SUMMARY
A recent SEBI order has penalised two individuals for allegedly sharing UPSI over WhatsApp
Alleged parties have contended that the shared information was market rumors
SEBI has noted that anyone in the possession of UPSI is an insider, irrespective of how they received this information
With work from home the only option for millions of Indians, businesses and companies have had to deal with an unprecedented level of cybersecurity risk. Online communication tools such as Zoom, WhatsApp, Slack and others have become the primary mode of team communication, with participants joining from all across the country and even overseas. The sudden shift to the distributed teams has left companies vulnerable to many cybersecurity risks including unsecured home networks, fake VPN, the clicking of malware-laden emails, accessing malicious websites, and downloading of virus-infected material among others.
The risk is greatest for listed tech companies such as MakeMyTrip, Infoedge, IndiaMart, and others; using digital tools has also increased the risk of insider trading. For instance, WhatsApp has time and again found involved in Indian companies’ insider trading operations.
Just this month, Indian markets regulator SEBI penalised two individuals for allegedly sharing unpublished price sensitive information (UPSI) relating to the scrips of four public entities on Whatsapp group chats. These companies included Wipro, Asian Paints, Bata, and Mindtree. Earlier in 2017, similar cases of information leak on WhatsApp groups had happened with regards to the scrips of Axis Bank, and Dr.Reddy’s Laboratories.
In the SEBI’s recent order, the regulator imposed a penalty of INR 45 lakh and INR 15 lakh, on Shruti Vora and Parthiv Dalal respectively. Vora and Dalal were part of the Antique Stock Broking sales team. The investigation concluded that these individuals violated SEBI Act provisions which prohibit sharing of non-public information with unauthorised persons and insider trading.
In her defense, Vora submitted that the source of the information of her WhatsApp messages dated May 9, 2017, were estimates of broker firm/analysts as available on Bloomberg which was in the public domain and thus could not be considered as UPSI. She contended that such a message was merely forwarded by her as received.
In response to Vora’s claim, SEBI said that any person is to be considered an insider regardless of how the UPSI has come into his/her possession. Therefore, once information is established to be a UPSI, anybody who is in possession of such information will be an insider.
Further, another point contended by Vora was that despite the fact that she forwarded the information being forwarded to several people, there is no evidence that anyone has traded on the basis of the shared information. To which, SEBI established that the regulation does not exempt the person from the guilt of communicating merely on the fact that no trade had taken place based on the communicated UPSI.
Security Measures In Times Of Remote Work
Pankit Desai, cofounder and CEO Sequretek said while there are security tools available that can monitor the user behaviour as well as block movement of sensitive information there is only so much one can accomplish by way of technology.
Companies need a combination of tools and techniques to help mitigate the risks. Desai suggested that companies should set up strong processes to identify what this sensitive information is and limit its circulation to specific individuals.
Further, the individuals who have access to sensitive information should be sensitized on their responsibility. Businesses should also install monitoring tools for tracking and tracing information flow along with instating strong financial or legal deterrent measures for errant behaviour.
Kumar Ritesh, CEO and founder of CYFIRMA, also stressed on the fact that employees should be equipped with relevant cybersecurity awareness training to handle cyber threats and risks. He added that companies should review their cyber defence methods to ensure appropriate technologies are deployed on data, endpoint and gateway security. Further, processes must be in place to ensure content is encrypted, data is backed-up daily, and threat profiling is performed so that there is zoning and risks containerisation.
According to an Economic Times report, a leading paint company has recently asked its IT team to share their market investments and their immediate family members. Even after the first phase of unlocking, IT departments will continue to have access to video meetings that are done on the company infrastructure, as certain stakeholders still continue to work remotely.
As Nick Bayley, managing director at consultancy Duff & Phelps told Financial Times, “At the moment, it is the traders who are going back to working in the office, but banks may well want to prioritise their deal teams because there is nothing safer than sticking them in a room behind a locked door.”
