Schneier on Security
A blog covering security and security technology.
June 23, 2011
Insider Attack Against M&A Information in Document Titles
Protecting against insiders is hard.
Kluger and two accomplices -- a Wall Street trader and a mortgage broker -- allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least $32 million from the trades....
Kluger had access to information on M&A deals in Wilson Sonsini's DMS, but he did not open the documents to avoid leaving an audit trail that could possibly expose the scheme, prosecutors assert. Instead, he conducted searches and perused titles. "Kluger looked for board resolutions, press releases, and merger agreements because the titles of these documents revealed that specific companies were involved in pending mergers and acquisitions," the charges state....
Remember, when people fill out the titles of documents, they are thinking about how to make the document easier to find, not about how to conceal information. Even if the firm uses code names, as was the case in the Wilson Sonsini files, it's often easy to figure out the codes.
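The scheme described above only works if the DMS logs document opens but treats searches and title listings as free. The following detection logic is an added example, not part of the post and not any real DMS product's code: it assumes a hypothetical audit-log format in which searches are logged alongside opens, builds a per-user profile, and flags users who search across many matters but rarely open anything, which is exactly the title-only access pattern the post describes. The log lines and thresholds are constructed for illustration.

```python
"""Flag search-heavy, open-light users in a DMS audit trail.
Added example; the log format, users and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample audit lines (hypothetical format):
# <timestamp> user=<id> action=<search|open> matter=<code> detail="<text>"
SAMPLE_LOG = """\
2011-06-20T09:01:12 user=jdoe action=search matter=PROJECT-FALCON detail="merger agreement"
2011-06-20T09:02:40 user=jdoe action=open matter=PROJECT-FALCON detail="Merger Agreement v3.docx"
2011-06-20T09:15:03 user=mkl action=search matter=PROJECT-FALCON detail="press release"
2011-06-20T09:15:44 user=mkl action=search matter=PROJECT-HERON detail="board resolution"
2011-06-20T09:16:10 user=mkl action=search matter=PROJECT-OSPREY detail="merger agreement"
2011-06-20T09:16:55 user=mkl action=search matter=PROJECT-KITE detail="press release"
2011-06-20T09:17:30 user=mkl action=search matter=PROJECT-HERON detail="merger agreement"
2011-06-21T10:05:00 user=asmith action=search matter=PROJECT-HERON detail="board resolution"
2011-06-21T10:05:30 user=asmith action=open matter=PROJECT-HERON detail="Board Resolution.docx"
2011-06-21T10:08:00 user=asmith action=open matter=PROJECT-HERON detail="Press Release draft.docx"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>search|open) '
    r'matter=(?P<matter>\S+) detail="(?P<detail>[^"]*)"$'
)


@dataclass
class Profile:
    searches: int = 0
    opens: int = 0
    matters_searched: set = field(default_factory=set)
    matters_opened: set = field(default_factory=set)


def parse_log(text):
    """Parse the hypothetical log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_profiles(events):
    """Aggregate search and open activity per user."""
    profiles = defaultdict(Profile)
    for e in events:
        p = profiles[e["user"]]
        if e["action"] == "search":
            p.searches += 1
            p.matters_searched.add(e["matter"])
        else:
            p.opens += 1
            p.matters_opened.add(e["matter"])
    return dict(profiles)


def flag_browsers(profiles, min_searches=3, min_matters=2, max_open_ratio=0.25):
    """Return (user, searches, opens, matters searched but never opened) for users
    who search many matters yet rarely open anything. Thresholds are assumptions."""
    flagged = []
    for user, p in sorted(profiles.items()):
        ratio = p.opens / p.searches if p.searches else 1.0
        untouched = p.matters_searched - p.matters_opened
        if (p.searches >= min_searches and len(untouched) >= min_matters
                and ratio <= max_open_ratio):
            flagged.append((user, p.searches, p.opens, sorted(untouched)))
    return flagged


if __name__ == "__main__":
    for row in flag_browsers(build_profiles(parse_log(SAMPLE_LOG))):
        print(row)
```

The practical check this suggests is simple: if your DMS cannot produce a log of who searched for what, the title channel is unaudited regardless of how thorough the open/download log is. The thresholds here are deliberately loose; a real deployment would baseline them against the firm's normal search volume, since, as one commenter below notes, broad searches by many staff can otherwise bury the signal.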
Posted on June 23, 2011 at 6:29 AM
Bruce what's with the new 'S' logo in the address bar on the home page? Planning to get a cape emblazoned with that?
@AC2 That favicon has been there for at least a year, probably longer.
Ooops... First time I saw it, honest!
Kluger and associates did pretty well to get away with it for over 17 years... I didn't see any mention of how the crimes were detected... an angry ex?!
@AC2: Well, he was going to use both initials, but...
This shows the basic dichotomy of information of value.
In order to make it "findable" and useful as information in the ordinary human sense you need to "leak information". Once leaked, information cannot be constrained or controlled.
Now the usual solution is "audit" but that is actually a "shutting the barn door after..." and as has been shown here there are usually ways around audit, be it directly or indirectly where the audit data is rendered ineffective (i.e. if many people run broad scope searches then the number of people pulling up the individual records is a sizable fraction of the staff).
There are known solutions to this issue but in general they are both too expensive and too difficult to implement in current commercial software.
I remember long long ago a client who had a vendor they exchanged information on customers with. The vendor *required* that the format of this information be an e-mail with a subject line containing the customer's full name, DOB and SSN. I was immediately jaw-droppingly shocked at this, but it really set in when I realized that asking them to encrypt their e-mail wouldn't even help with this. The PII was in the *subject*.
(in the end, I just told them they needed to find a new vendor, there was no hope for that one)
@Clive Robinson at June 23, 2011 9:33 AM
I think you pretty much nailed that.
The cost to have prevented this would have been very high. Now, it may have paid off in this instance, but across the board world-wide it would have cost more than it saved.
Audit is often closing the barn door after, but it does provide deterrence value that is tough to measure.
Ten years ago I was involved in building a hosted legal invoicing system. The risk there was the use of M&A target names in invoice line items. Well... one of the risks.
For guidance on what to do about the possible data leakage in the billing system, I looked into what the American Bar Association requires for security of email containing privileged information -- and found that they had no requirements at all. And it wasn't that they hadn't considered it. In fact they had, but they had decided that the risk of interception or misaddressing of email was not substantially greater than the risk of interception or misaddressing of fax or courier communications.
So with a little luck that means 16 million in lawyer fees and with the other half it's back to business as usual. Everybody happy. The system works.
Easy comment: Just another example of my meme. :-)
The thing I love about my meme is that there are so many daily confirmations of its truth I can rest assured I will never be proved wrong. :-)
It gives one a safe feeling, like a vault in Switzerland.
The cost to prevent one case of such abuse would be pretty high, but how do we know that there weren't 20 other people doing exactly the same thing?
I've mentioned M&A information security on a number of occasions.
The basic problem is that traditional encryption secures the contents of documents or files, but does a poor job of securing the existence of the documents and a very poor job of obscuring the interest third parties might have in these documents.
If I can guess that an acquisition will occur within 3 months then it is an easy way to earn 20 to 50% return by "front-running" the acquisition. The exact details of the deal are irrelevant because in 99% of takeovers the buy-out premium will be at least 20% above the average trading price for the last 6 months.
Here are two M&A hacks that can be easily implemented by anyone, with absolutely no involvement in the deals.
- Lawyer Honey-pot (create a web site that contains details of likely deals and monitor (reverse ping) all access to the web site).
- Monitor access to specialty "M&A data rooms" (these are usually hosted by third-party financial service providers). Unfortunately you can figure out the existence of an M&A data room and imply the existence of an access account for a likely acquiring entity, by simply monitoring traffic.
The problem with insiders seems to just be an expression of the Byzantine Generals problem. I grant the point that absence of evidence is not evidence of absence but even if the number were ten times the estimated amount the overall risk to the system would be minute. While $32 million might seem like a lot of money to you or me, in the M&A world it is not even a blip on the radar screen.
I'm one of these people who thinks that the correct implication of Bayes Theorem is that when dealing with highly improbable events it's better to just ignore them. The cost/benefit calculations are never in your favor.
@Jenny Juno: "The cost to prevent one case of such abuse would be pretty high, but how do we know that there weren't 20 other people doing exactly the same thing?"
We don't. That's the dilemma.
Well, I remember that little hacker drama Takedown where Kevin Mitnick was trying to upload his software to a server and the "good guys" used a fake cell tower to throw a wrench in his plans.
I would think that facebooking or tweeting or whatever they call it is still like using an old style telephone line: the police can always be at the other end or indeed, the man in the middle.
oops. The previous comment is for another post of yours.
When I worked at a large law firm, we not only used code names, we also used the document management system to restrict access (including search) to the deal files, so that only people actually on the team could see them. I imagine there were ways around that, too, but they weren't simple. I wonder why they weren't doing that at WSGR.
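The control this commenter describes, restricting search as well as open to the deal team, is the one that closes the title channel. The following is an added example, not code from the post, the commenter or any real DMS: it contrasts a firm-wide title search with one that applies a need-to-know wall before matching, so that a user off the team gets neither the titles nor a hit count from a matter they are not staffed on. The corpus and staffing table are constructed and hypothetical.

```python
"""Need-to-know wall on DMS title search. Added example; documents, matters
and staffing are constructed assumptions, not a real firm's data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    matter: str
    title: str


# Constructed sample corpus: (matter code, document title).
DOCS = [
    Doc("PROJECT-FALCON", "Merger Agreement v3"),
    Doc("PROJECT-FALCON", "Board Resolution approving merger"),
    Doc("PROJECT-HERON", "Merger Agreement draft"),
    Doc("PROJECT-HERON", "Press Release draft"),
    Doc("GEN-ADMIN", "Office recycling policy"),
]

# Constructed staffing table: which users are on each matter's team.
TEAMS = {
    "PROJECT-FALCON": {"jdoe", "asmith"},
    "PROJECT-HERON": {"asmith"},
    "GEN-ADMIN": {"jdoe", "asmith", "mkl"},
}


def _matches(doc, terms):
    """Simple conjunctive term match against the lower-cased title."""
    title = doc.title.lower()
    return all(term in title for term in terms)


def search_unwalled(query):
    """Firm-wide title search with no access control: every matching title,
    including its matter code, is returned to any user (the weak setting)."""
    terms = query.lower().split()
    return [(d.matter, d.title) for d in DOCS if _matches(d, terms)]


def search_walled(user, query):
    """Search restricted to matters the user is staffed on. The wall is applied
    before matching rather than by trimming a full result list afterwards, so
    neither titles nor a 'N results hidden' count leak from other matters."""
    terms = query.lower().split()
    allowed = {m for m, team in TEAMS.items() if user in team}
    return [(d.matter, d.title)
            for d in DOCS if d.matter in allowed and _matches(d, terms)]


if __name__ == "__main__":
    print("unwalled:", search_unwalled("merger"))
    print("mkl, walled:", search_walled("mkl", "merger"))
    print("jdoe, walled:", search_walled("jdoe", "merger"))
```

The design choice worth checking in a real DMS is where the filter sits: a search engine that matches first and then hides results the user may not open can still reveal, through counts, pagination or timing, that documents about a merger exist on a matter the user is not on. Filtering by matter membership inside the query avoids that, and it also makes the search log itself a useful signal, since a user repeatedly querying for deal-document titles they cannot see stands out.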
The following is most likely a naive question based on my lack of knowledge about how the titles are used:
If it is not practical to prevent the information being leaked to insiders via the titles, is it possible to ensure the titles are public so that everyone has access? (that is, analyzing titles is no longer insider information)
@Richard Clay,
"If it is not practical to prevent the information being leaked to insiders via the titles, is it possible to ensure the titles are public so that everyone has access?"
It depends on what you mean by "ensure the titles are public so that everyone has access?"
As a general case document titles have significant meaning to the contents of the document. Frequently they are a one-sentence synopsis of the document.
The problem with insider trading is that just knowing X is considering a merger with Y is more than sufficient to make a very significant profit, without needing to know any of the actual details of the document.
To make the title public it would have to be devoid of any and all meaning, which would be less than "Case X file Y document Z" because even this conveys some information, because it is often possible from other documents to know who is working on case X, what they specialise in and who the likely "customers" are.
The problem is any information can leak further information; even the absence of information can tell volumes. That is, if you can see that case numbers are issued sequentially but there are few or no documents appearing in the DB for a given number, and some authors etc. are not appearing in the DB, it could be they are working on a secret case, and by knowledge of their previous work and clients you could draw conclusions that might be worth trading on.
What the organisation did was to make the document titles available to make an internal resource more valuable (generally a good business idea), but failed to take sufficient audit steps to ensure that it was not being used for other (in this case illegal) activities.
Which raises the question of even if the company did have "full audit" information could they have prevented insider trading occurring? The simple answer is no because people of skill will always know how to "game the system" in some way. And provided they remain below the noise threshold and don't talk then they will not get caught.
By far the majority of times people get caught because somebody talks, either to boast how clever they are or because they have done something else minor and trade in others for being let completely off the hook. The authorities in turn claim some (usually provable) nonsense about "how their advanced systems and skilled investigators" picked it up by some "oh so sophisticated and secret statistical system".
They put out this nonsense for several reasons, but three are usually at the top of the list.
Firstly - and most obviously - because it allows them to let somebody off the hook without further question.
Secondly - because it gives them political mileage to get larger appropriations. etc.
Thirdly - to deter others who might be thinking of doing similar illegal activities.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.