The U.S. Securities and Exchange Commission, which recently levied millions of dollars in fines against major corporations for allegedly allowing data theft by cyber attackers, has found itself similarly victimized by an international insider trading ring.
On Tuesday, the SEC announced that it had brought civil charges against defendants, including individuals in Ukraine, California, Russia and Korea as well as two business entities in Hong Kong and Belize, for allegedly hacking into the SEC’s own EDGAR corporate filing database from May through at least October 2016, and trading securities on the stolen data.
The U.S. Attorney’s Office for the District of New Jersey announced parallel criminal charges Tuesday in the scheme against two Ukrainian hackers and others. The indictment was filed in the U.S. District Court for the District of New Jersey in Newark. The EDGAR system contains annual and quarterly earnings reports and corporate filings containing confidential financial information on publicly traded companies.
Marcus Christian, a partner in Mayer Brown‘s cybersecurity and data privacy practice group in Washington, D.C., and a former prosecutor in the Southern District of Florida in Miami, said Tuesday, “For me, it underscores the importance of robust cybersecurity not only for private entities with valuable information but also for government entities.”
He added, “also the question is how should the U.S. deal with individuals and groups that perpetrate these crimes. It highlights the problem. From a law enforcement perspective, it’s important to investigate the crimes and identity the suspects, but it is very important also to be able to apprehend them otherwise they may go on committing crimes with impunity.” Some of the defendants in the scheme had earlier been charged in connection with a similar criminal enterprise.
The SEC intrusion allegedly netted about $4.1 million for the hackers, according to the SEC. Using the information gleaned illicitly from at least 157 confidential filings, the group allegedly was able to make trades using the nonpublic information. The EDGAR data breach initially was disclosed by SEC Chairman Jay Clayton in September 2017. He said then that the intrusion was detected in 2016, but didn’t learn the data was being used illicitly until August 2017.
The data thieves stole thousands of documents and disseminated them to servers in Lithuania, where the information was used to make the illegal trades. One individual was able to make $270,000 in a single day, the indictment filed against Oleksandr Ieremenko and Artem Radchenko, both fugitives based in Kiev, Ukraine, alleged. The same hacker group was also involved in theft of data from the computer networks of Marketwired L.P., PR Newswire Association LLC (PRN), and Business Wire.
Clayton said in a statement on Tuesday, “This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types. These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion.” Clayton pledged to improve security at the regulator.
Recently the SEC has been holding other organizations to account for data breaches. Last fall, Voya Financial Advisors Inc. became the first U.S. company to pay a fine to the SEC to settle charges that the company violated the Safeguards Rule and Identity Theft Red Flags Rule. The rule was enacted in 2013 and requires financial services companies to adopt policies and procedures to prevent data theft.
The Des Moines, Iowa-headquartered corporation paid a $1 million fine in September to settle the charges connected with allowing hackers in 2016 to impersonate their independent contractor representatives, thereby gaining access to passwords the intruders used to get information on more than 5,600 customers, though no unauthorized transfer of funds or securities from the accounts were linked to the attack, the SEC said at the time.
The SEC found that Voya’s alleged failure to stop the intruders from gaining access was a result of poor cybersecurity procedures, some of which had been exposed in a previous incident. The cybersecurity enforcement rule had never been used against a company before that instance. Voya didn’t admit or deny wrongdoing, and said it remediated and reported the incident.
Earlier last year, the SEC also fined Yahoo Inc., now known as Altaba Inc., $35 million in April for allegedly failing to disclose a massive data breach affecting 500 million user accounts from 2014 through 2016.
The takeaway: Whether you’re a big financial services corporation or a government regulator, increasingly sophisticated hackers, some involved in criminal or other enterprises of global scope, are after your data with potentially dire consequences.
For companies, those consequences can include enforcement actions. Britt Latham, co-chairman of Bass, Berry & Sims securities and shareholder litigation practice group, said, “recent history shows the SEC is more likely to pursue enforcement action.”
But Latham said that when he talks with clients, “it is astonishing that many still don’t have policies and procedures.” And even when they have them, “compliance with their own policies is a weakness that continues to surprise me,” he added.
“Companies have to be paying attention and educating themselves on what is the latest and greatest scheme or scam, and continue to improve and update their policies and train their people. The bad guys are only going to get more sophisticated. You have to have a big lock on the barn door and you have to improve that lock as we go forward,” he said.