SAP Users: Prevent leaks during closed accounting periods with HaloCORE
There’s no ‘good’ time for a data breach, but accidentally leaking sensitive information during closed periods leads to heavier financial and reputational costs than at other parts of the year. As SAP holds public companies' most sensitive financial and HR data, executives must guarantee the security of thousands of SAP downloads or face non-compliance fines and legal repercussions.
You have a legal duty to enforce closed periods, but how can you prevent leaks from bad actors or negligent third-party partners? With HaloCORE’s Zero Trust protection for SAP data exports.
September 17, 2024
There’s no ‘good’ time for a data breach, but accidentally leaking sensitive information during closed periods leads to heavier financial and reputational costs than at other parts of the year. As SAP holds public companies' most sensitive financial and HR data, executives must guarantee the security of thousands of SAP downloads or face non-compliance fines and legal repercussions.
You have a legal duty to enforce closed periods, but how can you prevent leaks from bad actors or negligent third-party partners? With HaloCORE’s Zero Trust protection for SAP data exports.
The risk of leaks during closed periods
In the closed period between your company closing its books and reporting this information to the public (i.e. filing your yearly Form 10-K with the SEC), ‘insiders’ have access to information that could distort the market or company share price, such as profit & loss data, expansion plans or the gain or loss of customer contracts. In the US, this is known as ‘material non-public information’ (MNPI).
From directors to accounting staff, insiders are prohibited from sharing MNPI during the 30-60 day closed period and during ‘quiet periods’ before sensitive announcements, such as new product launches. Leaks of MNPI not only lead to fines and jail terms for individuals involved, but financial, reputational and legal consequences for companies too. For example, in 2020, the SEC fined Ares Investment Management $1 million for failing to enact adequate policies to secure MNPI. In 2013, the SEC fined SAC Capital a record $1.8 billion for insider trading.
Why preventing leaks during closed periods is challenging
Just as secrecy during closed periods maintains market integrity, preventing leaks during closed periods maintains your company’s reputation. But preventing leaks during this time is particularly challenging for five key reasons.
Misunderstanding closed periods. In the EU, closed periods are 30 calendar days, but in the US, there is no set period with some companies using 30 business days while others use 30 calendar days or four weeks. As such, employees don’t always know when data embargoes are in place.
Determining material non-public information. From purchase orders to customer contracts, MNPI can be anything. It’s therefore difficult for insiders to know what SAP data they can download and share publicly.
Pinpointing insider threats. Insider threats can be malicious (i.e. purposeful stealing of data) or accidental (i.e. negligence or ignorance). They are hard to prevent as insiders already have access to your organization’s sensitive data and know the weaknesses of your cybersecurity. According to the 2023 Cost of Insider Threats Global Report, 71% of companies suffer over 20+ insider security incidents per year, 55% of which are employee negligence, with an average annual remediation cost of $7.2 million.
Sharing data with third-party partners. Public companies often work with external partners during closed periods, such as accountants or lawyers. Downloading SAP data and sharing this private information outside your organization increases the chances of a data breach.
Preventing ignorant actions. The more employees you have, the more chances for accidental leaks from ignorant actions. In 2017, for example, a Boeing employee asked his wife for help formatting a spreadsheet without realizing it contained the personal information of 36,000 other employees.
The cure? Zero Trust for SAP during closed periods
From confidential reports and spreadsheets to customer brochures and headcount data, it’s illegal to disclose any pertinent financial information held in SAP that could affect the market or the company’s share price before it’s officially announced. But as soon as data leaves the SAP system, it becomes vulnerable to mishandling and misuse.
However, HaloCORE embeds Microsoft Purview Information Protection (MPIP) directly into SAP’s application layer, automatically protecting material non-public information coming out of the SAP system. As HaloCORE is embedded in SAP data from the point of origin, all SAP downloads are protected from insider threats, be it a disgruntled junior manager attempting to steal information or a third-party accountant accidentally sharing a spreadsheet to unauthorized persons.
As HaloCORE’s authorization labels automatically protect SAP data exports, your employees also don’t need to worry about how they act during closed periods, enabling you to continue business as usual.
Case study: multinational professional services company
A multinational professional services company was worried that departing employees could take sensitive material with them and disclose it during closed accounting periods. With over 700,000 employees exacerbating the risk of a damaging data leak, the company used HaloCORE’s automatic labeling checks to protect all data coming out of its secure systems.
