Growing external e-mail threats and an evolving compliance and legal liability environment are forcing financial services firms to reevaluate their state of preparedness.
The financial services industry continues to lead the way in adoption and management of electronic communications. But, even with a tried-and-true technology such as e-mail, recent experience reveals that financial services companies have much to learn about the hazards and proper handling of the medium. In the case of instant messaging (IM) - which has been adopted so far on a very small scale for business reasons but which has permeated enterprise environments through popular interest - financial services organizations' grip on proper use is even more tenuous.
Business users of e-mail have long since adjusted the culturally significant peculiarities of the medium, including its tendency to foster informality and the temptation to send half-thought-out communications. Those responsible for the administration of e-mail also quickly developed an understanding of the security threats peculiar to it. But the vulnerabilities brought by e-mail have grown to an unanticipated degree and on unforeseen fronts.
Predictably, controlling security threats such as viruses and worms has been a continuing cat-and-mouse game between the good guys and the bad. But what wasn't so easy to foresee was the proliferation of spam as an infrastructure burden and productivity drain. Despite predictions by some of the technology industry's leading lights, not only is spam on the rise, but worldwide revenues for antispam solutions will experience a compound annual growth rate of 42 percent through 2008, leading to a jump from $300 million spent in 2003 to more than $1.7 billion in 2008, according to Framingham, Mass.-based researcher IDC.
It may also have been foreseeable that e-mail and other electronic communications would present novel document management challenges, but exactly what those challenges might be was not as easily divined, especially by a conservative industry. It's become clear enough from recent history that the regulatory and legal liability hazards of electronic communications - as well as the potential technical challenges - have not been sufficiently understood in financial services. Electronic communications now provide solid evidence in hostile work environments - where "he-said/she-said" disputes often prevailed in the past - as in other legal and regulatory actions, such as Eliot Spitzer's case against Marsh & McLennan, et al., in which damning conversations previously may have been limited to the telephone. Failure to provide such documents during regulatory or legal discovery can lead to - and have resulted in - fines in the millions of dollars.
Financial services executives are aware that their preparation for such eventualities is wanting and they're scared, according to Lisa Sotto, an attorney with New York-based law firm Hunton & Williams. "I have been inundated in the last two years with records management work by companies that know their issues but don't know how to create a sound, sensible records management program for their company," Sotto says.
Companies fall short in the consistent application of policy and use of effective technology for functions such as storage and retrieval of electronic communications, and in many cases fail to understand what must be retained, according to Sotto. For example, "People don't tend to think of IM as recorded information that they need to retain pursuant to record-keeping requirements and legal holds in the case of litigation," despite regulations to the contrary, she asserts.
More organizations are likely to get up to speed as a few unlucky ones get into trouble, but what they really need to do is become more proactive as the regulatory and legal environment evolves to potentially include even voice communication as subject to retention rules. "VoIP comes into your computer and is effectively recorded on a wave file; now it could live the same life as an e-mail," Sotto cautions. "People are not yet recording voicemails, but I don't know how you can argue against it; it is recorded information, subject to the same evidentiary, discovery and production requirements in litigation."
For e-mail and IM, as with traditional written correspondence, a comprehensive risk management strategy can go a long way toward mitigating dangers. Nancy Flynn, executive director of the ePolicy Institute, a Columbus, Ohio-based research and consulting firm focused on e-mail and IM, recommends a three-pronged approach: establish written policy, educate your workforce and enforce policies with a combination of disciplinary action and software technology.
"You need to work on the assumption that it's not a matter of 'if' you will be sued or investigated by a regulator but 'when,'" Flynn advises. With the right practices and technology in place, she continues, not only will you be able to comply with the demands of discovery, but "the e-mail or IM that is discovered will be less likely to contain messages that can be used as evidence against you." The technology component of the strategy should include software that filters and monitors content; has robust capability for archiving, including storage and retrieval of records; and purges non-business records, Flynn says.
The archiving component is central to achieving regulatory and legal compliance, but traditional technologies can leave financial services companies exposed in today's more-demanding compliance environment, according to Mike Gundling, senior vice president of product management at electronic communications solution vendor iLumin (Reston, Va.). "Many use e-mail archive products that were built for mail storage management and are ill-suited for compliance needs," Gundling claims. "Typically the products are scheduled to run on evenings and weekends to free up storage on the mail servers. When messages are deleted between scheduled processing, they are lost forever."
Some firms are out of compliance and place themselves at risk of litigation because they store their archives on tape - a practice at odds with SEC 17a-4, which states that messages must be kept for three years, and for the first two years in an "easily accessible place," Gundling adds. "Firms that are asked to search and produce messages from tape are often using backup systems that have no tools for discovery," he says.
Gundling recalls a real-life example in which a company spent an additional 200 man hours per day on remedial efforts in order to provide requested e-mail records to outside counsel, resulting in millions of dollars in costs. "With an effective e-mail archive solution, the entire cost is avoided and a successful investigation and litigation outcome is more likely," Gundling argues.
Chu Abad, vice president, IT, Seattle Northwest Securities Corp. (SNW; Seattle; $731 million in assets), deployed iLumin's Assentor archiving solution in 1999, soon after his arrival at the firm. The solution collects all internal, inbound and outbound e-mail, indexes the content, manages internally set retention periods and monitors for potential violations. Abad originally selected the product both on the strength of its functionality and a recommendation from the SEC and NASD. "At the time, iLumin was one of the vendors that did monitoring and capturing," he recalls. However, SNW reaffirmed its commitment to the product after an evaluation based primarily on functionality.
In July 2004, SNW integrated Assentor with Permabit's (Cambridge, Mass.) Permeon storage and retrieval component. The addition was dictated by a two-fold increase in storage demands resulting from regulatory document retention requirements, according to Abad. "Previous optical disk solutions were no longer cost-effective, so we had to seek an alternative that would be economical in terms of both costs and man hours," he relates.
This year SNW plans to add iLumin's Assentor Discovery product to facilitate high-volume searching of its archives. Discovery integrates well with both the base Assentor product and Microsoft Exchange. "When you get subpoenaed for documents, etc., it makes it much easier to create search criteria and parameters for generating results," Abad says. "It's a lot easier than doing [discovery] manually."
Abad reports that the solution has cost SNW less than $80,000, but he says that ROI is hard to measure. "ROI is not necessarily a monetary number, but rather the fact of being compliant with regulations," he says. "I do not want to think about the total value in fines that we could have faced had we not implemented Assentor."
Similar anxieties, along with productivity concerns, prompted an upgrading of protection against incoming e-mail threats at Oklahoma City-based American Fidelity Assurance Co. ($3.7 billion in assets), a provider of life, cancer, disability insurance, long-term care, hospitalization, tax-deferred annuities and flexible spending programs. The carrier formerly relied on a freeware antispam solution that was being overwhelmed by increasing e-mail volume. According to American Fidelity's chief security officer, Steve Dunkle, the insurer's IT department was "spending a tremendous amount of time trying to tune the solution to keep up with the increasing influx of spam." Consequently, it ran into the dilemma of "spend more time or just not keep up," he says. Given the department's other priorities, the result was to "not keep up," Dunkle recalls.
In May 2004, American Fidelity replaced the freeware solution with Tumbleweed's (Redwood City, Calif.) Email Firewall, along with the vendor's Dynamic Anti-spam Services (DAS) to filter and secure e-mail traffic. Among the most striking results of the implementation is that, while the former solution identified and quarantined about 18 percent of incoming e-mail as spam, the Tumbleweed solution captures more than 60 percent, with a minimum of false positives, according to Dunkle. It also blocks 99.99 percent of e-mail-borne viruses and provides the insurer with granularity of control, including filtering multimedia and graphic file attachments, according to a Tumbleweed source.
Take a Load Off
Dunkle says Tumbleweed not only protects American Fidelity from hostile work environment-type threats and other liability risks associated with spam, but it also addresses the considerable infrastructure burden of spam. Circulation of spam was, Dunkle explains, "increasing the load on the network and storage space, not to mention productivity on the employees' part."
Tumbleweed's DAS also frees-up IT human resources from antispam filtering duties. "We didn't have the resources in-house to keep up with spam and virus protection, so essentially what we've done is allowed Tumbleweed to maintain that for us," Dunkle says. "The individuals that were maintaining the system are now free to work on projects we need them to be working on."
Employee productivity is the chief reason for adoption of IM within financial services companies, and indeed the industry tops the list of business investment in the technology, accounting for 44 percent of IM revenues, according to technology market research firm The Radicati Group (Palo Alto, Calif.). Business uses include customer service chat, financial adviser-to-client communication and inquiry-and-response between securities traders. Nevertheless, according to Sara Radicati, president and CEO of The Radicati Group, "We find in most companies, IM is still prohibited and still used informally."
SNW's Abad says that while the firm has tolerated IM use for non-business purposes, it currently is rethinking the policy. Having seen the technology's potential for spreading viruses, Abad relates, "We're on the fence right now as to whether to continue allowing IM or totally taking it out."
Abad says a technology with the potential of IM cannot be resisted, but its adoption nevertheless must be conditioned by business justification. "If we decided we needed [IM] for business, then we would bring it in. But we would have to monitor, capture and log all conversations, and that would mean another investment of $20,000 to $40,000." While not prohibitive, that is enough of an expense to disqualify what is, for the time being, merely a "nice-to-have" technology. The question now, says Abad, is, "Is it more cost-effective to just kill it off? The answer is, 'Probably.'"
While its informal nature appears likely to doom IM at SNW - if only temporarily - it's also likely to suggest the utility of IM for the enterprise as employees, familiar with the technology from private experience, proselytize in favor of the convenience of IM for interoffice communication. Such starting points can familiarize companies with the management of IM, as well as its potential further benefits, within the context of a company-regulated deployment.
An example of this type of "domesticated" IM deployment is in place at Brotherhood Mutual (Fort Wayne, Ind.; $126 million in premium), a provider of P&C insurance to churches. Brotherhood Mutual is using the IBM (Armonk, N.Y.) Lotus Sametime platform to connect about 20 individuals within its IT department. "IM is wonderful for being able to see rapidly who is available, even when you're not running a thread of conversation but just checking to see if you can get someone on the phone," says Daryl Pannabecker, vice president, IS. The department uses the technology internally as well as with a select group of external IT developers. IM, Pannabecker explains, "has been a way of making that group feel more like part of a cohesive unit."
The deployment is being run essentially as a pilot to pave the way for other uses, should a business need arise. Brotherhood Mutual currently prohibits use of Internet-based IM and uses Belarc (Maynard, Mass.) software to monitor its network for illicit deployment. Brotherhood Mutual currently does not archive IM records, given its limited use of the technology.
While Pannabecker won't speculate as to possible future uses of IM at Brotherhood Mutual, he points to the technology's industry potential for uses such as customer service chat or the management of increasing numbers of remote employees. "IM gives you some of the feel of being more local, and in the case of [IBM's] Sametime, the pieces you get with it, such as desktop sharing and whiteboarding, further increase that local feel," he says.
While many companies may be better advised to prohibit IM for the time being, successful trial of the technology can keep a company in a "sweet-spot" of avoiding needless liability while being able to pull the trigger when failure to have IM might become a competitive disadvantage. Of Brotherhood Mutual's deployment, Pannabecker says, "The fact that we have it installed, ready and in use in certain areas - the capability is definitely there to go full scale with it at whatever point we would see necessary."
Employee interest in the technology also resulted in the implementation of an internal IM application at Golf Savings Bank (Mountlake Terrace, Wash.; $270 million in assets), which operates eight branch offices throughout Washington. Despite a company policy forbidding the use of IM, employees were installing AOL IM and Microsoft's MSN Messenger, according to Jane Fortier, Golf's vice president of IT. While the bank took a tough stance on external communications, it also took seriously employee demand for IM.
"The biggest part of our business is mortgage lending, and you'd have groups of people working in different parts of the building trying to put loans together and wanting to quickly ask, 'Hey, where is the appraisal on this loan?' and the person concerned would be on the phone and out of reach," Fortier explains. "We decided we'd take the other programs away from them but try to make them happy because they had a valid request."
Fortier conducted her own research and testing and found that San Diego-based WiredRed's e/pop solution met her requirements for scalability, speed, performance and security. Golf began a trial at a single branch in March 2003 and rolled out the solution enterprisewide the following June with very little modification. "We thought people would object to one thing or another, but e/pop was welcomed in almost 'out-of-the-box' condition," Fortier comments. The application is used on Golf's Windows 2000 servers and desktops, which are connected across the bank's branches, LAN to WAN, via frame relay.
Training on the application was minimal since many people were familiar with IM already. Integrating the bank's active directory made networking use easy, pre-providing potential connections across the enterprise, as did the creation of groups of frequent collaborators. The application indicates the status of users by color - red indicating someone who has not logged on, amber equating to "do not disturb" and green signifying receptivity to messaging. "Many people enjoy that feature just to see who is potentially available, especially on weekends," Fortier relates.
Golf does not shy away from worthwhile investments, Fortier relates, so the firm didn't blink at the implementation costs of e/pop. The bank incurred an initial cost of $6,300 for 160 seats, a figure that included "a nice purchase discount," she notes. Golf also pays annual maintenance for what Fortier characterizes as "really good" service. "We've had few issues, and when we've had them, we get an answer right away," she says.
Golf also has added WiredRed's audit and reporting capability as a proactive measure to supplement written policies governing electronic communications usage. "We already had something in place for e-mail, so when we decided to add another medium for conversation, even though at that time our regulatory agency [the FDIC] wasn't necessarily requiring it, we knew it was just a matter of time before we would need to archive messages and be able to audit and search for certain words or threads," Fortier explains. The bank currently saves all IM records indefinitely via off-site storage.
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ... View Full Bio