Social Media Regulation and Risk
Sarah Carter, VP Marketing, Actiance, Inc.
Confidential and Proprietary © 2011, Actiance, Inc. All rights reserved. Actiance and the Actiance logo are trademarks of Actiance, Inc.
Agenda
• About Actiance, why am I here?
• The Communications Revolution isn’t new
• It’s being led by end users
• Who are having a degree of success
• But it brings a degree of risk in a number of areas
• General Regulation
• Specific Regulation – FINRA, FSA, IIROC, SEBI
• What happens when you don’t address the risk?
• A best practice approach for control
• Finally: Chumby
About Actiance
• Enable the New Internet – 4,500+ Web 2.0 apps, Unified Communications, Social Networks
• Global operations – USA, EMEA, India, Asia/Pacific
• Market Leader – 9 of the top 10 US banks – Top 5 Canadian banks – 3 of the top 5 energy companies
• Broadest Partner Ecosystem – Technology alliances
It’s a communications revolution
• Public IM • P2P • Anonymizers • VIPVoIP • Financial IM • Social Networks • Unified Communications • Games • Web Conferencing • Virtual Worlds • VoIP • IPTV • Remote Admin Tools
Source: Actiance Annual Greynets Surveys 2008 – 2011 & Projected
The charge is led by the end users
Actual customer traffic history (~155 organizations), representing all Internet activity from over 150K end users (Actiance Internet Survey 2009)
Source: Actiance Annual Internet Survey 2010
And success is being gained
U.S. One
Interactive Capital Management
Cathy Curtis, CFP
@AskCiti, @AnnaObrien
But there is a series of risks...
Data Leakage: Personal Employee Information; Intellectual Property; Credit Card, SSN; Client Records
Incoming Threats: Malware, Spyware; Viruses, Trojans; Inappropriate Content
Compliance & eDiscovery: SEC, FINRA, IIROC; HIPAA, FISMA, SEBI; SOX, PCI, FSA; FRCP (eDiscovery); FERC, NERC
User Behavior: Productivity; Bandwidth Explosion; Every employee is the face of business
Web 2.0 & Social Networks Regulation & Compliance
Regulation – Social Network and Web 2.0 Impact
SEC and FINRA: Obliged to store records and make accessible. Public correspondence requires SEC and FINRA approval, review and retention. Extended to social media. http://www.finra.org/Industry/Issues/Advertising/p006118
Gramm-Leach-Bliley Act (GLBA): Protect information, monitor for sensitive content, and ensure not sent over public channels (e.g., Twitter).
PCI: Ensuring cardholder data is not sent over unsecured channels AND PROVING IT.
Red Flag Rules: Prevent identity theft. Protect IM and Web 2.0 from malware and phishing when users are more likely to drop their guard.
FRCP (eDiscovery): Email and IM are ESI. Posts to social media sites must be preserved if reasonably determined to be discoverable. http://blog.twitter.com/
Web 2.0 & Social Networks Regulation & Compliance
Regulation – Social Networks and Web 2.0 Impact
Sarbanes-Oxley (SOX): Businesses must preserve information relevant to the company reporting.
Canadian Securities Administrators National Instrument 31-303 (CSA NI): Retain records for two years, in a manner that allows “rapid recovery to a regulator.” Can extend to IM and social media.
Investment Dealers Association of Canada (IDA 29.7): Demands the retention of records with respect to business activities, regardless of its medium of creation.
MiFID and FSA – Markets in Financial Instruments Directive (EU): Specifically requires the retention of electronic communication conversations when trades are referenced.
Model Requirements for the management of Electronic Records (MoReq): European requirements for the retention of electronic records.
FINRA Regulatory Notice 10-06: Guidelines for Social Networks
Regulation – Social Network and Web 2.0 Impact
SEC Rules 17a-3 and 17a-4 and NASD Rule 3110: Retain records of communications related to business.
Public Appearances: Electronic forum & chat rooms, content posted to social media may constitute a public appearance.
Prior Approvals: Wall postings require prior approvals.
Participation: Real-time participation on social networks equals participation.
FINRA Regulatory Notice 07-59: For instance, communications between research and investment banking departments should be restricted.
Restrict Personnel: Only those subject to the firm’s supervision should have access; provide training prior to engagement; prohibit or restrict those who pose a compliance risk. Restrict access with technology.
Financial Services Authority (FSA): Guidelines for Social Networks
Regulation – Social Network and Web 2.0 Impact
Senior Management Arrangements, Systems and Controls (SYSC) 9.1.1: An enterprise must arrange for orderly records to be kept of its business and internal organization.
SYSC 9.1.2: Records must be kept for at least five years.
SYSC 9.1.5: An enterprise should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records.
Policy Statement 08/1: Must record conversations on public and enterprise IM networks.
SYSC 3.1: A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.
SYSC 10.2: Firms must take reasonable steps to ensure that ethical walls remain effective and are adequately monitored.
Financial Promotions Industry Update No. 5: All communications or financial promotions must be based on the principles of fair dealing. Adequate records of financial promotions must be kept.
What Can Go Wrong?
Matrixx stock price – The nasal spray form of cold remedy Zicam, produced by Matrixx Initiatives, has potentially been found to damage some people’s sense of smell. Stock price dropped from $19.24 that day to $5.78 on June 16th. It’s $5.21 now.
Do your research on:
• FedEx & Ketchum
• Nestle & Greenpeace
Ensuring regulation is met, reducing risk
Issue – Control Requirements
Identity management: Ensure that all the different logins of an individual link back to the corporate identity.
Activity control: Posting of content allowed for marketing but read-only for everyone else.
Granular application control: Employees can access Facebook, but not Facebook Chat or Facebook Games.
Anti-malware: Protect the network against hidden phishing or Trojan attacks.
Data leak prevention: Protect the organization from employees disclosing sensitive information.
Moderation: Messages posted only upon approval by a designated officer.
Logging and archiving: Log all content posted to social networks.
Export of data: Export stored data to any email archive or WORM storage.
More Info?
www.actiance.com
Visit the Actiance Collateral Library at http://actiance.com/products/collateral-library.aspx
Specific Questions?
Sarah Carter, VP Marketing, Actiance, Inc.
http://www.linkedin.com/in/sarahlouisecarter
Twitter: @SarahActiance
Email: [email protected]
650 631 6452 (desk)
415 806 9504 (cell)
+44 (0) 7970 729068 (UK mobile)