In the financial industry, firms have long been lucrative targets for insider attacks, and the trend is only growing as more and more computing power is used to launch attacks at scale. The theft of financial and intellectual property, the destruction of assets, and the disruption of internal systems and customer operations are all consequences of insider attacks on firms’ electronic systems. Unfortunately, detecting and preventing such attacks has proven difficult, because insiders can use their familiarity with the firm’s systems to act without being noticed.
In addition, enforcing the prohibition on insider trading is another area in which regulators and companies are challenged. The purpose of insider trading laws and regulations is to ensure that no one benefits from trading on “insider” or “unpublished” information, that is, information not available to all market participants. To create a level playing field, all market participants must have access to the same information. In our experience, monitoring compliance with insider trading regulations is more efficient when the controls that enforce the prohibition are automated.
Benefits of Automation
- Data storage systems for investments & holdings of employees, immediate family members, and persons with material financial relationships as defined by the regulation
- Automated routing of trade requests for approval or rejection
- Configurable holding-period and contra-trade restrictions
- Handling of UPSI, blackout periods, and no-trading periods
- Automated creation and maintenance of a restricted securities list
- Submission of periodic disclosures electronically
- Workflow system for all trading approvals, automated reminder emails, notifications, and audit trails
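The controls listed above (a restricted securities list, blackout and no-trading periods, a holding-period/contra-trade rule, and an audit trail for every approval or rejection) can be expressed as a small pre-clearance engine. The following is an added illustration written for this page, not code from the original article or from any vendor product; the symbols, dates, the 30-day holding period and the `PreClearance` class are all constructed assumptions.

```python
"""Trade pre-clearance: restricted list, blackout windows, contra-trade
holding period, and an append-only audit trail.  Illustrative only."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Trade:
    employee: str
    symbol: str
    side: str          # "BUY" or "SELL"
    trade_date: date


@dataclass
class Policy:
    restricted: Set[str]                                    # restricted securities list
    blackouts: Dict[str, List[Tuple[date, date]]]           # symbol -> inclusive windows
    min_holding_days: int = 30                              # assumed contra-trade window


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)


def check_trade(trade: Trade, policy: Policy, history: List[Trade]) -> Decision:
    """Apply every rule and collect all reasons, so the requester sees
    the full picture instead of only the first failing check."""
    reasons: List[str] = []

    if trade.symbol in policy.restricted:
        reasons.append(f"{trade.symbol} is on the restricted securities list")

    for start, end in policy.blackouts.get(trade.symbol, []):
        if start <= trade.trade_date <= end:
            reasons.append(f"{trade.symbol} is in a blackout period {start} to {end}")

    # Contra trade: the opposite side in the same security inside the holding window.
    window = timedelta(days=policy.min_holding_days)
    for past in history:
        same_book = past.employee == trade.employee and past.symbol == trade.symbol
        if same_book and past.side != trade.side and trade.trade_date - past.trade_date < window:
            reasons.append(
                f"contra trade: {past.side} on {past.trade_date} is within "
                f"{policy.min_holding_days} days"
            )

    return Decision(approved=not reasons, reasons=reasons)


class PreClearance:
    """Workflow wrapper: evaluates a request, records an audit entry, and
    only then adds approved trades to the employee's history."""

    def __init__(self, policy: Policy, history: List[Trade]) -> None:
        self.policy = policy
        self.history = list(history)
        self.audit: List[Tuple[Trade, Decision]] = []   # append-only in this toy model

    def request(self, trade: Trade) -> Decision:
        decision = check_trade(trade, self.policy, self.history)
        self.audit.append((trade, decision))
        if decision.approved:
            self.history.append(trade)
        return decision


# Constructed sample policy and history (not real securities or employees).
SAMPLE_POLICY = Policy(
    restricted={"ACME"},
    blackouts={"GLOBEX": [(date(2024, 1, 10), date(2024, 1, 20))]},
)
SAMPLE_HISTORY = [Trade("alice", "GLOBEX", "BUY", date(2024, 1, 2))]


def run_sample() -> List[Decision]:
    """Submit four constructed requests through the workflow."""
    system = PreClearance(SAMPLE_POLICY, SAMPLE_HISTORY)
    requests = [
        Trade("alice", "ACME", "BUY", date(2024, 1, 5)),     # restricted list
        Trade("bob", "GLOBEX", "BUY", date(2024, 1, 15)),    # blackout period
        Trade("alice", "GLOBEX", "SELL", date(2024, 1, 25)), # contra trade, 23 days
        Trade("bob", "WIDGET", "BUY", date(2024, 2, 1)),     # clean
    ]
    return [system.request(t) for t in requests]


if __name__ == "__main__":
    for d in run_sample():
        print("APPROVED" if d.approved else "REJECTED", d.reasons)
```

Because every rule contributes its own reason, the audit trail records why a request was rejected and not merely that it was, which is what a compliance reviewer needs when reconstructing a decision later.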
Although an organization may have automated its internal processes to prevent insider trading (PIT), there are pitfalls to avoid.
Here are a few that should be considered:
- Unpublished Price Sensitive Information (UPSI) leak, whistleblowing
- A report that UPSI has been leaked should be based on the whistleblower’s direct knowledge. Secondary or unreliable sources and any form of informal communication should not be relied upon.
- The whistleblower must provide authentic evidence supporting the alleged leak of UPSI. Whistleblowers will be subject to disciplinary action if it is established that their allegation was made with mala fide intentions or was frivolous or not genuine.
- Chinese Wall
In order to prevent the misuse of confidential information, the company should adopt a “Chinese Wall” policy that separates “inside areas” from “public areas”. In an organization, “inside areas” are those areas where confidential information is routinely provided to employees, while “public areas” are those departments dealing with sales, marketing, investment advice, etc. Measures that organizations can use to separate “inside areas” from “public areas” include:
- Employees in the “inside area” should not pass price-sensitive information to anyone in the “public area”.
- Physical separation may be maintained between employees in “inside areas” and employees in “public areas”.
- Explicitly designating which departments count as “inside areas”.
- Employees from the public areas may be permitted to access confidential information only in exceptional circumstances, on a “need to know” basis.
- Access Control
- Access is restricted to people who have been explicitly granted permission. Various forms of access control may be used. For example, financial firms should keep sensitive information locked up, use key card access to rooms and buildings, block the copying of information from a computer to a USB drive, and employ physical security guards.
- Additionally, companies should prevent their employees from downloading information onto USB drives or disks. Inserting a removable device into a company computer carries a variety of risks, such as theft of information and the introduction of a virus or other malware.
- An employee’s access to information on a computer or database should be determined by IT and management as a team. An access control list should be established by IT and management to regulate which individuals have access to certain materials, and this list should be reviewed on a regular basis to verify if an individual still requires access.
- Some companies go even further by restricting access to certain areas of the company to specific employees. There may be secured floors in a building accessible only by key card, where only employees of that specific business are allowed to enter and work alongside each other. For example, an organization might physically separate the investment banking business from the research department so that employees of the two cannot sit next to each other.
- Management should decide how groups are divided and who has access to which floors in a company. At least annually, management and security should review the access list to ensure that each person has a specific reason to have access to each area, in accordance with the Gatekeeper principle.
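The periodic review described above, together with the “need to know” rule from the Chinese Wall section, can be turned into a repeatable check over the access list rather than a manual read-through. The following is an added example written for this page, not the article’s own procedure or any product’s code; the department classification, the 365-day review interval, and all users, resources and dates are constructed assumptions.

```python
"""Periodic access-list review: flag grants held by people who have left,
grants not re-certified within the review interval, and public-area staff
holding inside-area access without a recorded need-to-know justification."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed classification of departments into Chinese Wall sides.
INSIDE_AREAS = {"research", "investment_banking"}
PUBLIC_AREAS = {"sales", "marketing", "advisory"}


@dataclass(frozen=True)
class Employee:
    user: str
    department: str
    active: bool


@dataclass(frozen=True)
class AccessGrant:
    user: str
    resource: str          # secured floor, share, or database
    resource_area: str     # department that owns the resource
    last_reviewed: date    # date the grant was last re-certified
    justification: str     # free text; empty means none recorded


@dataclass(frozen=True)
class Finding:
    user: str
    resource: str
    issue: str


def review_access(grants: List[AccessGrant], roster: Dict[str, Employee],
                  today: date, max_review_age_days: int = 365) -> List[Finding]:
    """Return one Finding per problem; a clean grant produces nothing."""
    findings: List[Finding] = []
    for g in grants:
        emp = roster.get(g.user)
        if emp is None or not emp.active:
            # An orphaned grant is the most urgent case; skip further checks.
            findings.append(Finding(g.user, g.resource, "holder is not an active employee"))
            continue

        if (today - g.last_reviewed).days > max_review_age_days:
            findings.append(Finding(g.user, g.resource, "re-certification overdue"))

        crosses_wall = emp.department in PUBLIC_AREAS and g.resource_area in INSIDE_AREAS
        if crosses_wall and not g.justification.strip():
            findings.append(Finding(
                g.user, g.resource,
                "public-area user holds inside-area access with no need-to-know justification",
            ))
    return findings


# Constructed roster and access list for the demonstration.
SAMPLE_ROSTER = {
    "alice": Employee("alice", "research", active=True),
    "bob": Employee("bob", "sales", active=True),
    "carol": Employee("carol", "sales", active=True),
    "dave": Employee("dave", "investment_banking", active=False),   # has left
}
SAMPLE_GRANTS = [
    AccessGrant("alice", "floor-12", "research", date(2024, 1, 15), "research analyst"),
    AccessGrant("bob", "deal-share", "investment_banking", date(2024, 3, 1), ""),
    AccessGrant("carol", "deal-share", "investment_banking", date(2023, 5, 1),
                "approved by compliance for project X"),
    AccessGrant("dave", "floor-14", "investment_banking", date(2024, 2, 1), "banker"),
    AccessGrant("erin", "floor-12", "research", date(2024, 2, 1), "contractor"),  # not on roster
]
REVIEW_DATE = date(2024, 6, 30)


def run_sample() -> List[Finding]:
    return review_access(SAMPLE_GRANTS, SAMPLE_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:6} {f.resource:11} {f.issue}")
```

Running the review on a schedule and keeping its output with the approval records gives the annual check a paper trail of its own, so the reviewer can show not only that access was granted with a reason but that the reason was re-examined.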
Securing information from the inside as well as the outside remains a continuous challenge, even after an organization has automated its process for preventing insider trading.