Keeping financial data secure: Best practices for investor relations websites
Published on May 16th, 2011 by Matt Farlie
A rash of incidents in recent financial quarters has seen public companies (including Disney, Microsoft and others) prematurely disclosing their earnings information — from news posting early to their website, to lags between the time of distribution and posting, to files containing material information made available online ahead of time. With the rising importance of investor relations websites as recognized communications channels, it’s only getting worse. In addition to individual snoopers, news agencies and market intelligence firms now have automated crawlers that scour corporate IR sites during earnings season, looking for news ahead of an official announcement or posting.
Many of these incidents have to do with a content management system (CMS) publishing tool being used incorrectly, or a client who is self-publishing content on their own website without the assistance of a CMS tool. (If used correctly, it should be noted, CMS software provides infinitely more safeguards and conveniences than do-it-yourself publishing and posting of material news.)
These incidents of premature disclosure have highlighted the need for security and careful coordination in the processes and systems that companies use to maintain and update their IR websites. Following are some best practices and recommended tips to help you keep your news secure, and ensure that it’s only made public at the appropriate time.
- Coordinate your distribution and posting times.
Whether or not you use a CMS to update your website, be sure that your news is posting online at the closest time possible to when it’s going out on any push-distribution channels, such as a newswire, Facebook fan-page update or a Twitter account. Some of the recent incidents have seen news posted to corporate IR sites 15 or 30 minutes before it’s sent out via a push announcement. If you’re going for a Web-only disclosure, this may work, but if you want a coordinated, simultaneous effort across multiple channels – to cover all the bases – you need to ensure that it will be synchronized.
- Use scheduled publishing.
A good CMS will allow you to compose a page or linked-file ahead of time and upload it to the system without posting it live. Then, you can select the date and time that you’d like to publish the information and keep it offline until that time. (A very good CMS, by the way, will keep the information completely hidden within a database – away from prying eyes who may try to guess the URL – and not just hide the link to an unpublished page on a live server.)
- Make use of user rights.
Another useful feature of a good CMS is rights and roles. These allow you to delegate tasks (such as writing, editing and approving) among different team members while retaining publishing control with only those who should have it. This way, nothing gets published to your IR site without an authorized user approving it.
- Use encrypted ID mames for linked files.
A good CMS will utilize encrypted identifiers (usually called “Document IDs”) to mask the name and location of a linked file, such as an Excel file containing earnings tables. With these Document IDs, files can be linked from a public-facing HTML page without giving away the file-location and file-naming convention, thus protecting these file names and locations from identification in the future. (A few of the recent incidents have involved “sequencing,” where automated robots and crawlers – from news and market-intelligence firms – have changed a “Q1” to “Q2” in a file name (or similar) and accessed a file ahead of its scheduled release time. Encrypted file names prevent this vulnerability.)
- Self-publish, smartly.
If you are not using a CMS to maintain your IR website and, instead, manually managing the pages, files and directories, be sure to keep these additional tips in mind:
- Change file names.
One of the greatest vulnerabilities that allow security breaches is the ability to switch a single letter or number in a linked file name, and find a file ahead of time. To prevent this, change your naming conventions from quarter to quarter; for instance, “Q1Earnings.pdf” to “EarningsQ2.pdf”, or a similar variation. Also, for added protection, change your file type, if practical. Switch from a PDF to an Excel or a Word document so prying eyes won’t know what’s coming next
- Change file locations.
Similar to the last item, be sure to change the folders or directories where any linked files are located (again, if practical) from one quarter to another. Files cannot be accessed ahead of time unless someone can guess both the name and location of the file. (This is especially important because the file path is often displayed in the browser’s URL line, if a CMS tool isn’t being used.
- If it’s on the live server, it’s public.
A good CMS has the ability to keep non-public information offline in a staging area until its scheduled posting time. However, if you aren’t using a CMS, remember: If a file or text page is on a live, Web server, you should consider it public. It doesn’t have to be openly linked in order to be accessed, which many of the recent breaches have shown, especially those incidents with predictable file names and directory locations.
- Consider Web scripts.
If you’re not using a CMS, be sure to check out some simple Web scripts and programs that can help schedule publication of pages or maintain a file library with Document IDs. You may not need the full functionality of a CMS, but for your reputation and peace of mind, you owe it to yourself to consider low-cost scripts that can help you do your job and provide a reasonable baseline of security.
- Change file names.
By using these tips and best practices, rest assured that you have taken the necessary steps to safeguard your information and maintain as much control over its disclosure as possible. (Marketwire’s EasySuite 2.0 solution can help you create and maintain a secure website that includes the features mentioned, and more. Contact us for information on how it can help you.) Remember: It’s not just your share price that can be affected in the event of premature disclosure of material information. It can also substantially impact your reputation with investors and the market, as well.
- How to use earned media to boost your brand
- How to incorporate social media into your investor relations strategy