Most companies recognize the information security risks related to technology use, but the risks arising from social media and social networking remain less clear. And yet the ever-increasing business use of social media — and the blurring distinction between what is done on one's own behalf or on behalf of an employer — makes it imperative for businesses to fully understand, evaluate, and mitigate these risks.
Social media and networking have become essential parts of today’s corporate sales and marketing strategies. Generally speaking, social media relates to content such as an individual’s personal opinion, observation, knowledge, or other information posted on social websites, in blogs, via online video sharing, or in making comments about others’ posts, and so on. Social networking, while it has a content component, is more about the connections people make and the communities they form with peers.
Cyber liability is the fastest growing area of commercial insurance in the world right now. Organizations are realizing that the risk is real, that they're not quite as secure as they thought and, therefore, they're taking steps to transfer that exposure to insurance companies.
Like any essential business technology, social media and networking can present substantial risks for companies, including:
• The loss of valuable intellectual property through users’ sharing of copyrighted and trademarked information (notably a risk for media companies).
• Personal injury — libel or defamation risks — as a result of an individual’s defamatory social media remarks for which the employer is held responsible.
• The spread of inaccurate or intentionally false information about a company’s operations, particularly during critical periods, for example, ahead of a corporate earnings announcement or following a natural disaster.
• Negative and quick-spreading commentary about a company’s business practices — for example, its customer service or charitable donations.
All of these examples carry a measure of reputation risk. In the absence of savvy management of social media and networking exposures, particularly during times of crisis, organizations could experience sudden and material impact to their brands and market values.
The posting of one video that “went viral” referring to an airline’s poor customer service, for example, was accompanied by a 10 per cent drop in that company’s stock price. Meanwhile, a C-suite executive at a retail firm who shared company information via a personal social media account was fired, and a technology company executive became the target of a Securities and Exchange Commission investigation for sharing potentially material information via a corporate social media account.
According to analysts at Marsh Canada, social media and networking also bring substantial security risks and allow new ways for hackers to infiltrate corporate networks. Users regularly share seemingly innocuous personal data with others — for example, dates and places of birth, the names of relatives and pets, education history, and other information.
All too frequently, personal data is used to create corporate passwords or as answers to security questions in obtaining or changing passwords. (For example, “What is your spouse’s name?”) Armed only with access to an individual’s public social media profile and knowledge of his employer’s email address naming convention (e.g. [email protected]), a hacker could have all of the information necessary to access a corporate email system, intranet, and, potentially, its most valued corporate and customer information.
Similarly, social media and networking have become a new venue for “phishing” attacks, through which criminals seek to obtain usernames, passwords, and financial and other information. Hackers, criminals, and others also frequently entice social media users to download benign-looking but malicious content, often masked by seemingly harmless shortened URLs.
Unfortunately, there is no easy way for businesses to eliminate their social media and networking risks. Simply disengaging from social networks will not prevent customers and others from continuing the conversation about a company. And blocking employees’ use of social networks on corporate systems will not prevent them from accessing those same networks on their personal computers, mobile phones, and other devices.
Still, there are steps that organizations can take to reduce exposures, beginning with establishment of firm-wide social media and networking policies and procedures. Although there are no hard and fast rules about the use of social media, corporate policies should:
• Identify who has the authority to post what information on which social media.
• Ensure any postings to social media are coordinated with necessary disclosures through traditional means of communication (for example, press releases, earnings statements, or other disclosures).
• Consider legal requirements (for example, employment and intellectual property law).
• Ensure appropriate training for all colleagues.
• Be reviewed and updated on a regular basis.
These policies should address differences between professional and personal use of social media. It is important that businesses and employees be aware of how the two can interact and affect security. Risk managers and others involved in developing and enforcing social media policies should ensure that corporate training includes advice on maintaining secure passwords and identifying phishing attacks.
Beyond establishing social media use policies, companies should consider social media as part of their broader approach to managing cyber risks, including risk transfer options. Risk assessments, for example, may demonstrate how social media might contribute to network security exposures, such as theft of intellectual property.
Working closely with experienced insurance and risk advisors, companies should consider whether privacy and computer security insurance is appropriate for them. Such insurance provides direct loss and liability protection for risks created by the use of technology and data in day-to-day operations — including social media. Among other things, such policies are able to address:
• Protection for claims arising from a failure of computer security to prevent or mitigate a computer attack.
• Protection for claims arising from a disclosure or mishandling of confidential information — whether electronic or hard copy.
• Protection for the intentional acts of rogue employees and vicarious liability for a privacy breach by third-party vendors or business process outsourcing firms.
• Coverage for defense of regulatory actions, including affirmative coverage for assessed fines and penalties.
Cyber policies can also include a fund for public relations and crisis management in connection with a crisis event relating to a failure of computer security or breach of privacy.
The value of social media and networking, for both individuals and companies, is undeniable. These sites enable individuals and their peers to share personal updates ranging from the mundane to the momentous, reconnect with old friends and find new ones, join online communities, search for jobs, and find information. For many businesses, social media is now a critical component of corporate sales and marketing strategies and a means for customers and employees to communicate with one another.
But as with any new tool, social media comes with unforeseen, emerging, and evolving risks. Protecting an organization against social media risks requires a mix of sound policy, awareness of regulations, risk mitigation, and insurance.
Michael Petersen, managing director at Marsh Canada Limited, is the author of this article.