The Securities and Exchange Commission, which recently levied millions of dollars in fines against major corporations that lost data to cyber thieves, has been similarly victimized by an international insider trading ring.
The SEC said it filed civil charges against defendants, including people in California, Korea, Russia and Ukraine and two companies in Hong Kong and Belize, for allegedly hacking into the SEC’s EDGAR corporate filing database from May to at least October 2016 and trading securities on the stolen data.
The U.S. Attorney’s Office for the District of New Jersey announced parallel criminal charges Tuesday filed in Newark in the scheme against two Ukrainian hackers and others. The EDGAR system contains annual and quarterly earnings reports and corporate filings containing confidential financial information on publicly traded companies.
Marcus Christian, a partner in Mayer Brown‘s cybersecurity and data privacy practice group in Washington and a former Miami federal prosecutor, said, “For me, it underscores the importance of robust cybersecurity not only for private entities with valuable information but also for government entities.”
He added: “The question is how should the U.S. deal with individuals and groups that perpetrate these crimes. It highlights the problem. From a law enforcement perspective, it’s important to investigate the crimes and identity the suspects, but it is very important also to be able to apprehend them otherwise they may go on committing crimes with impunity.”
Some of the defendants faced previous charges in a similar criminal enterprise.
The SEC intrusion allegedly netted about $4.1 million for the hackers, the agency said. Using information gleaned illicitly from at least 157 confidential filings, the SECV charged the group made trades using intercepted nonpublic information.
The EDGAR data breach was disclosed by SEC Chairman Jay Clayton in September 2017. He said then that the intrusion was detected in 2016 but didn’t learn the data was being used illicitly until August 2017.
The data thieves stole thousands of documents and disseminated them to servers in Lithuania, where the information was used to make the illegal trades. One profiteer made $270,000 in a single day, said the indictment filed against Oleksandr Ieremenko and Artem Radchenko, both fugitives based in Kiev, Ukraine. The same hacker group was also involved in theft of data from the computer networks of Marketwired LP, PR Newswire Association LLC (PRN) and Business Wire.
Clayton said in a statement Tuesday: “This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types. These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion.” Clayton pledged to improve security at the regulator.
Tthe SEC has been holding other organizations accountable for data breaches.
Last fall, Voya Financial Advisors Inc. became the first U.S. company to pay a fine to the SEC to settle charges that the company violated the Safeguards Rule and Identity Theft Red Flags Rule. The rule was enacted in 2013 and requires financial services companies to adopt policies and procedures to prevent data theft.
The Des Moines, Iowa-based company paid $1 million in September to settle the charges connected with allowing hackers in 2016 to impersonate their independent contractor representatives, thereby gaining access to passwords the intruders used to get information on more than 5,600 customers. No unauthorized transfer of funds or securities from the accounts were linked to the attack, the SEC said at the time.
The SEC found Voya’s cyberattack was a result of poor cybersecurity procedures, some of which had been exposed in a previous incident. The cybersecurity enforcement rule had never been used against a company before. Voya didn’t admit or deny wrongdoing and said it made changes and reported the incident.
Earlier last year, the SEC also fined Yahoo Inc., now known as Altaba Inc., $35 million for allegedly failing to disclose a massive data breach affecting 500 million user accounts from 2014 through 2016.
The takeaway: Whether you’re a big financial services corporation or a government regulator, increasingly sophisticated hackers, some involved in criminal or other enterprises of global scope, are after your data with potentially dire consequences.
For companies, those consequences can include enforcement actions. Britt Latham, co-chairman of Bass Berry Sims securities and shareholder litigation practice group, said, “Recent history shows the SEC is more likely to pursue enforcement action.”
But Latham said that when he talks with clients, “it is astonishing that many still don’t have policies and procedures.” And even when they have them, “compliance with their own policies is a weakness that continues to surprise me,” he added.
“Companies have to be paying attention and educating themselves on what is the latest and greatest scheme or scam, and continue to improve and update their policies and train their people. The bad guys are only going to get more sophisticated. You have to have a big lock on the barn door and you have to improve that lock as we go forward,” he said.