Nuix Discover® for Government has been designated FedRAMP Ready, at the high-security impact level, and is now listed in the Federal Risk and Authorization Management Program Marketplace for US federal agencies and government contractors.
Nuix has initiated the FedRAMP authorization process, which can take up to 12 months. Upon authorization, federal agencies will be able to use Nuix Discover for Government to process and store their most sensitive unclassified data.
“We’re excited to have achieved this important milestone on the path to becoming FedRAMP Authorized at the High Impact level and providing a secure and robust cloud eDiscovery and investigation solution for federal agencies,” said Michael Smith, EVP, Americas at Nuix. “As part of our mission of finding truth in a digital world to be a force for good, we look forward to helping our federal government customers conduct their most sensitive and significant investigations using our secure cloud software.”
WHAT IS NUIX DISCOVER® FOR GOVERNMENT?
Nuix Discover for Government combines the world’s leading eDiscovery processing, review, analytics, and predictive coding in one software-as-a-service solution that can be hosted in Nuix’s US government-only cloud environment or an agency’s private cloud. It dramatically improves the speed and quality of early case assessment, investigation, document review, and case management in eDiscovery, investigation, and Freedom of Information Act (FOIA) request processes.
As part of the FedRAMP authorization process, Nuix has incorporated world-class end-to-end encryption into Nuix Discover for Government, meeting Federal Information Processing Standard (FIPS) 140-2 Security Requirements for Cryptographic Modules.
The FedRAMP High Impact level is required for agencies that handle the government’s most sensitive, unclassified data in cloud computing environments. This includes systems where the loss of confidentiality, integrity, or availability could have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals.
“This significant investment in cloud security benefits not just our federal government customers but everyone who uses Nuix software as a service,” said Michael Smith.
The global market for mergers and acquisitions reached new heights last year, and many expect the frenzy to continue in 2022. The latest annual survey from Pitchbook estimated there were 38,000 merger and acquisition (M&A) transactions in 2021, with just shy of US$5 trillion in deal value.
That’s a lot of activity. But despite the lofty goals and growth projections that drive M&A decision making, history shows these transactions don’t always convert into corporate value. In one study, for example, Deloitte analyzed 116 M&A deals that were explicitly “growth-oriented,” and found that only 27% helped those companies grow faster than their historical rate.
POST-DEAL INTEGRATION AND SYNERGIES
There are, of course, many reasons why companies fail to realize the cost or growth synergies anticipated for a deal; economic and political issues and “people” and cultural differences are often cited.
Some companies simply fail to manage the huge operational complexity of acquiring or selling a business. This can include failing to manage the risks inherent in the buyer’s or seller’s data. This is a significant issue when you consider that global data volumes double every three years or so and more than 80% of the world’s data is unstructured, such as emails, making it harder to manage and understand.
Challenges in managing corporate data can lead companies to struggle with issues such as:
Identifying and retaining the company’s commercially sensitive information and intellectual property
Identifying compliance risks in the target company’s data
These struggles can have dire consequences down the track. Highly priced intellectual property may turn out to be kept haphazardly across multiple storage systems, making it hard to consolidate and extract value from. In the case of a divestiture, it may get left behind with the parent entity or inadvertently sent off with the buyer. The acquiring company can also inherit compliance risks – in the current environment, especially privacy risks – which lead to regulatory action or litigation when things blow up post-acquisition.
RETAINING VALUE, MINIMIZING RISKS
How can companies avoid leaving value on the table or acquiring unforeseen risks? Over many years of working with companies and their advisors on M&As, Nuix has developed a robust approach to understanding and addressing these data governance and risk issues.
In one example, Nuix helped a global pharmaceutical company avoid sending off its critical intellectual property along with the subsidiary it was divesting. To achieve this, Nuix had to search the subsidiary’s datacenters for the parent’s intellectual property. This meant finding IP across millions of emails, documents and other unstructured records and then remediating the data, all under tight commercial deadlines.
Our process, in broad strokes, is detailed in the diagram below.
The main advantages of using Nuix technology and workflows, for the buyer or selling company, include:
We can find and collect data (such as critical intellectual property) from local and remote repositories, including laptops and desktops, email servers, file shares and cloud sources
Our efficient and scalable processing turns more than 1,000 file formats into meaningful and searchable information by capturing the content and metadata
Our browser-based review software enables fast and efficient collaboration for merger teams to analyze, classify and report on findings
Once you have classified data, you can defensibly move or delete it, copy it or flag it for further action.
Just as importantly, in M&A transactions the parties need to review huge amounts of data under the shadow of commercial and regulatory deadlines. Most of our customers say that compared to competitors, Nuix has the fastest data processing, can review the widest variety of file types and can handle the largest volume of data.
Equally exciting is that this workflow is not just a one-off exercise. Once you’ve gone to the trouble of setting it up, it can deliver ongoing value for the merged entity. The target company and its acquirer can scan for changes up to the merger deadline and proactively monitor to maintain compliance and deliver data and cost efficiencies afterwards.
The Covid pandemic has shown many organizations how much they rely on third parties in their supply chains, to help them deliver services and products to customers. At the same time, the growth in environmental, social and governance (ESG) concerns has forced many organizations to re-visit the commercial relationships they have with third parties whose behaviors may create risks for the organizations’ ESG goals and commitments.
Deloitte recently surveyed the third-party risk management practices of over 1000 organizations in more than 30 countries. It found that since COVID-19 became a global pandemic on 11 March 2020, just over half (51%) of respondents faced one or more third-party risk incidents. These incidents created regulatory, reputational or strategic issues for respondents in areas such as:
Cybersecurity and privacy issues in third parties
Failure by third parties to meet their contractual obligations to those organizations
ESG issues in third parties, such as environmental pollution, modern slavery, bribery and corruption.
Unsurprisingly, the experiences of the past 24 months have also sharpened regulators’ interest in businesses’ arrangements with their third-party vendors. Regulators have often been quick to remind those businesses that they remain ultimately responsible for meeting their obligations to customers and regulators, and where they rely on third parties, it’s their job to manage the third parties to ensure those obligations are met. Some regulators have gone as far as to require businesses to include, in their third-party contracts, rights for the business to conduct ongoing audits and continuity assessments of their external vendors. The reasons for doing this are borne out in a recent McKinsey study, which showed that while most third-party disruptions occur lower down in the supply chain, two-thirds of companies say they can’t confirm the business continuity arrangements with their non-tier-one suppliers.
STEPS TOWARD BETTER RISK MANAGEMENT
An important foundational step towards managing these increasing third-party risks for any organization is to have an up-to-date and comprehensive management system for all the contractual arrangements the business has with these external parties.
Our experience, though, is that this is not always as easy as it sounds. Particularly for large organizations, contracts aren’t always where they should be.
Even if you are organized enough to put all your contracts in one place, can you say for sure the document in your central repository is the final version? Or is that the contract the vendor sent a couple of days later after final negotiations with the legal team? Is it the computer-readable Microsoft Word version or the signed-and-scanned PDF emailed back to the other party?
FINDING CONTRACTS, WHEREVER THEY’RE HIDDEN
Nuix recently worked with a large bank in the United States that was grappling with this challenge.
The bank needed to improve its risk management of third-party vendor contracts. Over time, each business unit had developed its own practices for managing third parties, which led to considerable differences across the bank on standard contract language, different approaches to third-party risk management and material variances in approaches to ongoing due diligence. Different approaches in the contracts to pricing were also an issue, with the situation almost certainly leading to commercial value being left on the table.
To deal with this, the bank was looking to centralize all its contracts into a single third-party management system. But over time, many contracts had been stored by staff amongst terabytes of data in difficult-to-search locations such as employees’ inboxes or shared drives.
The bank’s contract management team knew it couldn’t just run a search for “contract” across all employees’ emails, file shares and other data repositories. Instead, it used the Nuix Data Finder plugin to run a series of detailed search queries relating to common contract terms across each business unit’s systems.
Nuix Data Finder rapidly trawled the bank’s systems – running optical character recognition to capture scanned documents – and extracted text and metadata from items across the network. This allowed the contract management team to analyze responsive items in real time and flag any real contracts for further analysis.
Real-time search results helped them fine-tune their search queries to improve the accuracy of detection for each system they analyzed. The bank then extracted the most recent versions of each confirmed contract and migrated it into the management system for ongoing administration. In doing so, Nuix helped the bank rapidly take steps to start dealing with its operational and strategic third-party risk exposure.
RE-ENERGIZING THIRD-PARTY RISK MANAGEMENT
Managing third-party risks is a growing concern. Over half of Deloitte’s survey respondents agreed that because of recent and ongoing global events, they need to increase their focus on third parties and make at least some major investments to re-energize their third-party risk management programs. In similar findings from a recent global study by KPMG, 77% of the 1263 risk professionals surveyed believed overhauling their third-party risk management model was overdue.
Re-energizing third-party risk management can take many forms. There is, for example, an increasing appetite among businesses to have much more real-time data on the performance of their third-party vendors. These are longer-term goals for businesses and the technology to deliver these outcomes is still at an early stage. A key stage along this journey is for all businesses to have a complete understanding of the current arrangements they have with their third parties, and there’s a readily available technology to help handle that key foundational step.
Artificial intelligence or, more specifically, deep learning entered the digital forensics and incident response (DFIR) space originally to help reduce the amount of time investigators spent analyzing cases. It started out with simple skin tone and body shape detection in graphics; this evolved into the ability to place a percentage value on how much skin appeared in a picture or video.
This technology is especially helpful for investigations into sexual assault, child abuse and other graphically disturbing cases. It saves analysts from manually looking at thousands, or in some cases millions, of graphics and video content, speeding review while at the same time (hopefully) preserving their general well-being in the process.
As deep learning technology has evolved, and more models have been developed, we’re faced with an important equation to solve. Which is more important: efficiency or accuracy? In a perfect world we would want both.
If you take a moment to look around, you’ll notice some big companies are making huge, regular investments into developing artificial intelligence models. These models are often freely available for technology companies like Nuix to incorporate into their own products.
I think it’s important to note here that these models, while freely available, are not the latest and greatest technology available. Still, the fact that so many options are available is impressive in its own right.
By default, Nuix uses Google’s Inception V3 model for image classification. This model balances accuracy (greater than 78.1%) with incredible speed. That’s great for cases where time is a critical factor; other options such as the Yahoo Open NSFW model (now known as TensorFlow by Google) and VGG16 work more slowly, relatively speaking, but operate at over 90% accuracy. The VGG16 model has the ability to learn through data ingestion, thus increasing its accuracy over time.
There are models in development that reach 98% accuracy while maintaining the speed of the Inception V3 model, but they have yet to reach our market.
EXPLORING THE MODELS FURTHER
Graphics analysis is an example of artificial narrow intelligence (ANI), which I explored in the last article. ANI is programmed to perform a specific task, freeing humans from performing repetitive and time-consuming work. For anyone who has performed graphic analysis, we know it certainly qualifies as both.
The models we’re talking about are convolutional neural networks (CNN), which detect patterns in images using techniques that analyze small areas of the image in a layered, procedural approach that can detect image edges, ranges of color and other aspects that help the machine classify the image for the analyst.
Explaining how this works is difficult. Thankfully, there are some great explanations online. One is the brilliant Anh H. Reynolds’ article on Convolutional Neural Networks, which she was gracious enough to give me permission to share in this blog. AI education site DeepLizard also published an explainer video that’s worth watching to learn more. If you have a need-to-know mindset about how things work, both are worth the time investment.
MAKING THE CHOICE
As I did the research for this article, I came to an important conclusion. I can’t definitively say which model or approach is right for your investigative needs. Analysts should take the time to assess the different models and be comfortable with the mix of accuracy and speed they offer. During testimony, a decent attorney may ask what kind of testing and comparison you conducted to choose your machine learning model. It hasn’t happened often, but I have had attorneys surprise me with the homework they do.
I prefer to use real cases and test different models against them, with a couple of caveats. First, you should run tests against models that you’ve already run through your trusted methods and technologies – just be prepared to find things you might not have found the first time around. After all, that’s the benefit of using the technology.
Also, testing is unbillable work – it’s just wrong to bill a client for work done while testing a new machine learning model. That doesn’t make the work any less valuable; the time you spend testing your models and documenting the results will have an incredible impact at every stage of your investigation.
Nuix announced its decision to buy Topos Labs, Inc. (Topos), a developer of natural language processing (NLP) software that helps computer systems better understand text and spoken words at speed and scale.
Headquartered in Boston, MA, Topos designed its artificial intelligence (AI) driven NLP platform to reduce the workload on data reviewers and analysts by surfacing relevant or risky content faster. Its mission is to provide customers with risk-oriented content intelligence for proactive risk management and regulatory compliance.
The addition of Topos to our already extensive software platform will, as you’ll see, play a noticeable role in making the lives of our users easier. Whether you’re tasked with conducting internal corporate investigations, handling legal discovery review or ensuring your organization is meeting its risk and regulatory obligations, Topos’ NLP capabilities and integration with Nuix in the coming months will be something to pay attention to.
POWERFUL ANALYSIS AND CLASSIFICATION
The platform, which is still in the early stages of its development, can already automate accurate analysis and classification of complex content in documents, electronic communications and social media. Business users can directly define NLP models through the software’s no-code user interface, reducing the time required to identify risk in the organization’s data. From there, it can present the risk assessment of confidential, sensitive and regulated content in user-friendly dashboards.
“The acquisition of Topos is an exciting evolution in Nuix’s journey,” said David Sitsky, Nuix Engineering Founder and Chief Scientist. “Integrating the Nuix Engine’s ability to process vast quantities of unstructured data with the next generation NLP capabilities of Topos will be game-changing for Nuix’s product portfolio.”
“Topos will strengthen Nuix’s product offering by helping customers get to relevant data even faster,” added Rod Vawdrey, Nuix Global Group CEO. “The potential for user-friendly dashboards and for users to easily customize the software to their specific needs also reflects Nuix’s focus on empowering our customers to search through unstructured data at speed and scale. We look forward to Christopher Stephenson [Topos CEO] and his talented team joining Nuix.”
WELCOMING THE TOPOS TEAM
As part of the deal, the Topos team, including members of senior management, joined Nuix. By welcoming the Topos team and integrating the NLP capability at this stage of its development, Nuix can optimize the technology to benefit its investigations, eDiscovery and governance, risk and compliance (GRC) customers, further enhancing the unstructured data processing power of the Nuix Engine.
“We are delighted to join Nuix and are excited about combining our innovative NLP platform with the Nuix platform,” said Christopher Stephenson, CEO, Topos Labs. “Along with my talented engineering and product team, I look forward to deploying Topos to further enhance Nuix’s powerful processing capabilities and to being part of a global leader in investigative analytics and intelligence software.”
Under Australia’s Privacy Act, organizations that hold people’s tax file numbers (TFNs) must securely destroy or permanently deidentify those TFNs once they no longer have a legal reason for storing them. This might happen when someone stops being a customer.
Australia’s privacy regulations pay particular attention to TFNs because of the potential for them to be used in fraud and identity theft.
RISKS AND CHALLENGES
Managing these risks can be challenging. In large organizations, TFNs can be stored within vast oceans of data, in many different locations and file formats. This may include scanned handwritten documents such as application forms.
Without powerful technology to find and redact TFNs, the task of compliance can be almost impossible. If not dealt with properly, this sensitive information can be exposed in an instant by an embarrassing and costly data breach.
BIG FOUR BANK
To help proactively manage these risks, one of Australia’s Big Four banks recently deployed Nuix Workstation and the Nuix Data Finder plugin to find and redact TFNs across more than 240 million documents.
Using the unmatched power and speed of the patented Nuix Engine, bank staff quickly scanned the documents and identified those containing TFNs, significantly reducing the bank’s compliance risk profile within a very short timeframe.
PRIVACY DATA IS A GLOBAL ISSUE
Australian banks aren’t the only organizations facing this challenge. Healthcare providers, insurers, professional services firms and government agencies often hold enormous amounts of private and sensitive data. Privacy laws around the world strictly require organizations to only hold private data they need for business purposes and to ensure they remove any personally identifiable information they no longer have use for.
As volumes of data in the world increase at a compound annual growth rate of 23% – doubling every three years – this will become an impossible problem very soon unless organizations invest in the right technology to solve it.