Just a week after the SEC announced its decision to loosen restrictions on companies' use of Twitter and other social media, a hacker showed how risky a decision that could be.
When an Associated Press breaking news account announced to the world that the White House was under attack, the reaction from the market was instantaneous. The Dow declined 150 points, and several billion dollars of market value was wiped out in a few seconds. This was not a scenario that anyone saw coming, but it is now one that firms cannot choose to ignore.
Just as with the AP scenario, every Twitter and every Facebook account is potentially a target. Were any public company's Twitter account to be hacked and false news about earnings, acquisitions or sales released to the world, it would potentially have an instantaneous impact on the market. Unlike news of an attack on the White House, a false earnings report or proposed merger might not be so easy to disprove quickly.
As we move headlong into a world driven by instantaneous news cycles, firms should take a step back to evaluate the risk that this poses. One issue highlighted by recent events is the risk posed by the proliferation of accounts, Facebook, Twitter and so on, that purport to be, or in some way are, official firm accounts. Such proliferation multiplies the threat posed not just by external misuse, highlighted by the recent incident, but also internal or rogue misuse.
The following is a rule that can be observed in any organization that uses information technology to any extent: the number of user accounts in applications that are useful and easy to use will see exponential growth and rapid proliferation unless a concerted effort is made to exert control over the process. A common example is simply the process of creating folders on shared drives to house documents. Since they are free and easy to create, hundreds of folders containing data can be opened by every employee who authors or edits Word, Excel or PowerPoint files. Some of these may contain important, privileged information; the bulk, however, will not. How does a firm ensure it is able to identify the former and protect them from inappropriate dissemination? Alternatively, when a judge demands documents, how does a firm ensure it is able to locate and provide them? Attempts to exert central control generally come too late to be effective. A plan needs to be formulated upfront.
If banks need to worry about controlling the proliferation of internal accounts and unstructured data sources, how much more so for accounts on web applications that house and relay information to the public domain? Apps such as Twitter are free to use: no expensive licensing deals with named, authorized users are required. The risk is further increased now that Twitter, Facebook and the like have been sanctioned by the SEC and by management as a means of broadcasting market-sensitive information. One imagines that each line of business will soon want its own accounts to broadcast its progress to the outside world. One wonders how many Twitter accounts each major bank already has.
Now that the media has been reporting on how boring these corporate Twitter accounts can be, one can imagine that the shackles of corporate control may get loosened to make things more interesting. After all, what is the point of having a Twitter account if it has no followers?
To get followers, one needs to be interesting, even newsworthy. The natural tendency to try to gain an edge in the competitive brokerage, trading and investment world through passing on interesting information to clients and potential clients may become harder to police as accounts proliferate and become part of a normative sales and business development strategy. As well as monitoring the tweets and updates of those who are authorized to use Twitter, how does one monitor those who are not authorized to do so when there are many such accounts? More fundamentally, how does one ensure that all material information that is distributed by such channels is distributed broadly enough to satisfy Fair Disclosure Rules?
Firms need to get ahead of this issue by providing clear rules of the road to authorized users and by ensuring that uncontrolled proliferation does not happen. In addition, firms need to make sure they have adequate "code red" or "break the glass" procedures in place for when a false report is issued from a firm account.
As we saw with the AP report, the market reacts incredibly quickly, and though a firm may be held blameless for a hacked account, it may not be if it fails to alert the market in a timely way. The AP event was the canary in the coal mine, and it would be best for firms to heed the call.

Andrew Waxman writes on operational risk in capital markets and financial services. Andrew is a consultant in IBM's US financial risk services and compliance group. The views expressed here are his own. As an operational risk manager, Andrew has worked at some of the ...