Archive Everything Forever, Part 2

In part one of this blog, we explored how clueless regulators levied an almost ridiculous standard of control on securities firms over 15 years ago in an effort to get ahead of the curve on the rapidly growing phenomenon of Internet communication. At the time, they told securities firms to “archive everything forever,” which of course no one then had any idea how to do. We also discussed how regulators had essentially been behind the curve on monitoring of electronic communications, and how this led to what could be perceived as an overcorrection as they tried to get a handle on communications by people involved in the securities industry.

No one really disputes that there is a legitimate government role in monitoring securities markets for inappropriate activity that could indicate an illegal breach of insider trading and other arcane securities laws. Problem is, with the multitude of communications channels now available to every employee and every relative of every employee of every securities firm, firms and regulators face a daunting task in monitoring of communications. When I started my employ at a Wall Street firm, one of the things I had to do was register all of the open securities accounts in my name. Six weeks later, I was called into the office of one of the compliance officers of the firm and asked to explain why I had omitted a particular account. Surprised by the existence of this account, I explained that apparently it was an account created by an overzealous commodities account rep hoping that I would become an active commodities trader. The balance in the account was $.62 in a gold fund. Despite the small amount of the account balance, it was a dead serious meeting with the compliance officer. Basically, he had grounds to fire me for misrepresenting my list of registered security accounts. Only when I offered a lame excuse that I did not know the account had been opened up on my behalf and that there was no activity in the account whatsoever other than the opening balance, was I let off the hook with a warning. At that firm, as is true with most securities firms, one may only have an account which resides at the firm and which is subject to the intense oversight of firm compliance officers who regularly check for activity in sensitive securities. For example, say I decide to buy 100 shares of Cisco. For an employee at the firm, a few days might elapse and then a call might come from the compliance department saying “you know that trade in Cisco last week? Well, that trade never happened.” This would be a sign that there was likely some transaction involving Cisco being managed by the firm for which any activity by a firm employee in Cisco could be viewed as suspect. No one grateful for their paycheck at a securities firm really argues about this kind of enforcement.

But what to do about texting and social networks?  Wouldn’t it be easy to post something on Twitter or Facebook which might give an indication to someone that a trade in such and such a security might well be worthwhile? Of course it would.  But monitoring these communications channels would be simply impossible in today’s environment.  How could a firm know for example that it had reviewed all of the communications by a particular employee in each of a dozen potential channels any of which could be misused for insider trading?

In part one of this blog, I suggested that now is the time for firms to identify when security more closely aligns with customer and product values and to move away from regulatory and risk-based justification for security investments. I don’t mean to suggest that regulations or risk are unimportant in making decisions about security controls.  However, for industries that have been operating programs of security controls for over two decades, arguably the limits of security benefit to be attained based on regulation and risk reduction have already been achieved.  Now, we’re in an era of cost and budget reductions which will be imposed with the understanding that underlying security will at minimum stay the same if not improve.  Only by identifying opportunities to create added value within products that customers will pay for by implementing innovative new security controls will firms be able to advance the practice of information security.

Of course, one approach to the social network problem is to have the firm merely prohibit employees (and possibly their relatives) from having or using social networking accounts. This seems draconian at best, and probably unenforceable. So let’s rethink the idea of appropriate control and oversight for use of social networking sites. Why not require that employees register their social networking accounts (Twitter, Facebook, LinkedIn, etc.), as well as any devices they use for texting, with the firm? The firm could then develop an app that acts as a “traffic cop” for employees’ use of these networks. Part of the understanding would be that the firm is able to perform surveillance on all traffic by these employees on said networks. The firm might then elect to archive messages, as well as other interactions with networking sites such as entries to profile pages, in a condensed form that could later be easily searched. Now a professional’s use of social networking as an indispensable appendage to day-to-day interaction with their business network becomes something the firm can exploit to its advantage. Almost all of the discussion about social networking in security circles has been on the negative side. How do you prevent it? What policies are needed to control it? Etc. This is security people reverting to form: the answer is “no.” When people figure out that the answer has to be “yes,” security people can take off the blinders and work with firm managers to identify innovative ways of getting to yes. Having a registered set of social networking accounts and texting vehicles, complete with all the necessary privacy disclaimers, might be one excellent way for securities firms and others to get on top of the social networking juggernaut. In this way, firms can turn security to their advantage. A complete archive of all social networking entries could easily be used to absolve valuable employees from suspicion when, in the absence of such archives, they might be suspected or accused of wrongdoing. Security people need to learn that the ability to exclude someone from suspicion after an incident may be just as valuable, if not more so, than the ability to match the evidence with the bad guy.
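As an added illustration of the registry-plus-archive idea above (example code written for this page, not anything the post’s author or any firm actually built), the following Python models the three pieces the paragraph describes: a registry of employee accounts and texting devices, an archive that accepts only traffic from registered accounts and stores each entry in a hash chain so later edits are detectable, and a search that can produce the kind of “exclusion” evidence the post has in mind, showing that a given employee posted nothing about a given security in a given window. The employee names, handles, timestamps and messages are constructed sample data; the `AccountRegistry`, `Archive` and `demo` names are this example’s own.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccountRegistry:
    """Employee -> registered (network, handle) pairs: the 'register your
    accounts and devices with the firm' step."""
    accounts: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)

    def register(self, employee: str, network: str, handle: str) -> None:
        self.accounts.setdefault(employee, set()).add((network, handle))

    def owner_of(self, network: str, handle: str) -> Optional[str]:
        for employee, pairs in self.accounts.items():
            if (network, handle) in pairs:
                return employee
        return None


@dataclass
class Entry:
    seq: int
    ts: str          # ISO-8601 UTC timestamp
    employee: str
    network: str
    handle: str
    kind: str        # "post", "profile_edit", "text_message", ...
    text: str        # condensed content kept for later search
    prev_hash: str   # digest of the previous entry (hash chain)
    digest: str = ""

    def compute_digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "digest"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class Archive:
    """The 'traffic cop': rejects unregistered accounts, chains every entry."""
    GENESIS = "0" * 64

    def __init__(self, registry: AccountRegistry) -> None:
        self.registry = registry
        self.entries: List[Entry] = []

    def record(self, ts: datetime, network: str, handle: str, kind: str, text: str) -> Entry:
        employee = self.registry.owner_of(network, handle)
        if employee is None:
            raise ValueError(f"unregistered account {network}:{handle}")
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        e = Entry(len(self.entries), ts.astimezone(timezone.utc).isoformat(),
                  employee, network, handle, kind, text, prev)
        e.digest = e.compute_digest()
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """True only if every entry's digest and back-link still match."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_digest() != e.digest:
                return False
            prev = e.digest
        return True

    def search(self, keyword: str, employee: Optional[str] = None,
               start: Optional[datetime] = None, end: Optional[datetime] = None) -> List[Entry]:
        kw = keyword.lower()
        hits = []
        for e in self.entries:
            t = datetime.fromisoformat(e.ts)
            if employee and e.employee != employee:
                continue
            if (start and t < start) or (end and t > end):
                continue
            if kw in e.text.lower():
                hits.append(e)
        return hits

    def exclusion_report(self, employee: str, keyword: str, start: datetime, end: datetime) -> dict:
        """Evidence that an employee did not mention `keyword` in the window."""
        in_window = [e for e in self.entries if e.employee == employee
                     and start <= datetime.fromisoformat(e.ts) <= end]
        return {"employee": employee, "keyword": keyword,
                "window": [start.isoformat(), end.isoformat()],
                "entries_in_window": len(in_window),
                "matching_entries": len(self.search(keyword, employee, start, end)),
                "archive_intact": self.verify()}


def build_sample_archive() -> Archive:
    """Constructed sample data; no real accounts or messages."""
    reg = AccountRegistry()
    reg.register("alice", "twitter", "@alice_example")
    reg.register("alice", "sms", "+1-555-0100")
    reg.register("bob", "linkedin", "bob-example")
    arc = Archive(reg)
    t0 = datetime(2011, 3, 1, 9, 0, tzinfo=timezone.utc)
    arc.record(t0, "twitter", "@alice_example", "post", "Great coffee this morning")
    arc.record(t0.replace(hour=10), "linkedin", "bob-example", "profile_edit", "Updated title to VP, Equities")
    arc.record(t0.replace(hour=14), "sms", "+1-555-0100", "text_message", "Heard CSCO might move next week")
    return arc


def demo() -> dict:
    """Clear bob for 'CSCO' on 1 March 2011, then show tampering is caught."""
    arc = build_sample_archive()
    start = datetime(2011, 3, 1, tzinfo=timezone.utc)
    end = datetime(2011, 3, 2, tzinfo=timezone.utc)
    report = arc.exclusion_report("bob", "CSCO", start, end)
    arc.entries[2].text = "edited after the fact"   # simulate an altered record
    report["intact_after_tamper"] = arc.verify()
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain is what makes the archive useful for absolving someone: a compliance officer can show not only that no matching entry exists for the employee, but that the record has not been altered since it was written. A production version would anchor the chain to signed, externally timestamped checkpoints and store the condensed entries in an indexed store rather than a list.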

Until firms can do something like this, it seems inevitable that we will have to relearn the same old lessons Gordon Gekko taught us back in the 80s.   With each new communications channel comes a risk of misuse in violation of securities laws.  Let’s get over that and move to a world where well-intentioned employees can use modern technology in a way that benefits themselves and the firm comfortable in the knowledge that a full record of their use will be around if they ever need it.
