The UK Financial Services Authority (FSA) has pinpointed weak corporate IT controls in an investigation into insider trading.
Insider trading has become a serious problem during the current mergers and acquisitions boom, the financial firm watchdog said, and in a special report, it highlighted the need for improved IT security.
"Many firms could improve aspects of their IT controls to limit access to inside information. Some firms were careful in limiting the number of people made official insiders but had not considered the implications of open access IT systems, meaning that non-insiders could also, theoretically, access inside information," the FSA stated.
"There is a real need for bankers and brokers to tighten up their information security policies. Firms must take a more rigorous approach to letting people see sensitive information to avoid insider dealing," said Donal Casey, security expert, at business and IT consultancy, Morse.
"They should also be tightening up their IT security procedures and ensuring that only authorised people are given access to confidential information. This is relatively straightforward; it is chiefly about putting the right access controls in place," he added.
The FSA was particularly critical of the complacency in many city firms.
"All of the firms we spoke to were confident that leaks of information relating to public takeovers did not originate from within their firm… Given the firms with whom we spoke included some of those who are the most active in UK public takeover deals, and given the observed price volatility on a proportion of such deals, it seems reasonable to conclude that parties were perhaps too complacent that their own internal procedures were already robust," the report noted.
The FSA also highlighted the security risks of mobile technology and email.
"Some firms had not considered IT security issues surrounding the use of blackberries, laptops and storage media (such as memory sticks)," the report noted.
The watchdog called for systems that create an audit trail of who has reviewed particular documents. "This can be useful for internal reviews following any leakage of information," it said.
The FSA also noted that "on most deals, there is a high volume of email traffic, mostly sent without password protection, and a risk of 'fat finger errors' (where emails are sent to the wrong address)".
The FSA suggested the adoption of "secure data rooms", where documents are stored and only insiders are given access to view documents. This reduces the flow of emails and creates an audit trail of who has viewed documents.
"Currently, such technology appears not to be widely used for M&A [merger and acquisition] work (aside from by financial printers)," it noted.
The FSA identified a series of best practices including:
- Restrict IT access to only named individuals working on a specific deal, rather than allowing open IT access to everyone in a certain department or business unit.
- The use of secure data rooms; ensuring that security to the portal is robust and that access to the portal is restricted to named individuals.
- Dedicated IT support for deal teams so that those providing the support are considered to be part of the team and are included in training etc.
- Procedures so that once a member of staff leaves a firm, or changes roles, the individual's access to IT systems is quickly and completely removed. This was an area many firms could improve.
- Employ 'ethical hackers' to check the robustness of IT systems and keep abreast of any new methods of data theft.
- Use appropriate code names for IT files and folders.
- Password protect/encrypt electronic equipment such as mobile phones, BlackBerrys, laptops and memory devices.
- Restrict access to other people's email accounts.
- Mark sensitive calendar entries as private.
- Perform risk-based security checks on deal rooms to check for any breaches.
- Password protect individual documents that contain sensitive information.
- Use technology to generate an audit trail of those people who have access to sensitive files, including when they actually access those files.
- Restrict emails containing sensitive information from going to personal web-based accounts.
- Use codenames on the subject lines of emails so that inadvertent disclosures are not made to staff/third parties who happen to see the emails.
- Maintain formal, written procedures for when 'fat finger' errors occur on emails, letters or faxes; for example, recalling emails quickly and having IT check whether the emails have been opened. If they have been read, the Compliance department must make the reader an insider.
- Disable Microsoft Outlook functionality so that external email addresses have to be typed individually rather than automatically selected.
- Use virtual private networks (VPNs) for staff who need access to business systems when working offsite.
- Personal computing devices should have an automatic locking facility so that when people leave them for brief periods no one else can access them.
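As an added illustration of three of the practices listed above (named-individual access per deal rather than departmental access, prompt and complete removal of access when someone leaves or changes role, and an audit trail of who opened which file and when), the following Python model of a deal data room is example code written for this page; it is not the FSA's, nor any firm's or vendor's, actual system. The deal code name, user names, document name and timestamps are constructed, and the in-memory list stands in for whatever tamper-resistant log a real deployment would use.

```python
"""Toy deal-room access control with an audit trail (added example, not
from the FSA report). Access is granted to named individuals on a named
deal, never to a whole department; every access attempt, granted or
refused, is recorded so a leak review can ask "who viewed this document?"
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    deal: str
    document: str
    granted: bool  # a refused attempt is itself useful evidence in a review


class DealRoom:
    def __init__(self):
        self._insiders = {}  # deal code name -> set of named individuals
        self._audit = []     # append-only trail of AuditEntry

    def make_insider(self, deal, user):
        """Compliance adds a named person to one deal's insider list."""
        self._insiders.setdefault(deal, set()).add(user)

    def revoke(self, user, deal=None):
        """Remove one person from one deal, or (deal=None) from every deal,
        as happens when staff leave the firm or change roles."""
        deals = [deal] if deal else list(self._insiders)
        for d in deals:
            self._insiders.get(d, set()).discard(user)

    def insiders(self, deal):
        return set(self._insiders.get(deal, set()))

    def open_document(self, user, deal, document, now=None):
        """Check the named-insider list, record the attempt, then serve."""
        now = now or datetime.now(timezone.utc)
        granted = user in self._insiders.get(deal, set())
        self._audit.append(AuditEntry(now, user, deal, document, granted))
        if not granted:
            raise PermissionError(f"{user} is not an insider on {deal}")
        return f"<contents of {deal}/{document}>"  # placeholder payload

    def who_viewed(self, deal, document):
        """Leak review: everyone who actually opened a document, with times."""
        return [(e.user, e.when) for e in self._audit
                if e.deal == deal and e.document == document and e.granted]

    def refused_attempts(self):
        """Access attempts by non-insiders, for security review."""
        return [(e.user, e.deal, e.document) for e in self._audit
                if not e.granted]


def run_scenario():
    """Constructed walk-through: one deal, one insider, one colleague in the
    same department who is not an insider, one insider who changes role."""
    room = DealRoom()
    t0 = datetime(2007, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    room.make_insider("PROJECT_FALCON", "alice")
    room.make_insider("PROJECT_FALCON", "carol")

    room.open_document("alice", "PROJECT_FALCON", "offer_terms.pdf", t0)

    # bob sits in the same business unit but was never made an insider,
    # so departmental membership gives him nothing.
    try:
        room.open_document("bob", "PROJECT_FALCON", "offer_terms.pdf", t0)
    except PermissionError:
        pass

    # carol changes roles: access is removed promptly and completely.
    room.revoke("carol")
    try:
        room.open_document("carol", "PROJECT_FALCON", "offer_terms.pdf", t0)
    except PermissionError:
        pass
    return room


if __name__ == "__main__":
    r = run_scenario()
    print("viewed by:", [u for u, _ in r.who_viewed("PROJECT_FALCON", "offer_terms.pdf")])
    print("refused:", r.refused_attempts())
    print("current insiders:", r.insiders("PROJECT_FALCON"))
```

The point of recording refused attempts alongside granted ones is that the trail then answers both questions a post-leak review asks: who could have seen the document, and who tried to see it without being on the list.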