Global Relay
7 May 2013
Best Practices for Mutual Fund Dealers: Archiving, Data Protection & Compliance in a Social World
Agenda: Message Archiving & Regulatory Compliance
1. The Marriage Between Technology & Compliance
  • Message Archiving – It's not just about email…
  • Understanding your Requirements
  • Privacy Laws & Data Protection
  • Social Media
2. Due Diligence on Engaging a Vendor
  • Understanding Message Processing – You are Accountable
  • Know Your Vendor; SAS 70 & internal controls
3. Leveraging Your Archive
  • Audit & Litigation Readiness
  • Business Continuity & Disaster Recovery
  • Employee Access from Web, Outlook, BlackBerry & iPhone
4. Q & A
Global Relay Communications Inc - Proprietary & Confidential
About Global Relay: Canadian Owned and Operated
o 14th year of delivering Software-as-a-Service in a secure private cloud
o Core competency: Message Archiving, Compliance & eDiscovery
o Team of 215+ employees; more than 100 developers; strong Legal/Audit team
o 16,000 customers, 95% in the financial services sector
o Serving Broker-Dealers, Investment Advisors, Hedge Funds, Private Equity & Banks, Mutual Funds
o Offices in major financial centers worldwide, providing 24x7x365 support: Vancouver, New York, Chicago, London, Singapore, Hong Kong
o Global Relay is the Message Archiving Vendor in FINRA's Compliance Resource Provider Program
o 100% Canadian Owned & Operated
Copyright © 1999-2013 Global Relay Communications Inc. Confidential & Proprietary. All Rights Reserved. Not to be reproduced or distributed without permission.
Global Relay Awards: Recognition and Accolades
o Top 200 ranking for 2012 & 2011 on Deloitte Fast 500 – the fastest-growing technology companies in North America
o Warren Roy named BC CEO of the Year for 2012 by Business In Vancouver magazine – recognizing outstanding Business Strategy, Financial Performance, People Development, Innovation & Social Responsibility/Sustainability
o Recognized as one of the Top 10 Best Companies to Work For in British Columbia by BC Business Magazine for 2012 and 2011
o Ranked among Largest Software Companies and Fastest Growing Companies in BC by Business in Vancouver magazine for 2012 and 2011
o Shannon Rogers, President & General Counsel, ranked #1 for 2011 on PROFIT magazine's list of Top 100 Female Entrepreneurs in Canada
Analyst Recognition: Industry Analysts' Evaluation of Global Relay
o Positioned as a "Challenger" in the 2012 Gartner Magic Quadrant for Enterprise Information Archiving (published December 2012)
  • Rated extremely high on "ability to execute"
  • Quote: "Customers indicate extremely high satisfaction with Global Relay's service, in part due to the company's focus on technology: 50% of Global Relay's employees are developers and all code is written internally."
o Rated "Excellent" or "Very Good" on 8 of 10 criteria in the Q3 2011 Market Overview: SaaS Message Archiving (the Forrester Wave for SaaS archiving was discontinued)
o Most recent Forrester Wave for Software-as-a-Service Message Archiving (2008): Global Relay positioned as a "Strong Performer"
  • Quote: "Global Relay's offering features broad message capture options, very good support for Bloomberg messaging environments, and strong supervision functionality."
1) The Marriage Between Technology & Compliance
o Message Archiving – It's not just about email…
o Understanding your Requirements
o Privacy Laws & Data Protection
o Social Media
Global Relay Archive: It's Not Just About Email . . .
o Message archiving solutions require:
  • Archiving of all message types (Recordkeeping)
  • Supervisory controls: typically random sampling & keyword flagging
o Note! Ensure employees understand not to use personal messaging (e.g. Gmail) for business correspondence
The Big Picture: Message Archiving & Regulatory Compliance
o Preserving "who said what, when" to address: MFDA, IIROC, litigation, internal & investor issues
o Understand your requirements
  • Determine what message types are allowed & prohibited in your business
  • Determine what to do on day 1 of your registration
    - Archive on a going-forward basis? Legacy messaging is subject to court subpoena & discovery
    - Import all legacy messaging including PSTs? Ensure a single location for eDiscovery. Note! Migrating PST & legacy messages from archiving servers requires reconciliation, metadata & chain of custody documentation
  • Supervision & Recordkeeping Rules, retention terms, legal holds and business requirements are complex and may conflict
Unified Archive for any Message Type
[Architecture diagram; only the labels are recoverable from the page]
o Message sources: Email, Public IM, OCS/Lync, XMPP IM, Trading / Market Data, Social Media, Mobile
o Capture paths: Journal SSL/TLS, IMAP / SMTP, SMTP Group Delivery, XMPP / HTTPS, XML, REST / HTTPS, OAuth, JSON / SSL, SMTP, HTTPS; ADGR OCS App
o Ingest components: Importer Buffer (30 days); File Downloader (XML > XCF, XCF > EML); API Downloader (Database, JSON > EML); App Downloader (JSON > EML); Message Converter; Social Converter; Mobile Converter (XMPP > EML)
o Core: Message Routing (SMTP) into the Global Relay Archive; Normalized Messages (EML)
o Outputs: SMTP (TLS) External Delivery; On-Premise Archive; Global Relay Customer Users
Regulatory Requirements: Rules for Electronic Message Recordkeeping
The Fundamentals: 1) Recordkeeping 2) Supervision 3) Audit
1. Recordkeeping: IIROC Rule 29.7, MFDA Rule 5.1, National Instrument 31-103 (11.5)
o Requires capture, archive & preservation of electronic business records
o Indexing of messaging & attachments
o Dedicated, tamperproof storage
o Storage for easy search, retrieval & access
o Defined retention term (7 years or 5 years)
o Serialize & date-stamp each message
o Message export capability
Regulatory Requirements: Rules for Electronic Message Supervision
The Fundamentals: 1) Recordkeeping 2) Supervision 3) Audit
2. Supervisory Compliance: IIROC Rule 29.7, MFDA Rules 2.5, 2.7, National Instrument 31-103 (11.1)
o Supervisory controls to detect & prevent regulatory violations
o Message review flags defined by keywords, phrases & exclusions
o Search & Review across all message types
o Preserve message context & threads
o Ensure full audit trails to log User, Review & Auditor actions
o Enforcement of supervisory policies
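The supervisory controls described in the deck (keyword and phrase flags with exclusions, plus the random sampling mentioned earlier under "It's Not Just About Email") can be illustrated in a few dozen lines. The following is an added example, not Global Relay code or the product's own logic; the lexicon, the sample messages and the sampling rate are constructed for illustration.

```python
"""Supervisory review queue: keyword/phrase flagging with exclusions, plus
random sampling of unflagged traffic.

Added example, not Global Relay code. The lexicon, the messages and the
sampling rate are constructed for illustration.
"""
import random
import re
from dataclasses import dataclass

# Constructed review lexicon. Each rule has a regex keyword or phrase and
# optional exclusion phrases: if an exclusion also matches the message
# (for example a standard disclaimer), the rule does not fire.
LEXICON = [
    {"rule": "performance-guarantee",
     "pattern": r"\bguarantee[ds]?\b",
     "exclude": [r"no guarantee of future results", r"cannot guarantee"]},
    {"rule": "off-channel",
     "pattern": r"\b(gmail|personal e-?mail|text me)\b",
     "exclude": []},
    {"rule": "complaint",
     "pattern": r"\b(complaint|misled|unauthori[sz]ed)\b",
     "exclude": [r"complaint handling policy"]},
]


@dataclass
class Message:
    msg_id: str
    sender: str
    body: str


@dataclass
class ReviewItem:
    msg_id: str
    reason: str          # "flag:<rule>" or "sample"
    evidence: str = ""   # matched text, kept for the reviewer and the audit trail


def compile_lexicon(lexicon):
    """Pre-compile patterns once; matching is case-insensitive."""
    return [(r["rule"], re.compile(r["pattern"], re.I),
             [re.compile(x, re.I) for x in r["exclude"]]) for r in lexicon]


def flag_message(msg, compiled):
    """Return one ReviewItem per rule that matches and is not excluded."""
    hits = []
    for rule, pattern, excludes in compiled:
        match = pattern.search(msg.body)
        if match is None:
            continue
        if any(ex.search(msg.body) for ex in excludes):
            continue
        hits.append(ReviewItem(msg.msg_id, f"flag:{rule}", match.group(0)))
    return hits


def build_review_queue(messages, lexicon=LEXICON, sample_rate=0.10, seed=None):
    """Flagged messages always enter the queue. Of the unflagged remainder a
    random fraction (sample_rate) is added, so ordinary traffic is still
    spot-checked and a message that avoids every keyword is not exempt."""
    compiled = compile_lexicon(lexicon)
    rng = random.Random(seed)        # seedable so a run can be reproduced
    queue, unflagged = [], []
    for msg in messages:
        hits = flag_message(msg, compiled)
        if hits:
            queue.extend(hits)
        else:
            unflagged.append(msg)
    for msg in unflagged:
        if rng.random() < sample_rate:
            queue.append(ReviewItem(msg.msg_id, "sample"))
    return queue


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    Message("m1", "rep1@firm.example", "We guarantee 12% returns on this fund."),
    Message("m2", "rep2@firm.example",
            "Past performance is no guarantee of future results."),
    Message("m3", "rep1@firm.example",
            "Let's move this to my Gmail so it stays off the record."),
    Message("m4", "rep3@firm.example", "Please see the attached monthly statement."),
]

if __name__ == "__main__":
    for item in build_review_queue(SAMPLE_MESSAGES, sample_rate=0.10, seed=1):
        print(item)
```

The exclusion list is what keeps the disclaimer in m2 out of the queue while the promise in m1 is flagged; the `evidence` field records exactly which text fired, which is what a reviewer or auditor will ask for later.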
Regulatory Requirements: Rules for Electronic Message Audit & eDiscovery
The Fundamentals: 1) Recordkeeping 2) Supervision 3) Audit
3. Audit: Considerations when producing data for regulators
o Objective: to produce relevant data promptly
o Turnaround speed: need to furnish "promptly" – determine time required to export reviewer-defined data
o Online access (Auditor login) vs. data extraction (FTP, PST, hard drive)
o Attorney-client privilege flagging (pre-tag vs. manual)
o Metadata & BCCs; Distribution Lists
o Vendor can provide support during Audits, Exams, litigation, eDiscovery
Privacy & Data Protection: Safeguarding Intellectual Property
o End-to-end security:
  • Data leak prevention
  • Lock down USB drive access
  • Endpoint security
o Message encryption
  • Data In Transit:
    - Use SSL/TLS protocols for login and authentication
    - Ensure your firm & counterparties use mail servers with opportunistic TLS transport
    - Optionally deploy policy-based encryption for message transport (vendors include Echoworx, ZixCorp, AppRiver, DataMotion)
    - Note! Encryption technologies must support indexing and archiving of messages
  • Data At Rest in Archive:
    - Encrypt all messages with strong ciphers
o For firms doing business in the US and internationally
  • Global Relay houses all customer data in Canada (outside the reach of the USA Patriot Act)
  • Canada's privacy laws make it an internationally recognized "data safe zone"
International Data Security & Privacy: Canada, A Data Safe Zone
The "Cloud" still has to be hosted somewhere….
o Canada is an internationally recognized "safe zone" for preserving data
  • Data is hosted in mirrored SSAE 16 Type II Data Centers on the East/West coasts of Canada
  • With customers in 90+ countries, Global Relay has deep experience in cross-border issues, including international legal, compliance, audit & eDiscovery matters
Data Privacy in Canada
o Stringent data privacy and protection laws in Canada
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) governs personal information collected, used and disclosed by private sector companies in the course of commercial business
  • The European Commission has twice audited Canada's privacy laws and determined that those laws provide protection equivalent to or better than the European Privacy Directive
USA PATRIOT Act – Not a Concern for Global Relay Customers
o Global Relay hosts data in Canada, outside the reach of the USA PATRIOT Act
  • Customer data held by Global Relay is not subject to direct data access demands by the U.S. government
  • Many large US and international financial firms select Global Relay on this basis
Social Media: Current Statistics, Regulatory Views, Best Practices
About LinkedIn: #1 Networking Tool Used in Business
o Profile
  • The only widely-recognized professional social networking tool
  • $19B market cap; revenue from premium subscriptions, HR services & advertising
  • Operating since 2003
o Stats
  • 2.9 million companies have LinkedIn company pages
  • 64% of users outside USA
o Growth
  • Current growth rate: 2 new members per second, now at 225 million members
o Uses for Securities Dealers
  • Finding new clients & keeping in touch with existing ones
  • Sharing news & insight with clients
About Twitter: Micro-Blogging Platform
o Profile
  • "Micro-blogging" tool where each communication is limited to 140 characters
  • Content is largely public in nature
  • Private company, $140M revenue from advertising
  • Operating since 2006
o Stats
  • 57% of Twitter users use mobile devices
  • 350 million tweets per day being sent
o Growth
  • Fastest growing social media platform, now at 200+ million active users
o Uses for Securities Dealers
  • Reps can quickly share with people who choose to follow them
  • Gather public insight about a particular product, sector or event
About Facebook: #1 Social Network Worldwide
o Profile
  • The world's #1 social network
  • $5B revenue (2012) from advertising
  • Operating since 2004
o Stats
  • 1.06 billion users; 618 million are active daily
  • 81% of US social network users say Facebook is how they prefer to interact with companies
o Growth
  • 51% of Americans aged 12 and up use Facebook, a 538% increase since 2008
o Uses for Securities Dealers
  • A forum for two-way dialogue with clients
  • A platform for publishing news, events and articles
Sources: CloudTactix, SubmitEdge.com
How do regulators view Social Media? Just Another Form of Electronic Communication…
o FINRA's mission: To protect investors by maintaining fairness in markets
o Same rules apply: Social Media falls under existing "media-neutral" requirements, including:
  • Recordkeeping: capture & preservation of electronic business records
    - SEC Rule 204-2 (RIAs & Hedge Funds)
    - SEC Rule 17a-3 & 17a-4; FINRA Rule 3110 (Broker-Dealers)
  • Supervision and enforcement of supervisory policies
    - SEC Rule 206(4)-7 (RIAs & Hedge Funds)
    - FINRA Rule 3010 & Regulatory Notice 07-59 (Broker-Dealers)
  • Audit Readiness: Considerations when producing data for regulators
    - Online access (Auditor login) vs. data extraction (FTP, PST, hard drive)
    - Turnaround speed: need to furnish "promptly" – determine time required to export reviewer-defined data
  • Communications With the Public:
    - Regulatory Notice 12-29 & FINRA Rule 2210 (Effective Feb. 4, 2013)
    - Specific to Social Media: FINRA Regulatory Notices 10-06 & 11-39
  • Before engaging in social media use, firms must be sure that they have technology to record and retain these communications
Social Media Compliance: Regulatory Considerations
Social Media is subject to the same regulatory requirements as other electronic communications. For example, IIROC Dealer Member Rule 29.7, plus the SEC/FINRA Social Media requirements, call for compliant solutions. A few examples:
Type | Deemed by IIROC | Examples | Compliance Considerations
Public Profile | Original Advertisement | Facebook Profile, LinkedIn Profile | Pre-Review; Access Controls; Archiving
Status Updates | Interactive Electronic Forum | Twitter Tweets, Facebook Status Updates | Access Controls; Pre- or Post-Review depending on your firm's specific policies; Archiving
Email | Electronic Correspondence | LinkedIn Messages | Access Controls; Supervision & Monitoring; Archiving
…However, Note Key Differences with Social Media: New Approaches for New Communication Methods
o Categorizations of Social Media Communications
  • Static Content
    - Static: content that remains posted until changed by the firm or individual; accessible to all site visitors. Requires principal pre-approval.
    - Examples: Initial Tweets, Facebook Wall Posts, LinkedIn Network Updates
  • Interactive Content
    - Interactive: real-time communication; requires supervision after the fact (on a risk basis)
    - Examples: Email, IM, Facebook Wall Comments, LinkedIn Network Comments, Retweets
  • Linking to Third-Party Content
    - Firms are responsible for content of linked sites & what reps endorse
    - "Linking" or endorsing can trigger entanglement principles
    - SEC concept of "prominence and proximity"
    - Examples: Facebook "Likes", Twitter "Retweets", LinkedIn "Recommendations"
What About Mobile Devices? Social Media Tools Are the Most Popular Smartphone Apps
o A ubiquitous pairing: Social Media & smartphones
  • More than one third of Facebook members access via smartphone
  • Mobile users are twice as active on Social Media
o FINRA: The communication, not the device, is determinative
  • Same rules apply for social media content on smartphones
o Mobile makes Recordkeeping more difficult
  • Make sure your social media compliance solution can capture social media content generated on:
    - Mobile devices: smartphones, tablets (BlackBerry, iPhone, iPad, Android etc.)
    - Home computers
    - Public computers (hotels, airport kiosks, etc.)
Social Media Compliance via Policy
Best practices for achieving compliant social media via policy
o Approval workflow: implement for social media
  • For example, employees must seek CCO/Legal approval before posting certain social media elements, such as a profile, credentials, referrals, advisor websites, preapproved content, etc.
o Training: provide social media compliance education for employees
  • Make ongoing education mandatory for employees who use and review social media
o Limit use of your firm's name and/or product names
  • Decrease risks to your firm (such as data leaks)
o Prohibit social media communications that recommend investments or products
  • Unless a registered principal has approved the content
o Revisit existing supervision frequencies & plans
  • Ensure they are appropriate for social media
o Access: Select which social media sites employees can visit
  • Restrict what is non-essential: home use, mobile devices
Social Media Compliance via Technology
Best practices for achieving compliant social media via technology
o Select a message archiving vendor that offers social media compliance capability
  • Capture: Ensure the vendor has the capability to capture & retain all social media data for each user
  • Unify: Integrate social media data into your existing message archive alongside other message types such as email, Bloomberg, BlackBerry, Thomson Reuters, Instant Messaging, etc.
  • Supervise: Leverage the supervisory capabilities within your archive – add social media messages to your firm's message monitoring & review process
o Consider a third-party social media compliance tool to enforce policies
  • Block/allow specific actions – for example, block Facebook Games or LinkedIn Recommendations
  • Specify activity permission per employee – for example, staff other than registered reps have read-only access to social media sites
Conclusion: Social media is here to stay and, if managed wisely, it can be a useful tool for your business.
Case Study: The Importance of Social Media Archiving: Netflix CEO Reed Hastings' Facebook Disclosure
Situation:
• Netflix CEO Reed Hastings posted material information about the company on Facebook (a statistic about viewership)
• Did not file the same information in a press release or Form 8-K
• SEC investigated…
• SEC deems Social Media to be an appropriate channel for public information… so long as the public is told where to look
Lessons Learned:
• Social media is evolving from a marketing tool to a serious source of public information
• As with other communications with investors and the public, social media posts need to be captured and retained
Case Study: AP Twitter Account Hacked
Situation:
• AP's Twitter account hacked by a hostile group who claimed an explosion at the White House
• 136 Billion in market value quickly erased, before the market rebounded
Lessons Learned:
• Twitter, and other social media, are being used as a market data tool
• Password security on social media needs to be questioned and improved
Social Media Capture Requires Opt-In from User
o Opt-In & User Rights
  • A blurred line between personal & professional realms – e.g. LinkedIn profiles
  • Unlike email, employees own & control most social media accounts
  • Employees must opt in for social media archiving
  • Privacy rights a concern: firms should not store employees' passwords
[Figure] Opt-In Flow – Global Relay Archive for Social Media
[Screenshot] Viewing LinkedIn content in Global Relay Archive, with highlighted changes and keyword flagging
What’s Next? New Social Media Sites & “Dual Uses”
Web Archiving: Powered by PageFreezer
o Create an archive for websites, blogs & social media pages in the cloud
  • Continually creates digital snapshots of your web content, at the frequency you specify
  • Supports dynamic content: audio, video, Flash, and more
  • Very straightforward setup; archive any number of different websites
o Use the PageFreezer dashboard to scroll through an interactive timeline of your archived websites
  • Choose one of the digital snapshots of your website to browse & replay
  • Search capability lets you pinpoint a specific keyword or date
Web Archiving (continued): Powered by PageFreezer
o View your website within PageFreezer's interface
  • An exact copy of your website as it appeared at a specific moment in the past
  • Dynamic content like video, audio, Flash, etc. is re-playable in its original format
2) Due Diligence on Engaging a Vendor
o Understanding Message Processing – You are Accountable
o Know Your Vendor; SSAE 16/SAS 70 & Internal Controls
Message Archiving & Authenticity: It's About Quality, Accuracy & Completeness
Fundamental message processing requirements
o Message log reconciliation
  • Compare messages sent with messages received by archive
  • Daily log reconciliation is a best practice
  • Ensure all messages are received by archive
o Schema validation
  • Ensure message content is accurate – for example, XML tags, headers & bodies
o Write verification
  • Ensure accurate message processing in the event of hardware/software failures
o Malformed messages which fail to be accurately indexed & archived
  • Sent to failure bin for analysis & remediation
  • Forensic auditors check into this process
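The four processing requirements above, together with the recordkeeping fundamentals from the earlier slide (serialize and date-stamp each message, tamperproof storage), fit into one small ingest-and-reconcile routine. The following is an added example and not Global Relay code: the required message fields, the mail-server log format, the hash-chain design and the sample data are all constructed for illustration, and a real deployment would reconcile against its actual MTA logs.

```python
"""Archive ingest with serial numbers, ingest date-stamps and a tamper-evident
hash chain, plus schema validation, a failure bin and daily log reconciliation.

Added example, not Global Relay code. The message fields, the mail-server log
format and the sample data are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = ("message_id", "from", "to", "date", "body")
GENESIS = "0" * 64   # hash "before" the first record


class Archive:
    """Append-only store. Each record carries a serial number, an ingest
    timestamp and a SHA-256 hash that also covers the previous record's hash,
    so altering or deleting a record breaks every later link in the chain."""

    def __init__(self):
        self.records = []
        self.failure_bin = []
        self._prev_hash = GENESIS

    @staticmethod
    def validate(msg):
        """Schema validation: every required field present and non-empty."""
        missing = [f for f in REQUIRED_FIELDS if not msg.get(f)]
        if missing:
            raise ValueError(f"missing fields: {missing}")

    def ingest(self, msg, now=None):
        """Validate, serialize and chain a message; a malformed message goes to
        the failure bin for analysis instead of being silently dropped."""
        try:
            self.validate(msg)
        except ValueError as err:
            self.failure_bin.append({"message": msg, "error": str(err)})
            return None
        now = now or datetime.now(timezone.utc)
        payload = json.dumps(msg, sort_keys=True)   # canonical serialization
        digest = hashlib.sha256((self._prev_hash + payload).encode()).hexdigest()
        record = {"serial": len(self.records) + 1,
                  "ingested_at": now.isoformat(),
                  "message_id": msg["message_id"],
                  "payload": payload,
                  "prev_hash": self._prev_hash,
                  "hash": digest}
        self.records.append(record)
        self._prev_hash = digest
        return record

    def verify_chain(self):
        """Write verification: recompute every hash and confirm each record
        links to its predecessor. Run after any storage fault or restore."""
        prev = GENESIS
        for rec in self.records:
            expected = hashlib.sha256((prev + rec["payload"]).encode()).hexdigest()
            if rec["prev_hash"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


def parse_sent_log(log_text):
    """Constructed mail-server log format: '<timestamp> sent id=<message-id>'."""
    ids = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "sent" and parts[2].startswith("id="):
            ids.add(parts[2][3:])
    return ids


def reconcile(sent_ids, archive):
    """Daily reconciliation: every id the mail server reports as sent must be
    either archived or sitting in the failure bin awaiting remediation."""
    archived = {r["message_id"] for r in archive.records}
    failed = {f["message"].get("message_id") for f in archive.failure_bin}
    return {"archived": sorted(sent_ids & archived),
            "in_failure_bin": sorted(sent_ids & failed),
            "missing": sorted(sent_ids - archived - failed)}


# Constructed sample data: three messages sent; one is malformed and one never
# reaches the archive at all.
SENT_LOG = """\
2013-05-07T09:00:01Z sent id=<a1@firm.example>
2013-05-07T09:05:12Z sent id=<b2@firm.example>
2013-05-07T09:07:40Z sent id=<c3@firm.example>
"""


def demo():
    archive = Archive()
    archive.ingest({"message_id": "<a1@firm.example>", "from": "rep@firm.example",
                    "to": "client@example.com", "date": "2013-05-07T09:00:00Z",
                    "body": "Your statement is attached."})
    archive.ingest({"message_id": "<b2@firm.example>", "from": "rep@firm.example",
                    "to": "", "date": "2013-05-07T09:05:00Z", "body": "hello"})
    return reconcile(parse_sent_log(SENT_LOG), archive), archive


if __name__ == "__main__":
    result, arc = demo()
    print(json.dumps(result, indent=2), "chain ok:", arc.verify_chain())
```

The reconciliation report is the artefact a forensic auditor would ask for: `missing` is the gap between what the mail server sent and what the archive holds, and `in_failure_bin` is the set awaiting remediation rather than a silent loss. The hash chain is what makes the store tamper-evident; a deployment would anchor it to write-once media or a separately held digest rather than keeping the chain only alongside the records.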
Due Diligence: Know Your Vendor
o Select vendors with experience in the financial sector
o Look for independent third-party validation
  • SSAE 16 Type II / SOC 1 (Environmental Controls)
  • Audited Internal Controls
o Evaluate vendors' security, business & operational controls
  • Physical Security
  • Change Management (Patches, Releases, Upgrades)
  • Network Security & Availability
  • Message Flow & Processing
  • Data Import, Extraction & Destruction
  • Security Policies & Standards
  • Personnel Policies & Procedures (e.g. background checks, references)
3) Leveraging Your Archive
o Audit & Litigation Readiness
o Business Continuity & Disaster Recovery
o Employee Access from Web, Outlook, & Mobile
Additional Reasons to Archive Messages: Leveraging Your Archive Beyond Compliance
o Audit & Litigation Readiness
  • Evidentiary-quality records
  • Liability & HR considerations
o Long-term Storage & Message Management
  • Employee convenience & productivity
  • Retrieving historical & deleted messages
o Business Continuity & Disaster Recovery
  • End-user access to messaging in the event mail servers are down
o Employee Access to All Archived Message Types
  • Outlook plug-in with archive access
  • Smartphone apps to Search, View, Recover, Reply, Reply All & Forward
[Figure] Smartphone apps: BlackBerry, iPhone, iPad, Android; Microsoft Outlook Plug-in
Thank You
Global Relay Offices Worldwide
Vancouver 604.484.6630
New York 866.484.6630
Chicago 866.484.6630
London +44.203.139.9064
Singapore +65.3158.1301
www.globalrelay.com
Warren Roy, CEO
Shannon Rogers, President & General Counsel
Bryan Young, Vice President, Sales
Additional Resources
o Compliance Solutions Guidebook Series: www.globalrelay.com
o KPMG Report on Global Relay Security, Business & Operational Controls: Contact Global Relay
o Information Sheet on Data Discovery & Extractions: Contact Global Relay