Best practices for securing undisclosed news on your IR web site

Spiders from financial news organizations trawl web sites for news, and can find undisclosed material information that hasn't been properly secured.

A prematurely leaked earnings release is the scenario that keeps many IROs up at night, and some of the market’s biggest names have been surprised in recent months when material news they hadn’t yet disclosed showed up on the financial newswires.

In every case, the leaked press releases were posted to a public – but unpublished – section of the companies’ web sites, enabling savvy – and aggressive – news organizations to gain access to the news before its scheduled disclosure without hacking passwords, breeching any firewalls or breaking any laws.   The press releases were all posted to an unpublished web page, the URL of which was easily guessed by reporters.

Commenting on an incident in late 2010 for a Wall St. Journal blog, Bloomberg News issued the following explanation:  “We found the release posted on the company’s website without any required password or firewall. The company failed to respond to multiple calls from us to verify the information on their website before we published our story.”

“An unpublished URL doesn’t create secure environment,” said Chris Antoline, Product Manager of Web Engagement at PR Newswire.  “Posting a press release to a web page that is otherwise public is risky. People – and news spiders designed to hunt for content – don’t need URLs to find information.”

One shouldn’t rely solely upon the judgment of your company’s IT staff or a vendor – they may be unaware of how competitive the financial news reporting environment is, and the risks posed to the company.

Securing this content is not difficult, but many times your web team or vendor simply doesn’t understand the directives of IR Department or the importance of timing around announcements. A simple meeting or discussion to convey the concept of SEC guidelines around disclosure can guarantee that the web team is thinking in your best interests.

What’s NOT secure:

  • Unpublished URLs Draft or preview web pages that are not behind the firewall
  • Any URLs that might be dynamically-generated using some sort of numerical sequencing for database items, such as news releases. www.xyzcompany/about/news/1871 is NOT secure since a spider (or human) can easily add or remove a number to the URL, and pull up unpublished documents.
  • Any CMS which has security where you have not changed your password from “admin” or “login” or “password”

How to determine whether or not your practices are secure

Questions to ask your IT department or your vendor:

  • What are the security measures in place for protecting non-public content in our Content Management System (CMS)?
  • Is ‘dark’ content in our CMS able to be accessed publicly via a direct URL?
  • Does our CMS use sequential numbering for the database?
  • Can we password protect pages and content to prevent outsiders from accessing certain information which we only want a select group of people to access?

Another way to test the security of undisclosed documents is to try to access them yourself, from a home computer or smart phone that’s not attached to your company network.  If you can pull up the test document via an unpublished URL, that’s a red flag.  Others can do the same.

To secure your company’s undisclosed material information, PR Newswire suggests the following practices:

  • Be sure the proper security measures are adhered to by your CMS before publishing content that is not yet ready for the public to view.
  • Leveraging unpublished URLs can be an effective way to present content for the user experience you’re trying to accomplish on your website, but make sure all private, unpublished content is protected by a password.
  • Have your web team program the system to use non-sequential URL generators
  • Better yet, use a URL Editor, where not only do you make the system more secure but you help your SEO efforts as well.

Remember, as a publicly traded company it is ultimately your organization’s responsibility to ensure that yet-to-be-disclosed content is kept secure.  Asking a few simple yet critical questions of your internal IT team or website vendor can go a long way in saving your company time, money and even market share repairing damage that could have been prevented.

Authored by Chris Antoline, Product Manager, Web Engagement Products, PR Newswire.

Secure & Fully Featured IR Web Site Services

Looking for a secure and easy to use investor relations web site service?  PR Newswire’s web site creation and hosting tool, IR Room, helps your company organize and secure critical information for investors, analysts and media while maximizing your online presence.

Image courtesy of Flickr user The Itsy Bitsy Spider

One response to “Best practices for securing undisclosed news on your IR web site

  1. It’s frightening to think that what’s supposed to be only shared within the office for the mean time are easily hacked or leaked by the public even before it is released. But the burden should be with the office’s IT department as it is their job to make sure that none is shared before the higher department says so. Security should always come first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s