SPECIAL REPORT
E-Mail and Instant Messaging Face Compliance Challenges

In the financial workplace, e-mail and instant messaging (IM) are becoming essential enterprise tools. Once the province of teens chatting with their friends, instant messaging is now relied on by brokerage firms and other financial companies to maintain contact with clients. An ever-increasing number of government regulations and industry-specific rules make compliance with secure-messaging criteria mandatory.

According to analyst firm Giga Information Group, 60 percent or more of large companies use some form of instant messaging, but 90 percent of those companies have no formal IT support, and fewer than 10 percent have implemented secure, enterprise messaging.

Regulations imposed by the Securities Exchange Commission, the Freedom of Information Act and Sarbanes-Oxley make no distinction between public instant-messaging clients provided by AOL, MSN, ICQ and Yahoo (Nasdaq: YHOO) and the enterprise-messaging systems provided by Microsoft (Nasdaq: MSFT) Live Communications Server and IBM (NYSE: IBM) Lotus Instant Messaging. Regardless of the platform, financial institutions that fail to meet security compliance mandates can face significant financial and legal liabilities.

Perhaps the most stringent of the regulations involves storing electronic messages. That can cause unique problems because e-mail and messaging clients are not typically integrated into one common application. Those two separate functions each have several obstacles in meeting compliance regulations.

"We have to keep all e-mail and instant-messaging conversations on site for three years and be able to fully search the content," Richard W. Smith, the IT director at R.W. Smith brokerage, told TechNewsWorld.

Mailstore One Compliance Solution

R.W. Smith's advisers handle 1,500 to 9,000 pieces of e-mail per day alone. With no written standards for e-mail clients, finding a suitable compliance solution was a Herculean chore. Smith researched several leading software technologies before selecting MailStore by Information Management Research (IMR) to handle its SEC compliance.

According to Smith, the product's default installation needed no fine tuning and the bulk storage costs were well under what other products cost, according to Smith.

"We are able to maintain 480 GB of archives for under US$10,000 per year. Other solutions had monthly maintenance costs of $7,500 plus an initial $5,000 set-up fee," Smith said.

A major selling point for Smith was the ability to transport archives to other database architectures from the propriety storage format of MailStore's own database. That, combined with an iron-clad security process that prevents clients from accessing the archives, makes compliance with SEC regulations worry free.

"It's worth its weight in gold," Smith said about his satisfaction with MailStore.

Tougher Than Other Industries

Dmitry Shapiro, CTO and founder of Akonix.com, said security regulations are much more demanding for financial institutions than for other industries. To comply with some of the more strict regulations, instant-messaging files must be stored in a write-once-read-many format like the kind used by CD recordable discs. Also, the financial institution must prove an audit trail for all stored records. Finally, firms must be able to access all messages and make the search results available to auditors.

"Instant messaging applications natively lack those abilities," he said. "So financial agencies must solve those archiving problems to meet SEC standards."

Akonix's answer to the IM-compliance regulations is L7 Enterprise, a software package available with a one-time user license and an annual fee. Shapiro said several factors make the L7 Enterprise package worth considering. For one, he said, L7 Enterprise is widely deployed with close to 400,000 users. Many of the product's users are not financial institutions but want a reliable way to lock down IM abuses by employees and want to be able to catalog the content of business conversations.

"It deals with security, regardless of whether or not SEC compliance is needed," he said. For example, Cingular Wireless uses the application at all of its locations, he said.

FDIC Policies

In July, the Federal Deposit Insurance Corporation (FDIC) issued its 5,300 member banks and financial institutions a warning about unmangaged instant-messaging access. Its "Guidance on Instant Messaging" warned that using popular consumer IM clients -- such as Yahoo, Microsoft's MSN Messenger and AOL's Instant Messenger -- can expose companies to security, privacy and legal liability risks.

Included in these risks are viruses and worms, illegal downloading of copyrighted material, loss of confidential information and identity theft. According to the FDIC recommendations, members should protect themselves against these vulnerabilities by establishing policies and implementing solutions to allow, restrict or deny IM use based on the individual need of the enterprise.

Akonix's L7 Enterprise provides users with security, management, reporting and regulatory compliance across both public and enterprise IM systems. This includes logging, auditing, reporting and archiving features to comply with FDIC, federal, industry and internal compliance rules for electronic communications.

Shapiro said the software, just like antivirus and other network-security products, must be updated regularly. That process is handled automatically through a resident live update module. "It also functions as IM proxy, setting a firewall between the instant-messaging client and the message source," he said.

The automatically updated filters in the L7 Enterprise application introduce a layer of network security against worms and viruses that otherwise could compromise computer systems by being hidden in instant-messaging traffic.