Thoughts on Handling Sensitive News and Information

Many in our industry are following recent news that several business wire services including Business Wire, PR Newswire and Marketwired were hacked by an insider trading ring seeking to profit from non-public information. Federal investigators allege the hacking ring pocketed more than $100 million from illicit trades over a five-year period by obtaining information contained in more than 150,000 press releases before their scheduled delivery.

It isn’t the first time hackers targeted non-public information to make money and it likely won’t be the last, despite measures the news services are taking to assure clients that their systems are secure.

Here is an excerpt from a statement Business Wire posted on its website after the hacking was revealed August 11:

In addition to working closely with the U.S. Government, Business Wire proactively hired a prominent cybersecurity firm to conduct additional forensic testing of its systems, and to provide assurance that Business Wire’s network is fully operational and secure.

“Security is our number one concern at Business Wire,” said Cathy Baron Tamraz, the company’s CEO. “We devote substantial resources annually to security, including multiple security audits by leading industry consultants. Protecting the confidential information of our clients is of paramount importance. Despite extreme vigilance and commitment, recent events illustrate that no one is immune to the highly sophisticated illegal cyber-intrusions that are plaguing every aspect of our society.”

It’s extremely important that news wires keep information secure between the time it is uploaded and the time it is released, an issue of vital concern to both public and non-public companies. Sensitive news about such matters as mergers and acquisitions, new product launches or changes affecting key executives must remain secure until released.

There are steps you can take to ensure information remains secure and confidential until you are ready for it to become public. Here are a few suggestions:

  • Timing – When preparing information for public release, determine the best time to upload the information to a wire news service. The less time the information is on a server, the better. For public companies, upload news releases after market close or in the morning before the market opens.
  • Email encryption – If your firm is planning to release important and/or sensitive news, there are multiple options to help ensure it remains secure. You can download or purchase extra software that plugs into your email system, or install an email certificate. With a certificate, your users share a public key with anyone who wants to send them an email and use a private key to decrypt any emails they receive. Another option would be to use a third-party encrypted email service. Encryption can be in place permanently or only during specific periods when sensitive information is being prepared for release. It also can be used for information beyond email.
  • Keep the circle small – When planning for the release of sensitive information, the fewer people who have access to the information the better. Even among trusted colleagues, it never hurts to remind your team not to share information with family, friends or co-workers.
  • Passwords – Make sure your passwords are strong, as well as security questions and answers if you use them. Passwords should have upper and lower case letters, along with numbers and/or punctuation, so that they are not English words. You can use How Secure is My Password to check for strength.
  • Confidentiality – Mark documents that are private and confidential. For legal matters, copy legal counsel and mark the documents privileged. Reinforcing the importance of knowing when and when not to share information is key.
  • It’s in the cloud – Companies with IT departments or staff understand the need to contract with proven, trusted providers to help ensure security. The Cloud Security Alliance (CSA) has a cloud controls matrix that offers basic security principles for cloud vendors and cloud users to help assess the overall security risk of a cloud provider.
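To make the email encryption suggestion above concrete, here is an added example (not part of the original post) that uses the OpenSSL command line to encrypt a draft release to one recipient's certificate and shows that a different key pair cannot open it. The names counsel and outsider, the file names and the sample text are constructed for illustration, and the self-signed certificates stand in for the email certificates a certificate authority would issue.

```shell
#!/bin/sh
# Added illustration: certificate-based (S/MIME) encryption of a draft release.
# Identities, file names and the sample text are constructed for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE='EMBARGOED: constructed sample release text'

# Create a private key plus a self-signed certificate for identity $1.
# The .crt (public key) is what gets shared; the .key never leaves its owner.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1.example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Sender side: encrypt the draft so that only the holder of $1's private key
# can read it. Only the recipient's certificate is needed here.
encrypt_for() {
    printf '%s\n' "$SAMPLE" > "$WORK/draft.txt"
    openssl smime -encrypt -binary -aes256 \
        -in "$WORK/draft.txt" -out "$WORK/draft.p7m" "$WORK/$1.crt"
}

# Recipient side: try to decrypt with $1's certificate and private key.
# Prints the plaintext on success, returns non-zero on failure.
decrypt_as() {
    openssl smime -decrypt -binary -in "$WORK/draft.p7m" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# True if the embargoed text is readable in the file as stored or sent.
plaintext_visible() {
    grep -q 'EMBARGOED' "$WORK/draft.p7m"
}

make_identity counsel && make_identity outsider && encrypt_for counsel

echo "counsel reads: $(decrypt_as counsel)"
decrypt_as outsider >/dev/null || echo "outsider: cannot decrypt"
plaintext_visible || echo "stored message contains no readable release text"
```

The encrypted file is what sits in a mailbox or on a server, so a copy taken from there is unreadable without the recipient's private key.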

The bottom line is that even with strong proactive efforts, information online is not always secure. The recent hacking incidents remind all of us that we have to be vigilant in protecting confidential information.