It is that opportunity which asset management firms need to prevent through a combination of compliance controls and technology, say panelists and attendees at a recent symposium hosted by the Hedge Fund Association in New York. The theft of trade secrets, such as algorithms, trading strategies and customer lists, has become prevalent and problematic for asset management firms now that trade secrets are maintained primarily in electronic form. Rogue employees can cut, copy, download and transfer the data for illegal purposes and multiple reasons. Debt, greed, revenge, or even ego can play a role. Regardless of the motivation, the damage is often unquantifiable.
For starters, the US Securities and Exchange Commission won’t hesitate to fine a registered investment adviser for its lack of controls when customer data or funds go missing. Fund management firms also often pay forensic specialists to uncover what type of data was stolen after receiving a tip from competitors or customer. The asset management firm might even have its own suspicions after discovering that the employee has jumped ship to launch his or her own firm or join a rival. Ultimately, when the asset management firm does discover that data has been stolen — and who did it — it must decide whether it is worthwhile to file a civil suit against the rogue employee.
The newly passed Defense Against Trade Secrets Act tries to make it easier for financial firms to sue for data theft in federal rather than only state court. It also expands the definition of data to include “all forms and types of financial, business, scientific, technical, economic or engineering information” including patterns, plans, compilations, formulas, designs, prototypes, methods, techniques, programs or codes whether tangible or intangible. The legislation takes into account data that is stored, compiled or memorized physically, electronically, graphically, photographically or in writing. Legal experts tell FinOps Report that the inclusion of financial information as well as intangible data, which would include computer code and algorithms, could help financial firms seeking to protect their trade secrets.
Still, litigation can be time-consuming and expensive. It can cost an estimated US$1 million to litigate a case involving the theft of intellectual property valued at between US$1 million and US$10 million. The asset management firm may ultimately decide it can’t afford to pursue legal action. Even if it does settle the case out of court, far more damage has been done than what the settlement pays for. By the time the litigation is settled, the rogue employee has already helped his or her new firm use the algorithms and trading strategies to boost its investment returns and the client list to solicit new customers. He or she might have even sold the information to third parties who have encouraged the employees to steal the company’s crown jewels to sell on the “Dark Web.”
Insiders have the upper hand when it comes to data theft because they have the benefit of time to slowly take data without raising any red flags. Most of the time no one is watching. Firms often operate on the premise that their employees know the rules or are trustworthy.
“The most effective way to prevent data theft is through a solid compliance program that relies on a combination of human resources, legal, audit and IT resources,” explains Scott Garley, head of the securities litigation group at law firm Gibbons PC in New York. Starting off with good background checks and references when adding new employees can go a long way to mitigating the potential a wannabe data thief is entering the shop. So will personality tests.
Not enough asset management firms explain that intellectual property created by an employee during his or her tenure at a firm belongs to the firm, not the employee. Even if they do, they might neglect to clarify what data they are talking about. “Employment contracts might use the phrasing ‘assets of the firm,’ presuming that the employee will understand,” says Kelley Howes, an attorney with Morrison & Foerster in Denver. “When the employee is finally caught with the trade secrets, he or she could simply say that he or she didn’t know the data was proprietary in the first place.”
Once the employee passes the sniff test to win a job, the next step involves training. “Any good compliance program will explain in writing which applications the employee can access and when and for what reason,” says Mark Sidoti, chair of the electronic discovery task force at Gibbons PC in New York. “It will also outline how and when data can be transferred and to which internal and external parties.”
Limiting access to applications and the transfer of data will help curtail potential theft. So will knowing that the use of applications will be monitored at all times. “Employees need to understand that they should have no expectation of privacy as long as they use a company’s servers,” says Howes. Their emails and other communications can be audited at random.”
Just who is the employee? Everyone who has access to any and all applications. “One of the biggest mistakes a firm can make is to not monitor C-level or high-ranking employees on the presumption that they would know better than to steal company data,” says Garley. “Nothing could be further from the truth. They are the ones who have the greatest opportunity to steal confidential data, because they have the most privileged access.”
Monitoring employee activity involves technology and there are plenty of software packages which will prevent access to unauthorized applications for starters. The data theft prevention applications spot and block unauthorized attempts to move around sensitive data. However, they have one shortcoming. Most of the time data is stolen by those who have authorized status.
Auditing user logs is also a common methodology, but can be time-consuming and ineffective because at best it provides only a footprint. “The records won’t provide enough data to determine an employee’s actions and the employee could easily say that the tracking system was mistaken,” says Gabriel Friedlander, chief technology officer and co-founder of ObserveIT, a Boston-based IT activity tracking firm. “The firm needs to show evidence that the employee was the one misusing the data, or it won’t have a solid legal case.”
Relying on the log of an employee’s use of a financial application, for example, won’t help if the user has been given access, covered his or her tracks and deleted steps. Logs also typically rely on obscure hard-to-digest technical language created for the benefit of developers and companies often can’t crack the language. Therefore, they find it impossible to learn what users are doing, explains Friedlander.
A better approach: relying on activity monitoring systems that can see in the moment, when and how insiders are genuine threats. By monitoring what employees do on their computers, the firm can view in real-time or later what they access, when they did or whether they manipulated or used any programs and data in an unauthorized way. User activity monitoring can be set to start when keyboard or mouse activity is detected or can be triggered only when a specific application is accessed or a policy is violated.
Some activity monitoring systems, such as ObserveIT’s, can even keep track of what employees are doing when working on cloud-based applications. It is those applications which fund management firms need to be the most cautious of. They store data outside the firm and provide access from anywhere. Such off-premise applications can bypass a company’s firewall and be more susceptible to theft. Insiders can even bring to work their own cloud applications, such as Gdrive or Dropbox and store confidential information within these personal and less secure cloud apps.
When catching potential data theft, thinking small is the optimal approach. Uncovering that even the slightest amount of valuable data has been stolen, should be a call to action. Asset management firms might believe that it isn’t cost-effective to pursue a single case or that it is a one-off occurrence. But nothing could be further from the truth. Reprimanding — and even firing — employees will pay off in the long run. “Employees who steal the company’s intellectual property don’t just wake up one morning and decide to download entire files of algorithms, trading strategies and customer names,” insists Friedlander. “They often start off stealing tidbits of proprietary information to test if they can get away with larger acts of wrongdoing.”
Last but not least, creating a culture of strong checks and balances as well as reporting can help prevent potential data theft. The biggest source of controls can be fellow employees who might pick up on a colleague or supervisor’s unusual activity even before monitoring applications do. “The employee might be asked to share a passcode on the grounds the information is critical to completing a task,” says Friedlander. “The employee might have even been offered a bribe in the form of cash or free lunch or tickets.”
Rogue data thieves almost never work alone and always work in a vacuum. They often rely on colleagues to overlook their conduct either knowingly or unwittingly. They also take advantage of employers who feel that too much scrutiny will demotivate employees. “Fund management firms should never let employees think they are trusted completely,” says Friedlander. “Knowing that isn’t the case can be a big deterrent.”