ISLAMABAD: Pakistan’s Karachi Stock Exchange is investigating whether staff profited from years of unauthorised access to real time trading data in a market that has rocketed more than 450 per cent since 2009.
The potential breach came to light after two whistleblowers accused senior staff of accessing sensitive trading data through a secure network and accessing emails without authority, according to confidential documents seen by Reuters.
Some board members expressed concern the access could have allowed the staff to benefit because they knew of individual buy and sell orders, the documents show.
Any suggestion that staff may have illegally profited from having access to real-time market data stands to deal a blow to the KSE, where about a third of shares freely available to investors are held by foreigners.
In the first public acknowledgement of the potential breach, KSE Managing Director Nadeem Naqvi told Reuters an investigation was under way into whether any individuals profited.
“My primary focus from day one has been data security,” he said. “The integrity of the exchange depends on this.” With a market capitalisation of $54 billion, the KSE is Asia’s third-smallest stock exchange in US dollars among those monitored daily by Thomson Reuters. Only Vietnam and Sri Lanka are smaller.
Last year, the Karachi 100-index rose 38pc in US dollar terms, making it the 10th best performing stock market in the world.
The index soared to a record of more than 27,200 points in January from less than 5,000 points in early 2009.
Pakistani consultancy Sidat Hyder Morshed Associates, which was asked to investigate by the KSE, said in a report in December that senior IT staff were able to read staff emails and monitor trades conducted through secure systems in real time.
It said “some IT staff” had this access, without giving a precise number. These members of staff could monitor individual unique identification numbers that track trading activity.
The report also noted that former manager director, Adnan Afridi, had access to such trading data. He said this was because market surveillance teams reported to him.
“There was no impropriety,” he told Reuters. “A feed was available to my computer so I could see if there was anything we needed to take action on.” Afridi noted that since reforms enacted last year, the managing director of the KSE is no longer responsible for market surveillance.
Reuters has seen the consultancy’s report and KSE minutes of board meetings where the issue was discussed. The documents are confidential.
The consultancy did not investigate whether the staff had manipulated the market. Instead, it was asked to identify the whistleblowers and authenticate their claims.
The KSE did not retain deleted emails and did not log who was accessing emails or trading data, the consultancy’s report said, making it hard to find evidence of manipulation.
The report found that staff had apparently been tipped off to the investigation and may have deleted files.
Sidat Hyder Morshed Associates declined to comment.
Minutes of KSE board meetings show that members were concerned by the potential breach.
“Persons privy to such information might be involved in front-running,” said Mohammad Sohail, the minutes of a Dec 12 meeting show.
Front-running is when insiders with privileged knowledge make a trade based on the information ahead of time or simultaneously. It is illegal in Pakistan.
Another board member, Kamal Afsar, expressed concern that the security breach could have contributed to a 2008 stock market crash, which wiped two thirds off the value of the stock market.
“Live market data was visible to selected persons which could have led to market manipulation,” he said in a Dec 9 meeting, according to the minutes. “If the investigation is broadened, it may provide more disclosures.”
Afsar and Sohail did not respond to several requests for comment.
The minutes show that many staff had their access to secure systems revoked, outside consultants were brought in to strengthen the security of the KSE systems and the whistleblowers were thanked, not disciplined.
“I do not believe in letting bygones be bygones,” said Naqvi. “If people exploited the system, we will find them.” But the Securities and Exchange Commission of Pakistan (SECP) is hobbled by a slow legal system in pursuing harsh penalties for offenders. If the accused contest their fines, cases can drag on for years, it says.—Reuters
Our Equities Correspondent adds: On query, the Naqvi had this to say: “While certain vulnerabilities in the e-mail server were identified, those were immediately rectified once recommended by the consultants.
“As per historical data access is concerned, all access has been curtailed since the current management took charge”.
He categorically stated that there was no evidence from forensic analysis of any actual data leakage. The MD further states: “There is an ongoing enquiry regarding any potential misuse of data and the results of the enquiry would be made available to the board before the end of February.”