Is Your Company Compliant with the SEC’s Email Retention Policy?
November 24, 2021 • 5 min read
Under the regulations laid out by the Securities and Exchange Commission (SEC), companies that provide financial services must retain electronic records for a set time, with emails being the most prominent type of record.
According to the SEC email retention policy, email communications must be preserved and immediately accessible for at least two years and archived for at least six. If federal auditors or attorneys in a legal dispute come calling, a company must be able to produce requested emails. If the company cannot produce the emails in question, it could result in significant penalties. If the dispute is significant, not being able to produce essential documents could have devastating financial consequences.
According to SEC Rule 17a-4, financial services companies must store electronic records, and most companies maintain compliance using an automated record retention system. SEC regulations say a storage system must be able to keep records in a tamper-proof, Write Once Read Many (WORM) format. A system should also be able to automatically verify the accuracy and quality of the recording process, as well as prevent corruption or deletion of files for the archive period. After the retention period passes, the system should delete the records automatically. Regulations also say the storage system should have the ability to download records and store duplicate copies in a secondary location.
Some companies use an on-premises email archive system, and some companies store emails in the cloud. Regulations do not provide details related to formatting, and most companies use an email archive system specifically designed for easy long-term storage.
When an email is passed into the system, it is tagged with metadata so that it can be easily found later. That metadata tag typically includes information like the date the email was written, the date it was archived, and information on the subject matter. Most systems tag emails so that they can be found through search within a matter of seconds or minutes.
Although their descriptions sound similar, a backup system is not the same as an archive system. If a natural disaster or cyberattack occurs, employee mailboxes could be restored by a backup system. However, such systems are only capable of restoring data back to a certain point in time and are not meant to recover specific files or efficiently store data for long periods. If a backup system were to be used as an archive, it would make a company ill-prepared for an audit or legal dispute.
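The retention rules described above (WORM storage, integrity checks, metadata tagging for search, a duplicate copy, and automatic deletion only once the archive period has passed) as a small in-memory model; this is an added illustration, not code from MirrorWeb or any real archiving product, and the six-year period, the constructed sample records and the `WormArchive` class are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
RETENTION = timedelta(days=6 * 365)  # six-year archive period from the article

@dataclass
class Record:
    message_id: str
    written: str    # date the email was written (ISO 8601)
    archived: str   # date it entered the archive (ISO 8601)
    subject: str
    sha256: str     # fingerprint taken at ingestion time
    body: bytes

def _day(iso):
    return datetime.fromisoformat(iso)

class WormArchive:
    """Write-once store: no update path exists; deletion only after retention."""
    def __init__(self):
        self._primary = {}
        self._secondary = {}  # duplicate copy, stands in for a second location

    def ingest(self, message_id, written, subject, body, today):
        if message_id in self._primary:
            raise PermissionError("WORM: record exists and cannot be overwritten")
        rec = Record(message_id, written, today, subject,
                     hashlib.sha256(body).hexdigest(), body)
        self._primary[message_id] = rec
        self._secondary[message_id] = Record(**vars(rec))  # independent copy
        return rec

    def verify(self, message_id):
        """Detects out-of-band tampering: body no longer matches its fingerprint."""
        rec = self._primary[message_id]
        return hashlib.sha256(rec.body).hexdigest() == rec.sha256

    def search(self, keyword):
        kw = keyword.lower()
        return sorted(r.message_id for r in self._primary.values()
                      if kw in r.subject.lower())

    def purge_expired(self, today):
        """Automatic deletion once the retention period has passed, never before."""
        expired = [m for m, r in self._primary.items()
                   if _day(today) >= _day(r.archived) + RETENTION]
        for m in expired:
            del self._primary[m], self._secondary[m]
        return expired
```

A real deployment would enforce immutability at the storage layer rather than in application code, but the checks a reviewer would ask about (no overwrite path, fingerprint verification, purge gated on the archive date) are the same.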
While the most prominent need for an email archive system can be found in the financial services industry, there are federal and state laws for other industries that mandate the archiving of emails. Companies are responsible for ensuring they remain compliant with all email retention laws, and fines and penalties for noncompliance can be costly in these industries as well.
A Strategy for Remaining Compliant
Most (if not all) financial services companies have a comprehensive strategy in place for remaining compliant. However, maintaining compliance is more difficult than it might seem, and companies looking to keep their house in order need to be diligent.
The first step is to assign responsibility for SEC compliance and data security to a specific individual. This person should fully understand the scope of the regulations and collaborate with the legal team to make sure the company remains compliant and secure. They should also be in communication with compliance regulators.
Organizations need to determine what types of data have to be archived beyond emails, while the person overseeing compliance must establish a way to identify internal and external emails. An archiving strategy should also consider the length of time to store emails, and which can be deleted after compliance has been met. A strategy should include methods for archiving particularly sensitive information, with some email archiving systems providing functionality that allows for an elevated level of protection.
An archiving system should be developed with access in mind. Many companies find themselves the subject of legal discovery processes and audits. An archiving system should be able to produce specific emails, should one of these situations arise. This requires a well-thought-out plan and structure that includes keeping emails in a WORM format, a high level of searchability, the ability to produce messages in their original state, the prevention of accidental deletion or modification, and a clear workflow for compliance regulators.
An archiving system should also be flexible: Email programs evolve over time and outside parties may switch their platform. This means an archiving system should be able to support a wide range of email formats.
Finally, it is important for staff to receive appropriate training regarding email archiving. When it comes to cybersecurity and compliance, the old saying goes: people are the weakest link. Proper training can strengthen this weak link and prevent it from breaking. Staff members should know how to handle sensitive email communications and understand the potential negative consequences of failing to remain compliant.
A Note About Social Media Posts
SEC regulations also call for archiving companies' official social media posts, as well as posts from company employees. Some companies have tried to prohibit the use of social media to avoid compliance risks, but this approach is often unsustainable, as our society increasingly relies on social media to remain connected.
Companies considering an email archiving solution should also think about a way to preserve social media posts as directed by regulations from the SEC and other government bodies.
How MirrorWeb Can Help
With the COVID-19 pandemic completely revolutionizing how businesses communicate and get work done, achieving compliance is harder than ever. MirrorWeb offers comprehensive archiving solutions designed to keep our clients compliant. With our archiving solutions, you can easily and automatically store all of your company’s emails, social media posts, webpages, and more. Please contact us today to find out more about how we can keep your company off regulators’ radars.