
IM: Plenty of Benefits, But Risks Too

By Marie Flores
March 01, 2004

Like many other businesses, the financial sector has embraced e-commerce as a way of expanding. Today, online banking is fairly common. Many financial institutions offer a variety of products and services for commercial and retail customers.

And the finance market is mirroring wider use of all things “e” by taking e-business a step farther with the use of instant messaging (IM) to provide faster customer-inquiry responses. But although IM use often allows them to provide better customer service, it also exposes institutions to a variety of potential risks.

What is IM and How Does it Work?

Instant messaging emerged in the late 1990s from increased use of and dependence on the Internet for general and commercial communication and transactions. IM is client software that allows person-to-person interactive communication in real time, provided that users have the same software. The client software lets a user maintain a list of contacts with whom he or she would like to communicate. Users can send messages to any contact on their list. Users can also block a particular contact, or even all unknown individuals, from sending an instant message.

IM seems like the solution for many business issues that companies face today. Unfortunately, IM technology has quite a few vulnerabilities, and these weaknesses create security threats that present various types of potential liability.

Issues Financial Institutions Face by Using IM

Security Risk

Due to IM's inherent vulnerabilities, financial institutions that use instant messaging may expose themselves to a variety of security risks such as:

  • Malicious code such as viruses, worms or Trojan horses. E-mail provides mass communication in large corporations. To keep spam and viruses out of corporate networks, companies diligently filter all e-mail passing through their network, and antivirus software catches viruses in the corporate e-mail system. Files sent via IM do not pass through the corporate e-mail system, so the e-mail antivirus scanner never sees them. Because of IM's file-transfer capabilities, viruses can easily be transmitted from one machine to another.
  • Account hijacking and impersonation. IM announces information about the user and the user's machine, including, but not limited to, its IP address. This makes the user susceptible to cybercriminals and increases the chance of identity theft.
  • Lack of encryption. IM sessions are like an open book to the online community. Encrypted IM solutions are available, but they are more expensive than unencrypted IM, which is generally free.
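The first bullet above describes a gap, not a fix: IM file transfers skip the e-mail antivirus gateway. The following Python example, added here and not part of the original article, shows the shape of an IM file-transfer inspection point that closes that gap. It checks every transfer for disallowed file types (including double extensions), a known-bad hash list, and a content scan, and writes an audit record for each decision. The extension list, the hash list, the "signature" that stands in for an antivirus engine, and all sample transfers are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed list of file types the IM gateway refuses outright (not a complete policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".com"}

# Constructed marker standing in for an antivirus engine's detection logic.
CONSTRUCTED_SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-bad hash set standing in for a blocklist feed.
KNOWN_BAD_SHA256 = {sha256_hex(b"constructed known-bad sample")}


@dataclass(frozen=True)
class FileTransfer:
    sender: str
    recipient: str
    filename: str
    content: bytes


def blocked_suffixes(filename: str) -> list:
    """Return every suffix on the block list, so 'statement.pdf.exe' is caught
    by its trailing .exe even though it also carries a .pdf suffix."""
    return [s for s in PurePosixPath(filename.lower()).suffixes if s in BLOCKED_EXTENSIONS]


def scan_content(content: bytes) -> bool:
    """Stand-in for the antivirus engine; True means a detection."""
    return CONSTRUCTED_SIGNATURE in content


def inspect_transfer(t: FileTransfer) -> tuple:
    """Return ("allow", "") or ("block", reason). Because every IM transfer
    crosses this point, the e-mail gateway's blind spot no longer applies."""
    bad = blocked_suffixes(t.filename)
    if bad:
        return "block", f"disallowed file type {bad}"
    digest = sha256_hex(t.content)
    if digest in KNOWN_BAD_SHA256:
        return "block", f"known-bad hash {digest[:12]}"
    if scan_content(t.content):
        return "block", "antivirus detection"
    return "allow", ""


def process_queue(transfers: list) -> list:
    """Inspect a batch and return the audit records a security team would review."""
    records = []
    for t in transfers:
        verdict, reason = inspect_transfer(t)
        records.append({"sender": t.sender, "recipient": t.recipient,
                        "filename": t.filename, "sha256": sha256_hex(t.content),
                        "verdict": verdict, "reason": reason})
    return records


# Constructed sample transfers: one clean PDF, one double-extension executable,
# one file matching the known-bad hash, one file carrying the constructed marker.
SAMPLE_TRANSFERS = [
    FileTransfer("alice@example-bank.test", "client@example.test",
                 "rate-sheet.pdf", b"%PDF-1.4 constructed pdf body"),
    FileTransfer("unknown@example.test", "bob@example-bank.test",
                 "statement.pdf.exe", b"MZ constructed"),
    FileTransfer("unknown@example.test", "bob@example-bank.test",
                 "notes.txt", b"constructed known-bad sample"),
    FileTransfer("unknown@example.test", "bob@example-bank.test",
                 "invoice.doc", b"hello " + CONSTRUCTED_SIGNATURE),
]

if __name__ == "__main__":
    for r in process_queue(SAMPLE_TRANSFERS):
        print(r["verdict"], r["filename"], r["reason"])
```

In a real deployment `scan_content` would hand the bytes to the institution's antivirus engine and `KNOWN_BAD_SHA256` would be fed from its threat-intelligence source; the point of the structure is that the audit record exists for every transfer, allowed or blocked.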

Violation of Privacy Legislation

Privacy legislation continues to affect the day-to-day business operations of all financial institutions. Most privacy legislation requires financial institutions to document and implement security controls as well as policies and procedures to protect personal, identifiable customer information. Many laws also require proper record retention of certain information or transactions. Insecure IM sessions, or failure to log, archive and monitor IM sessions, will result in compliance violations, which can expose institutions to various governmental actions such as fines, criminal prosecution or lawsuits. IM use can be costly when businesses have such stringent requirements to satisfy.

Examples of privacy legislation that affects financial institutions include:

  • The Gramm-Leach-Bliley Act (GLBA). GLBA requires financial-services organizations to provide adequate security for systems that handle customer data. Security guidelines require creation and documentation of detailed data-security programs that address physical and logical access to data, risk-assessment and mitigation programs, and employee training in new security controls. Third-party contractors also must comply with GLBA regulations.
  • Health Insurance Portability and Accountability Act (HIPAA). Health-care providers, health plans and health-data clearing houses are responsible for the security of client health information. Customer medical data are subject to distribution and usage controls. Controls must also be established to protect customer data privacy.

Records Management

Financial institutions are subject to various legislation that requires them to keep specific logs of transactions and documents. If a corporation has a specific logging requirement, then it is important that the IM system being implemented fulfills those requirements. Record administration and retention can be particularly challenging when IM is involved. For instance, because some sessions could become lengthy, storage can be expensive. Also, some records may not need to be kept, and some may require longer retention than others. It is therefore important that the records policy include guidelines specifying which records should be maintained, and for how long.

Proper records-management policies and procedures not only ensure compliance with various legislative requirements, but also help reduce the cost of discovery if a lawsuit is filed. Many corporations are aware that e-mail is discoverable and, because of that, e-mail retention policies and procedures are important. Often, other forms of electronic communication are overlooked in records-retention policies. “Electronic evidence may also reside in records of instant message sessions, chat rooms, unified message systems that combine email records with voice mail tapes, digital TV recorders, MP3 player and global positioning system satellite records that track vehicle locations.” See Lesley Friedman Rosenthal, “Electronic Discovery Can Unearth Treasure Trove of Information or Potential Land Mines,” 75 New York State Bar Association Journal 32, 34 n.7 (2003).

Corporate customers need a digital records-management policy that governs deletion and retention of e-mail and other electronic communications. Technology should be purchased that automates deletion and retention, thus automating enforcement of the company's retention policy as much as possible. In addition, archiving technology should index messages for easy retrieval. If IM is used as part of daily operations, and IM records are poorly indexed, a discovery request could result in enormous cost.

Examples of legislation and regulating or other entities that require financial institutions to keep specific record-administration and retention policies are:

  • Sarbanes-Oxley;
  • USA Patriot Act;
  • Rules mandated by the New York Stock Exchange (NYSE);
  • The National Association of Securities Dealers (NASD); and
  • The Securities and Exchange Commission (SEC).

It is particularly critical for broker-dealers to seek legal advice on the necessary requirements for complying with electronic record retention and supervisory procedures mandated by the NYSE, NASD and SEC, because these rules can be confusing. Recently, NASD addressed the use of instant messaging directly, announcing that NASD members must retain IM records for at least 3 years. “Firms have to remember that regardless of the informality of instant messaging, it is still subject to the same requirements as e-mail communication and members must ensure that their use of instant messaging is consistent with their basic supervisory and record-keeping obligations,” Network World quoted Mary Schapiro, NASD vice chairman and president of regulatory policy and oversight, in an article last year.
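The records-management discussion above calls for three things the archiving technology must do: keep each record for a defined period (at least three years for NASD members' IM records), delete only what the policy permits, and index messages so a discovery request can be answered cheaply. The following Python example, added here and not part of the original article, is a small IM archive that does all three. The broker-dealer retention period follows the three-year minimum the article attributes to NASD; the other record classes, their periods, and all sample sessions are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per record class. "broker_dealer" reflects the three-year
# minimum the article cites; the other two classes are constructed examples.
RETENTION_DAYS = {
    "broker_dealer": 3 * 365,
    "customer_service": 2 * 365,   # constructed
    "internal_chat": 90,           # constructed
}


@dataclass
class ImSession:
    session_id: str
    participants: tuple
    started_at: datetime
    record_class: str
    messages: list
    legal_hold: bool = False       # a hold overrides the retention clock

    @property
    def expires_at(self) -> datetime:
        return self.started_at + timedelta(days=RETENTION_DAYS[self.record_class])


class ImArchive:
    """Stores sessions with a retention class and keeps an inverted index
    (participant or word -> session ids) so discovery searches are cheap."""

    def __init__(self):
        self._sessions = {}
        self._index = {}

    @staticmethod
    def _tokens(session: ImSession) -> set:
        tokens = {p.lower() for p in session.participants}
        for m in session.messages:
            tokens.update(re.findall(r"[a-z0-9@.]+", m.lower()))
        return tokens

    def archive(self, session: ImSession) -> None:
        if session.record_class not in RETENTION_DAYS:
            raise ValueError(f"no retention rule for class {session.record_class!r}")
        self._sessions[session.session_id] = session
        for token in self._tokens(session):
            self._index.setdefault(token, set()).add(session.session_id)

    def search(self, *terms: str) -> list:
        """AND-search over participants and message text; returns sorted ids."""
        hits = None
        for term in terms:
            ids = self._index.get(term.lower(), set())
            hits = ids if hits is None else hits & ids
        return sorted(hits or [])

    def purge_expired(self, now: datetime) -> list:
        """Delete sessions whose retention has run out, unless on legal hold."""
        removed = []
        for sid, s in list(self._sessions.items()):
            if s.legal_hold or now < s.expires_at:
                continue
            del self._sessions[sid]
            for token in self._tokens(s):
                bucket = self._index.get(token, set())
                bucket.discard(sid)
                if not bucket:
                    self._index.pop(token, None)
            removed.append(sid)
        return sorted(removed)

    def __len__(self) -> int:
        return len(self._sessions)


def build_sample_archive() -> ImArchive:
    """Constructed sessions, all started on the article's publication date."""
    a = ImArchive()
    t0 = datetime(2004, 3, 1, tzinfo=timezone.utc)
    a.archive(ImSession("s1", ("broker1@example-bank.test", "client@example.test"), t0,
                        "broker_dealer", ["Please buy 100 shares of ACME at market", "Order confirmed"]))
    a.archive(ImSession("s2", ("agent@example-bank.test", "customer@example.test"), t0,
                        "customer_service", ["What is the balance on my checking account?"]))
    a.archive(ImSession("s3", ("alice@example-bank.test", "bob@example-bank.test"), t0,
                        "internal_chat", ["lunch at noon?"]))
    a.archive(ImSession("s4", ("alice@example-bank.test", "carol@example-bank.test"), t0,
                        "internal_chat", ["about the ACME order"], legal_hold=True))
    return a


if __name__ == "__main__":
    archive = build_sample_archive()
    print("ACME sessions:", archive.search("acme"))
    print("purged after 90 days:", archive.purge_expired(datetime(2004, 6, 1, tzinfo=timezone.utc)))
```

Two design points matter for compliance: deletion is driven only by the record class and the clock, never by an operator's choice per session, and a legal hold stops the clock so that a pending matter cannot be purged by routine housekeeping.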

All of the legislation referenced in this article is regularly enforced, and regulators audit those organizations that handle financial or medical data. Failure to comply with such legislative requirements can lead to fines, prosecution, or both. Also, institutions that fail to comply with the standards mentioned here leave themselves vulnerable to class action lawsuits from clients and third parties. These lawsuits result not only in direct financial losses, but can also lead to ruined reputation and loss of consumer trust, which is especially harmful for a company providing online financial products or services.

Suggested Actions to Help Manage Potential IM Risk

Security Measures

The first line of defense in managing risk associated with IM is to implement appropriate security policies and controls. Developing appropriate security controls begins with understanding the limitations of IM and taking the time for proper security planning prior to using any form of instant messaging. Security is vital in any type of transaction occurring over IM. Financial executives and the rest of the institution's staff should understand and document the level of security needed for the type of transactions that will be conducted using IM.

Security policies must be well defined, documented and enforced to be effective. Proper user education is essential for security policies to achieve the desired result. Policies and controls are worthless if the individuals using IM technology do not understand or are not aware of the importance of complying with such policies.

Proper access controls are essential for securing any network. Companies of all sizes should establish proper access controls for all employees who will be using IM technology. The procedures should address the following:

  • Level of access. It is important to identify which employees should have IM access. Access, for instance, could be limited to employees in certain departments, such as customer service or sales, in an effort to reduce undue risk.
  • Access authorization. Upper management should approve access granted to select employees. The flow of authorization should be documented and maintained regularly.

Intrusion detection is critical to ensure a secure environment, and systems personnel should ensure that antivirus protection is in place and functioning. Financial institutions should also conduct regular internal testing of antivirus software. In addition, an outside auditor should conduct periodic testing. McAfee's Virus Scan and Norton AntiVirus 2004 are two products that are widely used to address virus concerns related to instant messaging. As with any software purchase, antivirus software should be carefully evaluated by the institution's information-technology department to ensure that the software purchased appropriately addresses security concerns pertaining to anticipated use and the IT infrastructure in place. The system's firewall should be tightened by using various levels of blocking, and only IM solutions that offer encryption should be used.

Insurance

Institutions planning to use IM for customer services should also consider purchasing an Internet insurance policy. The insurance business is addressing the impact of the Internet on many fronts. Cyberrisk coverage, also known as cyberliability coverage, is available for most companies involved in e-commerce. Cyberliability refers to a range of different policies designed for organizations involved in e-commerce. Coverage and terms vary dramatically because the market is new. Each policy is tailored to the specific needs of a company, including the technology being used and the level of risk involved or anticipated. These e-services-specific types of policies are important for e-enterprises because damages that e-commerce and Internet companies incur are not typically covered by traditional policies such as general liability. For in-depth information on policy types and coverage limitations, visit the Web site of the American International Group Inc. at http://www.aignetadvantage.com/ or Affinity Insurance Services at www.techshield.com/index.jsp, or see the article “Besieged by Cyber Liability” at www.insurancejournal.com/magazines/southcentral/2002/09/02/features/23199.htm.

Examples of what might be covered in an e-commerce insurance policy are:

  • Loss/corruption of data. Covers damage to or destruction of valuable information assets as a result of viruses, malicious code and Trojan horses.
  • Business interruption. Covers loss of business income resulting from an attack on a company's network that limits its ability to conduct business, such as a denial-of-service computer attack.
  • Cyberextortion. Covers the “settlement” of an extortion threat against a company's network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
  • Public relations. Covers public relations costs associated with a cyberattack and with restoring public confidence.
  • Criminal rewards. Covers the cost of posting a criminal-reward fund for information leading to the arrest and conviction of the cybercriminal who attacked the company's computer systems.
  • Identity theft. Provides access to an identity-theft call center if personal information is stolen from a customer or employee.

Instant messaging is very popular. IM products and services have great potential in the corporate world. Companies should evaluate security needs to determine whether instant messaging is appropriate for their business purposes. A survey of the variety of services available in the marketplace shows that the demand for IM and the business it can help companies conduct will continue growing, and the service will become an integral part of every business as it matures into a more sophisticated technology.



Marie Flores, J.D. e-Commerce Law & Strategy [email protected]
