Green Alert
Code Green: Goldman Sachs & UBS Cases Heighten Need to Keep Valuable Digital Assets From Walking Out The Door. Millions in Trading Profits May Depend On It.
July 20, 2009
Both Goldman Sachs and UBS have filed charges against former employees they allege stole proprietary computer code key to their high-speed trading programs, now the most tactical and strategic weapons on Wall Street.
The two cases raise questions about the need for increased security to prevent employees from literally walking out the door with valuable digital secrets. And they shine a spotlight on the need to protect profits by preventing the copying and reuse of these codes and the trading strategies they embody.
In the Goldman case, charges were brought against a former vice president for equity strategy and computer programmer on July 3 for allegedly copying 32 megabytes of the bank's trading codes and uploading them to an encrypted server before sending them to a home computer and other devices. In the instance of UBS, the firm confirmed on July 13 that it filed papers in March charging three ex-employees with "misappropriation of trade secrets," specifically the misappropriation of 25,000 lines of source code for the firm's high-speed, algorithmic trading programs.
These two events have not only highlighted the value of these codes to the firms' bottom line (in the case of Goldman, "many millions of dollars of profits per year," according to court papers) but, in the assessment of security experts, they have also brought out the need for proper policies and even more rigorous security programs to protect financial firms from data breaches caused by trusted employees with access to highly profitable but microscopic assets. At a security desk in a trading firm's lobby, there's not a lot of checking of what goes in and out of the building on memory sticks, cell phones, iPods or in paper notebooks.
To date, security experts have largely praised Goldman and UBS for their ability to detect breaches to their systems fairly quickly.
In the Goldman Sachs case, "it appears that they are already doing a lot that is right," says David Etue, a vice president of products & markets at Fidelis Security Systems, a Waltham, Mass.-based provider of data leakage prevention (DLP) software designed to prevent the loss of corporate data or critical intellectual property at corporations.
"They had a pretty comprehensive security program in place. We know from the court filings that they were able to detect that a data breach had happened; they were monitoring email; they had blocked FTP file transfers to make it more difficult for people to send things out of the network, and they had started to monitor the use of secure Web browsing; it's just not clear whether or not they had the ability to actually stop the data breach from occurring," Etue said. In most instances, companies that experience data breaches do not discover until many months later that a breach has actually occurred, according to Etue.
"Hats off to Goldman and UBS. Obviously they have some good security procedures in place," said Larry Ponemon, founder of the Ponemon Institute, an independent research and consulting firm based in Traverse City, Michigan. But the leaks indicate the need for tighter security.
The fact that Goldman's proprietary code was sent to another, password-protected site raises questions about the scope of a possible data breach, said George Wade, a director of computer forensics at consulting firm Sobel & Co. in Livingston, N.J.






