As we previously discussed, nobody is safe from cybersecurity threats, and as our colleagues last reported, the US Securities and Exchange Commission (SEC) has heightened its cybersecurity scrutiny, issuing an investigative report on cyber fraud against publicly traded companies and signaling it will pursue both bad actors as well as companies failing to implement controls to detect and prevent hacking. A victim of a data breach itself, the SEC is now demonstrating how it intends to pursue bad actors.

On January 15, the SEC filed a civil suit in US District Court in the District of New Jersey related to its own hacking against individuals and business entities in Ukraine, Hong Kong, California, Belize, Russia, and Korea. The SEC alleges in the suit that the defendants hacked into the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system through a variety of means—including phishing emails and malware—and stole information (namely, publicly-traded companies’ earnings information). The suit further alleges the defendants then traded securities based on the stolen information before it became public. The SEC argues all defendants were necessary participants in the “fraudulent scheme” as some defendants were required to “obtain, through deception, material nonpublic information from the SEC’s EDGAR system” and others were required to “monetize the material nonpublic information by making profitable trades.” The SEC requests the district court to permanently enjoin the defendants from engaging in unlawful conduct[1], order the return of all profits and/or gains realized from the trading, and impose civil penalties[2] on the defendants.

On the same day, the US Attorney’s Office for the District of New Jersey similarly filed a criminal indictment of 16 charges against two Ukrainian individuals relating to the EDGAR hacking. The defendants are alleged to have conspired to (and in some cases actually act to) “intentionally access” the SEC computer network “without authorization” to “steal annual, quarterly and current reports of publicly traded companies before the reports were disseminated to the investing public” and illegally profit “by selling access to the material non-public information contained in these as yet undisclosed reports and by trading in the securities of the companies before the investing public learned the information.” The charges include conspiracy to commit securities fraud[3], conspiracy to commit fraud and related activity in connection with computers[4], conspiracy to commit wire fraud[5], six instances of wire fraud[6] between May and August of 2016, and seven instances of fraud and related activity in connection with computers[7] during the same time period. The indictment calls for the return of all property related to the offenses, including property that was used or would have been used in the commission of the crimes and proceeds derived from the crimes, plus interest.