By Michael Brice, Founder and President, BW Cyber
On September 27, 2022, the SEC issued a press release stating that it had issued 16 Wall Street firms with combined fines totaling more than $1.1bn. Yes, that’s correct: $1.1 billion dollars!
Basically, the SEC said that these firms were not properly maintaining and preserving electronic communications. In all, they fined 15 broker-dealers and one affiliated investment adviser for “widespread and longstanding failures by the firms and their employees.” Moreover, they included a parting warning, that stated, “As part of our examinations and enforcement work, we will continue to ensure compliance with these laws.”
Let me restate their warning: “…we will continue to ensure compliance with these laws.” I know what that means: it means they are putting everyone else on notice that in 6-12 months you had better be preserving your electronic communications!
So, before I explain how to prevent getting into the SEC’s ‘electronic communications preservation’ bullseye, let me now explain why the big fine. Basically, it was a combination of the following:
- The companies lacked explicit policies related to exactly what must be preserved.
- While the companies did have Acceptable Use policies to address communication methods that were acceptable, the actual use or “not accepted use” was not enforced.
- The companies’ IT departments either lacked explicit security policies to define technically what investor communications were included, or even worse, they had the policies but did not enforce the policies.
Ok, so what do you, as an SEC registrant, need to do? It’s actually pretty simple.
- Work with the CCO to determine exactly what forms of investor communications are acceptable and document them in your Acceptable Use Policy. Be very explicit and only allow what is allowed. For example, “we only allow Microsoft Outlook e-mail, Microsoft Teams Instant Messenger, Facebook Messenger, LinkedIn InMail, and WhatsApp.”
- Create a separate IT Acceptable Use Journaling Policy that mandates that the Acceptable Use ‘allowables’ (see above) are definitively journaled.
- Define within the IT Acceptable Use Journaling Policy the exact artifacts that will prove that the journaling has taken place as required (e.g., logs to show that backups took place as defined).
- Now, and most importantly – you must attest that the policy was followed. (BW Cyber recommends quarterly Security Policy attestations). Remember, ‘What you do not inspect, other people will not respect’.
- Lastly, we suggest you also identify technical capabilities to prevent users from breaking these rules. For example, if you do not allow Teams or Zoom Instant Messaging with investors, have your IT staff remove the ability to use those functions. Do the same with WhatsApp if you do not allow that either. Do searches periodically to ensure non-approved communication tools are not installed on company allowed devices (e.g., via your Mobile Device Management Policy for bring-your-own devices (BYOD), etc.)
Our last recommendation is to address what a user can and cannot do with their personal phones and tablets (e.g., the Bring Your Own Devices referred to as “BYOD policy”). While we are now seeing our larger clients trending back to providing company issued phones and tablets to lock down these communications, we realize that can be a very expensive solution. At this point, if budget is an issue (and it almost always is), when it comes to SMS texting, BW Cyber suggests that your policy allow your employees to use their BYOD devices to communicate administratively with investors for very simple activities like confirming meetings (I’ll be 10 mins late) and providing passwords to encrypted documents. Otherwise, make it very clear that the BYOD device is for voice communications only.
Was the SEC trying to make a point with the $1.1 Billion fine? Absolutely! As such: read the SEC’s press release again and focus on this line: “As part of our examinations and enforcement work, we will continue to ensure compliance with these laws.”
This is not over…
