
Did Regulatory Enforcement Actions Just Lead to a Major Cyberbreach?
By George Tziahanas | May 7, 2025
Breach in the Land of Boring
The last 48 hours have brought significant attention to an otherwise “boring” compliance and record keeping world. TeleMessage (a Smarsh company), a widely used solution for capturing digital communications from various mobile messaging applications, was reportedly hacked. The attack targeted a clone of the Signal application, which is used by enterprises and government agencies to meet their regulatory retention obligations. But it has raised broader questions about the use and risks of messaging applications designed for the mass market, not for enterprises and government agencies.
Background
Beginning in 2022, the Securities and Exchange Commission (SEC), along with the Commodity Futures Trading Commission (CFTC), brought a series of enforcement actions against financial services firms for record keeping failures. These actions focused on the failure to properly capture digital communications occurring in channels such as Signal, WhatsApp, Telegram, iMessage, and similar applications. In total, over $2B in fines were issued to these regulated firms related to “off-channel” communications.
Financial services firms, government agencies, and firms in other regulated industries have extensive record keeping requirements, which include digital communications. Over many years, these firms and solution providers developed platforms to capture, compliantly store and archive, and provide ready access to digital communications from commonly used platforms like email, Microsoft Teams, Slack, Bloomberg, Thomson Reuters, Symphony, and similar applications. This allowed organizations to meet their regulatory obligations while giving employees more communication options.
In parallel, the availability and use of messaging applications such as Signal, WhatsApp, iMessage, WeChat, and similar became commonplace. WhatsApp alone has nearly 3 billion monthly active users globally. These messaging applications were designed for mass consumer adoption, for their simplicity, and for their security, including end-to-end encryption. However, they were not designed as enterprise applications that fit within a compliance control plane. In fact, these messaging applications generally have no built-in mechanisms for record retention or for capture into a compliant archive.

Capturing What is Meant to Be Hidden
It is important to understand that the record keeping requirements are not simply about storing some object for a requisite amount of time: the object must be accessible via search for eDiscovery and regulatory inquiries. In addition, these interactions are subject to supervision and surveillance requirements for many financial services firms. This means a decrypted form of the communication must be available for search indexing and for analysis by supervision/surveillance tools. [It is important to note that modern archiving platforms encrypt data in motion and at rest, but the object is decrypted for operations such as indexing, supervision/surveillance, investigation, and review.]
Security has been a significant driver for the adoption of these mass-market messaging tools, especially through end-to-end encryption. With this approach, only the sender and the intended recipient(s) can decrypt the data. Capturing the encrypted form of the object at any point between the two endpoints only yields an unintelligible and unusable copy.
So how do regulated firms and government agencies capture communications from end-to-end encrypted messaging applications that were never designed for compliant record keeping? There are multiple methods, which vary with the design of each messaging application and capture tool, but all involve some form of “middleman.” These include:
- A dedicated application that moderates the communications between the messaging application and the end user
- Clone applications based on the original (e.g. TM Signal vs. Signal), but with capture or governance capabilities added
- Registering end-user credentials with an intermediary service to capture interactions (e.g. iMessage)
- Through the cellular carrier (text messages)
The one thing common to all these approaches is that a decrypted form of the interaction is captured somewhere in the end-to-end flow, from where it can be routed to compliant archives or other record keeping systems. This is where the tension between security and compliance is introduced. If security were the only concern, there would be no need for a mechanism that captures a decrypted object somewhere in the flow. But regulatory requirements obligate firms to capture digital communications relevant to their business, or to the operations of a government agency, that occur in these channels.
Ironically, the SEC previously confronted this tension and came down on the side of security. Historically, the SEC rules required that a designated third party have the access and capability to retrieve and produce data on behalf of regulated firms if they were unable or unwilling to do so. During the comment period when the SEC was updating the record keeping requirements in 2022, the Commission received significant feedback from the industry that the third-party rule created security risks by requiring that numerous outside parties have access to critical systems. The Commission agreed and removed the third-party requirement, so long as internal individuals could fulfill the same role.
This is not to say that we cannot have highly secure capture from these messaging applications. The industry has a decade-plus of doing so in various forms, at scale, and with high degrees of integrity. But the proliferation of mass-market messaging applications that are not designed to fit within an enterprise infrastructure adds complexity, especially when trying to balance the security and compliance equation.
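To make the point concrete, here is an added Python model of where plaintext exists in an end-to-end encrypted flow once a compliance capture step is inserted. It is illustration written for this article, not code from TeleMessage, Smarsh, Signal, or any archiving product. A toy HMAC-SHA256 keystream cipher stands in for the messenger's real end-to-end encryption, the session key is assumed to have been established already by the messenger's key agreement, and the archive, the capture hook, the party names and the sample message are all constructed. It shows that a passive tap between the endpoints yields only an unusable copy, that a clone-style client capture yields plaintext for the archive, and that the archive then keeps records encrypted at rest and decrypts them only transiently for search.

```python
"""Toy model of plaintext exposure in an E2EE message flow with compliance capture.

Constructed illustration only. The HMAC-SHA256 keystream cipher below stands in
for a messenger's real end-to-end encryption, and the session key is assumed to
be pre-established between sender and recipient by the messenger itself.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC envelope laid out as nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, envelope: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on any modification."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    nonce, ciphertext, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


@dataclass
class Archive:
    """Compliance archive (constructed): records are encrypted at rest under the
    archive's own key and decrypted only for operations such as indexing and search."""
    at_rest_key: bytes
    _records: list = field(default_factory=list)

    def ingest(self, sender: str, recipient: str, plaintext: bytes) -> None:
        self._records.append((sender, recipient, seal(self.at_rest_key, plaintext)))

    def search(self, term: str) -> list:
        """Decrypt each record transiently and match the term. This is the step
        that forces a decrypted form to exist somewhere in the system."""
        hits = []
        for sender, recipient, blob in self._records:
            text = unseal(self.at_rest_key, blob).decode()
            if term.lower() in text.lower():
                hits.append((sender, recipient, text))
        return hits

    def stored_blobs(self) -> list:
        return [blob for _, _, blob in self._records]


def tap_between_endpoints(envelope: bytes) -> bytes:
    """A passive capture between the two endpoints sees only the envelope.
    Without the session key this is an unintelligible copy."""
    return envelope


def deliver_with_capture(session_key: bytes, envelope: bytes, archive: Archive,
                         sender: str, recipient: str) -> bytes:
    """Clone-app style capture (hypothetical hook): the receiving client decrypts as
    it normally would, then forwards the plaintext to the archive before display."""
    plaintext = unseal(session_key, envelope)
    archive.ingest(sender, recipient, plaintext)
    return plaintext


def run_flow(message: bytes) -> dict:
    """Send one message through the modelled flow and report where plaintext shows up."""
    session_key = os.urandom(32)  # assumed E2EE session key held by sender and recipient only
    archive = Archive(at_rest_key=os.urandom(32))
    envelope = seal(session_key, message)
    tapped = tap_between_endpoints(envelope)
    delivered = deliver_with_capture(session_key, envelope, archive, "alice@firm", "bob@firm")
    # A modified envelope is rejected by the recipient rather than decrypted to garbage.
    tampered = bytearray(envelope)
    tampered[NONCE_LEN] ^= 0x01
    try:
        unseal(session_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "tap_reveals_plaintext": message in tapped,
        "recipient_plaintext": delivered,
        "archive_search_hits": len(archive.search("acme")),
        "at_rest_reveals_plaintext": any(message in blob for blob in archive.stored_blobs()),
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    SAMPLE = b"Trade blotter for ACME is attached; call the desk at 3pm."  # constructed sample
    for name, value in run_flow(SAMPLE).items():
        print(f"{name}: {value!r}")
```

The two places where plaintext is handled, the capture hook in the receiving client and the archive's decrypt-for-search step, are the places a defender's controls have to concentrate: key management for the at-rest key, access control and audit logging around search and review, and a short-lived decrypted form rather than a plaintext store.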
Where Now?
What do we know, and where does this lead us?
- First, everybody in this space should be taking a hard look at the attack vectors, especially as more information emerges, and revisit their controls and solutions
- Second, enterprises and government agencies will likely review their policies for allowing use of these messaging applications and determine whether the value outweighs the security and compliance risks
- Third, messaging application providers might introduce additional controls, making it more difficult for the third-party vendors to capture interactions altogether
- Finally, some unwanted attention by threat actors may target a previously boring compliance and record-keeping landscape
Conclusion
Perhaps the greatest irony is that scores of regulated firms and government agencies are now out of compliance. Given the hack, TeleMessage suspended its service to prevent further risk or penetration. As of this writing, there is no timeline for bringing the service back online. Millions of digital interactions daily from these messaging applications are not being captured, which is where this problem first started.
George Tziahanas, AGC and VP of Compliance at Archive360, has extensive experience working with clients with complex compliance and data risk related challenges. He has worked with many large financial services firms to design and deploy petabyte-scale compliant books and records systems, supervision and surveillance, and eDiscovery solutions. George also has significant depth developing strategies and roadmaps addressing compliance and data governance requirements. George has always worked with emerging and advancing technologies, introducing them to address real-world problems. He has worked extensively with AI/ML driven analytics across legal and regulatory use cases, and helps clients adopt these new solutions. George has worked across verticals, with a primary focus on highly regulated enterprises. George holds an M.S. in Molecular Systematics, and a J.D. from DePaul University. He is licensed to practice law in the State of Illinois, and the U.S. District Court for the Northern District of Illinois.