
A Regulatory Perfect Storm

Tighter control of corporate e-mail profiles is needed due to increased compliance enforcement in heavily regulated industries such as financial services, utilities, and health care. Growing regulation combined with information privacy concerns, e-discovery and constant collaboration with external constituents creates what could be considered a “regulatory perfect storm.”

“In light of the current financial crisis and ongoing legislation involving Electronically Stored Information (ESI), organizations should be prepared for increased regulation and governance,” said Brian Babineau, senior analyst with Enterprise Strategy Group (ESG). “To improve disclosures and safeguard against potential regulatory violations within enterprise e-mail traffic, companies need to integrate IT, compliance, HR, and legal departments into a cohesive team to implement an ongoing proactive strategic approach to regulatory risk management.”

According to research collected during MessageGate Activity Profile (MAP) customer audits, current regulations including SEC Rule 17a-4, SOX, FERC, and HIPAA, in addition to amendments to the Federal Rules of Civil Procedure (FRCP), pose an increased risk of violation to organizations lacking the necessary policy controls. With regulatory and e-discovery deadlines in full effect, organizations of all sizes are pressed to implement a proactive approach based on cost-effective e-mail retention and archiving policies that can be consistently enforced.

“Simply reporting e-mail behavior is no longer sufficient. Organizations must implement strict and consistent e-mail controls in order to meet compliance mandates head-on,” said Norbert Orth, president and CEO for MessageGate. “By actively managing the risk of future violations through e-mail controls that incorporate active security policies in real time, companies can effectively build a shelter against the storm through a preventative stance on e-mail risk management.”

The following steps help organizations address this situation by creating a true culture of compliance without additional expense in time or business interruption:

1. Manage intentional and unintentional employee misuse. While neither SOX nor the SEC's implementing regulations impose specific requirements for e-mail security, or IT security in general, the frameworks commonly used for assessing internal controls still apply to e-mail. The instant and casual nature of e-mail poses a risk for all organizations. To secure casual conversations and avoid routinely routing inappropriate e-mails to compliance departments, treat e-mail controls as low-cost insurance and a critical component in protecting information from unauthorized use, disclosure or modification.

2. Practice smart archiving. Many companies try to retain all e-mail, but the huge and growing volume of e-mail strains storage budgets and resources. Under SEC Rule 17a-4, securities firms must retain their electronic documents, including e-mail, for five years and ensure that they are readily retrievable and reviewable on short notice. When e-mail is requested by a regulatory body, retrieval is expected immediately, usually within the next 24 hours. By applying real-time analysis through consistent e-mail archiving controls before messages enter the archive, companies can avoid costly e-discovery litigation fines.

3. Create e-mail controls and policies that can intercept at-risk e-mails. Under HIPAA, companies must maintain administrative, technical, and physical safeguards to prevent intentional or unintentional disclosure of Protected Health Information (PHI). To maintain complete audit trails for any data leaving the company, look for a flexible policy engine that enables proactive management of information flow while mitigating insider threats, all in real time.

4. Audit and profile e-mail usage in real time. To safeguard against potential e-mail risks, build custom policies that look for specific criteria in e-mail attachments, including file formats and usage patterns. For example, FRCP requires the speedy recovery of electronically stored information, which is only possible with rapid search and retrieval capabilities and the ability to audit operations. IT should be able to review e-mails and take action based on group affiliation, policies, and e-mail and attachment content and context, in real time and within the live e-mail stream.

5. Provide real-time blocking and re-routing of outbound e-mails. Companies need a solution that can stop an incident at the point the e-mail is ingested and that gives IT the ability to review and monitor e-mails within the live e-mail stream through a network implementation. For utility companies to meet FERC requirements, a proactive e-mail risk management approach must block restricted information contained in e-mail from ever reaching restricted individuals, based on group designations or on the content of the message or attachment.
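The five steps above describe one control point: a policy engine sitting in the live outbound stream that looks at who is sending, who is receiving, what formats are attached and what the text contains, then allows, blocks or re-routes the message, tags it for the archive and writes an audit record. The following Python sketch is an added illustration of that control flow; it is not MessageGate's product or code. The company domain, the user-to-group directory, the restricted partner domain, the blocked attachment types, the PHI indicator pattern and the sample messages are all constructed for the example, and the PHI pattern is a deliberately crude stand-in for a real classifier.

```python
"""Toy outbound e-mail policy engine (added example, not a vendor implementation).

Rules, in the order they are applied:
  1. group-based information barrier: a restricted group may never mail
     certain external domains (the FERC-style separation in step 5)
  2. attachment file formats that must not leave the company (step 4)
  3. PHI-looking text addressed outside the company is held for
     compliance review instead of being delivered (step 3)
Every allowed message receives a retention class before archiving (step 2),
and every decision produces an audit record (step 1 and step 4).
All configuration and sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List

COMPANY_DOMAIN = "example.com"                                        # constructed
GROUP_OF_USER = {"alice@example.com": "trading", "bob@example.com": "hr"}  # constructed directory
RESTRICTED_RECIPIENT_DOMAINS = {"trading": {"research-partner.example"}}  # constructed barrier
BLOCKED_ATTACHMENT_TYPES = {"application/x-msdownload", "application/x-sh"}
# Crude PHI indicator: a medical-record-number label followed by 6+ digits (constructed pattern).
PHI_PATTERN = re.compile(r"\b(?:MRN|medical record number)\s*[:#]?\s*\d{6,}", re.IGNORECASE)


@dataclass
class Decision:
    action: str                       # "allow", "block" or "reroute"
    retention_class: str              # tag applied before the message enters the archive
    reasons: List[str] = field(default_factory=list)


def parse_message(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


def recipient_addresses(msg: EmailMessage) -> List[str]:
    out = []
    for header in ("To", "Cc", "Bcc"):
        if msg[header] is not None:
            out.extend(a.addr_spec.lower() for a in msg[header].addresses)
    return out


def text_parts(msg: EmailMessage) -> List[str]:
    """Body text plus any text/* attachment: the content a policy can inspect."""
    texts = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        texts.append(body.get_content())
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
    return texts


def evaluate(msg: EmailMessage) -> Decision:
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    group = GROUP_OF_USER.get(sender, "unknown")
    recipients = recipient_addresses(msg)
    external = [r for r in recipients if not r.endswith("@" + COMPANY_DOMAIN)]
    action, reasons = "allow", []

    # Rule 1: information barrier by group designation; a block never reaches the recipient.
    barred = RESTRICTED_RECIPIENT_DOMAINS.get(group, set())
    hits = [r for r in recipients if r.rsplit("@", 1)[-1] in barred]
    if hits:
        action = "block"
        reasons.append(f"group '{group}' may not mail {', '.join(hits)}")

    # Rule 2: attachment formats that are not allowed to leave the company.
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype in BLOCKED_ATTACHMENT_TYPES:
            action = "block"
            reasons.append(f"blocked attachment type {ctype} ({part.get_filename()})")

    # Rule 3: PHI-looking content to an external recipient is re-routed for compliance review.
    if external and any(PHI_PATTERN.search(t) for t in text_parts(msg)):
        if action != "block":          # an outright block takes precedence over a re-route
            action = "reroute"
        reasons.append("possible PHI addressed to an external recipient")

    retention = "sec-17a-4" if group == "trading" else "standard"
    return Decision(action, retention, reasons)


def build(sender, to, subject, body, attachment=None) -> bytes:
    """Construct a sample outbound message; attachment = (bytes, maintype, subtype, filename)."""
    msg = EmailMessage(policy=policy.default)
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment:
        data, maintype, subtype, name = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


def sample_stream() -> List[bytes]:
    """Constructed messages, one per outcome: allow, block (barrier), reroute (PHI), block (format)."""
    return [
        build("bob@example.com", "carol@example.com", "Lunch", "Noon works for me."),
        build("alice@example.com", "dan@research-partner.example", "Positions",
              "See attached.", (b"a,b\n1,2\n", "text", "csv", "positions.csv")),
        build("bob@example.com", "partner@clinic.example", "Patient file",
              "Forwarding MRN: 48211937 for review."),
        build("bob@example.com", "vendor@supplier.example", "Tool",
              "Run this.", (b"MZ\x90\x00", "application", "x-msdownload", "tool.exe")),
    ]


def process_stream(raw_messages) -> List[dict]:
    """Evaluate each message in the stream and return the audit records."""
    audit = []
    for raw in raw_messages:
        msg = parse_message(raw)
        d = evaluate(msg)
        audit.append({"from": str(msg["From"]), "subject": str(msg["Subject"]),
                      "action": d.action, "retention": d.retention_class, "reasons": d.reasons})
    return audit


if __name__ == "__main__":
    for record in process_stream(sample_stream()):
        print(record)
```

The ordering matters: a block from the information barrier or a forbidden format is never downgraded to a re-route by a later rule, and the retention tag is assigned on every path so that even blocked and re-routed messages carry a class when they are written to the archive and the audit trail. In a real deployment the directory lookup, the restricted-domain list and the content classifier would be external services; here they are inline constants so the block runs offline.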

MessageGate provides software and services for enterprise e-mail controls. For more information, call 877-544-8500.


