Information Security in Finance

Looking back over the many years that I have worked in the finance industry it's remarkable to consider the changes in technological development we have seen over that time. During the course of my career email went from something of a novelty to the key form of communication for the workplace. While some other industries have moved on from email to more modern workflow tools, Investment Banking is still driven by email and Microsoft Office documents. Software such as PowerPoint allow a novice to generate a professional presentation within minutes compared to the efforts required by reprographics departments twenty years ago. Unfortunately not every part of Investment Banking has utilised modern technology to the same extent.

Most firms have recognised concerns with email as a means of communication, particularly the ease with which material can be distributed outside of an organisation - and many have policies and controls in place which warn when emails have external recipients, block certain external domains and prevent attachments leaving the firm. There is, however, rarely the same rigour applied to internal communications, or granularity in email recipients which reflect the business risks and regulations that the industry currently faces.

Chinese Walls are barriers within a company which prevent the dissemination of sensitive information which could lead to conflicts of interest. Financial firms are required by law to safeguard against confidential information reaching the wrong people, both internally and externally. Firms physically separate individuals in public or private roles to ensure that information is protected, and set up various projects to protect information flow on a need to know basis. The amount of information communicated electronically now, however, requires walls to be built in the electronic world as well as the real one. Very rarely do these walls go beyond maintaining insider lists and post breach event notification rather than using technology to actively prevent incorrect dissemination of information in the first place.

Throughout my career I observed a number of weaknesses in these internal control systems. Control rooms set up projects around private side deals, often with names aimed at obfuscating any clue as to the underlying information. Whenever an email is sent which contains private information related to a project, it is on the senders responsibility to manually check each recipient is an "insider" from a list which could have additions and removals made at any point in time. Even assuming your employees are meticulous in carrying out these checks, each time they send a mail there are still pitfalls. Auto-complete on email addresses make typing efficient, but adds the risk of an incorrect recipient being selected. In a large institution the chance of people with a similar or the same name grows (at my last employer I had a colleague named Steven Marshall and we were frequently sent emails to the wrong one). A common mistake I observed many times was people not even realising an email contained private information. An email discussion which started off containing confidential information may drift to an innocuous subject at which point someone forwarded it to a recipient who was not an insider as they hadn't scrolled down to know of the original content. How were they expected to know that? And what controls does the firm have in place to attempt to prevent this?

Often the weaknesses in controls are picked up post-event. The sender of an email may recognise that they made a mistake and report it to their compliance department, or the recipient may realise that they have received confidential private information which they should not have done and similarly report the breach. In these cases the individual impacted will usually have to be wall-crossed and may be subject to certain controls and restrictions. If the recipient is a front office employee it may prevent them trading in securities related to the project. There can be a loss of revenue, or an inability to hedge transactions while the individual is restricted. The regulator may be informed, and in certain cases remediation may be required if it is felt that the firm does not have adequate controls in place. In a worse case, neither the sender or recipient may notice or report the breach - and in the case of a malicious employee they could use that information for insider trading. As well as the individual committing a criminal offence the firm would face scrutiny from regulators around how such an event occurred, as well as reputational impact associated with the crime. Firms often have controls which warn about emails to external participants - but businesses still require communication with external parties and the potential impact of a mis-addressed external email containing private information is very significant indeed.

Fortunately for all these weaknesses, technology has kept pace and provided solutions to the controlled dissemination of confidential information, however, the finance industry has not really taken full advantage of these developments, beyond some rudimentary checks. Technology now enables documents to be labelled and classified in a non-intrusive fashion. The single click of a button when you are drafting an email or creating a spreadsheet can identify the document as containing private information related to a specific project. Once classified the email or document attachment cannot be sent to anyone who is not an insider on that project. A message identifies the people you cannot send it to and removes them from the distribution whether inside or outside of your organization. The classification sticks with the document or email, and if it is forwarded all the checks and blocks are repeated. You don't need to read through twenty pages of email discussion to "discover" that a document or attachment contains private information. You have an electronic check to see if email recipients are within a project. You allow technology to support your existing controls and introduce preventative action for e-communication rather than relying on manual checks and post-event notification.

For compliance departments there are now technical solutions that act as a physical Chinese Wall for your firms e-communications. Your existing control room policies remain untouched, but are now used to prevent the dissemination of private information at source. For time pressured front office staff who need to communicate private information efficiently there is a simple one-click solution which reinforces control room processes on your workflow, enabling you to focus on business, while stopping mistakes before they happen. For senior managers you are demonstrating to regulators and staff that you are serious about preventing confidential information leakage and have adequate preventative controls in place with technology supporting your employees.

The failures that many of my colleagues and I observed in the past can now be prevented. This technology is already proven in governmental, defence and industrial applications. RegRisk Technology, my new venture, is set-up to work with you and our partners to implement these solutions and more. If this sounds interesting then please get in touch for further information on how technology can actively prevent confidential information leakage at your firm, while reinforcing your existing control processes.

Steven Marshall - CEO & Co-Founder of RegRisk Technology.