How to ensure security and compliance when using tools such as Zoom, MS Teams?

Communication tools have saved the day for businesses after the Covid-19-induced lockdown. Therefore, organisations must fully understand the regulatory guidance on security and privacy so they can continue to implement and expand their use of tools such as Zoom and MS Teams.

The onset of the pandemic has taught all sectors the importance of digitalisation. With remote working becoming a norm, there is an ever-increasing number of communication tools such as Microsoft Teams, Zoom, Cisco Webex, RingCentral and Slack used by companies for internal as well as external communication.

According to a recent Conference Board survey, 88% of companies are now willing to hire remote workers, compared with a pre-pandemic rate of 52%, signalling a meaningful change in the modern office environment. The increase in remote work and reliance on collaboration tools for every aspect of day-to-day business has led to increased scrutiny of their privacy and security. On one hand, the plethora of communication options enabled by technology and AI-enabled solutions is poised to become the solution to most challenges. Yet, on the other hand, technology has exacerbated the challenges of remaining compliant.

In the words of Stacey English, director of market intelligence at security and compliance provider Theta Lake, “It doesn’t matter whether workforces are hybrid, fully remote or in the office, what’s really important from a regulators and regulations point of view, is that the requirements for controls stay the same, as do the obligations around supervision and retention.”

It’s no secret that the variety of communication channels used by companies poses a formidable challenge with respect to compliance. The enormous volumes and unique nature of chat features present complex security and compliance roadblocks. The pandemic’s overnight shift to remote work, now beyond the watchful eye of compliance officers on the floor, has opened Pandora’s box. Communications compliance goes beyond officers looking over office memos and emails and must now accommodate media-rich collaboration forms.

English added that the nature of the communication channels has made them much harder to supervise as, for example, “a chat message might have all sorts of files and images attached to it, and your reaction, such as a like, can change the context of the meaning of that conversation.” It’s hardly uncommon for employees to share the wrong screen with sensitive or confidential financial data open during online meetings or send the wrong attachment/file. In another event, an employee might physically show a document that’s hugely market sensitive during a video call, but it wouldn’t traditionally get picked up by compliance tools and teams if the employee didn’t speak about it. “It’s never been so easy for anyone to take a screenshot or recording and share it further. That’s why it’s really important to be alert,” English said. Apart from human errors, there could be a deliberate breach caused by a disgruntled employee who wants to share the company’s information or use it to engage in collusive behaviour. It was communications in chat rooms that enabled the sharing of commercially sensitive information to go undetected for several years.

While getting to grips with the risks of communication tools is one thing, businesses must use them in a regulated environment. As a starting point, a normal requirement across financial services is that businesses must be able to archive, capture and make records e-discoverable.

Record keeping and supervision are fundamental in the event of a company facing an investigation from a regulator where it might be asked to reproduce specific records. If it is unable to do so, the company may find itself in legal hot water, with fines in the millions. English said, “It’s actually very complex to capture and retain chat messages – especially as firms have to go back and try and reconstruct the conversation to see what actually happened.”

Regulatory risks with chat and visual data

With the slew of communication channels today, the risk of data loss, employee misconduct, inappropriate messaging and potential phishing attacks has escalated. As a result, government organisations, watchdogs and compliance teams must be able to identify problematic information about a specific individual, topic or risk whether that’s through companies’ shared screens, whiteboards or visual and written chat conversations.

While FinTechs are increasingly using technology to supervise the communications and activities of employees to ensure compliance with regulatory requirements, they must be able to detect issues such as market abuse or data leakage quickly. English said that a key control for meeting regulatory obligations including MiFID II, CFTC, FINRA, SEC 17a-4, IIROC and GDPR is capturing records or communications but that companies must consider the dynamic nature of modern communications. This includes the challenges of interpreting contextual data in chat like emojis, gifs and reactions, the risk of attaching confidential files or accidentally sharing the wrong screen with sensitive data.

With regulators laser-focused on firms’ conduct and culture, it’s more important now than ever for firms to be able to detect and mitigate the risks of misconduct. Clearly, watchdogs expect rigorous controls around communications even when staff work at home. The FCA has reminded firms of the need to continue to comply with recording obligations in SYSC 10A which remain the same whether staff work remotely or in the office.

In April this year, the European Commission fined several banks including Bank of America Merrill Lynch, Crédit Agricole, and Credit Suisse nearly half a billion dollars for trading cartels. This is a stark reminder of the challenges facing firms – irrespective of their size – when it comes to monitoring chat and instant messages to detect misconduct.

Indeed, communications and other data must progress through a standard cycle of capture, analysis, oversight and archiving, English said. This is where Theta Lake comes in.

Diving into Theta Lake’s AI model

With the developments in technology, AI and ML techniques, firms can more efficiently unlock the business value of collaboration platforms. By using Theta Lake’s tools, firms can maximise the productivity benefits of using chat in modern platforms while complying with critical regulatory requirements.

For starters, Theta Lake’s security and compliance platform facilitates the identification of regulatory, privacy, and security risks that might arise during business use. It can detect if there’s something risky on screen which might not be identified in a transcript of a meeting. Alongside ingesting all that content, it also indexes and archives it for a situation when a firm needs to search it. For instance, English said, “You may have a data privacy request asking you to delete information. Unless you have it all indexed, it can become a laborious task.”

With Theta Lake, compliance teams can investigate risky video, audio or chat content, after it has been pinpointed by its tool, instead of sitting through hours of content and data. Risky data is removed across all platforms to protect confidential or sensitive information from being accessed more widely. English said, “It’s about making it easy to supervise, easy to review, easy to find.”

Apart from focusing on capturing problematic data, English advised companies and employees to be cognizant of their words, files, links and documents. She said, “Never assume that data is not being recorded because you don’t know if I have a camera in my background that’s recording this or if my phone is audio recording.”

Compliance teams got their eyes on you

Tellingly, communication tools have become a necessity since the pandemic and will remain so as more companies resort to permanent remote work. As applications such as Microsoft Teams and Zoom have catapulted into people’s living rooms, firms such as Theta Lake have become increasingly relevant. As English said, “We were developing solutions for collaboration tools long before the pandemic. Our founders had the foresight to know that’s where the world was headed, but they never imagined that they would be adopted so quickly.”

English concluded, “The key thing to think about is whatever solution you’re using, is it capturing everything? Will you pick up risks or breaches if they are not written down and they’ve actually just been shown?”


Copyright © 2018 RegTech Analyst
