The use of "collaboration" applications including Microsoft Teams and Skype for Business is a growing risk to investment adviser electronic communication compliance, according to a new survey of IT and compliance professionals.
The recent survey by Smarsh, a firm specializing in cloud-based archiving solutions, showed that many firms which allow the use of collaboration platforms lack any written policy concerning such collaboration and also do not have an archiving or supervision solution in place.
Such platforms offer a list of business applications including instant chat, file sharing, storage, calendar distribution, and diverse communication modes such as text, calls and video in a convenient centralized solution. Smarsh surveyed more than 300 information technology (IT) and compliance leaders, most of whom were personally responsible for electronic communication compliance within their firms.
Firms without a proper policy for use, supervision, and retention for collaborative platforms face greatly increased regulatory risk, the survey showed.
According to Smarsh, the collaboration channels are quickly becoming the “one-stop shop” for a growing list of business applications. The applications are also dynamic, with new integrations and capabilities being added every day.
The survey found a majority of those respondents who allow the use of a collaboration platforms have standardized on Microsoft products (Teams or Skype for Business). The platform offered by Slack is also widely, used with 13% of the respondents using its system.
In addition, online meeting applications present an emerging risk. In fact, as platforms add modalities and capabilities, the meeting solutions and IM/collaboration platform categories are converging, according to Smarsh. Therefore, firms must consider the use of meeting applications like Zoom and WebEx Teams when forming policies and procedures for proper supervision of collaborative applications.
Firms also must find a way to properly supervise the meeting applications as they may include live, recorded video, and voice traditionally found only on the unified business communication solutions. One-third of those surveyed say they allow the use of meeting applications without any restrictions or policies governing use.
The survey found that 41% of the 300 respondents have no defined policy to support usage or restriction on enterprise-wide collaboration platforms. Additionally, approximately 17% of those surveyed put policies in place prohibiting the channel. A prohibitive approach to technology and assuming employees will know it falls into a restricted category can often be challenging.
While prohibition can often be a quick and initial response to new and quickly changing technologies, those who attempt to enforce it often have little or no confidence they could prove adherence to the prohibition. Smarsh also found among firms that prohibit the use of collaboration platforms, 42% lack a specific policy on the prohibition.
The lack of an archiving and supervision solutions to this type of technology application is also a risky proposition, said Smarsh, which provides such services. Smarsh found that 24% of those who allow collaboration platforms have no means of supplying associated communications data or records if required. Therefore, the lack of policies and the inability to achieve or supervise makes collaboration platforms the second highest source of communications compliance risk among the survey respondents, following text and SMS messaging.
The Smarsh survey highlighted the compliance risks presented by the use of collaboration software, and now compliance teams should heed the warning. A firm must incorporate the use of the applications in the firm’s policies and procedures and take steps to ensure the capture of data that is contained in the applications.
Smarsh also found that new integrations and capabilities are being added every day. For example, through “auto upgrade” from Skype for Business to Microsoft Teams, Microsoft may be introducing a variety of new capabilities that compliance teams should evaluate before enabling access to regulated users.
Therefore, compliance departments should evaluate features offered in new collaborative tools. Additionally, firms should take extra care in assessing interactive capabilities such as persistent chats that will complicate supervisory review in compliance tools designed for email and static messaging, according to Smarsh.
Lastly, a strong policy and supervisory structure may fail without proper training. Therefore, an advisory firm’s training program should cover what types of collaboration applications can be used for business and the risks involved in using one that isn’t being monitored.