Protecting Your Company from Rogue Employees

While employee malfeasance rarely takes down entire companies, it can result in serious fines, sanctions, court judgments, settlements and reputational damage. Big data analytics is one way leading companies are able to mitigate risk, by proactively detecting threatening or illegal behavior.

Traditional ERM Approaches Won’t Do

Compliance officers do their best. They generally work within enterprise risk management (ERM) frameworks to introduce corporate policies and procedures, conduct risk avoidance training and audits, and create inter-disciplinary committees. They work with IT to run compliance auditing software on critical structured data, including financial databases and transactional applications.

By targeting only well-behaved structured data, however, compliance officers can lose sight of one key fact—structured data is a small percentage of organizational data. Data storage analysts report that only 15% to 20% of most organizational data is structured, while 80% to 85% is unstructured. This leaves a huge volume of data, especially electronic communications, that presents serious compliance risk to IP.

While e-mail, instant messaging, texting and social media are ingrained in our culture, traditional auditing software does not focus on communications. These threats often evade notice until the damage is done.

Here are some ways threats can escape the radar of employers that have traditional ERM approaches:

  • Limited ability to analyze unstructured data. The inability to monitor unstructured data leaves the company open to regulatory consequences and other risk.
  • Keyword searching to winnow down data sets often delivers a high volume of false positive results. Filtering techniques such as keyword searches may not be highly accurate and require intensive manual review. The result is higher cost and longer timeframes for manual-review projects.
  • Potential security issues. Communication platforms are rapidly proliferating. Employees might be sharing inappropriate corporate information on social media, yet these mentions often go unmonitored by the company, potentially missing evidence of employee misconduct.
  • Complex regulatory changes. Many governmental and industry regulations are already complicated, and their revisions only intensify complexity. For example, since introducing Dodd-Frank, regulators have written 224 of 400 expected rules and continue to modify existing rules.
  • Case-by-case approaches. Case-centric approaches to litigation, investigations and regulatory compliance matters impede applying learning and attorney work product on these cases to other matters. This inability lengthens legal reviews and investigations and multiplies costs. Case-based discovery also makes it difficult to discover widespread risky communications between employee groups and outside organizations.
  • Geographic and organizational silos. Relevant data is spread across different storage locations and eDiscovery platforms, creating distinct data silos.

A Cautionary Tale

Here is an example of risk that can go undetected until it’s too late, as it did at Wells Fargo. Banker 1 is responsible for reaching high quarterly sales goals. His manager increases his sales goals for the next quarter. Banker 1 emails a colleague complaining about how his goals are impossible to meet. Banker 2 suggests he try a creative process called “pinning,” which consists of a banker enrolling an actual customer in online banking to create a “sale.” The banker fills in the customer’s name and address but puts in a fake email address so the customer never receives banking communications. The banker meets his sales goals—and hopes the customer never finds out.

How Big Data Analytics Can Help

Analytics tools are already omnipresent in eDiscovery and compliance reviews. They include predictive coding, email threading and concept searching. They are highly useful for culling large data volumes to more manageable sizes. They also locate meaningful text and concept patterns so that reviewers can strategically work with high priority documents.

The catch is that these analytics can only filter to a point, and only work on a single-case basis. No matter how the case management software learns from tagging and work product, that learning cannot be applied across multiple matters if it resides on different review platforms or with different vendors. Each time a new case begins, reviewers and their software must start over. This leads to very long and repetitive document review processes, already the single most expensive activity in eDiscovery. Clients and attorneys also risk exposing sensitive information as the matter makes its way between document review platforms and multiple stakeholders.

A big data approach, versus specific analytics tools, can continuously consolidate billions of documents into a central repository. It can also apply machine and human learning to enable the reporting of trends, new data relationships, and fresh insights into data across all cases—not just a single matter—for greater efficiency, cost control and risk mitigation.

New Approaches Needed for Effective Data Risk Management

Over time, the role of corporate legal departments has expanded to address the increasing risks in corporations—from increasing involvement in implementing corporate policies to leading employee training on procedures for managing electronic communications, social media, and bring your own device (BYOD) policies. This shift, however, is not enough to meet the challenges posed by an increasing range of risks proliferating within global organizations. Legal and compliance groups must also take the lead in finding new ways to leverage the power inherent in their data and address the challenges posed by massive data stores, information and network security challenges, as well as regulatory compliance requirements.

Failings of Traditional Strategies

In the past, organizations used straightforward, people-intensive methods to search for and remediate risk. For example, organizations instituted policy training, hoping that it would be sufficient to corral employee use of electronic communications, BYOD, and social media. Some may have formed working groups or intradepartmental committees designed to consider the implications of data privacy or information security for their businesses. Others rely on basic technology, such as keyword searches, that trigger electronic alerts when they find a hit in a document.

While these tools are still important to demonstrate compliance, they are insufficient alone to monitor for risk. Older technology falls short when it comes to handling unstructured data, such as e-mail. For example, discerning employees will be too cautious to use triggering keywords such as “donations” or “bribes” when referring to illicit activity. Keywords are also notoriously inaccurate: if over-inclusive, they may yield a stockpile of irrelevant information, while under-inclusive keywords could omit critical documents from discovery.

Trends Drive New Risk Management Approaches

Three recent trends—escalations in data volumes, increasing threats to data privacy and security, and heightened regulatory scrutiny—highlight the need for more intensive means to investigate risk in organizations.

1-Burgeoning Data Stores

With today’s hyperfocus on information, risk follows data. The more data sources organizations have, and the more locations for storage of data, the greater the legal exposure.

Email is perhaps the most insidious source of risk, as hackers may look to exploit unwitting employees who may open spoofed e-mails containing malware or viruses designed to attack the corporate network. Along with e-mail, employees also have more ways than ever to share confidential corporate data such as trade secrets with outsiders. Newer forms of unstructured data, such as social media and instant messaging, allow people to disperse troubling information even more rapidly than before.

As more organizations look for low-cost storage for their data reserves, they have turned to the cloud—yet another source of potential risk to data privacy. Cloud providers may be susceptible to the same hacker schemes as employees. Moreover, depending on the terms of their service-level agreements, they could employ lax security protocols, lack disaster-recovery plans, share data with other clients, or transfer data to third parties, all without notifying the data owner. Furthermore, depending on the location of the cloud storage, it may trigger the application of international laws that protect data privacy and prevent the processing or transfer of a corporation’s data.

2-Data Privacy and Security

Traditional approaches to risk management are poorly equipped to meet the demands imposed by today’s data privacy and security regulations, particularly when it comes to the need to protect personally identifiable information, protected health information, nonpublic information, trade secrets, and privileged data.

This is especially true for global organizations, which are likely to have information cross international borders and trigger other nations’ data privacy schemes. Many nations have adopted restrictive schemes designed to protect their citizens’ personal information, such as the European Union’s Data Protection Directive, which controls when and how organizations can collect, process, store, alter, retrieve, and transmit this personal data. Many nations in the Asia-Pacific region have also created data privacy regimes, including China, which has blocking statutes that forbid the cross-border transfer of documents that contain “state secrets” as well as confidential commercial information.

Domestically, organizations must worry about laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extends the Health Insurance Portability and Accountability Act (HIPAA) to a covered entity’s third-party business associates. Under HIPAA’s Security Rule, organizations and their business associates must take reasonable measures to safeguard protected health information. Organizations must vigilantly monitor their data to ensure there are no gaps in security that would violate these rules.

3-Regulatory Enforcement

The nation’s regulatory framework is becoming more complex almost by the day. Regulations that supplement laws such as the Foreign Corrupt Practices Act (FCPA) and the International Traffic in Arms Regulations (ITAR) have generated new areas of vulnerability, particularly when it comes to third-party relationships.

For example, the current administration has taken the position that no FCPA infraction is too small to prosecute. Organizations that fail to take proactive measures to search for, disclose, and remediate misconduct are likely to face substantial penalties if a regulatory agency discovers misconduct. Traditional tools, such as internal audits, are not up to the task of detecting the malfeasance of internal fraudsters, who may mask their corrupt behavior with code words or other innuendo that make it difficult to discover using keywords. Unless more advanced tools are used, an organization’s best defense against fraud might be reliance on tipsters.

A similar approach is required to ensure compliance with ITAR. This law imposes stiff penalties, including millions in fines, against U.S. organizations that export “defense articles” without government authorization. “Articles” is defined so broadly that it covers technical, defense-related data in documents, blueprints, drawings, photographs, plans, or instructions. The Directorate of Defense Trade Controls, the U.S. agency that enforces ITAR, is likely to take a more lenient approach with companies that have implemented a rigorous compliance program and that voluntarily disclose and remediate any failures.

Data-Driven Tools

Risk professionals now have a number of advanced analytics tools at their disposal to counteract the additional risks that lurk in emerging forms of data. Linguistic analysis techniques can identify instances where employees use seemingly innocuous words or phrases to engage in subterfuge. Concept clustering is a tool that isolates subtle patterns within documents that seem dissimilar to the untrained—or undigitized—eye. These conceptual search tools can identify patterns in documents, based on keywords or chunks of text, and flag the documents that refer to items that might fall within ITAR’s purview. Data visualization tools can analyze relationships and look for troubling connections that might violate the FCPA, such as links between employees, vendors, and foreign officials. In addition, anomaly detection tools can scan records for irregularities, such as unusual recurring payments.

Counsel, risk and compliance professionals can also apply tools such as technology-assisted review (TAR) to prioritize documents for review based on the likelihood that they contain material of concern. Using TAR, experienced legal counsel code a seed set of documents for relevancy to the issue at hand. Once done, they feed these documents into a computer that is programmed to uncover the logical reasoning behind the lawyers’ coding decisions. Sophisticated algorithms then apply that logic across an entire document population. The process is iterative, so that ultimately the computer’s logic closely mirrors the lawyers’ coding decisions. Organizations can use TAR to limit the population of documents for review, thus expediting the data mining process.
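The review loop described above, set beside the keyword alerts discussed earlier, as an added example that is not part of the original article. The naive Bayes scorer is an assumed stand-in for whatever algorithm a real TAR product uses, and every document, id and function name below is constructed for illustration.

```python
import math
import re
from collections import Counter

def tokens(text):
    return re.findall(r"[a-z]+", text.lower())

def train(coded):
    """coded: list of (text, is_relevant) pairs coded by reviewers."""
    counts = {True: Counter(), False: Counter()}
    for text, relevant in coded:
        counts[relevant].update(tokens(text))
    return counts

def score(counts, text):
    """Laplace-smoothed naive Bayes log-odds that text is relevant."""
    vocab = set(counts[True]) | set(counts[False])
    total = {c: sum(counts[c].values()) + len(vocab) for c in counts}
    return sum(
        math.log((counts[True][w] + 1) / total[True])
        - math.log((counts[False][w] + 1) / total[False])
        for w in tokens(text) if w in vocab
    )

def rank(counts, pool):
    """Document ids, most likely relevant first."""
    return sorted(pool, key=lambda d: score(counts, pool[d]), reverse=True)

def keyword_hits(pool, keywords):
    return sorted(d for d in pool if keywords & set(tokens(pool[d])))

# Constructed sample data (not from any real matter).
SEED = [  # seed set coded by counsel: True = relevant to the investigation
    ("wire the consulting fee to the official before the tender closes", True),
    ("keep the gift for the minister off the books", True),
    ("quarterly sales report attached for the team meeting", False),
    ("compliance training on the donations policy is due friday", False),
]
POOL = {  # unreviewed documents
    "d1": "send the usual consulting fee to our friend at the ministry before the tender",
    "d2": "reminder: anti-bribery training covers bribes and donations policy",
    "d3": "sales report and lunch menu for friday",
    "d4": "our friend at the ministry asked about the usual arrangement",
}
KEYWORDS = {"bribes", "donations"}

if __name__ == "__main__":
    model = train(SEED)
    print("keyword hits:", keyword_hits(POOL, KEYWORDS))
    print("round 1 ranking:", rank(model, POOL))
    # Round 2: the reviewer codes the top-ranked document; the model is retrained.
    model = train(SEED + [(POOL["d1"], True)])
    print("round 2 ranking:", rank(model, POOL))
```

The keyword alert fires only on the training reminder (`d2`) and misses the euphemistic `d1`, which the seed-trained model ranks first; once `d1` is coded relevant, the related `d4` scores higher in the next round.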

Soft Market Conditions Present Biggest Challenge for Reinsurance Industry, Survey Finds

Ongoing soft market conditions are the most widely-cited challenge facing the global reinsurance industry in 2015, according to a global study of reinsurance professionals by insurance software company Xuber. For its Global Reinsurance Survey, the company spoke with senior professionals including insurers, reinsurers, brokers, industry organizations, lawyers, insurance-linked securities (ILS) investment managers, analytics firms and modelers, across the U.K., U.S., Bermuda, Canada, Channel Islands, Cayman Islands, Germany and Switzerland about the top concerns and biggest opportunities facing the reinsurance industry today. Of those polled, 81% listed soft market conditions among their top five concerns, followed by competition from third party capital (66%), and mergers and acquisitions (M&A) (66%).

The top five challenges cited were:

[Figure: Xuber Global Reinsurance Survey challenges]

Experts within the field do see plenty of growth opportunities as well. Indeed, some of this potential is thanks to the soft market. According to the report, “Another opportunity in the soft market identified by 59% of executives was to create niche opportunities that showcase their expertise. In a squeezed market, opportunities can open up for enterprising businesses that can identify today’s emerging risks and those of tomorrow and create products that are tailored for them. This can be linked to using Big Data better (51%) and diversifying the business portfolio (42%).”

The top five business opportunities cited were:

[Figure: Xuber Global Reinsurance Survey opportunities]

“This survey unearthed a range of new business opportunities that can provide the competitive edge needed to survive and prosper in the current environment,” said Chris Baker, executive director at Xuber. “With margins tight and prices falling, reinsurers are under great pressure to ensure their processes are as efficient as possible. Surviving and prospering in the soft market will require companies to operate at optimal efficiency, and their IT systems will be central to this. Only the savviest of reinsurers who recognize that technology can be the catalyst for change will emerge unscathed.”

Other key insights from the study include:

[Figure: Xuber Global Reinsurance Survey]

U.S. Insurers Gearing up For Tech Growth

A study by Xchanging plc found that technology was the highest priority for 60% of respondents and an overwhelming majority, 86%, ranked it as their first or second priority. The survey also found that 67% of insurers believe their company’s IT budget will increase this year, with 44% saying it would increase significantly. The study, conducted at the Acord Loma Forum in May, found that 36% of respondents said it was most likely that big data would see an increase.