Goldman Sachs theft and value of IP

The arrest of a disgruntled programmer trying to walk away with code for automated trading at Goldman Sachs raises questions about the value of intellectual property and challenges in protecting it.

First, Goldman Sachs got very lucky in this case because the attempted theft was a case of amateur hour gone awry. The programmer may have been motivated and even knowledgeable about quantitative modelling, but clearly he was no security expert. The choice of exfiltration tactic, attempting to upload source code to a server in Germany, could have been easily detected by monitoring at the network perimeter or even on internal machines. No doubt vendors specializing in the latest brand of snake oil, data-leak prevention or DLP, will capitalize on this opportunity for free advertising. But DLP is a case of we-catch-the-incompetent-ones. It is not possible to look at a stream of bits leaving the company network and decide if they correspond to intellectual property or harmless personal browsing. Techniques such as steganography make it possible to hide messages inside other, innocuous-seeming messages that provide cover.

The second point is more disturbing: what was the corrupt insider planning to do with the source code? How would he capitalize on the IP theft? Was he planning to set up his own trading system? Or was he planning to sell the code to another firm?

The first option seems very unlikely. The latest trend in automated trading systems is high-frequency trading. The decision time between discovering market prices and placing a trade order is on the order of milliseconds here. In fact, the servers are often co-located near the exchanges themselves in order to reduce latency from order placement to execution. While each trade earns a small amount of revenue, the ability to repeat this thousands of times for each market inefficiency allows quant hedge funds to generate steady revenues. What all this means for potential disgruntled employees: it would be almost impossible for one individual working out of a basement, or a bunch of guys sitting around Bloomberg terminals, to capitalize on knowledge of the models. Even if they could predict the exact positions the model would take, the chances of front-running it are slim to none. Even given the same speed, without massive capital to spread between thousands of trades, it simply would not scale enough to present a threat.

Since the speeds here are too high for human reaction times, the next option is selling the software to another company with an existing system for low-latency trading in place. This is where a different problem emerges: no respectable company would touch stolen IP, especially not one with deep pockets and an already viable line of business. The potential liability, both in lost revenue from the likely fines and in direct personal culpability of senior-ranking executives, would all but guarantee that no serious player will take the risk. (Granted, the case of Bernie “Made-off” Madoff provides evidence that highly dishonest operations exist in this space.)

The most likely option for monetizing such stolen IP, then, is a combination of individual risk and plausible deniability for a major competitor. The aspiring crook pretends that he/she came up with the trading strategy on his/her own (or perhaps the inverse strategy: since front-running is going to be a challenge, they can instead attempt to take the exact opposite positions). The new employer is pleasantly surprised that the strategy is generating handsome returns and appropriately rewards the brilliant quant, while the HR department pats itself on the back for a great hiring decision. This is a case where the new employer may not be motivated to ask questions about the unexpected success.

One final aspect is that even in the absence of any reasonable way to monetize the stolen software, Goldman Sachs would be wise to give up on that particular model. The possibility itself that others may have studied the model and derived their own conclusions from it is enough to cast doubts on its future effectiveness.
