On Tuesday morning, federal officials announced two criminal indictments and a civil complaint against a group of defendants who allegedly worked together to:

  • hack into the networks of several business newswire services over a five-year period,
  • steal over 150,000 then-unpublished press releases from NYSE and NASDAQ-traded companies, containing material non-public information about those companies, and
  • trade on that information before the press releases were publicly issued—generating approximately $30 million in illegal profits.

Using tips from the newswire services and their own forensic investigations, government agencies—including the Securities and Exchange Commission (SEC), the Department of Homeland Security (DHS), the Secret Service and the FBI—uncovered the scheme between the hackers and the traders, broke it up, and brought the criminal and civil actions.  From a policy point of view, this announcement—and the investigation that led up to it—demonstrates that cybersecurity is a team sport at the government level, connecting the SEC’s mission (market integrity) with DHS’s (critical infrastructure protection), and with the Secret Service and FBI’s (law enforcement).

But beyond the policy and operational takeaways, there are several lessons companies can learn from the newswires hack to evaluate their own cybersecurity posture.  Here are a few of the key points:

Lesson 1: If you’re focused solely on securing PII, you are ignoring secrets that hackers would love to steal, and may have already stolen.  Many companies have shored up defenses against attacks involving “personally identifiable information,” or PII, because such breaches frequently require disclosure to those affected, and they’re usually followed by regulatory enforcement, lawsuits, expensive credit monitoring, and the reputational hit that accompanies a very public breach.  But as this case shows, bad guys aren’t interested in PII alone.  Company networks contain business secrets that are just as important as PII, if not more so; here, it was public companies’ unreleased announcements sitting on the newswires’ systems.  For a hedge fund, it might be the trades it is planning to make later today or tomorrow.  For other companies, it may be trade secrets, or emails from the CFO to the CEO about negotiating a merger.  So what should a company do?  The first step is to identify and locate all valuable secrets on company networks as part of a top-to-bottom vulnerability analysis.  Once those secrets are identified, ask:  How are they currently safeguarded?  Who may access them, and is that list any wider than the business actually requires?  What systems will alert the company that they have been exfiltrated or altered?  The protective measures developed in response to these questions will help the company to strategically safeguard what’s important, and allocate security resources to the information carrying the greatest risk.

Lesson 2: Don’t just worry about the company’s own networks; supply chain security is key.  Why would a bad guy spend the time, effort and resources necessary to hack every publicly-traded company for material non-public information when he can steal the same information by infiltrating a few newswire services?  Hackers are increasingly focusing on aggregators of information, such as cloud providers, insurance companies, even government agencies, because of the massive amount of data they collect.  And companies increasingly share data, including sensitive secrets, with third parties in the ordinary course of business.  As soon as a company provides important information (such as market-moving press releases) to a vendor, it is the vendor’s security, not the company’s, that determines whether that information stays secret, even though the company still bears the consequences if it does not.  For this reason, before sharing with third parties, companies should consider questions like:  What due diligence of vendors’ cybersecurity should we conduct?  What security assurances should we require from the vendor?  How should cybersecurity risk be allocated between us and the vendor, including through contractual indemnification provisions?  Does the vendor carry adequate cybersecurity insurance?  Even before today’s announcement, the SEC encouraged public companies to look beyond their four walls to the cyber risk posed by the use of vendors: in reviewing cyber risk factors in companies’ 10-Ks and 10-Qs, SEC staff frequently asks whether a company’s vendors have experienced cyberattacks, and requests a disclosure if a breach at a third-party vendor could have a material effect on the company.

Lesson 3: Bad guys go spear-phishing, so don’t ignore suspicious behavior by apparently “authorized” users.  In their announcement, federal officials made it clear that the attackers “employ[ed] stolen username/password information . . . to pose as authorized users” of the newswire services, i.e., they spear-phished and otherwise obtained valid username/password combinations to infiltrate the newswires’ systems.  When the bad guy has trusted user credentials, activity that appears attributable to “Stan in Customer Relations” may actually be malicious.  So what can a company do?  First, set up two-factor authentication, so that a valid username/password combination alone is not enough to enter the network, and require employees to change their passwords often.  (Two-factor authentication raises the bar rather than removing it: SMS and one-time codes can themselves be phished, so phishing-resistant factors such as hardware tokens are preferable where the secrets warrant it.)  Second, educate employees on good “internet hygiene,” such as the hazards of reusing their corporate email/password combination on other websites, which, if hacked, could result in the company’s trusted credentials being for sale to the highest bidder, and train them to identify and resist spear-phishing emails and emails with suspicious links.  Third, use threat-intelligence tools to determine if any of the company’s username/password combinations are for sale in the internet’s back alleys.  Finally, instead of monitoring only for unauthorized access, companies should flag and investigate high-volume or otherwise suspicious data transfers, whether or not the account performing them is “authorized.”  That means establishing what normal looks like for each account and alerting on departures from it.  Systems that look only for suspicious behavior by unauthorized users can blind the company to critical and common cyberattacks.
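The last point of Lesson 3, watching what authorized accounts actually do rather than only whether they are authorized, is worth seeing concretely.  The following is an added example and not code from the original post or from any newswire service.  It reads a constructed access log of downloads of embargoed press releases, builds each user’s own baseline from earlier days, and flags a day on which an authorized user pulls far more releases than usual, also reporting how many of those pulls fell outside business hours.  The log format, field names, user names, thresholds and the business-hours window are all assumptions.

```python
"""Flag high-volume access to embargoed press releases by *authorized* accounts.

Added example, not code from the original post or from any newswire service.
The log format ("timestamp user release_id"), thresholds and business-hours
window are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one line per download of an unpublished release.
SAMPLE_LOG = """\
2015-01-05T09:12:00 stan REL-1001
2015-01-05T09:40:00 stan REL-1002
2015-01-05T10:02:00 dana REL-1003
2015-01-06T09:15:00 stan REL-1004
2015-01-06T11:30:00 dana REL-1005
2015-01-06T11:45:00 dana REL-1006
2015-01-07T08:50:00 stan REL-1007
2015-01-07T09:00:00 dana REL-1008
2015-01-07T14:20:00 stan REL-1009
"""
# Constructed burst: "stan" pulls twelve releases in eleven minutes at 02:10,
# a valid login behaving nothing like Stan's own history.
SAMPLE_LOG += "".join(
    f"2015-01-08T02:{10 + i:02d}:00 stan REL-{2000 + i}\n" for i in range(12)
)
SAMPLE_LOG += "2015-01-08T10:05:00 dana REL-3001\n"


def parse_log(text):
    """Parse 'timestamp user release_id' lines into (datetime, user, release)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, release = line.split()
        records.append((datetime.fromisoformat(ts), user, release))
    return records


def daily_counts(records):
    """Map user -> {date: number of releases downloaded that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, _ in records:
        counts[user][ts.date()] += 1
    return counts


def off_hours_count(records, user, day, start_hour=7, end_hour=19):
    """Downloads by `user` on `day` outside an assumed 07:00-19:00 workday."""
    return sum(
        1 for ts, u, _ in records
        if u == user and ts.date() == day and not (start_hour <= ts.hour < end_hour)
    )


def flag_high_volume(records, ratio=4.0, floor=8, min_history=2):
    """Return one alert per (user, day) where the user's download count is at
    least `floor` and at least `ratio` times that user's median daily count on
    earlier days.  A user with fewer than `min_history` earlier days has no
    usable baseline and is judged against `floor` alone.  Authorization is
    never consulted: every record here comes from a valid login."""
    alerts = []
    for user, per_day in daily_counts(records).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            count = per_day[day]
            if count < floor:
                continue
            history = [per_day[d] for d in days[:i]]
            baseline = None
            if len(history) >= min_history:
                baseline = max(median(history), 1)
                if count < ratio * baseline:
                    continue
            alerts.append({
                "user": user,
                "date": day,
                "count": count,
                "baseline": baseline,
                "off_hours": off_hours_count(records, user, day),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_high_volume(parse_log(SAMPLE_LOG)):
        print(f"{alert['date']} {alert['user']}: {alert['count']} releases "
              f"(baseline {alert['baseline']}, {alert['off_hours']} off-hours)")
```

Run as a script, this reports only Stan’s 2015-01-08 session (12 releases against a baseline of 2, all twelve outside business hours); Dana, whose volume stays flat, produces nothing.  The per-user baseline matters: a fixed global threshold would either miss a low-volume account suddenly doing ten times its normal work or drown the analyst in alerts from accounts whose job is bulk access.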