Four service providers who together host the majority of investor relations websites in North America have expressed confidence that their systems are secure following high-profile leaks of unpublished earnings information in recent weeks.
None of the companies’ products were party to the leaks at The Walt Disney Company (NYSE: DIS) or at NetApp Inc. (NASDAQ: NTAP), which involved Bloomberg discovering earnings information the companies had uploaded to non-public areas of their self-hosted websites in preparation for their earnings announcements.
The Disney and NetApp incidents have prompted some to question the security of IR websites and the risk this poses to companies that may wish to use their websites for disclosure. IR Web Report’s view is that the recent incidents are due to management at the companies failing to put in place proper disclosure controls and web publishing systems, not because of any inherent weaknesses in website technologies.
To provide more information to IR departments that may be concerned about their systems, we approached four of the most prominent investor relations website providers for brief statements explaining their approaches to security, recognizing that they cannot get into specifics.
Here are the four vendor statements presented in full and in the order we received them:
Q4 Web Systems
At Q4 Web Systems, the security of client information is a primary concern. In general, we do not disclose security controls and procedures in detail as this would create unnecessary risk for our clients. Having said that, at a high level our data center and infrastructure are SAS 70 Type II certified and our application is regularly tested for intrusion and vulnerabilities. Also, because we are a software-as-a-service company and deliver our application through the cloud, we are able to react quickly with updates and patches should new security issues become known. To date, Q4 has had no incidents of security breaches or inadvertent website disclosure errors.
From a client perspective, Q4 Web is a self-publishing system that gives our clients complete control over all aspects of their investor website. As such, from a disclosure perspective our system is only as good as our clients’ disclosure controls and procedures. Our proprietary website disclosure records provide clients complete internal transparency on how employees are executing according to the company’s disclosure controls. We have found that these records have assisted companies in making improvements to their disclosure controls, resulting in a more secure disclosure environment for them.
Thomson Reuters Web Disclosure was designed with release security as a top priority. We believe it is the most secure solution available because it:
- Gives companies full control of their message creation and distribution process, eliminating the need for third parties, ensuring no one outside the company sees the release until it is published.
- Ensures that only authorized users can publish releases on behalf of the company:
  - Clients need a username and password to access our release publishing tool. These expire every 30 days, prompting them to change their login.
  - As an added security measure, our release publishing tool requires a validation code to enable the publishing of a regulatory release. This code is randomly generated for each release and emailed only to users with publishing rights at the company.
  - Symantec, a leading independent web security expert, has assessed our platform and stated: “The assessment concluded that the overall security of Release Publishing’s public facing application provides a secure means for their customers to access the services they provide.”
- Establishes the client’s IR website as a recognized primary point of disclosure by ensuring that their release and related materials are posted to the disclosure capsule on the site at exactly the same time that they reach other outlets.
  - The links to our releases are randomly generated URLs so that the URL cannot be penetrated or guessed by outside parties.
- Enables companies to publish a release immediately or schedule it for distribution at a future time so they do not need to publish from an unsecure email or mobile system.
- Allows clients to monitor how their message is resonating in real-time, so they can quickly spot any misinformation about their company.
While we don’t publish the specifics of our internal security measures (we will discuss these measures with individual clients), we do have strict procedures in place to ensure the security of our client’s materials. Our content management system, the IR Console, has been audited and certified by a licensed third party as recently as this year (2010).
With these systems in place, to date, we have not had any instances where someone was able to gain unauthorized access to unpublished information. We are continually monitoring industry developments in this regard, and will continue to enhance both our systems and procedures as necessary to ensure client materials remain secure.
NASDAQ OMX Corporate Solutions contends that the public web will continue to be the broadest and most efficient conduit for real-time disclosure. While these cases are certainly aberrations, they clearly indicate the need for increased vigilance by publicly traded companies, specifically related to the methods used to disseminate content.
As an exchange and service provider, we encourage companies to regularly assess their exposure to risk and choose trusted distribution partners that can ensure full transparency and timely disclosure, not only via the Internet but traditional methods as well. As a result, NASDAQ OMX continuously monitors its practices and dedicates comprehensive resources to provide enhanced encryption, secure servers as well as extensive training to employees for proper oversight of the disclosure process.