The UK Financial Services Authority (FSA) has pinpointed weak corporate IT controls in an investigation into insider trading.
Insider trading has become a serious problem during the current mergers and acquisitions boom, the financial firm watchdog said, and in a special report it highlighted the need for improved IT security.
"Many firms could improve aspects of their IT controls to limit access to inside information. Some firms were careful in limiting the number of people made official insiders but had not considered the implications of open-access IT systems, meaning that non-insiders could also, theoretically, access inside information," the FSA stated.
"There is a real need for bankers and brokers to tighten up their information security policies. Firms must take a more rigorous approach to letting people see sensitive information to avoid insider dealing," said Donal Casey, security expert at business and IT consultancy Morse.
"They should also be tightening up their IT security procedures and ensuring that only authorized people are given access to confidential information. This is relatively straightforward, it is chiefly about putting the right access controls in place," he added.
The FSA was particularly critical of the complacency in many City firms.
"All of the firms we spoke to were confident that leaks of information relating to public takeovers did not originate from within their firm.... Given the firms with whom we spoke included some of those who are the most active in UK public takeover deals, and given the observed price volatility on a proportion of such deals, it seems reasonable to conclude that parties were perhaps too complacent that their own internal procedures were already robust," the report noted.
The FSA also highlighted the security risks of mobile technology and e-mail.
"Some firms had not considered IT security issues surrounding the use of BlackBerrys, laptops and storage media (such as memory sticks)," the report noted.
The watchdog called for systems that create an audit trail of who has reviewed particular documents. "This can be useful for internal reviews following any leakage of information," it said.
The FSA also noted that: "on most deals, there is a high volume of e-mail traffic, mostly sent without password protection, and a risk of 'fat finger errors' (where e-mails are sent to the wrong address)."
The FSA suggested the adoption of "secure data rooms", where documents are stored and only insiders are given access to view documents.
This reduces the flow of e-mails and creates an audit trail of who has viewed documents.
"Currently, such technology appears not to be widely used for M&A [merger and acquisition] work (aside from by financial printers)," it noted.
The FSA identified a series of best practices including:
— Restrict IT access to only named individuals working on a specific deal, rather than allowing open IT access to everyone in a certain department or business unit.
— The use of secure data rooms; ensuring that security to the portal is robust and that access to the portal is restricted to named individuals.
— Dedicated IT support for deal teams so that those providing the support are considered to be part of the team and are included in training etc.
— Procedures so that once a member of staff leaves a firm, or changes roles, the individual's access to IT systems is quickly and completely removed. This was an area many firms could improve.
— Employ 'ethical hackers' to check the robustness of IT systems and keep abreast of any new methods of data theft.
— Use appropriate codenames for IT files and folders.
— Password protect / encrypt electronic equipment such as mobile phones, BlackBerrys, laptops and memory devices.
— Restrict access to other people's e-mail accounts.
— Mark sensitive calendar entries as private.
— Perform risk-based security checks on deal rooms to check for any breaches.
— Password protect individual documents that contain sensitive information.
— Technology to generate an audit trail of those people who have access to sensitive files, including when they actually access those files.
— Restrict e-mails containing sensitive information from going to personal Web-based accounts.
— Use codenames on the subject lines of e-mails so that inadvertent disclosures are not made to staff/third parties who happen to see the e-mails.
— Maintain formal, written procedures for when 'fat finger' errors occur on e-mails, letters or faxes. For example, recalling e-mails quickly and having IT check to see if the e-mails have been opened. If they have been read, then the Compliance department must make the reader an insider.
— Disable Outlook functionality so that external e-mail addresses have to be typed individually rather than automatically selected.
— Keep up to date with security updates, apply quickly any patches released by product providers.
— Use Virtual Private Networks for staff who need access to business systems when working off-site.
— Ensure personal computing devices have an automatic locking facility so that when people leave them for brief periods no one else can access them.
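Three of the practices above (deal-scoped access for named individuals only, prompt and complete removal of access on leaving or changing role, and an audit trail showing who actually opened which file) fit together as one access-control model. The following is an added illustration of that model, written for this page; it is not code from the FSA report or from any firm's deal-room product. The deal codename, user names and document name are constructed sample values.

```python
"""Deal-scoped access control with an audit trail and prompt revocation.

Added illustration (not from the FSA report or any firm's system): each
document belongs to one deal, only that deal's named insiders may open it,
every attempt (allowed or refused) is recorded, and a leaver or role change
removes the person from every deal at once.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    """One line of the audit trail: who tried to open what, and whether it was allowed."""
    at: datetime
    user: str
    deal: str
    document: str
    allowed: bool


class DealRoom:
    def __init__(self) -> None:
        self._insiders: dict[str, set[str]] = {}   # deal codename -> named insiders
        self._documents: dict[str, str] = {}       # document id -> deal codename
        self.audit: list[AccessEvent] = []

    def add_document(self, document: str, deal: str) -> None:
        self._insiders.setdefault(deal, set())
        self._documents[document] = deal

    def make_insider(self, deal: str, user: str) -> None:
        """Grant one named individual access to one deal (no department-wide grants)."""
        self._insiders.setdefault(deal, set()).add(user)

    def revoke(self, user: str) -> int:
        """Leaver or role change: remove the person from every deal. Returns deals affected."""
        count = 0
        for members in self._insiders.values():
            if user in members:
                members.discard(user)
                count += 1
        return count

    def open_document(self, user: str, document: str) -> bool:
        """Check the deal's insider list and record the attempt either way."""
        deal = self._documents.get(document)
        allowed = deal is not None and user in self._insiders.get(deal, set())
        self.audit.append(AccessEvent(datetime.now(timezone.utc), user,
                                      deal or "<unknown>", document, allowed))
        return allowed

    def readers_of(self, document: str) -> list[str]:
        """Who has actually opened a document: successful accesses only, first-seen order."""
        seen: list[str] = []
        for ev in self.audit:
            if ev.document == document and ev.allowed and ev.user not in seen:
                seen.append(ev.user)
        return seen

    def refused_attempts(self) -> list[AccessEvent]:
        """Refused attempts are what an internal review after a leak would look at first."""
        return [ev for ev in self.audit if not ev.allowed]


def demo() -> dict:
    # Constructed sample: one deal, one insider, one outsider, then the insider leaves.
    room = DealRoom()
    room.add_document("falcon-offer-terms.pdf", "PROJECT_FALCON")
    room.make_insider("PROJECT_FALCON", "alice")
    results = {
        "alice_first": room.open_document("alice", "falcon-offer-terms.pdf"),
        "bob_blocked": room.open_document("bob", "falcon-offer-terms.pdf"),
    }
    results["revoked_deals"] = room.revoke("alice")
    results["alice_after_revoke"] = room.open_document("alice", "falcon-offer-terms.pdf")
    results["readers"] = room.readers_of("falcon-offer-terms.pdf")
    results["refused"] = len(room.refused_attempts())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping the insider set per deal rather than per department is that an analyst on one transaction gets nothing on another, which is exactly the "open access" gap the report describes; `readers_of` is the list the Compliance team would consult after a misdirected e-mail or a suspected leak, and `revoke` is the single call a leaver process needs so that nothing is left behind.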