International Hacking and Insider Trading Scheme Exposes Cybersecurity Vulnerabilities at Third-Party Vendors

On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme.  According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded on the information.  In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action.  The SEC’s enforcement action may be a harbinger of events to come.  As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.

The SEC’s civil action, filed in the U.S. District Court in Newark, New Jersey, alleges that the hackers and traders made more than $100 million in illicit profits by hacking into embargoed non-public company information on the newswire services’ systems and trading on that information before it was publicly released.  Specifically, the SEC charges that the Ukrainian men created a secret online location and transmitted the stolen data to traders in Russia, Ukraine, Malta, Cyprus, France, and three states in the U.S.  In turn, the traders allegedly used the non-public information to place trades in stocks, options, and other securities and paid the hackers either a flat fee or a percentage of their profits.  SEC Chairman Mary Jo White called the scheme “unprecedented” and emphasized “the scope of the hacking, the number of traders, [and] the number of securities traded and profits generated.”

This action is the latest in a string of events showing the SEC’s increasing focus on cybersecurity.  In recent years, White has asked the Commission to evaluate cybersecurity disclosure guidance and to consider whether more stringent requirements were necessary.  More recently, on February 3, 2015, the Commission released a Risk Alert on cybersecurity issues at brokerage and advisory firms, including with third-party vendors, and proposed suggestions for investors to protect themselves and their customers’ digital data.

As we previously wrote, the Risk Alert noted that most firms conducted periodic firm-wide cybersecurity risk assessments, but far fewer subjected vendors to similar scrutiny.  Many firms failed to require vendors to conduct adequate cybersecurity assessments because they did not incorporate security requirements into agreements with vendors.  FINRA’s “Report on Cybersecurity Practices,” released the same day as the SEC’s Risk Alert, also emphasized that even clients who have negotiated security provisions with third-party vendors should make sure they are exercising their audit rights under the agreements and assessing whether vendors are upholding their contractual obligations regarding cybersecurity.  The recent hacking and insider trading scheme seems poised to incentivize companies to do so.  Regardless of the strength of the involved companies’ internal cybersecurity, hackers were able to exploit weaknesses in the cybersecurity of company data once it was transferred to third-party newswire services.  Given the SEC’s interest in cybersecurity in recent years, the global and sophisticated nature of this cyberattack on third-party vendors may serve as the catalyst that irrevocably changes the cybersecurity landscape for companies in their relations with third-party vendors.