, new dynamics, new circumstances, new settings. Of course with all of that, comes new ways in which people are interacting, this discussion here being an example of that and as all of those things change, raises the question of the ways in which the risk profile both in terms of the nature of the risks and the magnitude of the risks can change in companies. Then you get to the big question which is, all right and so in light of that, what do you do?
Troy Paredes: I'm really looking forward to the discussion. One other quick thing I'll note that I spend some time doing as well is I happen to have a podcast called Appetite for Disruption where my co-host and I focus on new and advancing disruptive technologies. I think a lot of the stuff that's happening on a technological front and will happen as a result of what we're going through now. I can speak to all the activity in the technology space too.
Robert Cruz: Terrific and this is disruption with a capital D that we're all faced with right now, right? Appreciate you joining.
Troy Paredes: Yup.
Robert Cruz: Thank you, and finally over to Laurence Goldfarb. Laurence, thank you for joining. Why don't you tell us a little bit about yourself?
Laurence Goldfarb: Robert, thank you very much for having me. I'm currently working at a new software company called Central. It's based in Silicon Valley and it does sophisticated assessments, not only for types of compliance and risk management, but for privacy program management, vendor management, and its most interesting product bank network management. I've been in the field of compliance technology for almost 25 years. I started at UBS where I was the chief information officer for legal compliance, and started with a department of about four people and grew it to well over 100 when I left. I've also been in the corporate world at Deutsche Bank where I ran the compliance messaging archive.
Laurence Goldfarb: You can only imagine the number of systems that went into the archive, all the problems and we were talking about more than five million messages a day. In addition to that, I've been involved in two different interesting startups. One was a company called Compliance 11, in which we didn't employ trade monitoring. We started it from zero and sold it to Charles Schwab in 2011, and just most recently, I was involved in a start-up information governance firm, looking at privacy program management from just dealing with privacy.
Laurence Goldfarb: I find this period most interesting just because firms now all of a sudden have to take most of their tools that they use within the four walls of their company and have individuals figure out how to deal with those tools really without significant amounts of supervision. The challenge is, is to provide individuals tools that they need and also provide management a way to supervise those in a way that isn't too intrusive forcing users to go off on their own. I'm looking forward to this conversation and talking about some of the interesting challenges that the new world presents.
Robert Cruz: Awesome, and as you can see, we've got a very diverse set of backgrounds here. We can speak from a technological compliance investigative discovery through each of those lenses, so I think that's really the purpose of this panel today. For myself, I'm the vice president of information governance for Smarsh. Primary role that I play is helping to facilitate discussions amongst our practitioner customers, so the folks that are using the technology to address either regulatory obligations using the product for discovery or just attempting to better manage their data so that that data can be leveraged by other applications. Let's get to it and I think the place to start is disruption.
Robert Cruz: Troy mentioned it and also I think in the introductions, we talked about the fact that this is happening anyway. When we look at individuals who suddenly are in this remote work situation, we now have people that are resorting to using in some cases the tools that they're most familiar with. They'll pick up their cellphone and call their client. Others are into the situation where they're using Zoom. Zoom has grown from 10 million to 200 million users in three months. The use of Microsoft Teams video has grown by 1000% in the month of March alone. Really the question becomes to start, how are companies dealing with this, and this would also be a great question for the audience.
Robert Cruz: Do you see this disruption as a small medium or large change to what was happening already inside your firm given changes in the tools that we're all using? To the panel and maybe we start with Matt. I mean you're talking to clients, what are they telling you in terms of how they've responded to this? Is this a small medium or large change to the way that they were managing their business?
Matt Kelly: Yeah. I guess the best way to describe it lately within the last week or two is that many people, compliance officers I talked to would say they're generally okay, and you can see from the tone of my voice how qualified and uncertain that is. I wouldn't necessarily say it is a large or a small disruption. I think that varies by firm, but what it is, the proper adjective here is a compressed disruption. I think many people would have said, "We'll get to this sort of a world by like 2030, and now we're going to get to it by like June," and nobody had anticipated that. A lot of them now for the first several weeks, this had been more about whether we can just get basic tasks done in the circumstance, we have very suddenly, very compressed timeframe been forced into.
Matt Kelly: Dare I say it, I think of some of them put compliance and regulatory compliance maybe as a secondary concern. I am not saying people were taking compliance lightly or blowing it off. Everybody has been aware that we also do have regulatory obligations we have to think about and compliance and procedures to follow, but for the first six weeks from March clear or late February into the end of March, early April, this was just emergency procedures. Do we actually know that everybody is okay? Do we know that they are all online? Do they have Wi-Fi access? Do they have the tools?
Matt Kelly: A fair number of businesses still are there and I know we are talking about communications issues here, but we should always remember there is a vast realm of big operational risks for a lot of firms that is really consuming a lot of their time. This also is something that they struggle with what's the right amount of attention that I have to allocate to all sorts of compliance things that I'm trying to think about, and a lot of employees really, they're under strain personally, operationally. How do I do my job? Am I going to have my job? I coughed four hours ago, does this mean that I have it now, and those things wind up distracting you.
Matt Kelly: I bid a bit more towards regulatory compliance and operations. I think a lot of firms were also trying to make sure that they had any surge capacity they would need such as, for example, call centers where number one, your center is closed so all your call reps are working at home. Number two, you're getting twice as many calls from your customers. Can you route them the right way? Do you have clear procedures to do that? You had to figure all that out. I think a fair number of firms have figured that out. The other thing that Laurence had talked about this a bit minutes ago, I think a big part of the challenge was that they had tools, but they didn't actually ever envision that the tools we have we'd be using in this way.
Matt Kelly: Like Zoom, I think Zoom is a great technology. I think it's one of the very few video conferencing apps that I can use painlessly. I think a lot of companies feel that way, but up until the end of February, boards would have occurred to them, "Oh yeah, we can chat from time to make plans for dinner. We're never going to have a board meeting on Zoom to review confidential information." Now maybe you are and then suddenly realize, "Oh geez, I can't. The tool that we have has not been designed to use it in the way that we're now being forced to use, so what are the implications," and then suddenly risk and compliance people are scrambling to figure that out.
Matt Kelly: That's where they are, but I think for a lot of them, they just figured are we still in business, can we still communicate, we're all breathing. That's victory right there, and now we're trying to figure out what is the new normal going to be for the rest of this. That's where they seemed to be.
Robert Cruz: That's interesting point because the tool not being designed or intended for these purposes. I attended a school board meeting where one of the board members was asleep, another one was petting his dog. These are things that people haven't necessarily been equipped to use for that particular context. Troy, what about your clients, what are they telling you? What's the level of disruption that you're reading from the folks you're dealing with?
Troy Paredes: I think the way Matt put it in terms the first wave of this was is everybody safe and is everybody healthy, and how are we going to continue to provide the services and the products and the like that we're in business to provide to customers, to investors, to the marketplace because that's certainly important as well, but compliance as was mentioned and risk management more broadly continues and need to be front and center too. Now that there's I would say a handle of the health and safety, but now that there's a shock to the system of what's going on, what's happening that we've gotten a little bit past that.
Troy Paredes: Now we're in the position okay, how do we manage this, how do we maintain this, how do we come out the other side of this, that then it leaves a little more room if you will for the focus on the compliance aspects, the control aspects, the policies, the procedures then, and the governance aspects. I think consistent with them that was saying and so as I think about it, look, you got to be pragmatic. There's nothing wrong with pragmatism. You got to run your business. There's nothing wrong with running your business. That's what is important as well, but it turns out the rules and regulations continue to apply.
Troy Paredes: The one thing the regulators have not said, and I don't think one can expect them to say is, is, "Well that rule and regulation which mattered in January doesn't matter anymore." That's not to say that as the regulators have done, there hasn't been some recognition that in these periods, you need to think about how folks are going to comply. Maybe there's an accommodation here and an accommodation there, just being mindful of the realities, but the rules and regulations continue to persist.
Troy Paredes: The challenge then is, is from a compliance perspective, overall governance perspective, making sure that in light of the new risks, in light of the additional ways in which people are communicating, in light of frankly the concerns and questions around health and safety that persist, how do we take that into account in thinking about what if any adaptations need to be made from a compliance perspective, policies, procedures, controls, governance, oversight and the like? Just to underscore that as still and always a front and center question. There was a statement that was put out on March 23, so a full month ago from the co-directors of the division of enforcement at the Securities and Exchange Commission on market integrity.
Troy Paredes: It's a really short statement but let me just highlight two quick things. One, there's a sentence that says and I'm simply quoting here. It says, we the co-directors of the enforcement division at the commission say, "we wish to emphasize the importance of maintaining market integrity and following corporate controls and procedures," and then they go on to say at the very end and wrapping up. They say, "The enforcement division at the SEC is committing substantial resources to ensuring that our Main Street investors are not victims of fraud or illegal practices in these unprecedented market and economic conditions. The enforcement division is committed to protecting investors and maintaining confidence in the fairness and integrity of our markets."
Troy Paredes: I think the point there is you don't necessarily have to take it from myself in terms of the ways in which the regulators continue to focus on compliance from their perspective and the rules and regulations still apply. That's coming from the co-directors of the division of enforcement at the SEC, and I think that's just an important, if you will, north star for people to have in mind, even as you're struggling through what are for sure difficult times where health and safety and everything else has to be front of mind as well.
Robert Cruz: Some great points there and I'm going to skip forward and Laurence come back to you on the questions of risk because I think what Troy just highlighted was basically the regulatory dimension of this challenge, but clearly there are other aspects of risk that firms are seeing, reading, living in terms of security data privacy, the increase in malware, and other things that are happening on the mobile device. I mean Zoom bombing is now a concept that folks are worried about. We're not only talking about the regulatory and security issues, but we're also talking about compliance, regulatory compliance and compliance with your own internal policies.
Robert Cruz: How can you ensure that people are doing the appropriate things? In addition and I think this will come up well in the next section here, be prepared for litigation, any discovery and the reality that this will continue. Now just the notion that some of the content that may be relevant to these investigations could be residing within Zoom or Slack or Teams are new dimensions of risks that organizations are having to wrestle with. Let's get to this discussion of risk and just understanding how organizations and how are the different functions identifying and prioritizing these risks.
Robert Cruz: Laurence, why don't we start with you in terms of looking at the technological aspects, the fact that people are now on this multitude of tools, some of which are better than others to enable the capture, the preservation, just ensuring that the tools are robust and would withstand the volume of usage they're now having to go through. What are some of the technological risks here that you see as most important in this work situation?
Laurence Goldfarb: Thank you, Robert, and Troy and Matt, those are certainly very interesting assessments of the situation. My feeling about risk goes to the fact that there is such significant process change associated with remote working. For instance, a firm may have used paper checks to send out as an audit trail for regulatory purposes. Now how difficult is that or middle office, people maybe next to their traders to try to just understand the buzz, but now they're hundreds of miles or tens of miles away and how could they possibly get that information. My first real concern in risk is inadequate communications.
Laurence Goldfarb: How do you capture that communication that you need to keep your business going, whether it be supervision or just doing your job or just general oversight? As I go through a couple of these risks, I'll posit some possible technology solutions. Some are fairly bare bones. How do you do that? Well, what I've heard in talking to a number of companies is they have meetings. Meeting sound oh, everybody has meetings, but they have very short meetings using Zoom or GoToMeeting or WebEx. Just very short meetings to capture the essence of what the issues are to make sure everybody is on the same page.
Laurence Goldfarb: By slightly repurposing something they used for traders, they allow back office people and even some just practitioners to hear that and, in that sense, compliance is subject to that as well. They are able to hear what's going on in and as if they're sitting on the desk. My first point about risk is communication. Secondly and this is maybe a little more to Robert's point is different cyber risk. It has to do with that cyber risk, especially given the fact that people may not be quite as aware of it because they're not within the four walls of the company.
Laurence Goldfarb: I think here is beholden on IT to make sure that various systems that are being used are understood, the employees know what to do and they're doing their part. For instance, explaining about phishing attacks, explaining about how bad actors can get involved in email forwarding. Every email that you get goes to somewhere else and by making sure that there's various training on that, and by keeping antivirus strong. Most of the problems that have occurred. If you think of Target, if you think of Capital One, if you think of a number of issues that have occurred, if passwords were strong and antivirus was strong catching malware, a lot of these issues would not have happened.
Laurence Goldfarb: In addition, things like DLP, data loss prevention where companies have these already, to make sure that they're being monitored, to make sure that Social Security numbers and various pieces of information do not leave the firm is critical and that needs to be followed up. Again, this is an IT function, but one that has to be followed. My final point is now cloud providers because now most companies, especially small, medium-sized companies are relying on cloud providers, and compliance looks at whether they have a SOC 2 or a SAS 70, but just because they have that, doesn't mean they're not doing the right thing.
Laurence Goldfarb: For instance, we know that Facebook was sharing data with Cambridge Analytica, and that wasn't well known, even though that Facebook has certainly a lot with certifications. I know Robert was mentioning Zoom. Zoom again has a lot of certifications, but as we know, there's significant problems. Those problems have occurred because people don't fully understand the application. For instance, everyone in Zoom has their own private password access link. That should not be shared. When that gets shared, now anybody whoever had that link has access to your meetings using passwords. You don't have to use passwords, but those IT should turn those on so that passwords are always being used, and video where the host should be the only one able to share the video at first.
Laurence Goldfarb: That helps to prevent the Zoom bombing and the like. In general, my thought about risk is if people do the right thing, if they use proper hygiene and dealing with their systems and everybody does what they're supposed to do, then a lot of the risk associated with using your systems within your firm can be mitigated. We'll talk a little bit more about what you can do with software and systems outside of the realm of the company probably in the next segment.
Robert Cruz: Yeah, let's get to mitigation in a second here, but let me ask Matt to comment on what's changed in terms of organizations and their thinking about not just the big C, the regulatory compliance risk, but small C, potential violations of codes of conduct and communication policies and potential IP leaks. Are you seeing companies paying more attention to these areas, spending more time thinking about how companies might be introducing vulnerabilities through these new tools with remote situations that's happened now?
Matt Kelly: Yeah, they are and in fact, I want to pick up on a way that Laurence phrased it, which I thought was really good. When he was talking about there might be a couple of traders who are sitting next to each other and they can hear the buzz. Now that's gone because they're all sitting separately. Really what has happened is a lot of these person-to-person business practices that we all know so well, we are almost unaware of them, they are now suddenly translated into the online realm.
Matt Kelly: We have to start thinking through so what are the risks that happen then because of that, and that's where a lot of compliance and internal audit and risk managers are I think, is they're trying to assess the secondary risks that come about because of this very compressed move to all work from home, all online. They're figuring that out, but when Laurence was talking about Zoom calls and how everybody has their own private link. If you imagine Zoom call in the real world, it would be like a meeting in a glass conference room with the doors unlocked. Well, the board would never actually allow that because they would want some security that nobody can just waltz in, but you don't really think about that in the real world because it's so natural.
Matt Kelly: Here in the virtual world that we've been forced into, you might not take the extra step to realize, "Oh wait a minute, we do need to lock the door. Everybody has a Zoom pass link. We'll use that," and now you're more secure. It's that going through those exercises is where we are. Everybody knows, for example, that moving to online discussion, okay, your cyber security risks go up, your fraud risks go up. We might not have policies and procedures that are up to snuff yet because the new process online creates new risks, and we haven't really thought about what are the compensating controls that we wanted. What if we can't actually build them right now, do we change the technology which is a big deal?
Matt Kelly: Do we change the procedure which puts a burden on the actual users? There's a lot of that that is being thought about. A couple of other practical things that I think also the small C compliance issues that are driving people to distraction. There's a lot of frustration about delays in sensitive matters like investigations. If you can't easily get to an interview subject because physically, you could go visit them, you could eyeball them, see if they're getting squirrely. You can't do that as easily if at all online, so what do you do? Do you want to delay the investigation? Do you change the strategy of it?
Matt Kelly: If you're getting documentation, do you have more concerns now about the authenticity of the documents and the data because that might be more susceptible to fabrication? I was talking with an investigator earlier today who literally brought up all of those things where he is actually changing the camera angle for interview subjects, so he can get a better view of them than we would typically have head-on in a video conference. Nuances like that, you're down to thinking about that. Then the last thing that I think a lot of compliance officers are trying to get their heads around are old types of misconduct that still exist in the online world around more like say workplace bullying, sexual harassment.
Matt Kelly: These things can happen online. They would typically happen in an office in person somehow and now they're all happening online, so what's the documentation that you need there? Are you surveilling all people's conversations because that's privacy risk? How do we sort that out? How do we investigate that? What's the proper discipline? Nobody really quite knows that or a lot of firms that have some experience in it find that they're still very much as thrown into the deep end of the pool. There's a lot of that trying to figure out what do we do with all of this interaction that's happening online now, how do we document it, how do we study it, how do we respond to it. That's what's going on.
Robert Cruz: Yeah. There's even a term Slack bullying that's floating around that is talking exactly to that scenario. Troy, I want to add you here because just the idea of now, it's not the view of an email or a document that you might need for litigation or an investigation. It's a conversation that took place on Zoom or WebEx or some of the collaborative platform and what kind of new challenges does that create from that perspective.
Troy Paredes: Well, it's interesting there's always been the challenge of there are going to be certain ways that people communicate that aren't captured, two people going on a corner and having a conversation. It's pretty hard to capture. I think part of it is, Robert, exactly to your question is, is thinking about what the new channels and means and modes of communication are from a technological perspective and asking the question, what does that then mean in terms of whatever enhancements need to be instituted from a surveillance, a monitoring, a record-keeping perspective.
Troy Paredes: It comes back in part to what Laurence was saying in terms of the technology from a compliance, surveillance, risk management perspective, needing to match up to the ways in which people are now communicating differently. Not just differently in terms of different channels of communications, but going back to what Matt was saying as well. People are communicating over those channels in ways that no one would have expected or at least no one would have expected in the first second quarter of 2020. That sort of innovation if you will all the way around is key without question, but there's a piece of it that I think is going to be important stitching together a lot of what I think has been said.
Troy Paredes: What I'm about to say I think it's going to sound really basic, but I think it's going to be something that's easy to fall by the wayside, and that is formalizing, institutionalizing and in a rigorous way, companies conducting lessons learned exercises whenever we get to the other side of this. There are things people should be doing now, right? When you spot an issue, a shortcoming in a policy, a procedure or control, you identify a way in which a provision in a code of conduct is not being adhered to.
Troy Paredes: Those things should be adhered to in the moment and not delayed, but taking a step back and doing the rigorous discussion, lessons learned exercise with all of the right stakeholders participating and saying, what did we learn, not what did we just learn big picture, but what did we learn when it comes to the implementation and the details doing that lessons learned exercise and then saying, "All right, in light of that what does it mean for risk management? What does it mean for technology? What does it mean for governance? What does it mean for surveillance? What does it mean for record and communication capturing and the like" is going to be a really important piece.
Troy Paredes: I would just encourage not to allow that to slide because I think when you do that in a rigorous way and a rigorous way with the right stakeholders around the table, you may think you kept good lists and you may think that you recall what the challenges were, but that all-hands-on-deck stakeholder or lessons learned exercises for sure I think on a reveal very useful insights that may otherwise have gone unrecognized, and that then can be baked into how things change again from a compliance, risk management technology, et cetera, perspective going forward.
Robert Cruz: Some great insights there, and I want to get to what a lot of you have already alluded to, which is the mitigation strategies. What our company is actually doing? We're out of an inflection point it seems where initially we were all thrust into this situation, and now you've had a little bit more time to think about well, this situation may persist and I may need to continue to support this virtual workforce or potentially a longer period of time. Let's get to what you guys are finding in terms of what companies are doing to mitigate. How do they prioritize these investments? Matt, why don't you start with what's happening from a policy perspective?
Robert Cruz: How are companies dealing with this in terms of making sure that their policies are reflecting the way the companies and individual are currently doing the jobs that need to get done?
Matt Kelly: I have a few ideas about that Robert, although I did just want to chime in on one thing Troy had said which I think was spot-on, talking about doing these post-mortems about what else can we do to put some structure around this. I mean really, that's nothing different than what most companies should have been doing and probably had been doing before from a more mechanical process perspective, but if you had some invoice payment fraud in say 2007 or 2008, when we were all thinking about internal controls, segregation of duties, and good accounting, this is the stuff you would have done is like, "Okay, how did this happen? How do we rectify our controls and our procedures to make sure it doesn't happen again?"
Matt Kelly: What Troy was just saying is the exact same sort of thing at a more abstract level. It's just we're dealing with a different risk with people and communication, but it's the same remediation step to try and figure out how do we improve. For anybody who might be thinking really, do we have to do all that, it's nothing you haven't done before if you sit down and think about it. I do think where companies are trying to put some of their investments in right now is I think first, they're still trying to clarify just what the policies should be and what the consequences are for not following them. I think for a lot of companies also, they're not entirely sure what the consequences should be.
Matt Kelly: Clearly, if you are breaking the law or you are in a clear violation of a longstanding regulation, like there's no joke there about what the consequences should be, but for example, if everybody is using Zoom and somebody slips and accidentally uses Zoom again when they weren't supposed to, like what are you going to do with that? You have to think through what's the proper disciplinary policy or what's the consequence. I can tell you I know some compliance officers now who take this so seriously. They do not even have after work virtual happy hours on Zoom anymore. They insist on Microsoft Teams meetings or Skype for Business or something like that, but I do think that as they're trying to get through this there is still a bit of a log jam about what we should do next.
Matt Kelly: Do you want to provide other sorts of tools because the ones you have aren't working very well and okay, well then how would we evaluate what those tools should be or what about more helpful steps like single sign-on for users, which I am a big fan of? As a personal anecdote here, my wife and I have two small kids and the education system is borrowing us with various tools that we should try to use. We have various passwords. We have various logins. We don't know what they are and we are falling into exactly the trap Laurence had mentioned before about where the tools become an obstacle more than a tool, so we don't use them.
Matt Kelly: Well, do you find a new tool or do you somehow change it for single sign-on, things like that? There's still a lot of thinking about that and since you used the word investment, my last point is that I do see there's not necessarily an investment of dollars yet. Sometimes there is, but the compliance officers are trying to invest a lot of time in strengthening relationships with IT, with legal, with HR, consensus about what we should try to do here because there's a whole lot of making it up as we go along. We're confident let's nail it all down. There's still a lot of that that's happening too.
Robert Cruz: Yeah, it's a great point and it adds to what Laurence was saying earlier. Talk to us about technology Laurence and in particular, the importance of the alignment between compliance, technology and legal and evaluated some of these technologies.
Laurence Goldfarb: Right. Well, when I was running this software company and I had a nice affirmations and assessment tool simplified but a good tool, and people would say, "So how do you make sure that individuals are trading using your system, doing personal trades using the system to get a pre-clear?" I said, "You needed affirmations. You needed attestations. You need to make sure that the individuals understood the rules and that they affirmed that they were going to stay with it, and then we're going to do it." That's I think what needs to get done on a regular basis here, so to make sure that the employees know what they can use and what they can't.
Laurence Goldfarb: I think that that's critical setting up a bit of an attestation on a regular basis, but in terms of investment and investing in tools that perhaps will not have a long lead period because we don't have a lot of time and we know everybody is extremely busy working from home. You never really have a time off. You never get on the train and relax, you're constantly working. My watchword here is repurpose because most firms have plenty of tools, and those tools can cover the gamut from what everybody needs, from video conferencing to chatting, to collaboration, tools exist. When I was at Deutsche Bank, you can only imagine how many tools they have, thousands and thousands and thousands of tools, but obviously certain groups didn't have access to it.
Laurence Goldfarb: Now for instance Slack, Slack was a tool that was used by project teams and IT to communicate. Let's repurpose that tool to be used as a way to communicate amongst teams in the front office or between compliance in the front office. I had mentioned earlier hoot-n-hollers. Hoot-n-hollers could be used as a way to have... This is to Matt's point to make sure that everybody understands the buzz and what's going on. Probably one of the more interesting repurposing that I can think of is remote desktop. We know and many firms, larger firms already have what they call virtualization, but a lot of them small or midsize firms don't, but their support groups do access your screen to fix things.
Laurence Goldfarb: There is remote desktop for support organizations and install software or the fixed problems you have, but those can easily be repurposed to have individuals access their work computers from home or with some change, you can create something called virtual desktop where everybody can access tools that are provided by the company, thus being able to give individuals access to multiple tools across the organization that should be able to satisfy their need for almost anything they need to do.
Laurence Goldfarb: My coming out of this and the types of investments that need, I think in addition to the blocking and tackling that we at all talked about and following the policies and procedures is working with your IT group to understand what can be repurposed to allow individuals in the front office, back office, middle office to be owned in the different risk groups, to be able to use those tools that they need to be successful.
Robert Cruz: You raised the important point here of where do we go from here? What happens when we emerge from this to the new normal whatever that is? I want to get to this question of what do you think we learn from this and does this ultimately lead us toward a more shared view of risk of greater collaboration across these functions to evaluate these technologies. Troy, why don't you take us through what your thoughts are in terms of what's next? Where do we go after we've managed to survive this situation?
Troy Paredes: Yeah. Let me just pick up where you were starting to go because I think it's a really important point, and it's where I hope we are next, though I think we've already seen some of it even before COVID-19, and that is a lot of cross team, cross functional engagement and interaction. When you think about compliance and technology, but I thought Matt made an interesting point in terms of referencing HR particularly when you're dealing with the kinds of things folks are dealing with. Now you think about risk management more broadly. I mean my personal view is, is compliance is really part of the broader risk management effort. You think about the business itself.
Troy Paredes: It's important to have the business taking ownership of course on compliance too. I hope that there's even more of what we have already been seeing in more recent years of compliance, not just being for compliance or compliance legal, that compliance is working closely with all of these other functions because that's where the knowledge base comes from, that's where the sharing comes from, that's I think where the buy-in comes from. I think that also speaks to the fact that getting compliance risk management right where it's effective, where it's reasonable, where it's mindful of business objectives where you get all of that together and working if you will harmoniously.
Troy Paredes: That's ultimately I think good for the business over the long term in terms of being on the foundation from a compliance and risk management perspective that's going to make sure that it's on the right course over time. I would hope we would see even more of that coming out of this. A more specific point to all of this is the following that even as we are doing more things remotely, and I do think that that will persist to some degree. Maybe forever or certainly for a long time, still realizing that it's important to keep in touch with people, that that human contact even if it's through a chat or a call continues to be important.
Troy Paredes: Part of that is just genuinely caring for the people you work for and your teams and your colleagues. I think that to be honest is important all the time, not just in a time like this. I think if you're thinking about it say from the manager's perspective or supervisor's perspective, even compliance perspective, what have you, is also making sure that people know you're available. Just because you may not be down the hall, just because you may not be sitting on the desk with say traders or other folks in the business, that doesn't mean you're not available. I think making sure that you think about how to ensure that your teams and others know that you're available, you're still there to ask questions.
Troy Paredes: You're more than happy and willing to hop on a call, but if you're proactive and all of that as well. I actually think that can go a long way because if you reach out to somebody, they may actually have a question that they're struggling with. Again, if you were down the hall, they may poke their head in your office or they may catch you on the desk. Perhaps they won't otherwise reach out in a time like this, but if you reached out, you may catch them at the right time and really be a very helpful resource. I think it's worth making the time and prioritizing those sorts of interactions and contacts as well, not only again on the human side of things, but to make yourself available as a resource to help your teams work through whatever it is they need help working through.
Robert Cruz: Great point. Just help those that are struggling with this transition. The best practice is that those who are accustomed to virtual work and share with others that may not have been experienced with this in the past. Matt, can you go further just in terms of where is the sharing and alignment here that emerges? Is it regarding process or training or budgets or priorities? What do you see coming out from the end of this?
Matt Kelly: Well, the thing that strikes me a lot is that Robert, you had asked about are we going to see a shared view of risk. We're already moving to that. We're having to that and what COVID-19 is doing is changing the velocity of that evolution, and we can't really say very clearly how it's going to change because we don't know when the COVID crisis will end. If I knew for a fact that we wouldn't have a vaccine for three years, I'd give you one answer, but it is possible we could find out next week that half of us have already had it with no symptoms and this isn't a big deal and we can all go back to work.
Matt Kelly: If this was only going to last three months, no, we're not going to get as much of a shared view of risk from this as we would have if it were three years, but the thing that I keep coming back to is the dynamic that had been evolving for a while was the board. Above all, it's the board. The board wants a more immediate view of what are the emerging risks and why are they emerging. Well, how do you give them that? You give them that with good data analytics and monitoring tools.
Matt Kelly: As much as we talk about tools and we might think of them as software or apps, a lot of software is going to be just algorithms or a lot of the tools, I mean they're going to be algorithms that measure the risk, and that's what's going to drive a shared view because internal audit and IT are going to build those algorithms, but they're going to be informed by legal and compliance and HR who are going to need to say we have... It has to tell us this, and so then we'll know it's in the red zone or it's still in the green zone. The pace of that change.
Matt Kelly: The pace of that conversation is going to be dictated by how long COVID lasts, and we don't know, but more than anything else, that's my thought is that I would have said we'll have a shared view of risk by 2030. Now, yeah, could we have one by the end of the year? Sure, yes because this is a very high pressure thing that we're all going through and it's just the pressure of it will drive the development of the tech that will drive the monitoring, the algorithms and the tools that we use, and that's going to give us the shared view. That's what I see.
Robert Cruz: Great insight and I can presume that were land consensus that the evaluation of risk pertaining to a new technology is now something that multiple stakeholders are engaging in. More folks are being asked to evaluate and provide their perspective on is this introducing new privacy, security, regulatory or discovery risk before they allow their employees to use new communication networks. We're approaching home here and I thought what we do is just key takeaway from each of you. What would be the one thing you would advise a company to do after leaving this webinar? Why don't we start with Laurence and final takeaway key single thing that an organization should do from your perspective?
Laurence Goldfarb: Well, I'm going to say two things, but I'm going to say them quickly. One of them, it's more important than ever for companies to understand their cloud provider. Make sure not only are they looking at the risk and something that Troy or Matt would say in terms of the way the company would treat an internal system, that's the way they should treat the cloud provider, but also understand the product, understand the privacy, understand some of the features. The second point is that to amplify what Troy and I just said, is that the culture needs to continue to become can do, so where there's problems or issues like can we get a system, can we get it captured, is it archive-conducive.
Laurence Goldfarb: It has to be all hands on deck to solve the problem as opposed to well, do we get this committee together? I don't know, they've never been together before. I think can do is extremely important and something that as Matt points out I think is going to roll forward things that I think management are going to be really appreciative of as we go forward.
Robert Cruz: Great. How about you Troy, key takeaway, a thing that firms should consider next?
Troy Paredes: Sure. Obviously, there's a lot of things, but let me hit one that has the flavor of optimism, and that is start planning for the future. Start planning for when there is a reopening or rolling reopening or whatever it is that we're confronted with or have the opportunity to do. Everybody working remotely instead of working in an office presented its challenges, and that's what we've been talking about. I think when people start going back to the office, it's going to present a whole set of challenges as well. I think in order for that to not only go smoothly from an operations perspective, a compliance and a risk perspective, but also of course without question a health and safety perspective, is going to have its own difficulties.
Troy Paredes: I think that's something where it's important for folks not to start focusing on that in a serious way when they're on the eve of needing to implement something, but in advance so that when the opportunity arises, it can be done in a way that's mindful again and not only of health and safety, but operational compliance, broader risk management, technological considerations as well.
Robert Cruz: Great, and how about you Matt?
Matt Kelly: I'll try and thread a couple of different needles here, and companies need to be thinking a lot about how do we monitor the activity that is happening within our enterprise. You do that by working with your people and don't forget that we have actual human beings at the company. What are they trying to do and how are they doing it, and what problems are they encountering, but this is only going to succeed, and Troy is spot on that we're going to have a whole other set of challenges once we start to turn things back on. This is only going to succeed if we have the people, the employees on our side that like they, the management that we normally like to take shots at, they're trying to help us let's make sure that we can help them by being honest and upfront with them.
Matt Kelly: If your employees don't have that mindset, if they see you as the adversary, you're going to be sunk and that's true today, tomorrow, probably was true yesterday too. That's really about how do we get the employees buy-in on this, so we can understand what they're really up against, and then we can build the right tools for them and monitor how it works.
Robert Cruz: Great insights from everyone. Think about the confluence of people process and technology, plan for the future, be aware of the capabilities of third parties, and just recognize that the needs of your employees. Brilliant insights and really appreciate all of you joining us this afternoon and sharing your experience and background. We have a few questions here, but before we get to them, I just want to give a couple of minutes to how Smarsh can help in this area, just looking at some of the technologies that we're deploying now for organizations that are working through this transition. Then we'll get to the several other questions that came through here in the last 45 minutes or so.
Robert Cruz: In terms of capabilities, essentially what we're offering is number one, the ability to capture all these communication sources that your employees are now using, whether they are Slack or Zoom or just ensuring that information that's being communicated and delivered on a mobile device is properly preserved and stored, so that then you have that ability to store the information within the repository that enables you to be ready for investigation and discovery, that allows you to meet your supervisory obligations according to FINRA or the regulated industries, and to enable the workflow, the applications that you need to perform on a day to day basis, whether that's your supervisory obligation or whether that's providing information and data to your other applications in your environment.
Robert Cruz: This has been the sole focus of our company since we've started and so today supporting 80 different communication networks. A part of our tasks is to stay in front of how your clients wanted you to communicate, what are the tools are they demanding that you use and support, and making sure you have the appropriate compliance controls to deal with whatever mechanism that your business needs to do its business through.
Robert Cruz: Just final point is the resources that we're very actively staying in front of in terms of just helping our customers, helping the practitioners with perspectives, best practices, how to address common challenges, very active in our blog talking to a number of individuals that are going through this process, looking at what this means for a supervisory perspective, whether it's SEC or FINRA. Also, looking at this from an HR perspective, how do you deal with the personnel and the questions around empathy, just making sure that folks have what they need to do their jobs.
Robert Cruz: From a product perspective, a lot of capabilities here on the site that talk about how we preserve and capture the various communication sources that we've been talking about here, how we can enable you to be flexible, to quickly deploy these networks, and ensure that your employees can use them and do that in a way that's safe. With that, let me hand it back to Davi Schmidt and let's take a couple of questions here in the couple of minutes we have left. Davi Schmidt, why don't you see what we have here?
Davi Schmidt: Yeah. We have a couple of questions coming around this topic, how can firms limit the use of unauthorized networks like WeChat and WhatsApp, et cetera, and maybe talk about the vulnerabilities with those applications as well.
Robert Cruz: Anyone want to take the first shot at the unauthorized networks and other tools that are...
Laurence Goldfarb: Sorry Robert. The way I described it is when you're dealing with something like that where there's very little way you can surveil whether somebody especially at home is using a tool like that, you really need to use affirmations and attestations. Send out an attestation to say, "Do you understand the policies associated with using the devices and are you willing..." and then affirm that your individual is doing that according to the policy. That I think is the best way and for them to understand the penalties if they use these sort of things, and that usually is fairly effective.
Robert Cruz: Right. Matt or Troy, other thoughts?
Matt Kelly: I will bow to the IT expert here on this panel.
Robert Cruz: Okay, and I'll just quickly out on that point that this is a quickly evolving area of technology. There are approaches that are beginning to hit the market that will allow firms to provide access to some of the tools, in particular the WeChats and the WhatsApps, but to do that in a way that ensures that you also have the controls in place. Keep an eye on the technology side of this because I think just given the reality and the growth that those networks are seeing, you're seeing the compliance controls beginning to catch up with the ability to capture store in the view of what's happening on those networks.
Laurence Goldfarb: Robert, I think it's good to note that when you look at Smarsh and its practice, interfaces that they have with all the various tools and all the various communication devices, like WeChat, I was noticing Verizon or AT&T, these are systems that if they can be captured and I'm sure Troy and Matt would agree are very possible and can be used properly and legally and within a company. The fact that Smarsh provide this information and provide these connectors is legal of going to allowing individuals to use different kinds of communication tools.
Robert Cruz: That's a great point Laurence. Thanks a lot for that, appreciate it and again, that's a part of what we do is if a firm says whatever we can capture you can use, that's what we're helping to support. If there's a mechanism available for that communication to be reliably, securely, consistently captured, then that's what we have, the ability to be agile and provide the mechanism to do that. Davi Schmidt, time for last question?
Davi Schmidt: Sure. We can do one last question. Do you see more organizations adopting cloud technologies for the first time?
Matt Kelly: My short answer is that most companies I have seen, they've already been using the cloud and I think a fair number of them might not even know that pockets of the enterprise have been using the cloud. Specific to that question, are they adopting the cloud for the first time, I would almost venture to say no because they've already been touching the cloud for quite some time in different ways.
Laurence Goldfarb: Yeah, and just to amplify that point, many of the larger banks almost all of them are moving towards the cloud with Office 365, so much more cost-effective, certain types of archiving are included as part of it. It's just so much more effective and it's much easier to interface with archiving and compliance tools. Yes, the cloud is here and here to stay for sure.
Robert Cruz: Terrific. Thanks for the responses, and we have a few other questions that I will commit to providing a response back to those on the line. Look for that to be coming back in a summary of this session. Thanks.
Davi Schmidt: Thank you to all of our panelists and thank you everyone for participating in this webinar. Please note that the webinar has been recorded and the link will be sent out via email. We will also announce the winner of the Bose noise-canceling headphones tomorrow, so look out for that email as well. You're welcome to send any additional questions you may have to firstname.lastname@example.org. If you asked the question and we were not able to get to it, we'll be following up with you after this webinar to make sure all of those questions get answered. Thanks again for joining us and have a great rest of your day.