Preventing a $25M Email Leak – UBS and RBS Examples

With all the buzz around the LinkedIn IPO this week, financial services firms are finding that data loss prevention is taking on a new urgency.  Financial data leaks are getting increasing press coverage and are costing institutions significantly in fines, lost business, damage to reputation and regulatory sanctions.  The LinkedIn IPO was underwritten by Morgan Stanley, JPMorgan Chase and Bank of America and, by all accounts, was a huge success that went off without a hitch.

However, a number of other major IPOs in recent months were not so lucky and have been lost by various underwriters due to inadvertent disclosures:

  • Nov 2010 – A senior high-yield analyst at UBS sent an email containing valuation information regarding the $13 billion General Motors initial public offering.  The email was sent the night before GM filed its terms for the IPO, breaking SEC fair disclosure rules.  SEC regulations forced GM to report the incident and drop UBS as an underwriter for the IPO. The full article can be found here.
  • Jan 2011 – An employee at the Royal Bank of Scotland (RBS) sent an unauthorized email to institutional investors about an impending $1.6 billion initial public offering by Nielsen Holdings, a television audience rating company.  RBS had been a proposed underwriter for the IPO, but after the email, which again broke SEC fair disclosure rules, Nielsen filed an amended registration statement with the U.S. SEC that omitted RBS as an underwriter.  The full article can be found here.

UBS has always been a leading global equities underwriter and being excluded from such a high-profile deal is certainly a blow, not only from a revenue perspective but also with relation to its involvement in future offerings.  Similar impacts to revenue and reputation were likely experienced by RBS in being excluded in the second example.

These particular examples involve leaks that are accidental, caused by users who are simply trying to do their work in a fast-paced, rapidly changing environment.  Financial institutions work hard to maintain their business agility, but they are also heavily regulated.  So they need to consider carefully what information is shared, with whom, and the timing in which it is released.  This is a major challenge when you consider the complexity of the problem, an ever-changing workforce with different skills and attitudes toward security, and the huge volumes of data generated with diverse data protection needs.

Fair Disclosure Regulations
Company valuation data is often distributed to institutional investors via email, as seen in these examples.  Exchanging this information quickly and efficiently with your best clients is important to conducting business especially where securities are involved.

However, the U.S. Securities and Exchange Commission’s ‘Fair Disclosure Rules’ mandate that all publicly traded companies disclose material information to all investors at the same time.  Ensuring that this information is not inadvertently disclosed to selected investors before it is disclosed to the public is critical if securities firms are to avoid fines and sanctions, and if future business opportunities are not to be lost through damaged reputation.  Overall, the audience and timing with which this sensitive data is shared matter a great deal, both for doing business quickly and for complying with the appropriate regulations. In these situations, strictly enforced policies are needed to ensure that standards imposed by regulatory bodies like the U.S. SEC are followed.

Involving the User:  Alert, Remediate, Educate
Most organizations place high expectations on the IT department to prevent these leaks. Yet there is only so much that IT can achieve on their own, due to the size and complexity of the problem.  To address the challenge of accidental data loss, many companies are deploying data loss prevention (DLP) solutions. Unfortunately, these deployments can quickly become multi-year projects as IT administrators attempt to translate the business process into automated rules for every data loss scenario.   It is also impossible to accurately identify every type of sensitive piece of data, just as it is impossible to predict the behavior of every type of user.

This is why it is critical to make users the first line of defense in any data loss prevention strategy. Involving the user in the data loss prevention strategy means having them actively involved in preventing data leaks and continually learning how to handle sensitive data.  This can be accomplished by:

  • Alerting users, while they work, to potential policy violations
  • Providing users with the tools they need to remediate the problem before the data breach occurs
  • Continually educating users, within their familiar work environment, on the appropriate ways to handle sensitive data

Alerting Users – Alert users to policy violations before a data breach occurs by installing DLP technology on the user’s desktop.  The best place to activate data loss protection and provide the user with real-time alerts is within the application where the user has contravened corporate policy – in the leaks described above, this means within their email applications.  Alerts should also be based on the data’s content.  Alerts within the application, based on specific content, give the user the context they need to address the problem themselves and learn from the situation.  For example, within email a DLP policy should check the email’s recipients, its message content, and any attached documents when the user clicks send, to ensure that investment-related keywords and phrases related to an IPO are not being emailed to external recipients.

Remediating Policy Violations – Give users the software tools they need to fix problems themselves. Most security violations are inadvertent, such as users accidentally attaching the wrong document to an email, selecting the wrong recipient, or overlooking a confidential section in a long email thread. Users should be trusted to correct these sorts of policy violations, without having to involve IT and interrupt business productivity.  They need software tools and features so that when they are alerted to a policy breach, they can either remove or redact (black out) the offending content, adjust the recipients, or remove inappropriate attachments.

Educating Users – Users are often unfamiliar with corporate policy, or they may not understand the larger compliance picture in regulated environments such as financial organizations. Sometimes data leaks are simply a matter of underestimating the consequences of going against policy – such as emailing data about an impending IPO to some of your best clients.  Education is one of the most effective ways to prevent data loss. There are two ways to educate users on security policy: through real-time alerts that are targeted and informative within the application in which a user is working, and through monitoring user activity to help identify areas where more education might be needed.

Protecting IPO Information from Email Data Leaks – Going Public Without Going Public

The IPO related situations described above could have been prevented by using software tools like TITUS Aware for Microsoft Outlook.  TITUS Aware can apply policies within Microsoft Outlook ensuring users comply with corporate policies while they work.  When a user clicks send on an email, TITUS Aware validates the message’s content, recipients and attachments (including the content within attachments) to ensure that corporate policy has been followed.  These policies are fully configurable and can be very specific, providing users with guidance that is targeted and specific to the email in question.

In these examples, a simple policy can be configured which validates an email’s body, subject line and attachments for investment-related terms like ‘valuation’, ‘initial public offering’, ‘investment’ and ‘stock’, as well as company names.  That same policy can be configured to alert users only if any of these terms are found and there are external email addresses in the recipient list, even if those addresses are hidden within groups or distribution lists.  The policy can then be given a specific warning message educating the user about this particular situation.  When the user clicks send, the alert appears and the user must remedy the situation before the email can be sent; TITUS Aware guides the user to the offending content or recipients, helping them adjust their message, and any action taken by the user is logged so it can be reported on by IT.
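The send-time check described in the two passages above (scan subject, body and attachment text for investment-related terms, but raise an alert only when the expanded recipient list contains an external address) is easy to illustrate. The block below is an added example written for this page; it is not TITUS code and does not reflect how TITUS Aware is implemented. The term lists, the internal domain `bank.example`, the distribution lists and the sample emails are all constructed for the example. The recursive list expansion goes a little beyond the text by also handling a group nested inside another group, which is where addresses most often hide from a naive recipient check.

```python
"""Send-time DLP policy check for IPO-related email (illustrative, constructed example)."""
import re
from dataclasses import dataclass, field

# Constructed policy vocabulary: the terms named on the page plus deal-specific company names.
INVESTMENT_TERMS = ["valuation", "initial public offering", "investment", "stock"]
COMPANY_NAMES = ["Nielsen Holdings", "General Motors"]
INTERNAL_DOMAINS = {"bank.example"}  # constructed: anything else counts as external

# Constructed distribution lists; a member may itself be another list (nesting).
DISTRIBUTION_LISTS = {
    "ipo-deal-team": ["alice@bank.example", "bob@bank.example"],
    "top-clients": ["cfo@fund.example", "pm@hedge.example"],
    "all-hands": ["ipo-deal-team", "carol@bank.example"],
}


@dataclass
class Email:
    sender: str
    recipients: list            # addresses and/or distribution-list names
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def expand_recipients(recipients, lists=DISTRIBUTION_LISTS, seen=None):
    """Flatten list names into member addresses, recursing into nested lists."""
    seen = set() if seen is None else seen
    addresses = []
    for entry in recipients:
        key = entry.strip().lower()
        if key in lists:
            if key in seen:          # guard against a list that (indirectly) contains itself
                continue
            seen.add(key)
            addresses.extend(expand_recipients(lists[key], lists, seen))
        else:
            addresses.append(key)
    return addresses


def external_recipients(recipients):
    """Expanded addresses whose domain is not one of ours, sorted for stable reporting."""
    expanded = expand_recipients(recipients)
    return sorted(a for a in expanded if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS)


def find_terms(text, terms):
    """Case-insensitive, whole-word matches of each policy term in the given text."""
    return [t for t in terms
            if re.search(r"\b" + re.escape(t) + r"\b", text, re.IGNORECASE)]


def check_policy(email):
    """Return None when the email may be sent, or a violation record the UI can show the user."""
    terms = INVESTMENT_TERMS + COMPANY_NAMES
    locations = [("subject", email.subject), ("body", email.body)]
    locations += [("attachment:" + name, text) for name, text in email.attachments.items()]
    matches = {loc: hits for loc, text in locations if (hits := find_terms(text, terms))}
    externals = external_recipients(email.recipients)
    # Both conditions must hold: sensitive terms present AND at least one external recipient.
    if not matches or not externals:
        return None
    return {
        "matches": matches,
        "external_recipients": externals,
        "message": ("This message appears to contain IPO-related information and is addressed "
                    "to recipients outside the firm. Fair disclosure rules may prohibit sending "
                    "it; remove the content or the external recipients before sending."),
    }


# Constructed sample messages.
LEAKY_EMAIL = Email(
    sender="analyst@bank.example",
    recipients=["top-clients"],                      # external addresses hidden in a list
    subject="Quick note",
    body="Attached is our valuation of the General Motors initial public offering.",
    attachments={"deck.pptx": "Nielsen Holdings pricing discussion"},
)
INTERNAL_EMAIL = Email(
    sender="analyst@bank.example",
    recipients=["all-hands"],                        # nested list, all internal
    subject="Quick note",
    body=LEAKY_EMAIL.body,
)
CLEAN_EXTERNAL_EMAIL = Email(
    sender="analyst@bank.example",
    recipients=["cfo@fund.example"],
    subject="Lunch next week?",
    body="Are you free on Tuesday?",
)

if __name__ == "__main__":
    for label, msg in [("leaky", LEAKY_EMAIL), ("internal", INTERNAL_EMAIL),
                       ("clean-external", CLEAN_EXTERNAL_EMAIL)]:
        print(label, "->", check_policy(msg))
```

The violation record carries the matched terms per location (subject, body or a named attachment) and the resolved external addresses, which is exactly what an in-application alert needs to point the user at the offending content or recipient; the same record is what you would write to the audit log so IT can report on it later.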

Users will make mistakes, but TITUS Aware can alert them, while they work, to situations in which they may be breaking policy and show them how to quickly remedy the issue.  Users can then continue working in our fast-paced environments, confident that they’re following appropriate policies and procedures.  Ultimately, a workforce that is well educated on corporate policies and on how to handle sensitive data is the best first line of defense for your business.  Combined, these aspects of a user-driven data loss prevention strategy will help ensure that the business stays compliant while it continues to run efficiently.
