The ‘Canary in a coal mine’ – A Business Cyber Risk Case Study

WhatsApp, Signal, iMessage: These everyday apps could be putting your organisation at significant risk, especially when it comes to your organisation sharing sensitive Cyber Threat Intelligence (CTI). This second instalment delves into a recent US legal case that exposes the dangers of relying on informal communication channels & underscores the need for a more structured, secure approach to CTI sharing. In September 2023, ten American financial institutions were fined over half a billion dollars for widespread recordkeeping failures related to their use of commercial instant messaging platforms (e.g., WhatsApp, Signal, iMessage). Employees at these firms, including senior managers, conducted business communications on unauthorised personal messaging platforms without preserving the necessary records, a violation of U.S. federal securities laws.

The US Securities & Exchange Commission (SEC) found that these institutions failed to properly maintain electronic records of business-related communications, as required under the Securities Exchange Act & the Investment Advisers Act. These failures deprived regulatory authorities of crucial communication records during their investigations. The fines were part of a broader crackdown by regulators on the use of “off-channel” communications that bypass official company records, potentially enabling misconduct to go undetected.

While record-keeping requirements for financial institutions, & specifically trading-related activities, are heavily regulated, the principle of sharing internal business information (such as CTI) is clearly relevant here. Regulation will always lag behind reality, but this case highlights a crucial issue for all organisations, regardless of location or industry. It’s a stark warning about the risks of sharing sensitive business information, including CTI, on unauthorised platforms.

This incident is not just instructive for Australia, but for all organisations, highlighting the importance of robust governance & compliance around communication platforms. Unauthorised CTI sharing could lead to inaccurate threat assessments, delayed responses, or even compromise of sensitive intelligence.

Beyond regulatory penalties, organisations risk data breaches, reputational damage, and legal liabilities. Organisations should prioritise auditing their communication channels & implement strict policies regarding sensitive data sharing. This includes providing training to ensure compliance and exploring secure, authorised platforms specifically designed for CTI collaboration.

This case is a stark reminder that protecting sensitive information, including CTI, demands a commitment to secure & compliant communication practices.

Originally published on LinkedIn, 21st October 2024
