Security Remains a Significant Concern for Business Archiving Electronic Communications

Mike Pagani, Chief Evangelist, Smarsh

For the sixth consecutive year, the Smarsh Electronic Communications Compliance Survey illustrates the key trends and concerns facing compliance around the retention and oversight of electronic communications. While many of the concerns highlighted by respondents remain consistent year-to-year, such as increased regulatory scrutiny and new communications channels, the responses also showed supervision practices are not sufficiently keeping pace to address the new compliance implications of these ongoing trends. Gaps in policy, enforcement capabilities and retention remain high, leaving firms vulnerable to undetected fraud, errors, and regulatory enforcement penalties.

For instance, supervision of non-email communications types, such as social media, text messaging and website content poses a real challenge, because the sheer volume of email firms must retain and review already overwhelms most organizations. Resources needed to address the ever-expanding compliance perimeter are growing too slowly, if at all. Against this backdrop of tough challenges, compliance professionals have to somehow align the benefits of modern communications with the critical need to protect their firms, their clients’ data, and even themselves against compliance risks.

These concerns are steady irrespective of whether a firm allows usage of new communications channels or not, indicating that simply prohibiting employees from using a channel is neither sufficient nor reliably enforced. Compliance must also ensure employees are not using unsupervised channels for business purposes without the firm’s permission or knowledge, because communications outside the compliance perimeter represent the most significant source of compliance vulnerability and risk.

It’s no wonder compliance professionals are expressing new levels of growing concern that their current programs do not effectively identify potential compliance violations and true risk.

Electronic Message Supervision

The primary purpose of electronic message supervision is to satisfy regulatory requirements designed to protect investors. In addition to retention, firms are required to perform risk-based review of all business correspondence and internal communications, even when messages reside on an employee’s personal devices and social media accounts.

The compliance function must ensure the firm is compliant with these mandates, thereby minimizing the business risks of non-compliance, such as fines, reputational damage, and loss of license to operate. However, the value of electronic communications retention and supervision extends beyond the regulatory checkbox. Sixty-five percent of the Smarsh survey respondents reported that the compliance function is responsible for handling requests to produce electronic communications data for e-discovery or other business purposes, bringing compliance into more aspects of business operations. Increasingly, electronic communications supervision also plays a role in broader risk management, including cybersecurity.

The Road Ahead: Greater Focus on Cybersecurity

Recently, FINRA and the SEC identified cybersecurity as the number one threat to financial institutions, and introduced new regulations in 2015. This year, both regulators also began including cybersecurity in their exams.

Firms around the world are recognizing that the holistic oversight enabled by the comprehensive archiving of electronic communications can greatly reduce risks that would otherwise go undetected in the ‘dark corners’ within firms. These could be described as situations where a rogue employee, third-party supplier, or unmonitored social media account wreaks havoc on a firm’s reputation, business, or regulatory compliance without the firm knowing.

Comprehensive archiving and supervision of electronic communications can proactively help identify ‘bad actors’, dissatisfied customers, and other potentially negative incidents before irreversible damage occurs. Client and employee communications that may pose risk can be flagged, reviewed or analyzed, and escalated for any concerning language or trends, ultimately enhancing risk management and overall cybersecurity efforts.

While the Smarsh survey reveals the majority of firms still struggle with continually evolving regulations and new communications types, progressive ones are now paying even closer attention to the way they retain, archive and supervise email, social media, text messaging, and website communications. Taking full advantage of specialized, advanced technologies such as comprehensive archiving (which can automate message capture, and help a firm perform policy checks and message review) can create new levels of efficiency for compliance teams so their capacity can extend beyond email alone. These firms are also performing cybersecurity assessments in line with new regulations, implementing solutions that mitigate any identified risks, obtaining certifications where needed, and then reporting on progress in preparation for SEC and FINRA cybersecurity exams.

There is a growing need for firms of all sizes to rethink traditional or legacy approaches to communications supervision, especially when considering finite resources and the evolving strategic role that compliance teams can play moving forward in organizational risk management and cybersecurity initiatives.

About the Author

Mike Pagani is a seasoned IT professional and recognized subject matter expert in the areas of mobility, identity and access management, network security and virtualization. Prior to joining Smarsh in November 2014, Pagani held executive-level corporate and technology leadership/spokesperson roles for Stay-Linked, Quest Software, NComputing, Dell Software and others.
