Jumping the gun


Note: In keeping with the AIRA Chatham House Rule policy the first example of the following article is unattributed. The below mentioned “Local Company” has assisted AIRA in writing the article, with the view to support and further educate fellow AIRA members, and enhance best practice Investor Relations. We thank them for this valuable contribution…

At the recent Sydney Australasian Investor Relations Association (AIRA) Chapter lunch, one of our corporate members recounted an instance of inadvertent early disclosure of a results announcement via its company website. In this article, we discuss the circumstances that led to this situation, highlight a similar instance from overseas, look at how this is something that could increasingly be an issue given changes in technology, and suggest some key learnings for investor relations and communications professionals.

Local Example

The company was finalising its results presentation the night before release of the results to the market… as is not uncommon for many AIRA members. The presentation, along with market announcement and financial statements were due to be signed off by the board early the next morning so all documents could be filed with the relevant exchanges before market open.

IR, Communication and Finance people were working on the presentation in the same room, emailing the document between each other and finalising it to prepare for publication. This included the Communications person uploading the slide deck to the back end of the company’s investor website ‘in development mode’, which was understood to mean it was not accessible by anyone browsing the website: no link was created to indicate “click here to download our HY16 Results”, so the file was considered to be effectively ‘hidden’. In the past there had been no issue using the development part of the website, which was hosted by an external software company. In this instance, however, the approach exposed a significant risk: a file that is not linked from any page is still served to anyone who requests its URL.

Unknown to the company, the pdf of the presentation had been stored at a URL that could be reached externally, and a Bloomberg news bot scraped the company website after the document was uploaded. In spite of the company website having no clickable link to the document, the Bloomberg bot downloaded the pdf, named it correctly and posted it to the Current News page of the company’s equity section on the Bloomberg network, i.e. <XXX AU> <Equity> <CN> <Go>. This occurred after the market had closed, but some 12 hours before the document was due to be approved by the board and released to the exchange.

The company was only made aware of this when contacted by a sell side analyst who was still working, had received a Bloomberg alert and had downloaded the document. He rang the IRO to confirm it was the latest, correct version. The version he referred to had been changed by the CFO and IRO only approximately 5 minutes earlier!

Initially it was thought that in emailing the slide deck to each other one of the three working on the presentation had inadvertently emailed it to someone externally, who had leaked it to Bloomberg. But that was quickly (and frantically) discounted. The IRO quickly went into Crisis Management mode, escalating the issue to the CFO and CEO in accordance with best practice.

The Bloomberg help desk in Singapore was reached after numerous attempts using the <HELP> function on the company’s terminal. They were helpful and, having understood the situation and the fact that the document had not been authorised for release, agreed to pull it from the system. However, the Bloomberg team warned the company that pulling the document would not stop the bot: it was still active and would continue to scrape the company website, so the link itself had to be removed completely. The company’s entire website had to be taken down to make sure the document was no longer there to be scraped. The IRO and Communications people were unable to find the problematic link by looking at all external facing links on the site; Bloomberg were eventually able to provide the exact URL from which the bot had fetched the document.

In the time that the document was live on Bloomberg it had been downloaded three times: once by the analyst, once by the company, and once by someone else, who to this day is unknown. The company sent an email to the analyst that night indicating that Bloomberg had received the presentation in error, was not authorised to do so and the analyst should not rely on any of the information in it being correct.

Lessons learnt:

  • Preparing the documents after market close was ultimately the only thing that saved the company from having to make an unplanned disclosure when the document was leaked
  • Analysis indicates that there are a large number of cases in which bots sweep corporate websites for new or sensitive information, and they do not need a visible link to fetch a file
  • Documents should only ever be uploaded to a website (or even a test website) after they are confirmed live on the exchange – a delay of a few minutes to ensure the document is already public is ultimately a better outcome
  • Some companies use a direct link to the exchange releases on their own investor site to eliminate the risk around uploading documents – this may remove the ability to customise the look and feel of the investor site, but it means there is never an unreleased file on the company’s own server to be found
  • Make sure that you have a plan in place to manage a situation where sensitive information or documents are inadvertently released, including who can take the site down and who can reach the data vendors

US Example – by Dean Laffan – iReport

Analysts following a certain stock, which we’ll call ‘Newco’, were preparing for the release of Newco’s Full Year Results. In reviewing Newco’s previous releases in the days prior to the announcement and earnings call, the analysts noticed that the company was quite regimented in how it named the PDF files it released. Let’s say it was Newco’s FY15 Results that were about to be released; the previous three release documents had been named as follows:

Newco_HYR_15.pdf
Newco_FYR_14.pdf
Newco_HYR_14.pdf

From the above, it was reasonable to assume that the new file to be released the next day would be called ‘Newco_FYR_15.pdf’

The documents were also always uploaded to the designated section of Newco’s website, where the location URL might have looked something like this:

www.newco.com/investors/downloads/SECFilings/

The analysts supposed that if Newco repeated the same procedure as before, it might upload the document ahead of public release in the belief that, since there was no direct link to the file, it would be safe. If so, the file should be found at:

www.newco.com/investors/downloads/SECFilings/Newco_FYR_15.pdf

The two analysts ordered pizza and waited, refreshing the url every 10 minutes or so. Voila! at about 8:00pm the night before the release, once uploaded by Newco staff, the PDF file appeared in their browser and was promptly downloaded.

Once again, no direct link had been made to the file and it had not yet been released to the SEC, yet it was exposed.

Key take-aways from this example:

  • It is imperative that you do not upload the files to your website in any way until after they have been confirmed as published on the ASX.
  • Note, there is nothing inherently wrong with the predictable naming of Newco’s PDF files. Once released to the market, the ‘guessability’ of the file name is irrelevant. Obscuring the file name is not the answer, rather it is following proper procedure.
  • Investigate the full ‘chain of custody’ for all your ASX releases, especially those documents that may originate or be handled outside of the investor relations or company secretary domain. For example, presentations generated in your business services or in-house design departments, where awareness of these issues may not be front of mind.
  • Ensure that upload of the documents is done by a staff member suitably cognisant of the importance of keeping these documents offline until they have been properly released to market.
  • Finally, also be wary of a website Content Management System (CMS) that lets you ‘schedule’ release of documents at a predetermined date and time. In most cases the PDF is on the server from the moment you upload it; only the link is generated and published at the time you specify, so the PDF is discoverable in the meantime in exactly the fashion described above. Have a candid conversation with your IT department to fully understand how your website works in this area.
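The check below reproduces what the two analysts did, turned into something an IR team can run against its own site a few minutes before a scheduled release: guess the next filename from the naming convention, then ask the web server for it directly, without going through any page link. It is an added example written for this article, not code from AIRA, iReport or ‘Newco’. The folder and naming pattern are the ones in the Newco example; the host is a throw-away local server built inside the script so that it runs offline, and the file contents and index page are constructed. Pointing probe() at a real hostname is the only change needed to use it for real.

```python
"""Probe an investor site for an unreleased document at its predictable URL.

Added example for this article (not AIRA's, iReport's or 'Newco's' code).
The folder and naming convention come from the article's Newco example; the
server, file contents and index page below are constructed so the script
runs offline. probe() against a real host is the pre-release check.
"""
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Folder and naming convention taken from the article's 'Newco' example.
DOC_PATH = "/investors/downloads/SECFilings/"
RELEASED = ["Newco_HYR_15.pdf", "Newco_FYR_14.pdf", "Newco_HYR_14.pdf"]


def next_filenames(released):
    """Guess the next release names from the observed Newco_<HYR|FYR>_<yy>.pdf
    pattern: after HYR_15 comes FYR_15, then HYR_16 (an analyst's order)."""
    latest = sorted(released, key=lambda n: (int(n[-6:-4]), n[6:9] == "FYR"))[-1]
    prefix, period, yy = latest[:-4].split("_")
    yy = int(yy)
    if period == "HYR":
        guesses = [(prefix, "FYR", yy), (prefix, "HYR", yy + 1)]
    else:
        guesses = [(prefix, "HYR", yy + 1), (prefix, "FYR", yy + 1)]
    return [f"{p}_{per}_{y:02d}.pdf" for p, per, y in guesses]


def probe(base_url, filename, timeout=3.0):
    """HEAD the guessed URL with no referrer and no link. 200 = already exposed."""
    req = urllib.request.Request(base_url + DOC_PATH + filename, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_documents(base_url, released):
    """Pre-release check: which of the guessed names is reachable right now?"""
    return {name: probe(base_url, name) for name in next_filenames(released)}


def _serve(root):
    """Start a local static server rooted at `root` (stand-in for the CMS host)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Rebuild the Newco situation locally and run the check against it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, *DOC_PATH.strip("/").split("/"))
        os.makedirs(docs)
        for name in RELEASED:
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(b"%PDF-1.4 released\n")  # constructed placeholder
        # The unreleased deck, uploaded 'in development mode' or scheduled in
        # the CMS: it sits in the same folder but nothing links to it.
        with open(os.path.join(docs, "Newco_FYR_15.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 draft, not yet filed\n")  # constructed
        # index.html links only the released files and suppresses directory
        # listing, so the draft is 'hidden' as far as site navigation goes.
        links = "".join(f'<a href="{n}">{n}</a><br>' for n in RELEASED)
        with open(os.path.join(docs, "index.html"), "w") as fh:
            fh.write(f"<html><body>{links}</body></html>")

        srv, base = _serve(root)
        try:
            return exposed_documents(base, RELEASED)
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, status in demo().items():
        flag = "  <-- EXPOSED before release" if status == 200 else ""
        print(f"{name}: HTTP {status}{flag}")
```

Run it and Newco_FYR_15.pdf comes back HTTP 200 while the not-yet-uploaded Newco_HYR_16.pdf comes back 404: the server answers for whatever is in the folder, and the absence of a link on the page makes no difference. This is also why the local company’s IRO could not find the exposure by inspecting external facing links. The same check turned around is the operational rule from both examples: until the exchange has published the release, a probe of the predictable URL must return 404, and the only reliable way to guarantee that is not to upload the file at all.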

 

Dean Laffan is the founder of iReport the one-stop shop for all your design, communication, staging and technical needs for the events on your IR calendar. See more at www.ireport.com.au and our webcasting arm at www.streamit.net.au

Dean has worked extensively in the PDF format for over 15 years and as a member of the Acrobat Global Advisory Board.


Who’s Looking Over Your Shoulder?

“Digital files cannot be made uncopyable, any more than water can be made not wet.”
– Bruce Schneier



Web 2.0 has been a great boon for communications. But for Investor Relations operatives who deal with restricted information there are any number of dangers when handling market sensitive and other commercially sensitive material. Some of them are well documented: network and wireless security, IT departments handling the surge in BYOD (Bring Your Own Device) at work. But here are some others you may not have considered.

Here’s a quick run down, in no particular order, of some potential security and privacy dangers from everyday tools you may use in your work day. These risks will vary from person to person. The hard drive contents of a junior employee will pale in comparison to the laptop of your CFO, but perhaps all are food for thought.

Google the phrase ‘The Death of Anonymity’ and you’ll see a slew of articles from any number of gurus outlining the sheer amount of tracking that various websites impose on us now. Here is security uber-maven Bruce Schneier on Bloomberg.

Bruce has so much of this stuff in his head he could write a book … oh wait he already has.

But it’s not just the social sites like Facebook we need to think about. For instance, do any of you use something like Evernote? Evernote is a digital file folder that lets you collect URLs, images, notes and all sorts of other data, then access them from anywhere, which it achieves by storing all your data in the cloud. The problem is that if this were research on an acquisition or another sensitive topic, not only would Evernote know all about it, so could anyone who can access your Evernote account.


Of course every cloud vendor talks about how secure they are, but is that true? Ask a customer of online dating site Ashley Madison! I’ve used Evernote as an example, but any service you use that stores your data in the cloud has the same potential weakness. No one is safe when it comes to information in the cloud and on servers anywhere; witness the North Korean hack against Sony and, most recently and famously, the Russian attack against the DNC prior to the recent US election.

Remember, about 10 years ago, one of the first celebrity cases, when Paris Hilton’s phone was famously hacked? Note that it wasn’t the physical phone she carried which was illegally accessed, but rather the cloud based backup of her phone’s data at T-Mobile.

Likewise, in the News of The World scandal the breach of data was achieved by hacking the cloud based voice mail held by the victim’s network provider, not the actual phone. So it’s pretty clear that if it’s in the cloud and part of a publicly available product, it can be accessed without your consent.

For the same reason we strongly dissuade our clients from using the vertigo inducing Prezi for anything even slightly resembling a confidential presentation. Prezi comes in three flavours, only the Premium version of which allows you to create Prezis on your desktop rather than in the cloud. But you really can never know how much data leakage occurs with any of these types of cloud services.

On a slightly different note, have you ever used a web based mail service like mail2web to access your regular email addresses? If you do, realise that to use the service you need to give them your email address and password. Would you ever do that if, say, someone at a call centre asked you?

Likewise, many millions of people use Gmail and Google Docs. Look at the terms of service and you will see that Google reserves the right to robotically scan your mail and use that data to better target the information they present to you (advertising). Here is the clause in question from their Terms of Service:

“Our automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.”


Similarly, when using Chrome, Google stores your searches, partial searches, all of your bookmarks and other sync data including allocating your computer a unique ID number which Google says is only there to confirm successful installation, but it is not deleted after install.

The other range of services and companies in which we place great trust is the recent boom in services which allow us to transfer digital files too large for email: businesses such as YouSendIt (now rebranded as Hightail), WeTransfer and SendThisFile, just to name a few.

All of these companies are holding and daily transferring terabytes of data globally, including all sorts of corporate assets such as reports, drafts, brochures, videos, design mock-ups and so on. I use WeTransfer these days, and I did read their 4,000 word Terms of Service. It seems benign (they promise not to peek at your files) and I’m sure they are lovely folk, but as the recently famous saying goes, “When something online is free, you’re not the customer, you’re the product.” How can we be sure that any of these companies is not running scans over our data? We simply can’t.


In 2014 the well-known file sharing service Dropbox appointed Condoleezza Rice to its board. Rice was one of the key architects of the massive NSA monitoring of domestic phone and internet records exposed by Edward Snowden. Snowden has described Dropbox as ‘hostile to privacy’ and recommends use of a ‘zero knowledge’ service such as SpiderOak, which works in a similar way to other file sharing and chat services but where all files are encrypted on your own device, so that even SpiderOak itself cannot read them.

The value proposition of SpiderOak is that even if forced to hand over data to authorities, SpiderOak cannot assist in decrypting the information and has no desire to do so. Note: I am not vouching for the efficacy of SpiderOak, AIRA members should be guided by their own internal best practice. i.e. Speak to your own in-house cyber-nerds in IT.

So what is the solution? Well, I sure don’t have a silver bullet, and if I had one it might be out of date tomorrow. As knowledge workers in the field of Investor Relations we have to receive and transmit digital files of varying degrees of importance and confidentiality. What is clear, as recent events concerning the US, Russia, Sony, Wikileaks, Mossack Fonseca et al. indicate, is that this is a constantly moving target, and we should ensure we are briefed regularly on best practice by our own experts.