A former Expedia IT technician has admitted hacking into company executives' email and trading on that information to net more than US$300,000 in profits, according to his guilty plea in U.S. federal court in Seattle. Between March 2013 and April 2015, Jonathan Ly used his network privileges to access devices belonging to Expedia's chief financial officer and head of investor relations, then used the information about upcoming earnings and agreement announcements gleaned from their email to trade the company's stock before that information became public. Ly was able to continue the scheme even after he left Expedia because he kept a company laptop.
I wrote a column about a fraud case in which a capital management company and one of its hedge fund analysts ran afoul of the U.S. Securities and Exchange Commission's (SEC's) rules regarding insider trading. That column focused on the systematic policies and procedures that organizations need to implement to combat insider trading, including measures to address this kind of fraud when it involves employees and their outside contacts.
Completely eliminating illegal insider trading may be unachievable. However, building on the lessons from that column, here are some additional observations and suggested measures to help detect and prevent insider fraud of the kind in this news story:
Take away the insider's discretion to trade, as far as possible. The most basic and frequent form of insider trading shows up as consistent spikes in trading in the days before announcements of earnings or significant business developments, such as a merger. Most organizations have insider trading policies that restrict employee trading during blackout periods, but these policies often cover only senior executives and not other key employees, such as senior analysts, sales staff and technology workers, who may have access to the same sensitive information. In Ly's case, the person with the broadest access to the CFO's email was an IT technician, not an officer. CEOs and other top officers typically have very limited windows during the year when they can trade; in addition to the usual blackout periods, they are prohibited from trading whenever they possess material nonpublic information, which for a CEO may be most of the time. Extending a comparable trading ban to the employees (and their families) with the greatest potential access to sensitive information, including IT administrators, would help deter this kind of fraud.
Implement automatic share plans (in the U.S., Rule 10b5-1 trading plans), not only for senior officers but also for other employees with access to sensitive information. These plans sell shares on a pre-arranged schedule, so the timing of each trade is fixed in advance rather than chosen by the insider, and it does not depend on any particular event. Automatic plans also make it easier for employees to exercise stock options and help companies avoid the appearance of questionable trades.
Require top officers and key employees to notify the chief financial officer or legal department before making a trade. Although it may not be possible to prevent a particular trade, pre-clearance combined with ongoing monitoring lets an internal watchdog review trading in the company's stock for unusual patterns that may reveal inappropriate behavior. And while internal monitoring is critical, it is also important to have third-party verification: an accountant or auditor should check insiders' holdings at year end and reconcile them with the transactions reported during the year.
"Wall off" both sensitive areas of company computers and the email accounts of senior executives to mitigate the high risk of employee and outsider hacking. This is perhaps the most challenging element of fraud perpetration. Nonetheless, organizations need to continuously invest in and improve controls over IT administrative access privileges to sensitive computers and information, along with the email accounts of senior executives. They also should take measures to prevent the hacking of "passwords" files and credentials associated with IT administrative service accounts. Physical assets such as laptops and computers also must be stringently controlled to prevent unauthorized employee use.