Network Security, Compliance, and Out-Sourcing Your Job To China


You may have heard the story about the computer programmer who outsourced his work duties and sat in his office watching cat videos all day. “Bob” was an “inoffensive and quiet” programmer in his mid-40s, with “a relatively long tenure with the company” and “someone you wouldn’t look at twice in an elevator.”

His company noticed some “anomalous activity” in their VPN logs and called in a consultant. Unfortunately for Bob, his company was a U.S. critical infrastructure company. That anomalous activity was traced back to a connection in China. Red flags were raised and security alarms went off in people’s minds. The company thought it was being hacked, spied on, or infected with spyware from an unknown force in China, putting US infrastructure at risk.

Two things caused the investigators to scratch their heads: (1) The company used two-factor authentication for these VPN connections, meaning you needed a rotating-token RSA key fob for network access. (2) The developer whose credentials were being used was sitting at his desk in the office. So the VPN logs showed him logged in from China while the employee was physically at his desk. Even worse, the VPN connection to China was shown to go back many months, to before the company was even monitoring the VPN.
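The red flag the investigators caught is a simple correlation: a VPN session originating abroad for a user whose badge record says he is sitting in the building. The following is an added example, not code from the original post, showing that check run over a few constructed VPN log lines and badge records. It assumes the VPN log already carries a GeoIP-derived country field and that badge times are recorded in UTC like the log.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample VPN log lines (not from the original post). The "country="
# field is assumed to be added by a GeoIP enrichment step; timestamps are UTC.
VPN_LOG = """\
2012-11-05T02:14:07Z user=bob src=203.0.113.5 country=CN action=login
2012-11-05T09:02:41Z user=alice src=198.51.100.9 country=US action=login
2012-11-05T13:30:12Z user=bob src=203.0.113.5 country=CN action=login
2012-11-05T14:05:55Z user=carol src=192.0.2.77 country=US action=login
"""

# Constructed badge-reader records (UTC): intervals when each user was in the office.
BADGE_PRESENCE = {
    "bob": [(datetime(2012, 11, 5, 9, 0), datetime(2012, 11, 5, 17, 0))],
    "alice": [(datetime(2012, 11, 5, 8, 30), datetime(2012, 11, 5, 18, 0))],
    "carol": [],
}

# Country the office sits in; logins from anywhere else are treated as foreign.
HOME_COUNTRY = "US"


@dataclass
class Alert:
    user: str
    when: datetime
    country: str
    reason: str


def parse_vpn_line(line):
    """Turn one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def badged_in(user, when):
    """True if the badge system places the user in the office at that moment."""
    return any(start <= when <= end for start, end in BADGE_PRESENCE.get(user, []))


def find_anomalies(log_text, home_country=HOME_COUNTRY):
    """Flag foreign VPN logins; escalate those that overlap physical presence."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_vpn_line(line)
        if rec["action"] != "login":
            continue
        foreign = rec["country"] != home_country
        if not foreign:
            continue
        if badged_in(rec["user"], rec["time"]):
            # The credential (and token) is being used by someone other than
            # the person holding the badge: the situation in the story.
            reason = "foreign VPN login while user is badged into the office"
        else:
            reason = "foreign VPN login (verify travel)"
        alerts.append(Alert(rec["user"], rec["time"], rec["country"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(VPN_LOG):
        print(alert)
```

The second of Bob's two logins is the one that matters: a foreign login on its own might be legitimate travel, but a foreign login while the badge system says the user is at his desk means the credential and its token are in someone else's hands. Note that the check only works if the VPN is actually being logged, which, as the story points out, was not the case for many months.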

Fearing that Bob’s computer was infected with a trojan horse or other malware, the investigators cloned Bob’s desktop and searched its contents. Instead of nasty computer viruses, they found hundreds of .pdf invoices from a third party contractor in China.

It turned out that this was Bob’s typical day:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch.
1:00 p.m. – eBay time.
2:00-ish p.m. – Facebook updates, LinkedIn.
4:30 p.m. – End-of-day update e-mail to management.
5:00 p.m. – Go home.

Bob had physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials. The contractor worked for a fifth of the cost of his salary. Bob pocketed the difference, surfed the internet, and managed his contractor.

Outsourcing Compliance and the CCO

One of the requirements of registration as a registered investment adviser is the appointment of a Chief Compliance Officer and the establishment of a formal compliance program. The SEC stated that a firm need not hire a new person to be the CCO. However, there will be a substantial time commitment.

You can spread some of the compliance work across multiple people in the firm, though the CCO will ultimately be responsible for oversight. Another option is to send some of the work outside the firm to a third party that takes on some or most of the compliance functions.

Insider trading monitoring is one of the candidates for outsourcing. There is a lot of data and a lot of paperwork to track. Even for a private equity firm that does not regularly trade in public securities, there is plenty to keep a person occupied during the week. For a private equity firm, some trade tracking software will go a long way to help the CCO (and the employees) deal with the invasive and tedious requirement to track employee trading.

The SEC rules also require an annual review and update of the compliance policies and procedures. This too is a likely area for outsourcing. A third party can provide additional insight to the firm as to what your peer firms are doing and what issues the regulators are focusing on.