Growing external e-mail threats and an evolving compliance and legal liability environment are forcing financial services firms to reevaluate their state of preparedness.
The financial services industry continues to lead the way in adoption and management of electronic communications. But, even with a tried-and-true technology such as e-mail, recent experience reveals that financial services companies have much to learn about the hazards and proper handling of the medium. In the case of instant messaging (IM) - which has been adopted so far on a very small scale for business reasons but which has permeated enterprise environments through popular interest - financial services organizations' grip on proper use is even more tenuous.
Business users of e-mail have long since adjusted the culturally significant peculiarities of the medium, including its tendency to foster informality and the temptation to send half-thought-out communications. Those responsible for the administration of e-mail also quickly developed an understanding of the security threats peculiar to it. But the vulnerabilities brought by e-mail have grown to an unanticipated degree and on unforeseen fronts.
Predictably, controlling security threats such as viruses and worms has been a continuing cat-and-mouse game between the good guys and the bad. But what wasn't so easy to foresee was the proliferation of spam as an infrastructure burden and productivity drain. Despite predictions by some of the technology industry's leading lights, not only is spam on the rise, but worldwide revenues for antispam solutions will experience a compound annual growth rate of 42 percent through 2008, leading to a jump from $300 million spent in 2003 to more than $1.7 billion in 2008, according to Framingham, Mass.-based researcher IDC.
It may also have been foreseeable that e-mail and other electronic communications would present novel document management challenges, but exactly what those challenges might be was not as easily divined, especially by a conservative industry. It's become clear enough from recent history that the regulatory and legal liability hazards of electronic communications - as well as the potential technical challenges - have not been sufficiently understood in financial services. Electronic communications now provide solid evidence in hostile work environments - where "he-said/she-said" disputes often prevailed in the past - as in other legal and regulatory actions, such as Eliot Spitzer's case against Marsh & McLennan, et al., in which damning conversations previously may have been limited to the telephone. Failure to provide such documents during regulatory or legal discovery can lead to - and have resulted in - fines in the millions of dollars.
Financial services executives are aware that their preparation for such eventualities is wanting and they're scared, according to Lisa Sotto, an attorney with New York-based law firm Hunton & Williams. "I have been inundated in the last two years with records management work by companies that know their issues but don't know how to create a sound, sensible records management program for their company," Sotto says.
Companies fall short in the consistent application of policy and use of effective technology for functions such as storage and retrieval of electronic communications, and in many cases fail to understand what must be retained, according to Sotto. For example, "People don't tend to think of IM as recorded information that they need to retain pursuant to record-keeping requirements and legal holds in the case of litigation," despite regulations to the contrary, she asserts.
More organizations are likely to get up to speed as a few unlucky ones get into trouble, but what they really need to do is become more proactive as the regulatory and legal environment evolves to potentially include even voice communication as subject to retention rules. "VoIP comes into your computer and is effectively recorded on a wave file; now it could live the same life as an e-mail," Sotto cautions. "People are not yet recording voicemails, but I don't know how you can argue against it; it is recorded information, subject to the same evidentiary, discovery and production requirements in litigation."