Online talks: Keeping it professional

The challenge:  

Private equity firms sometimes struggle to convince staff of the importance of keeping business and personal communications separate. For one, it’s a cybersecurity concern. Secondly, people using their personal email accounts for business-related purposes can violate a firm’s confidentiality provisions as well as the record keeping requirements under the US Advisers Act. Lastly, utilizing personal email accounts for business-related activities can subject an employee’s entire personal email account to SEC scrutiny during an exam. So the challenge is: how do GPs ensure staff is keeping work and personal life separate when electronically communicating?

Jillian Timmeran’s response:

It happens all the time. An employee runs out of time at the end of the day and forwards an unfinished client presentation, including proprietary firm research, to a personal email account. Even if no one else actually sees the e-mail, mixing business and personal communications could have several adverse consequences including subjecting such data to an increased risk of cybersecurity compromise.

Unfortunately for compliance personnel, everyday violations like this one are all too common in the industry, especially given the ever-evolving landscape of communication channels. From IM and chat to apps and social media, any and all forms of recordable electronic communication that are being utilized to transmit firm business should be considered fair game in the event of an audit or investigation by the US Securities and Exchange Commission.

Chat, in particular, presents a unique set of cybersecurity challenges – thanks to the recent explosion of online and app-based platforms that allow users to circumvent traditional e-mail. Firms can find themselves in a lot of trouble here, in particular given the more casual manner in which employees may utilize such platforms. Consider the following hypothetical interaction which one might imagine being played out via GChat, WhatsApp, or dozens of other programs:

Person 1: something big occur on the street I did not hear yet?

Person 2: sec

Person 2: Call my cell

Person 2: Text me!

This chat has several major compliance issues. Firstly, it is vague and could suggest the potential sharing of material non-public information (MNPI) – a violation of both the firm’s insider trading policy and potentially federal securities laws. (Regulators have indicated that taking a conversation offline can be enough for a presumption of suspicious behavior.) Secondly, the line “text me” could be a violation of the firm’s record keeping policy, as well as the Advisers Act, as text messages are typically not automatically archived and most firm communications are required to be archived for at least five years.

Some firms have banned access to personal accounts and IMs while at work altogether. While this is an understandable policy, firms should also be aware of conversations like the one above that – even if conducted over an approved channel – seem to point to secretive knowledge or activities executed behind the scenes. In an investigation, red flags could be raised around phrases like “talk offline,” “call me,” and “let’s discuss live.” Even emoticons – being non-verbal and somewhat ambiguous by nature – should be avoided in electronic communications, lest they be misconstrued as having some sort of hidden, insidious intent.

As with all business processes, employee training is key. Emphasizing the importance of separating business and personal channels is an important step, but staff should also be aware of how to communicate appropriately when using approved company channels.