The Impact of the SEC’s WhatsApp Probe

Explore the crucial cybersecurity and compliance insights from the recent SEC’s WhatsApp probe

January 9, 2024


The SEC’s recent WhatsApp probe demonstrates the damage unauthorized business communications can do to an organization. Chris Lehman of SafeGuard Cyber draws out the lessons of the probe from a cybersecurity and compliance perspective.

Insider Risks in the Digital Era

In today’s rapidly evolving digital landscape, it has become increasingly clear that insider risks and threats can be just as detrimental as external attacks. Organizations face mounting cybersecurity and compliance pressure from the C-Suite and from the Securities and Exchange Commission (SEC) to manage and mitigate these risks. As the SEC’s recent crackdown on Wall Street firms using messaging apps like WhatsApp for business communications demonstrates, the result can be damaging and costly. In August 2023, the SEC announced “charges against ten firms in their capacity as broker-dealers and one dually registered broker-dealer and investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications.”

The SEC’s WhatsApp probe sheds light on the tension between using workplace communication tools to operate more efficiently and fostering a resilient cybersecurity environment that stays compliant with agency rules. The good news is that there are key lessons to take away from the incident that can keep an organization both compliant and secure going forward.

1. Misuse of technology comes with a cost

It’s no secret that poor security practices lead to vulnerabilities and risk. With more employees working from home and adopting modern communication tools in the enterprise, vulnerabilities, threats, and risks extend well beyond the traditional perimeter. Leaders must understand the implications of misusing communication tools like WhatsApp, Signal, or any other channel employees use to connect outside their employer’s safeguarded network.

Wall Street firms like Wells Fargo Securities, BNP Paribas Securities Corp, BMO Capital Markets Corp, and eight other firms learned this the hard way when they were hit with a wave of fines over their employees’ use of unmonitored communication channels for business conversations. The SEC fined these organizations a combined $289 million. As the SEC dug into the internal communications of these companies, one thing became clear: this was not an isolated incident.

Organizations of all types should take this as an opportunity to evaluate their policies and level-set expectations with employees for all business-related communications. There is a plethora of tools that enable seamless virtual communication between employees. Guidelines on the use of these tools must be clear and must cover which channels are approved, which are prohibited, and how approved channels are captured and retained, so that the organization remains compliant with SEC recordkeeping requirements.

While the fines made a monetary impact, the “cost” could have been far worse. By discussing business in unauthorized channels like WhatsApp, employees put sensitive company information, data, and other people within the organization at risk of cyberattacks and breaches, on devices and accounts the organization neither manages nor monitors. Communication-channel governance therefore belongs inside an organization’s comprehensive cybersecurity program, not only in its compliance program.

2. Compliance requires visibility into business communications taking place in unmonitored channels on “BYOD”

In today’s technologically advanced age, the boundaries between our professional and personal lives are blurring. This shift is largely due to two interconnected trends: the rise of Bring Your Own Device (BYOD) workplace policies and the increasing use of mobile messaging apps for business communication. While these developments offer undeniable benefits, such as increased efficiency and reduced costs, they also present unique compliance challenges that must be addressed. During the SEC’s WhatsApp probe, the agency asked the firms for messages on personal devices or applications that discussed business, and many of those messages had never been captured by the firms’ recordkeeping systems.

Companies must set up clear rules to keep work information secure when employees use their own devices, respecting personal privacy while protecting corporate data. Getting this balance right is difficult but vital. IT and compliance teams must enforce robust BYOD policies that allow business communications on these devices to be captured and monitored without intruding on employees’ personal communications. Stringent, clearly communicated policies on which messaging apps may be used for business, and how, are another key step.


3. Unmonitored business communication channels introduce cybersecurity risks, too 

Spurred by digital transformation and the pandemic, businesses have moved much of their internal, external, and customer communication to workplace collaboration tools and cloud messaging apps such as Slack, Teams, WhatsApp, and Zoom. Employees frequently discuss highly sensitive topics over these apps with coworkers and customers.

While communicating through these channels helps companies operate more efficiently, it also introduces cybersecurity risk. The business use of these tools has attracted attackers who tailor their campaigns to specific communication platforms and exploit the trust users place in them. WhatsApp has already been abused in a range of social engineering attacks, and any channel that carries sensitive business data but sits outside the organization’s security controls should be expected to draw the same attention.


Maintaining Security and Compliance 

The SEC crackdown carries a valuable lesson: while technological innovation accelerates business growth, its misuse can lead to regulatory consequences. And there is more at stake than fines for using unmonitored communication tools for business discussions; those same tools create opportunities for data breaches.

The shift in communication channels from email to platforms like WhatsApp highlights that people are the biggest risk in maintaining compliance. Companies must prioritize gaining complete visibility into where business-related discussions occur in these new channels, establishing policies, training employees on handling sensitive information, and using technology to close the gaps that the probe exposed: incomplete recordkeeping, inconsistent application of communication policies, and the absence of essential cybersecurity governance.

The fallout from the SEC probe of WhatsApp and Signal use underscores the need for businesses to gain better insight into the tools their employees use to communicate, both internally and with customers. The rules keep evolving. Keeping abreast of changes, continuously educating employees, and aligning strategy with regulation go a long way toward safeguarding an organization.



Chris Lehman
Chris Lehman is the CEO of SafeGuard Cyber and has over two decades of experience in IT and data protection. With his insight into digital trends, Chris helps businesses fortify their cybersecurity strategies while navigating compliance challenges. Chris is a seasoned senior executive with over 20 years of experience at some of the world’s highest-growth and most successful technology companies. Most recently, Chris was the Chief Revenue Officer (CRO) for ExtraHop, where, over more than four years, he helped lead its transformation into the cybersecurity industry’s leading enterprise Network Detection and Response (NDR) company. During his time at ExtraHop, he was responsible for all go-to-market functions, and the company grew its ARR by over 700%, culminating in the sale of the business to Bain Capital and Crosspoint Ventures. Before ExtraHop, Chris held senior leadership positions at FireEye, Salesforce.com, EMC, and Documentum. Chris has a BA in Communications with a minor in Business Administration from the Pennsylvania State University.