The focus of the social media conversation is on “rewards.” What is the ROI? How much will business increase? How many new recruits and customers can my company expect to draw in through social media? However, the social media risk conversation is still emerging and forming.
This article will propose a structure for conceptualizing social media risk in the insurance industry. There are three broad risk categories, each with three subcategories. These “three rules of three” will, at a high level, both define the nature of the problem and the nature of risk management strategies.
Rule of Three Part One
The first rule of three is focused on regulators. There are three categories of regulatory risk, which need to be considered: 1) insurance regulators, 2) securities regulators, and 3) investment advisor regulators. Each of these three broad categories of regulators includes a “state” component, i.e., state insurance departments and state securities departments, with all of their laws, rules and regulations.
Each of these categories also includes a national or Federal component. FINRA (securities) and the SEC (securities and investment advice) are high-profile examples of national-level regulators. However, the Treasury Department and the IRS also act in the capacity of national-level regulators for the insurance industry, specifically on the issues of anti-money laundering and foreign asset control, and the related auditing and enforcement activities.
Laws and regulations generally focus on advertising regulations and overt criminal activity. The current, broad regulatory trend is to apply existing laws and regulations to social media. This principle is most notably set forth in FINRA Regulatory Notice 10-06.
While this document applies specifically to FINRA regulated broker-dealers, it has become something of a standard in regulatory circles both in the United States and abroad. The way to begin assessing social media risk is to simply document a company's lines of business, and list the regulatory authorities for each line of business.
The next step is to document those regulations that might apply. The answers are knowable; it merely takes familiarity with both social media and with the regulatory environment.
Rule of Three Part Two
The second rule of three reviews social media risk from a different angle. Social media is often defined in terms of 1) clouds and 2) crowds. A complete understanding of general social media risk must include 3) device risk.
Cloud risk is simply the problem of having data reside not in tightly controlled corporate environments but in the cloud. Certainly, privacy laws like those of the State of Massachusetts make transmission of non-public, personally identifiable information across unsecured lines and on unsecured sites a problem.
There are also explicit data retention requirements issued by FINRA and the SEC, and implicit data capture and retention needs to manage litigation discovery. There are regulatory risks therefore associated with capturing data, retaining data, transmitting data, and discovering data.
Crowd risk has two major components: 1) reputational risk and 2) content restrictions on employees and persons otherwise associated with a company. One way of looking at reputational risk is that corporations now share their brand with users of Web 2.0 technologies, i.e., the public.
Long gone is the luxury of managing the corporate brand through print, radio, TV, and Web 1.0. Today's reputational risk management is a science all its own, one which requires its own skill set and supporting technologies.
Content restrictions are a function of industry regulations and labor laws at a minimum. Companies will need to carefully consider their regulatory requirements for communicating with the public. On the industry side of the issue, public communications are often subject to filing requirements with one or several regulators. The specific requirements vary not only by jurisdiction, but also by the nature of the public communication.
On the labor side, privacy laws, labor laws and oversight by the National Labor Relations Board—among others—are worth a company's consideration. Industry regulations tilt toward discovery and transparency, labor laws toward employee protection and privacy. These competing needs create tensions, which will be sorted out over time through litigation and rule making as the lines between our online personal and professional lives blur.
In addition to cloud and crowd risks, there is device risk as well. Device risk needs to be considered separately from cloud risk because of the unique considerations introduced. In the past, devices were largely managed by the corporation from both the perspective of the physical device and the data plan.
Today, relatively cheap mobile devices, from smartphones to tablets and netbooks, and readily accessible personal data plans make accessing Web 2.0 outside of corporate controls a simple matter. Buy a device, buy a plan (or use free Wi-Fi), and access to social media is immediately available.
Device risk needs to be considered carefully because privacy laws create demands for password protection and encryption at a minimum. The obligation to protect data extends to employees and many people associated with a company regardless of their use of a corporate or personal device. Controls might range from development of corporate policies and education on those policies to audits and disciplinary actions for violation of corporate policies.
The Third Rule of Three
Managing social media risk is a three-part process, as it is for most risk management programs. The three parts are: 1) develop a plan, sometimes known as written supervisory procedures; 2) acquire the technologies and adequate staffing to fulfill the plan's requirements; and 3) test both the plan and its execution on a regular basis.
Each regulator has its own view on managing risk. Some, like FINRA and the SEC, have codified how and when firms test themselves. Those internal tests are themselves subject to review by FINRA and the SEC.
Others will apply a risk-based testing methodology during their biennial exam cycle, examining controls on an after-the-fact basis. Whether your company is subject to an annual internal testing requirement, or to a less frequent examination of policies and procedures, each firm is accountable for addressing and responsibly managing social media risk.
Conclusion
One risk management strategy, which is not considered in this article, is risk avoidance. Whether your firm actively participates in social media or not, your firm has its own share of social media risk.
From reputational risk to regulatory risk to privacy risk, all firms are in some way or other exposed. The firms that actively engage in social media, and create adequate risk management plans, should be well positioned to take advantage of social media's inherent marketing opportunities.
© Arc, All Rights Reserved.