The Securities and Exchange Commission filed charges against Idris Mustapha, a UK citizen, in a federal court in New York, claiming that Mr. Mustapha hacked the brokerage accounts of “unwitting U.S. investors” to facilitate his own trading activities. According to the SEC, during at least April and May this year, Mr. Mustapha impermissibly accessed the accounts of investors at unnamed US and non-US brokers and placed unauthorized trades in the securities of publicly traded corporations. Either just before or just after those trades, he traded the same securities in his own personal account in order to profit from the trading in the hacked accounts. On May 17, for example, the SEC claimed that Mr. Mustapha bought and sold securities in a hacked account at increasing prices (causing the customer losses), and then sold the same stock in his own account for a profit. The SEC claimed that Mr. Mustapha was able to hack into the accounts of five customers at one US broker “through unauthorized access to an administrative user’s account.” The SEC seeks injunctive relief, disgorgement and civil penalties against Mr. Mustapha.
Compliance Weeds: As I have written before, there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and do not know it. By now all financial services firms—no matter what size—should have assessed, or be in the process of assessing, the scope of their data (e.g., customer information, proprietary information), their potential cybersecurity risk, the protective measures in place, the consequences of a breach and their cybersecurity governance (e.g., how they would react if a breach occurred) in order to evaluate their cybersecurity needs and develop a robust protective program. The Mustapha complaint is a reminder that privileged accounts deserve particular attention: according to the SEC, unauthorized access to a single administrative user’s account at one broker exposed the accounts of five customers. Engaging an outside consultant to attempt to penetrate a firm’s systems is also advisable, as is ensuring that each third-party service provider that accesses a firm’s data has its own robust cybersecurity program. (Click here for a detailed discussion of cybersecurity and a comprehensive checklist of practical measures in the June 24, 2015 Advisory “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” by Katten Muchin Rosenman LLP.) All members of the National Futures Association were required to adopt and enforce written policies regarding cybersecurity by March 1, 2016. (Click here for details in the article, "NFA's Interpretive Guidance Regarding Cybersecurity Becomes Effective March 1, 2016" in the October 25, 2015 edition of Bridging the Week.)