The focus of the social media conversation is on “rewards.” What is the ROI? How much will business increase? How many new recruits and customers can my company expect to draw in through social media? However, the social media risk conversation is still emerging and forming.

This article will propose a structure for conceptualizing social media risk in the insurance industry. There are three broad risk categories, each with three subcategories. These “three rules of three” will, at a high level, both define the nature of the problem and the nature of risk management strategies.

Rule of Three Part One

The first rule of three is focused on regulators. There are three categories of regulatory risk, which need to be considered: 1) insurance regulators, 2) securities regulators, and 3) investment advisor regulators. Each of these three broad categories of regulators includes a “state” component, i.e. state insurance departments and state securities departments, with all of their laws, rules and regulations.

Each of these categories also includes a national or Federal component. FINRA (securities) and the SEC (securities and investment advice) are high profile examples of national level regulators. However, the Treasury Department and the IRS also act in the capacity of national level regulators for the insurance industry, specifically on the issue of anti-money laundering and foreign asset control, and related auditing and enforcement activities.

Laws and regulations generally focus on advertising regulations and overt criminal activity. The current, broad regulatory trend is to apply existing laws and regulations to social media. This principle is most notably set forth in FINRA Regulatory Notice 10-06.

While this document applies specifically to FINRA regulated broker-dealers, it has become something of a standard in regulatory circles both in the United States and abroad. The way to begin assessing social media risk is to simply document a company's lines of business, and list the regulatory authorities for each line of business.

The next step is to document those regulations that might apply. The answers are knowable; it merely takes familiarity with both social media and with the regulatory environment.

Rule of Three Part Two

The second rule of three reviews social media risk from a different angle. Social media is often defined in terms of 1) clouds and 2) crowds. A complete understanding of general social media risk must include 3) device risk.

Cloud risk is simply the problem of having data reside not in tightly controlled corporate environments but in the cloud. Certainly, privacy laws like those of the State of Massachusetts make transmission of non-public, personally identifiable information across unsecured lines and on unsecured sites a problem.

There are also explicit data retention requirements issued by FINRA and the SEC, and implicit data capture and retention needs to manage litigation discovery. There are regulatory risks therefore associated with capturing data, retaining data, transmitting data, and discovering data.

Crowd risk has two major components: 1) reputational risk; and 2) content restrictions on employees and persons otherwise associated with a company. One way of looking at reputational risk is that corporations now share their brand with users of Web 2.0 technologies, i.e. the public.

Long gone is the luxury of managing the corporate brand through print, radio, TV, and Web 1.0. Today's reputational risk management is a science all its own, one which requires its own skill set and supporting technologies.

Content restrictions are a function of industry regulations and labor laws at a minimum. Companies will need to carefully consider their regulatory requirements for communicating with the public. On the industry side of the issue, public communications are often subject to filing requirements with one or several regulators. The specific requirements vary not only by jurisdiction, but also by the nature of the public communication.

On the labor side, privacy laws, labor laws and oversight by the National Labor Relations Board—among others—are worth a company's consideration. Industry regulations tilt toward discovery and transparency, labor laws toward employee protection and privacy. These competing needs create tensions, which will be sorted out over time through litigation and rule making as the lines between our online personal and professional lives blur.

In addition to cloud and crowd risks, there is device risk as well. Device risk needs to be considered separately from cloud risk because of the unique considerations introduced. In the past, devices were largely managed by the corporation from both the perspective of the physical device and the data plan.

Today, relatively cheap mobile devices from smart phones to tablets and netbooks and readily accessible personal data plans make accessing Web 2.0 outside of corporate controls a simple matter. Buy a device, buy a plan (or access free Wi-Fi) and access to social media is immediately available.

Device risk needs to be considered carefully because privacy laws create demands for password protection and encryption at a minimum. The obligation to protect data extends to employees and many people associated with a company regardless of their use of a corporate or personal device. Controls might range from development of corporate policies and education on those policies to audits and disciplinary actions for violation of corporate policies.

The Third Rule of Three

Managing social media risk is a three-part process, as it is for most risk management programs. The three parts are: 1) develop a plan—sometimes known as written supervisory procedures; 2) acquire the technologies and adequate staffing to fulfill the plan requirements; and 3) test both the plan and its execution on a regular basis.

Each regulator has its own view on managing risk. Some, like FINRA and the SEC, have codified how and when firms test themselves. Those internal tests are subject to review themselves by FINRA and the SEC.

Others will apply a risk-based testing methodology during their biennial exam cycle, examining controls on an after-the-fact basis. Whether your company is subject to an annual internal testing requirement, or to a less frequent examination of policies and procedures, each firm is accountable for addressing and responsibly managing social media risk.

Conclusion

One risk management strategy, which is not considered in this article, is risk avoidance. Whether your firm actively participates in social media or not, your firm has its own share of social media risk.

From reputational risk to regulatory risk to privacy risk, all firms are in some way or other exposed. The firms that actively engage in social media, and create adequate risk management plans, should be well positioned to take advantage of social media's inherent marketing opportunities.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.