Heartbleed Bug: The Less Said, The Better?

I want to tread carefully on this. Online account security is nothing to trifle with. In all likelihood, concern over the Heartbleed security bug has seized the attention of the very highest levels of your mutual fund or exchange-traded fund (ETF) organization.

The timeliness, frequency and depth of what your firm communicates about your own and third parties’ systems’ status, including vulnerabilities and patches, are a function of your culture and of your executive management, including your IT, Legal and Communications leadership.

Understood. At the same time, I’m guessing that your Sales and telephone staffs have been armed with scripts for institutional investors, financial advisors and individual investors since the hole in Internet security was revealed in late March/early April. The relationship managers who serve those constituencies no doubt demanded “something to tell them,” and they’ve received what they asked for.

Why haven’t more communications appeared on Websites and in social media account updates? Two weeks after the initial report, I’ve seen just a handful of communications. Not all are on Website home pages, and even fewer have been part of the Twitter or Facebook update streams. 

The media has been continuously warning people to change the passwords on their financial accounts and other accounts where they may have used passwords also used on financial accounts.

Two-thirds of all Websites are reportedly affected. Among fund companies specifically, no less than American Funds has disclosed that it had an issue.

In the screenshot below, you’ll see that one person asked about Heartbleed in an April 10 comment on an American Funds' Facebook update about something else. And, you’ll see the April 14 note that American Funds posted on its Website acknowledging a “very narrow of risk.” According to reports yesterday, American has emailed clients suggesting that they change their user information, password, security image and questions, and delete their browsing history and cookies.

This is unfortunate, and American Funds was obliged to communicate the risk to its clients.

If your firm hasn't already fielded calls about Heartbleed, American Funds' notification to its 800,000 mutual fund shareholders and their advisors likely will heighten concern and result in questions.

At times we've all wondered, “What do our clients really want from us?” In this instance, isn’t it predictable? Isn’t it logical to expect that clients arrived at mutual fund and ETF Websites or checked Twitter feeds looking for Heartbleed information?

Even if your firm's systems have not been compromised. Even if you don't operate a brokerage business. Even if your firm uses a third-party transfer agent for shareholder servicing and all your site does is provide a link to that site. Even if IT scoffs at the question of whether the passwords to your advisor Website could have been hacked.

Your client is not likely to be making these distinctions. 

'Controlling The Message'

At one time, brands sought to control the amount of attention given to an issue by limiting what they said. That’s not available anymore, if it ever was. And there's the false security in believing that an offline communication can remain under the radar just because it isn’t made available on the Web.

In delivering the self-publishing capabilities that enable individuals to share brands’ marketing news, Web 2.0 has also empowered individuals to share a full range of information with each other. In this space, we know that financial advisors tweet advisor-only conference calls and upload to their blogs images from restricted distribution publications, for instance. Shareholders regularly complain about firms' password protocols on Twitter.

On the subject of Heartbleed, citizen contributors to both Bogleheads.org and a Morningstar forum took it upon themselves to check some fund Websites on a Heartbleed hacker checker. One result, according to the posters’ claims, was that TIAA-CREF's site failed the test. See this and this. In fact, according to a syndicated press release that appears on this Web page, TIAA-CREF at one point issued a statement denying online reports of Heartbleed vulnerability.

Like it or not, there is no such thing as keeping something quiet or controlling who or what is going to pass a communication or even an observation on. There is no flushing search engine results.

In your organization, nobody knows this better than Digital Marketing. Even when there’s nothing to report, say something because your clients want to hear from you and you know that the Website or your Twitter or Facebook page is where they’ll come to. A clear, adequate communication on the Web will keep the call volume under control, and will facilitate the peer-to-peer online communication already underway.

Marginalizing A Digital Presence

Less important for your clients but important to the contribution your work can make: A de facto policy that reserves Web and social communications for only what’s required (fund updates) or marketing-based (commentaries, appearances, announcements) marginalizes the potential value of having an open, 24/7 digital presence.

Every once in a while I hear from someone who asks why I haven’t adopted the term “social business” instead of “social media”—the implication being that brands have evolved beyond social media. I disagree. The pages of the calendar may have flipped, but this has yet to become a social business.  

Four years ago, I was surprised when more financial firms with Twitter accounts didn’t use those accounts to communicate about the flash crash. But that was too early in the history of asset managers and social media; the news itself was confusing, and firms weren’t ready.

Little more than a year ago, PBS ran a documentary about retirement funding and the expense of retirement plans. Most asset managers chose not to comment, despite the fact that the show consumed online commentary for a while. It was controversial and complex, and no firm was compelled to jump into the fray.

This slower-developing Heartbleed issue, by which apparently few fund firms were directly affected, was an opportunity for a firm to demonstrate the attributes of being social—transparency, accountability and authenticity among them.

The relevant, financial services-focused online conversation these last two weeks has been about Heartbleed and the security of financial assets. Others have had plenty to contribute, and more firms could have joined in, even if only in an informational/educational (change your passwords!) role.

It's strange to land on a financial site with no front-and-center acknowledgment of Heartbleed. Forgive me. But even to someone who knows better, the firm seems out of touch, at best.   

The topic is too hot right now for you, the digital marketer, to call the question internally and advocate for your “constituency.” But if you agree that it’s time to challenge those who believe “the less publicly said, the better,” you might start to think about what it will take to get your firm to think more expansively.

To help you make your case, here are a few examples of firms that have communicated something. 

Fidelity Pop-up

T. Rowe Price Splash Page Violator

OppenheimerFunds Timely Topic

Vanguard Home Page News Item