DOJ and SEC charge hackers and traders after exposing scheme to steal and profit from unpublished market-moving press releases.
On August 11, 2015, federal prosecutors in the District of New Jersey and the Eastern District of New York unsealed indictments against nine individuals in the United States and Ukraine who were allegedly involved in a five-year, widespread hacking and trading scheme.1 On the same day, the Securities and Exchange Commission filed a complaint in federal district court in New Jersey making similar allegations.2 The defendants allegedly hacked into major news wires that distribute press releases, stole advance, not yet public copies of financial press releases, and traded on the basis of the information, reaping over $100 million in unlawful profits.
I. An Unprecedented Hacking and Trading Scheme
According to the indictments and parallel SEC civil complaint, the scheme involved two key groups of defendants. The first group is alleged to be comprised of sophisticated hackers who broke into the networks belonging to PR Newswire, Business Wire, and Marketwired through a variety of improper means, including brute force, SQL injection, and phishing attacks, and stole advance, nonpublic copies of financial press releases. Hundreds of publicly traded companies use these three media services to disseminate news to the market place, including earnings reports and other financial information. As standard practice, publicly traded companies may send current versions of their financial press releases to the media services several minutes to several days before publication.
The second group of defendants is alleged to be comprised of traders who received the stolen financial press releases from the hackers. The traders allegedly used the market-moving information contained in the releases as the basis for trading in stock and options relating to the relevant companies prior to the news being made public, anticipating (usually correctly) that the news in the releases would cause the value of the securities to rise or fall in their favor
The traders involved with the scheme paid the hackers handsomely for the stolen information, providing the hackers with either a flat fee or a percentage of profits on a per-trade basis. In all, over 150,000 news releases were allegedly stolen by the hackers, and the traders allegedly made over 800 trades based upon the information in those news releases. Some of these trades yielded over $1 million in profit.
II. Important Takeaways
The recent indictments and SEC complaint highlight several important lessons:
- Interactions Between Companies and DOJ and SEC on Cyber Issues Are Dramatically Increasing
The DOJ and the SEC have aggressively stepped up their efforts to address cyber threats. As a result of this increased governmental activity, the level of interaction between companies and these agencies on cyber issues has increased— and will continue to increase—dramatically, and therefore companies must be prepared to explain the security measures they have in place to maintain the confidentiality of sensitive information. The increased attention to cyber threats creates a greater burden on businesses in responding to government investigations and requests for information, and highlights companies’ need to become more familiar with the process of responding to cyber-related government inquiries.
The DOJ, for example, has made cybersecurity a primary focus of its attention. Two common scenarios in which companies interact with the DOJ on cyber issues are: (1) ongoing investigations into data breaches or other security incidents, some of which involve an investigative agency affirmatively notifying a company that it is a cybercrime victim; and (2) general public-private party outreach efforts including sharing of potential threats and vulnerabilities. In each of these scenarios, companies might interact with one or more of the following three principal DOJ components involved in cybercrime prosecutions: the Criminal Division’s Computer Crime and Intellectual Property Section (“CCIPS”), the National Security Division (“NSD”), and any one of the 93 individual United States Attorney’s Offices (“USAOs”). CCIPS is the DOJ’s cybercrime subject-matter experts. NSD is the DOJ’s national security subject-matter experts and combats cyber-based threats to national security. USAOs are the DOJ’s front lines in prosecuting cybercrime, and frequently interface with cybercrime victims. These three groups combined form a network of over 300 DOJ cyber prosecutors.
In addition to its bread-and-butter investigations, the DOJ has also addressed cybersecurity from a policy perspective. For instance, earlier this year, the DOJ hosted a “Cybersecurity Industry Roundtable” to discuss data breaches, best practices in responding to data breaches, and ongoing cybersecurity legislative initiatives. During the Roundtable, the DOJ issued a document titled Best Practices for Victim Response and Reporting of Cyber Incidents. 3 The guidance provides a checklist of steps that companies can take before, during, and after a cyber incident, and restates DOJ’s position regarding network monitoring and offensive actions colloquially known as “hacking back.” 4
The SEC has been active in the cybersecurity arena as well. In addition to overseeing the cybersecurity practices of regulated entities such as broker-dealers and investment advisers, the SEC has interpreted its broad and overarching mandate to ensure transparency in the securities marketplace as permitting the agency to regulate cybersecurityrelated disclosures of public companies and to bring cybersecurity-related enforcement actions. It is likely that the SEC will continue to police matters, such as those seen in this hacking case, where criminals have used new, cyber techniques to commit old-fashioned crimes like securities fraud and insider trading. The SEC has also proactively reached out to victimized companies to gather information in the course of its investigations. In the “FIN4” matter, for example, a group of hackers allegedly obtained inside information from various corporate bankers, lawyers, accountants, and consultants, and the SEC staff investigating the matter reached out to several victim companies requesting information about the data breaches and the tactics used by the FIN4 group to gain access to their networks. As sensitive information becomes more widely circulated through electronic means, businesses’ vulnerabilities to cyber attacks will increase, and the SEC will likely expand its oversight of the cyber arena as it relates to the financial markets. When faced with a subpoena or request for information from the SEC, companies must be prepared to answer tough questions about their cybersecurity measures, including being able to fully describe the steps they have taken to maintain the confidentiality of sensitive information in their possession.
- Third-Party Risk Management Is A Cornerstone Of A Well-Functioning Cybersecurity Program
Although the indictments and SEC complaint in the most recent action do not provide details about the contractual relationship between the public companies whose financial releases were stolen and the media services that had custody of those not yet public releases, the fact that company information was misappropriated underscores the importance of knowing who has access to a company’s most critical assets, and assuring that protections are in place to protect those assets. Moreover, recent regulatory actions have revealed an increased interest by regulators in exploring how companies manage the risks that arise when sensitive information is shared with third parties such as vendors or suppliers.
The cybersecurity chain is only as strong as its weakest link, so evaluating the cybersecurity measures taken by third parties—and confirming that strong measures have been implemented—should be considered a basic prerequisite to the sharing of confidential information with those third parties, particularly in situations where a company’s decision to share information may be questioned by regulators. Companies that share information with third parties without confirming the effectiveness of their cybersecurity programs could be challenged as acting unreasonably, and could themselves be criticized as having deficient cybersecurity programs due to their failures to account for these third party risks.
The SEC has specifically identified third party risk management as an area of concern for the financial institutions it regulates. The results of a recent cybersecurity examination sweep conducted by the SEC staff confirm that many financial institutions do not consider the cybersecurity implications of their relationships with third party vendors to the degree the SEC staff believes they should.5 The SEC survey specifically asked financial institutions several questions about cybersecurity risks arising from granting network access to vendors and other third parties. According to the sweep, while 84% of broker-dealers require cybersecurity risk assessments of third party vendors that are given access to a company network, only 72% incorporate cybersecurity requirements into their contracts with those vendors. The results for the surveyed investment advisers paint a more sobering picture: only 32% of investment advisers require cybersecurity risk assessments from third party vendors, and only 24% incorporate cybersecurity requirements into vendor contracts.
Other regulators have also recently made statements showing that they consider third party risk management to be a key element of a robust cybersecurity program. For example, the New York Department of Financial Services published a report in April 2015 detailing the results of a survey about the measures taken by banks to ensure that the banks’ third party service providers maintained reasonable cybersecurity programs.6
- The Importance of Forensics In Modern Cases
The indictments and SEC complaint highlight the growing importance of forensics in government investigations, especially investigations involving cyber-related issues. As a result, in many cases, it is essential for counsel to understand the types of forensic tools that prosecutors and other forensic computer experts have at their disposal when interacting with the government, especially as more and more cases are relying upon advanced forensic techniques to uncover misconduct. The SEC complaint in the most recent hacking case, for example, notes that the defendants “took extensive measures to conceal their fraud.” In some respects, the defendants were successful—their scheme lasted for five years. However, one of the apparent missteps the defendants made was believing that pictures taken with “a smartphone application that does not retain data” would be permanently deleted and therefore unrecoverable. While such data may be unrecoverable from the picture taker’s device, as soon as that data is transmitted to a recipient, the recipient can do as he pleases with it, which could include retaining it. If, as here, the data is later sent via email, it will likely be retained in some form. Also of note here is that computer forensic technologies have advanced by great measures in recent years, so data that is merely deleted from a hard drive or an inbox might still be recoverable in some form.
Hackers and other criminals seeking to profit off of material non-public information have found a new avenue for obtaining this valuable information: exploiting third parties that are given access to this data in good faith. It is important to remember that a well-crafted cybersecurity program must consider the protections afforded to sensitive data even once if it has left a company’s possession, especially in the face of increased cybersecurity enforcements by the DOJ, SEC, and other law enforcement entities and regulators.