The last 48 hours have brought significant attention to an otherwise “boring” compliance and record keeping world. TeleMessage (a Smarsh company), a widely used solution for capturing digital communications from various mobile messaging applications, was reportedly hacked. The attack targeted a clone of the Signal application, which enterprises and government agencies use to meet their regulatory retention obligations. But the incident has raised broader questions about the use and risks of messaging applications designed for the mass market, not for enterprises and government agencies.
Beginning in 2022, the Securities and Exchange Commission (SEC), along with the Commodity Futures Trading Commission (CFTC), brought a series of enforcement actions against financial services firms for record keeping failures. These actions focused on the failure to properly capture digital communications occurring in channels such as Signal, WhatsApp, Telegram, iMessage, and similar applications. In total, over $2B in fines were issued against these regulated firms for such “off-channel” communications.
Financial services firms, government agencies, and firms in other regulated industries have extensive record keeping requirements, which include digital communications. Over many years, these firms and solution providers developed platforms to capture digital communications from commonly used platforms like email, Microsoft Teams, Slack, Bloomberg, Thomson Reuters, Symphony, and similar applications; to store and archive them compliantly; and to provide ready access to them. This allowed organizations to meet their regulatory obligations while giving employees more communication options.
In parallel, messaging applications such as Signal, WhatsApp, iMessage, WeChat, and similar became commonplace. WhatsApp alone has nearly 3 billion monthly active users globally. These applications were designed for mass consumer adoption, for their simplicity, and for their security, including end-to-end encryption. However, they were not designed as enterprise applications that fit into a compliance control plane. In fact, they generally have no built-in mechanisms for record retention or for capture into a compliant archive.
It is important to understand that the record keeping requirements are not simply about storing some object for a requisite amount of time; the object must also be accessible via search for eDiscovery and regulatory inquiries. In addition, for many financial services firms these interactions are subject to supervision and surveillance requirements. This means a decrypted form of the communication must be available for search indexing and for analysis by supervision/surveillance tools. [It is important to note that modern archiving platforms encrypt data in motion and at rest, but the object is decrypted for operations such as indexing, supervision/surveillance, investigation, and review.]
Security has been a significant driver for the adoption of these mass-market messaging tools, especially their use of end-to-end encryption. With this approach, only the sender and the intended recipient(s) hold the keys needed to decrypt the data. Capturing the encrypted form of the object at any point between the two endpoints yields only an unintelligible and unusable copy.
So how do regulated firms and government agencies capture communications from end-to-end encrypted messaging applications that were never designed for compliant record keeping? There are multiple methods, which vary with the design of each messaging application and capture tool, but all involve some form of “middleman.” These include:
The one thing common to all of the approaches is that a decrypted form of the interaction is captured somewhere in the end-to-end flow, from where it can be routed to compliant archives or other record keeping systems. This is where the tension between security and compliance is introduced. If security were the only concern, there would be no need for a mechanism that captures a decrypted object somewhere in the flow. But regulatory requirements obligate firms to capture digital communications relevant to their business, or to the operations of a government agency, that occur in these channels.
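As an added illustration of the capture-point argument made in the two paragraphs above (this is example code written for this page, not TeleMessage's, Smarsh's or Signal's code), the following Go program models the three places a message can be observed: a transport relay that only ever sees ciphertext, the recipient's endpoint, and a capture hook at that endpoint that forwards the decrypted object to an archive. The names alice, bob, relay, Archive and the sample order text are constructed for the example, and the static X25519 key agreement plus AES-256-GCM is a deliberate simplification of a real messenger's ratcheting protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Record is what the endpoint capture hook hands to the archive: the decrypted
// object plus the metadata an archive needs for search, supervision and review.
type Record struct{ From, To, Body string }

// Archive stands in for a compliant archive. A real one re-encrypts Body at rest
// and decrypts it again for indexing, surveillance and review.
type Archive struct{ Records []Record }

// Hook returns the capture callback installed on a regulated user's endpoint.
func (a *Archive) Hook() func(from, to, body string) {
	return func(from, to, body string) {
		a.Records = append(a.Records, Record{From: from, To: to, Body: body})
	}
}

// Endpoint is one party in an end-to-end encrypted chat. The capture hook is
// the "middleman" living at the endpoint; it is nil for an unmonitored user.
type Endpoint struct {
	Name    string
	priv    *ecdh.PrivateKey
	capture func(from, to, body string)
}

func NewEndpoint(name string) *Endpoint {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Endpoint{Name: name, priv: priv}
}

func (e *Endpoint) Public() *ecdh.PublicKey { return e.priv.PublicKey() }

// SetCapture installs (or, with nil, removes) the compliance capture hook.
func (e *Endpoint) SetCapture(fn func(from, to, body string)) { e.capture = fn }

// sessionKey derives an AES-256-GCM key from the X25519 shared secret with peer.
// Assumption for this example: one static key per pair. Real messengers ratchet
// keys, but the capture-point argument is unchanged.
func (e *Endpoint) sessionKey(peer *ecdh.PublicKey) cipher.AEAD {
	secret, err := e.priv.ECDH(peer)
	if err != nil {
		panic(err)
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Send encrypts plaintext for peer and returns nonce||ciphertext, which is all
// that a transport relay, carrier or network tap can ever capture.
func (e *Endpoint) Send(peer *ecdh.PublicKey, plaintext string) []byte {
	aead := e.sessionKey(peer)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), nil)
}

// Receive decrypts a message from peer. Only the holder of the matching private
// key gets plaintext; anyone else gets an authentication failure. When a capture
// hook is installed, the decrypted object is forwarded to the archive.
func (e *Endpoint) Receive(peerName string, peer *ecdh.PublicKey, wire []byte) (string, error) {
	aead := e.sessionKey(peer)
	ns := aead.NonceSize()
	if len(wire) < ns {
		return "", fmt.Errorf("message too short")
	}
	pt, err := aead.Open(nil, wire[:ns], wire[ns:], nil)
	if err != nil {
		return "", fmt.Errorf("cannot decrypt: %w", err)
	}
	if e.capture != nil {
		e.capture(peerName, e.Name, string(pt))
	}
	return string(pt), nil
}

func main() {
	alice, bob, relay := NewEndpoint("alice"), NewEndpoint("bob"), NewEndpoint("relay")
	archive := &Archive{}
	bob.SetCapture(archive.Hook()) // bob is the regulated user
	wire := alice.Send(bob.Public(), "buy 500 ACME at market") // constructed sample message
	fmt.Printf("relay sees %d opaque bytes\n", len(wire))
	if _, err := relay.Receive("alice", alice.Public(), wire); err != nil {
		fmt.Println("mid-path capture is useless:", err)
	}
	msg, _ := bob.Receive("alice", alice.Public(), wire)
	fmt.Printf("bob reads: %q; archive holds %+v\n", msg, archive.Records)
}
```

Run it with go run: the relay's decrypt attempt fails authentication, bob's succeeds, and the archive ends up holding the one plaintext record. The point to take from it is the one the text makes: the archive's copy exists only because the hook sits on the endpoint side of the decryption, so whoever controls that hook, or the client that hosts it, has a plaintext feed that the encryption cannot protect.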
Ironically, the SEC previously confronted this tension and came down on the side of security. Historically, the SEC rules required that a designated third party have the access and capability to retrieve and produce data on behalf of a regulated firm if the firm was unable or unwilling to do so. During the comment period when the SEC was updating the record keeping requirements in 2022, the Commission received significant feedback from the industry that the third-party rule created security risks by requiring numerous outside parties to have access to critical systems. The Commission agreed and removed the third-party requirement, so long as internal individuals could fulfill the same role.
This is not to say that we cannot have highly secure capture from these messaging applications. The industry has a decade-plus of doing so in various forms, at scale, and with high degrees of integrity. But the proliferation of mass-market messaging applications that were not designed to fit within an enterprise infrastructure adds complexity, especially when trying to balance the security and compliance equation.
10 Recommendations for Messaging Application Customers
What do we know, and where does this lead us?
Perhaps the greatest irony is that scores of regulated firms and government agencies are now out of compliance. Following the hack, TeleMessage suspended its service to prevent further risk or penetration. As of this writing, there is no timeline for bringing the service back online. Millions of daily digital interactions from these messaging applications are not being captured, which is where this problem first started.