At the end of last year, the US Attorney’s Office in New York City disclosed that criminal charges had been filed earlier in 2016 against three non-US persons in a federal court in New York City, claiming that they had hacked the email of two unnamed prominent law firms, illegally obtained emails regarding pending merger and acquisition transactions, and purchased and sold securities based on such information. On the same day, the SEC filed a civil action against the same persons in the same federal court related to the same facts. As alleged in the criminal indictment and by the SEC, from approximately April 2014 through late 2015, Ian Hong, Bo Zheng and Chin Hung, all citizens of China and residents of China or Hong Kong, caused malware to be installed on the law firms’ web servers, which permitted unauthorized access to the firms’ email. The defendants used this access to obtain the relevant email that contained the confidential information on which they traded. According to the SEC, the defendants derived approximately US $4 million from their illicit activities. The SEC seeks an injunction, asset freeze, disgorgement and fines against the defendants. If convicted of all their criminal charges, the defendants face maximum prison terms in excess of 20 years. One defendant, Mr. Hong, was arrested in Hong Kong on December 25 and now faces extradition to the United States. As part of their scheme, the defendants also apparently tried to hack the email of five other law firms, the criminal indictment alleged, although these efforts appear to have been unsuccessful.

Compliance Weeds: Not just financial services firms, but all businesses of every kind should maintain a robust cybersecurity program that includes regular risk assessments, installation and upgrades of anti-malware, antivirus and other protections, vulnerability and internal and external penetration testing, and training. Unfortunately, more and more there seem to be only two types of businesses: those that have been subject to cyber-attacks and are aware of it, and those that have been subject to cyber-attacks and are not aware of it. Help ensure your business is not in the latter category. There is a plethora of literature publicly available on what should be the elements of a robust cybersecurity program; click here for an excellent succinct summary published by the Securities and Exchange Commission’s Division of Investment Management that is intended for use by registered investment companies and investment advisers, but is sufficiently generic to be useful to all. Click here to access other generic and detailed information provided by the National Institute of Standards and Technology of the US Department of Commerce, including a brochure entitled “Framework for Improving Critical Infrastructure Cybersecurity.”