Walking through downtown Palo Alto for lunch last week I noticed something a bit strange. Restaurants and cafes were strangely quiet. VCs, techies, and students were all focused on the big screens. Not watching a Cardinal game or talk show or The Price is Right. No, they were watching Janet Yellen, and parsing every word that could swing financial markets globally. Yes, hypersensitivity of financial information has returned. And yes, for the first time since the Great Recession, #FinServ was trending worldwide.
Now, within this hypersensitive climate, put yourself in the shoes of one tasked with protecting and delivering information within a global financial services firm. The volume of information you must manage with continues to grow at an unstoppable rate, and now you must also deal with an exploding number of tools that your advisors are using to collaborate, from Salesforce Chatter to Jive to all major social media platforms. You must keep apprised of a staggering number of regulatory mandates in all markets that you operate – as well as the sometimes severe consequences of missteps. And you must extend the life of current technology systems given pressure to remove costs, while also protecting sensitive information assets against an unprecedented level of cybersecurity threats.
All of which puts many firms in Information Management Chaos. Consider the following:
- According to IDC and other sources, financial services firms are experiencing 50% growth in email volume per year, largely attributed to current practices to keep everything past mandated retention periods.
- In the past 3 years there have been more than 10 new regulations pertaining to the storage and record keeping of electronic communications around the world. This includes new supervisory rules issued by FINRA, as well as other regulatory requirements issued by FFIEC, SEC, IIIROC and FINMA. Most recently, new guidance was issued in the UK by the Financial Control Authority to govern the use of social media.
- The SEC imposed a record $4.1B in fines within 755 cases in 2014, while FINRA reported an increase in fines of 125% in 2014 to $135M.
- FINRA and SEC concurrently issued cybersecurity reports indicating that 88% of broker-dealers and 74% of investment advisors have been the target of cyberattacks. Both regulatory bodies then announced an on-going cybersecurity audits to ensure cybersecurity protocols are current and actively managed.
- Financial services continue to be plagued with the highest percentage of non-authorized social media accounts of any vertical market. In fact, 55% of Facebook accounts and 25% of Twitter accounts within financial services firms are unauthorized – and can be carriers for security threats, inappropriate content, or other risks to the brand as explained in Proofpoint Nexgate State of Social Media Infrastructure report.
So, how can firms more effectively manage this state of chaos? For some, significantly ramping up regulatory tracking efforts and growing compliance staff are the first steps. Beyond these, firms should consider the following in order to regain control over information:
1) Adjust policies to reflect emerging communication channels: Acceptable use policies should be extended to reflect all authorized communication channels in use by the firm – in all markets that the firm participates in. Given the fluidity of regulatory guidance and quickly evolving nature of the tools, specific examples of acceptable and prohibited use of each channel should be provided.
2) Enable the capture and archive of social and collaborative content: Given the frequency of unauthorized access, firms should evaluate approaches to create visibility into tools currently in use, in order to quickly disable those users and tools that lack the proper credentials. For those that are sanctioned for communication with clients, firms should capture and archive content per applicable mandates from FINRA, SEC, FFIEC, and FCA.
3) Leverage existing supervisory tools and workflow: If possible, firms should seek to minimize disruption to current supervisory and processes by utilizing existing review processes and workflows. Extending current technologies can help to avoid compliance exposure created during lengthy and complex technology migration tasks.
4) Fully incorporate measurement of cybersecurity risk into compliance processes: As noted by both FINRA and SEC, creating and actively managing a cybersecurity program will be an area of increased focus in 2015. Ensuring that cybersecurity expertise is interwoven within risk management and compliance programs will help to improve alignment on a shared functional view of information risk.
5) Double down on compliance training: All processes and technologies will be limited in effectiveness without a corresponding up-leveling of information risk management training – for both users and compliance reviewers. Regulations, as well as capabilities of social communication channels, are fluid, so building a program that leverages best practices while incorporating shifts in regulatory focus is imperative
How Proofpoint Can Help
For more information on how Proofpoint can enable greater control over sensitive information for financial services firms, watch our latest on-demand webinar highlighting our recent enhancements in supervisory review, extended archiving support for Jive and other collaborative content, and integration with existing compliance tools.
Subscribe to the Proofpoint Blog