Public companies have traditionally met regulations requiring "broad, non-exclusionary distribution" of corporate information through newswires – typically one of the big three: Business Wire, PR Newswire, or Marketwired.
Yet some communications pros tell PRWeek that clients need to rethink how they use newswires in the wake of authorities busting a group that allegedly hacked into the platforms, accessed unpublished press releases, and made stock trades based on the stolen information.
Corporations should start uploading their sensitive documents to the wires at the last possible moment, say experts, while others wish the industry would challenge how the Securities and Exchange Commission’s disclosure requirements have been interpreted and acted upon.
The big three press release distributors were reportedly penetrated as part of a sophisticated scheme in which hackers and traders gained access to statements on not-yet-public mergers and acquisitions in an effort to trade on the insider information. The SEC has charged 32 people, saying they made more than $100 million in illegal profits.
Companies that reportedly were victims of the scheme include Delta Airlines, Bank of America, Ford Motor, and Netflix, among dozens of others.
Christopher Penn, VP of marketing technology at Shift Communications, says companies have many ways to disseminate information such as their email media lists, social media channels, and corporate websites. In fact, he contends newswires offer little value for most companies hoping to get coverage from journalists.
"That was the reason you would use them in the past – to reach journalists – but the wire service in its current form does not do that anymore," says Penn. "Most people don’t read press releases. Their value from getting attention from the press is pretty nil."
However, he says newswires "are still absolutely relevant for public companies to meet SEC regulations around fair disclosure."
"Social media is a great way to get out information, but from a regulatory perspective, we have to allow the legwork before we use social," Penn explains. "In lieu of that, press releases are the easiest way to get all the information out there. They already meet the gold standard in the eyes of the SEC."
He adds that while wire services are sure to improve security, companies have to be realistic about the probably of a hacking incident.
"The reality is every organization on the planet will at some point be hacked," Penn contends. "It is almost impossible to bullet-proof yourself unless you take all your services online and lock them in a concrete bunker."
He advises that companies should set new protocols for sharing sensitive documents with wire services nearer to the time they’ll be released.
"The material that was compromised was under embargo and queued up in the systems," says Penn. "If you have really serious stuff that is highly sensitive, wait until the day of or night before when the announcement is to be made; don’t queue it up weeks ahead in the system because that increases the risk of compromise."
Others argue that newswires have long been an outdated way to disseminate information, and the security breach should serve as a call to action for the PR industry to develop a better way to meet SEC requirements.
Jon Greer, chief content officer of JGC Marketing Communications, urges public companies to stop using the wire services and develop secure internal methods for meeting SEC disclosure requirements. He acknowledges it is difficult to interpret what exactly constitutes broad and fair distribution, but notes SEC requirements don’t mandate press releases be issued by one of the wires.
"Public companies are the ones ultimately responsible to the SEC, investors, and other stakeholders for data integrity. How can investors trust trading your stock if the wires are lax about security of their unpublished market-moving information?" Greer asks. "Most public companies already have an automated media list, so key publications such as Dow Jones, Reuters, and Bloomberg are already covered. Most companies are also posting links on Twitter and Facebook to their own websites and blogs with the information."
Using their own infrastructure would also help companies’ bottom lines, he adds, noting that the method would be more affordable than wire services.
Ina McGuinness, principal at McGuinness Communications, a firm that works with publicly traded and pre-IPO companies, says she uses newswires all the time for IR clients. Yet she admits surprise that newswires are considered the only solution to meet SEC requirements, given the rapid growth of digital and social media tools.
McGuinness notes there is no case law for what constitutes full disclosure. McGuinness says that if the SEC said posting the information on your website constitutes full disclosure, all companies would have to do is issue a short press release to select media outlets directing them to the company website.
"But nobody wants to be the one to challenge what the wire service actually does for them, or to say there might be another solution," she says. "Clients may be concerned about it but they feel there is no alternative. It is just the path of least resistance."
The wires respond
All of the major wire services responded to the security breach with statements of reassurance that they are, and have been, doing all they can to secure client information.
Business Wire sent an e-mail to its clients with a letter from CEO Cathy Baron Tamraz. It began, "We understand your concerns surrounding this week’s federal indictment of a global hacking…We would like to take this opportunity to provide you with the story behind the headlines."
The letter explained that government investigators asked Business Wire about fewer than 85 releases, and pointed out that no examples listed in the indictments and the SEC complaint were Business Wire releases.
"Despite our extreme vigilance, today's reality is that no one today is immune from hacking," it continued. "We want to reassure you that Business Wire’s systems are safe and secure. We continue to work closely with a leading cybersecurity firm to ensure that they remain so."
Business Wire clients tell PRWeek they are concerned about the hack and are asking the company for more details about its security measures.
"We are aware of the issue," says Mike Moran, global news manager at Ford, via email. "We are working with Business Wire to understand what is being done by Business Wire to safeguard news releases before their scheduled release."
The newswires also reiterated their value and competence in handling and disseminating corporate information in statements to PRWeek.
Marketwired said in a statement issued via Levick that "press release distribution remains one of the most effective and efficient ways to reach a broad audience in a timely fashion, across multiple channels." It also pointed out its multichannel distribution options and ability to help companies meet disclosure regulations.
"To support this, we have made significant investments across our entire network to create a world-class security ecosystem," the company said in the statement. "We are confident that Marketwired is protected by first-class security, monitoring, and prevention practices."
PR Newswire also responded to requests for comment with a statement from its chief information security officer Laura Deaner.
"Protecting information and securing IT systems are challenges that all companies face today," she said in the statement. "PR Newswire is committed to providing a secure environment for client information and employs a multi-dimensional approach to information security, led by a dedicated security team."
Deaner added in the statement that wire services continue to be "a critical part of today’s fast-paced news cycle."
None of the major wire services are apologizing for the breach, which strikes some experts as a failure to take responsibility for the situation. However, the scheme was described as "one of the most intricate and sophisticated trading rings that we have ever seen, spanning the globe and involving dozens of individuals and entities" by Andrew Ceresney, director of the SEC’s division of enforcement, at a press conference.
Dr. Jane LeClair, COO of the National Cybersecurity Institute at Excelsior College in Washington, DC, notes that it is difficult to speculate how the hackers may have gained access.
"One of the biggest reasons companies get hacked is through social engineering and fishing," she explains. "Companies need to train their workforce on protecting against social engineering and not just once but on an ongoing basis because the hackers are getting smarter."
She would also like to see companies join forces to take on the issue, instead of saying, "It is going to happen and there is nothing we can do about it."
"It would be such a smart thing for these wires to join together on the issue and work as a group rather than individually," LeClair concludes. "This is a major thing they can do right now, and many organizations in banking and medical have been doing that."