Editor’s Note: This post is excerpted in slightly altered form from the forthcoming book “Rogues of Wall Street: How to Manage Risk in the Cognitive Era,” which will be published in May by Wiley.
Fake news is all the rage now. But this is not a new phenomenon. Just a week after the Securities and Exchange Commission announced its decision in early 2013 to loosen restrictions on the use of Twitter and other social media by companies, a hacker showed how risky a decision that could prove to be. When an Associated Press Twitter account announced to the world that the White House was under attack, the reaction from the financial market was instantaneous. The Dow declined by 150 points and several billion dollars of market value was wiped out in a few seconds. It turns out the AP’s Twitter account had been hacked, but the damage was done. This was not a scenario that was predicted but now it was one firms cannot choose to ignore.
Just as with the AP scenario, every Twitter and Facebook account is potentially a target. Were any public company’s Twitter account to be hacked and incorrect news about earnings, acquisitions, sales or other information released to the world, it would potentially have an instantaneous impact on the market. Unlike news of an attack on the White House, a false earnings report or proposed merger might not be so easy to quickly prove to be false to the world at large. As we move headlong into the instant-news-cycle-driven world, firms should take a step back to evaluate the risk that this poses. Institutions must evaluate the risk posed by the proliferation of official firm social media accounts. Such proliferation multiplies the threat posed not just by external misuse, highlighted by recent incidents, but also internal or rogue misuse.
There is one thing that can be observed in any organization that uses information technology to any extent: The number of user accounts in applications that are useful and easy to use will see exponential growth and rapid proliferation unless a concerted effort is made to exert control over the process. A common example is just the process of creating folders on shared drives to house documents. Since they are free and easy to create, hundreds of folders containing data opened are accessible to every employee who authors or edits Word, Excel or PowerPoint files. Some of these may contain important, privileged information; the bulk, however, will not. How does a firm ensure the ability to identify and protect the latter from inappropriate dissemination? Alternatively, when a judge demands documents, how does a firm ensure it is able to locate and provide them? Attempts to exert central control generally come too late to be effective. A plan needs to be formulated upfront.
If banks need to worry about the control over the proliferation of internal accounts and unstructured data sources, how much more so for accounts on web applications that house and relay information to the public domain? Apps, such as Twitter, are free to use: no expensive licensing deals with named, authorized users are required. The risk is further increased since Twitter, Facebook and other social media platforms have been sanctioned for use by the SEC and management as a means of broadcasting market-sensitive information.
One imagines that each line of business will soon want its own account to broadcast its progress to the outside world. One wonders how many official Twitter accounts each major bank already has. With the media reporting on how boring these corporate Twitter accounts can be, one can imagine that the shackles of corporate control may be loosened to make things more interesting. After all, what is the point of having a Twitter account if it has no followers? To get followers, one needs to be interesting, even newsworthy.
The natural tendency to try to gain an edge in the competitive brokerage, trading and investment world through passing on interesting information to clients and potential clients may become harder to police as accounts proliferate and become part of a normative sales and business development strategy. As well as monitoring the tweets and updates of those who are authorized to use Twitter on behalf of the company, how does one monitor those who are not authorized to do so when there are many such accounts? More fundamentally, how does one ensure that all material information that is distributed by such channels is distributed broadly enough to satisfy Fair Disclosure Rules?
Not only can “official” corporate Twitter or Facebook accounts be cause for concern, personal accounts can be as well. In this increasingly narcissistic “selfie” world we live in, the silly story of former Rep. Anthony Weiner may turn out to be the canary in the coal mine. It turns out that not just politicians but CEOs and other highflying and ambitious executives are shameless self-promoters. Furthermore, a conflation of corporate identity with personal identity is likely to occur when any cyber moment can be turned into a branding opportunity. And when the brand of the CEO becomes the brand of the company, or indeed when anyone’s personal brand can be so intertwined, then it can be argued that the personal and the corporate have been melded into one. At that point, is there anything distinctly personal and private anymore? So companies may need to monitor activities on employees’ Facebook pages to ensure that their brands are being promoted rather than dirtied. A senior executive or CEO updating pictures on his Facebook page with racy pictures in a luxury resort or in a newly-purchased $50 million home may send out the wrong message to customers. A CEO tweeting negative remarks about gay marriage may conflict with corporate values. Yet even more concerning would be a CEO sending out information or opinions on the state of the company to his friend on Facebook. Yet privacy laws can be problematic here because in many countries, companies are forbidden from monitoring their employees’ personal social media accounts.
Firms can get ahead of this issue by providing clear rules of the road on the use of social media, whether with personal or corporate accounts. Firms need to make sure they have adequate “code red” or “break the glass” procedures in place for when a false report is issued from a firm account. As we saw with the AP tweet about the White House, the market reacts incredibly quickly and, though a firm may be held blameless for a hacked account, it may not be if it fails to alert the market in a timely way. With regard to personal accounts used by senior executives and CEOs, this is already a highly effective means of promoting personal and corporate brands. Firms need to make sure they have an appropriate framework in place for educating, monitoring and responding to events caused by their misuse, intentional or otherwise.