The brief stock market flurry caused by one hacked, fake tweet comes just weeks after the U.S. markets watchdog, the Securities and Exchange Commission, decided to allow public companies to use Twitter, LinkedIn and Facebook to disseminate news to their investors.
The minutes-long multibillion-dollar market collapse, prompted by a fake Associated Press report about an attack on the White House, was exposed as a hoax and markets recovered. Investigations are expected to follow, although an SEC spokeswoman would neither confirm nor deny on Wednesday whether the agency has launched a probe.
But the fiasco highlights the complex problems market regulators face in the social media age – and the potential risks to companies and investors who are increasingly turning to social media.
The SEC's move to clarify its disclosure rules came as it decided not to take action after the chief executive officer of Web video service Netflix Inc. disclosed viewership numbers on his Facebook page instead of through a filing with the SEC or a news release. The SEC said its rules in the area were unclear, and clarified that companies could use social media to disseminate company information, provided they alert all investors they are doing so.
Canada's largest markets regulator, the Ontario Securities Commission, has been more cautious. It has not followed the SEC's lead on the issue, although it recently allowed public companies to post corporate filings on their websites, rather than insisting that such documents be mailed to all shareholders.
The ease with which a Twitter account in particular can be hacked, however, should make companies and investors very wary about relying on information from social media, says cyber-security expert Daniel Tobok, head of forensics for telecom giant Telus Inc.
For one thing, in most organizations the employee in charge of the Twitter account is usually low ranking, he says, and most Twitter passwords are notoriously weak.
"People don't think much about it: 'It's only Twitter, it doesn't give access to our company,'" Mr. Tobok said. "But it does talk about your company's [public] profile, which can cause a chain reaction, and a financial impact, at the end of the day."
In the AP case – according to what appeared to be an internal AP memo posted by U.S. media blogger Jim Romenesko – hackers tricked AP employees into clicking on a link in an e-mail that appeared to come from a colleague, a targeted technique known as "spear phishing" that allows hackers to induce people into unknowingly providing passwords or personal information.
It's easy to do, and almost impossible to stop, Mr. Tobok said: "Spear-phishing has to do with human intelligence. No tools, no firewalls can stop it. … When an e-mail comes and says click here and it doesn't look like it's from Prince Abdullah, we think it's real."
Carol Hansell, a senior partner with Davies Ward Phillips & Vineberg LLP in Toronto, who advises public companies about their disclosure obligations, said social media are clearly changing the landscape, even though regulators and her large corporate clients remain wary of it. But she expects that social media eventually will become a standard route for corporate disclosures.
"It is in the interest of the marketplace to make sure that we get that information out there as soon as possible," she said. "And the press release [rules] seem behind the times."
Edward Waitzer, a lawyer at Stikeman Elliott LLP and former chairman of the OSC, said market turmoil caused by fake information is not new – but the speed at which the increasingly computerized stock markets of the 21st century react is.
"It's faster, and more pervasive," he said. "There are flash crashes in that sense all the time. Last week, it was gold. Next week, it will be something else."
Mr. Waitzer said the fake AP tweet underscores the challenges regulators face from the massive increase in high-frequency trading, the computer-driven and automated activity blamed for the speed with which the bottom fell out of the market on Tuesday. Canadian securities regulators and the SEC have been reviewing their rules on this kind of trading, but Mr. Waitzer suggests it needs to be reined in. "It's a basic market structure issue."