Social Media Regulation and Risk

Sarah Carter, VP Marketing, Actiance, Inc.

Confidential and Proprietary © 2011, Actiance, Inc. All rights reserved. Actiance and the Actiance logo are trademarks of Actiance, Inc.

Agenda

• About Actiance, why am I here?
• The Communications Revolution isn't new
• It's being led by end users
• Who are having a degree of success
• But it brings a degree of risk in a number of areas
• General Regulation
• Specific Regulation: FINRA, FSA, IIROC, SEBI
• What happens when you don't address the risk?
• A best practice approach for control

• Finally: Chumby

About Actiance

• Enable the New Internet: 4,500+ Web 2.0 apps, Unified Communications, Social Networks
• Global operations: USA, EMEA, India, Asia/Pacific
• Market Leader: 9 of the top 10 US banks; top 5 Canadian banks; 3 of the top 5 energy companies
• Broadest Partner Ecosystem: technology alliances

It's a communications revolution

• Public IM
• P2P
• Anonymizers
• VoIP
• Financial IM
• Social Networks
• Games
• Web Conferencing
• Virtual Worlds
• IPTV
• Remote Admin Tools

Source: Actiance Annual Greynets Surveys 2008 – 2011 & Projected

The charge is led by the end users

Actual customer traffic history (~155 organizations), representing all Internet activity from over 150K end users (Actiance Internet Survey 2009)

Source: Actiance Annual Internet Survey 2010

And success is being gained

U.S. One

Interactive Capital Management

Cathy Curtis, CFP

@AskCiti, @AnnaObrien

But there are a series of risks...

Data Leakage
• Personal Employee Information
• Intellectual Property
• Credit Card, SSN
• Client Records

Incoming Threats
• Malware, Spyware
• Viruses, Trojans

Compliance & eDiscovery
• SEC, FINRA, IIROC
• HIPAA, FISMA, SEBI
• SOX, PCI, FSA
• FRCP (eDiscovery)
• FERC, NERC

User Behavior
• Productivity
• Bandwidth Explosion
• Inappropriate Content
• Every employee is the face of the business

Web 2.0 & Social Networks Regulation & Compliance

Regulation: Social Network and Web 2.0 Impact

SEC and FINRA: Obliged to store records and make them accessible. Public correspondence requires approval, review and retention. Extended to social media. http://www.finra.org/Industry/Issues/Advertising/p006118

Gramm-Leach-Bliley Act (GLBA): Protect information, monitor for sensitive content, and ensure it is not sent over public channels.

PCI: Ensuring cardholder data is not sent over unsecured channels, AND PROVING IT.

Red Flag Rules: Prevent identity theft. Protect IM and Web 2.0 from malware and phishing when users are more likely to drop their guard.

FRCP (eDiscovery): Email and IM are ESI. Posts to social media sites must be preserved if reasonably determined to be discoverable. http://blog.twitter.com/

Sarbanes-Oxley (SOX): Businesses must preserve information relevant to the company's reporting.

Canadian Securities Administrators National Instrument 31-303 (CSA NI): Retain records for two years, in a manner that allows "rapid recovery to a regulator." Can extend to IM and social media.

Investment Dealers Association of Canada (IDA 29.7): Demands the retention of records with respect to business activities, regardless of the medium of creation.

MiFID (Markets in Financial Instruments Directive, EU) and FSA: Specifically requires the retention of electronic communications when trades are referenced.

Model Requirements for the management of Electronic Records (MoReq): European requirements for the retention of electronic records.

FINRA Regulatory Notice 10-06: Guidelines for Social Networks

Regulation: Social Network and Web 2.0 Impact

SEC Rules 17a-3 and 17a-4 and NASD Rule 3110: Retain records of communications related to business.

Public Appearances: Electronic forums and chat rooms, and content posted to social media, may constitute a public appearance.

Prior Approvals: Wall postings require prior approval.

Participation: Real-time participation on social networks equals participation.

FINRA Regulatory Notice 07-59: For instance, communications between research and investment banking departments should be restricted.

Restrict Personnel: Only those subject to the firm's supervision should have access; provide training prior to engagement; prohibit or restrict those who pose a compliance risk. Restrict access with technology.

Financial Services Authority (FSA): Guidelines for Social Networks

Regulation: Social Network and Web 2.0 Impact

Senior Management Arrangements, Systems and Controls (SYSC) 9.1.1: An enterprise must arrange for orderly records to be kept of its business and internal organization.

SYSC 9.1.2: Records must be kept for at least five years.

SYSC 9.1.5: An enterprise should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records.

Policy Statement 08/1: Must record conversations on public and enterprise IM networks.

SYSC 3.1: A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business.

SYSC 10.2: Firms must take reasonable steps to ensure that ethical walls remain effective and are adequately monitored.

Financial Promotions Industry Update No. 5: All communications or financial promotions must be based on the principles of fair dealing. Adequate records of financial promotions must be kept.

What Can Go Wrong?

Matrixx stock price: the nasal spray form of the cold remedy Zicam, produced by Matrixx Initiatives, has potentially been found to damage some people's sense of smell. The stock price dropped from $19.24 that day to $5.78 on June 16th. It's $5.21 now.

Do your Research on

Fedex & Ketchum

Nestle & Greenpeace

Ensuring regulation is met, reducing risk

Issue: Control Requirement

Identity management: Ensure that all the different logins of an individual link back to the corporate identity.

Activity control: Posting of content allowed for marketing, but read-only for everyone else.

Granular application control: Employees can access Facebook, but not Facebook Chat or Facebook Games.

Anti-malware: Protect the network against hidden phishing or Trojan attacks.

Data leak prevention: Protect the organization from employees disclosing sensitive information.

Moderation: Messages posted only upon approval by a designated officer.

Logging and archiving: Log all content posted to social networks.

Export of data: Export stored data to any email archive or WORM storage.
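The data leak prevention row above, and the PCI row earlier ("ensuring cardholder data is not sent over unsecured channels, AND PROVING IT"), state a requirement but not how such a check is built. The following is an added example, not Actiance product code and not from the original deck: a Python scan of outbound post text for card numbers (candidate digit runs validated with the Luhn check, so order and tracking numbers are not flagged) and US SSNs, returning an allow/block decision plus a masked finding record that can go to the archive. The `PAN_CANDIDATE` and `SSN_RE` patterns, the `decide` function and the sample posts are all assumptions of this example; the posts are constructed, not real customer data.

```python
"""Outbound-content DLP check for social media posts: PAN (with Luhn) and SSN.

Added example, not Actiance product code. Sample posts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate card number: 13-19 digits, optionally separated by single spaces
# or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# US SSN in dashed form AAA-GG-SSSS, excluding structurally invalid values
# (area 000, 666 or 9xx; group 00; serial 0000).
SSN_RE = re.compile(
    r"(?<![\d-])(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters order numbers and other 16-digit noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits so the audit record is not itself a leak."""
    return "*" * (len(digits) - keep) + digits[-keep:]


@dataclass
class Finding:
    kind: str     # "PAN" or "SSN"
    masked: str   # masked value, safe to archive
    offset: int   # character offset of the match in the post


def scan_text(text: str) -> List[Finding]:
    """Return every PAN (Luhn-valid) and SSN match in the text, masked."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("PAN", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("SSN", mask(m.group().replace("-", "")), m.start()))
    return findings


def decide(post: str) -> Dict:
    """Block the post if anything matched. The returned record (what was found,
    where, and what was done) is the evidence to archive; the raw value never is."""
    findings = scan_text(post)
    return {"action": "block" if findings else "allow", "findings": findings}


# Constructed sample posts (hypothetical, not real customer data).
SAMPLE_POSTS = [
    "Thanks for the quick reply! My card is 4111 1111 1111 1111, exp 12/14, please charge it.",
    "Order ref 1234 5678 9012 3456 still hasn't shipped, any update?",
    "Can you verify my SSN 078-05-1120 and call me back on 650 631 6452?",
    "Great webinar on FINRA 10-06 today, slides at http://actiance.com",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        record = decide(post)
        print(record["action"], [(f.kind, f.masked, f.offset) for f in record["findings"]])
```

Run it directly to see the four decisions (block, allow, block, allow). In practice `decide` sits in front of the posting path (proxy or API gateway) and the returned record is archived together with the post ID and the user's corporate identity; that archived record is the "proving it" part. Regex plus Luhn is a coarse filter: it misses numbers split across messages or spelled out in words, so treat it as one layer alongside moderation and full logging rather than the whole control.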

More Info?

www.actiance.com

Visit the Actiance Collateral Library at http://actiance.com/products/collateral-library.aspx

Specific Questions?

Sarah Carter, VP Marketing, Actiance, Inc.
http://www.linkedin.com/in/sarahlouisecarter
Twitter: @SarahActiance
Email: [email protected]
650 631 6452 (desk)
415 806 9504 (cell)
+44 (0) 7970 729068 (UK mobile)

