Cyberattack on SEC Holds Warnings for All Organizations About Data Theft
Former Miami federal prosecutor Marcus Christian said, "For me, it underscores the importance of robust cybersecurity not only for private entities with valuable information but also for government entities.”
January 16, 2019 at 11:11 AM
6 minute read
The original version of this story was published on Corporate Counsel
The Securities and Exchange Commission, which recently levied millions of dollars in fines against major corporations that lost data to cyber thieves, has been similarly victimized by an international insider trading ring.
The SEC said it filed civil charges against defendants, including people in California, Korea, Russia and Ukraine and two companies in Hong Kong and Belize, for allegedly hacking into the SEC's EDGAR corporate filing database from May to at least October 2016 and trading securities on the stolen data.
The U.S. Attorney's Office for the District of New Jersey announced parallel criminal charges Tuesday filed in Newark in the scheme against two Ukrainian hackers and others. The EDGAR system contains annual and quarterly earnings reports and corporate filings containing confidential financial information on publicly traded companies.
Marcus Christian, a partner in Mayer Brown's cybersecurity and data privacy practice group in Washington and a former Miami federal prosecutor, said, “For me, it underscores the importance of robust cybersecurity not only for private entities with valuable information but also for government entities.”
He added: “The question is how should the U.S. deal with individuals and groups that perpetrate these crimes. It highlights the problem. From a law enforcement perspective, it's important to investigate the crimes and identity the suspects, but it is very important also to be able to apprehend them otherwise they may go on committing crimes with impunity.”
Some of the defendants faced previous charges in a similar criminal enterprise.
The SEC intrusion allegedly netted about $4.1 million for the hackers, the agency said. Using information gleaned illicitly from at least 157 confidential filings, the SECV charged the group made trades using intercepted nonpublic information.
The EDGAR data breach was disclosed by SEC Chairman Jay Clayton in September 2017. He said then that the intrusion was detected in 2016 but didn't learn the data was being used illicitly until August 2017.
The data thieves stole thousands of documents and disseminated them to servers in Lithuania, where the information was used to make the illegal trades. One profiteer made $270,000 in a single day, said the indictment filed against Oleksandr Ieremenko and Artem Radchenko, both fugitives based in Kiev, Ukraine. The same hacker group was also involved in theft of data from the computer networks of Marketwired LP, PR Newswire Association LLC (PRN) and Business Wire.
Clayton said in a statement Tuesday: “This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types. These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion.” Clayton pledged to improve security at the regulator.
Tthe SEC has been holding other organizations accountable for data breaches.
Last fall, Voya Financial Advisors Inc. became the first U.S. company to pay a fine to the SEC to settle charges that the company violated the Safeguards Rule and Identity Theft Red Flags Rule. The rule was enacted in 2013 and requires financial services companies to adopt policies and procedures to prevent data theft.
The Des Moines, Iowa-based company paid $1 million in September to settle the charges connected with allowing hackers in 2016 to impersonate their independent contractor representatives, thereby gaining access to passwords the intruders used to get information on more than 5,600 customers. No unauthorized transfer of funds or securities from the accounts were linked to the attack, the SEC said at the time.
The SEC found Voya's cyberattack was a result of poor cybersecurity procedures, some of which had been exposed in a previous incident. The cybersecurity enforcement rule had never been used against a company before. Voya didn't admit or deny wrongdoing and said it made changes and reported the incident.
Earlier last year, the SEC also fined Yahoo Inc., now known as Altaba Inc., $35 million for allegedly failing to disclose a massive data breach affecting 500 million user accounts from 2014 through 2016.
The takeaway: Whether you're a big financial services corporation or a government regulator, increasingly sophisticated hackers, some involved in criminal or other enterprises of global scope, are after your data with potentially dire consequences.
For companies, those consequences can include enforcement actions. Britt Latham, co-chairman of Bass Berry Sims securities and shareholder litigation practice group, said, “Recent history shows the SEC is more likely to pursue enforcement action.”
But Latham said that when he talks with clients, “it is astonishing that many still don't have policies and procedures.” And even when they have them, “compliance with their own policies is a weakness that continues to surprise me,” he added.
“Companies have to be paying attention and educating themselves on what is the latest and greatest scheme or scam, and continue to improve and update their policies and train their people. The bad guys are only going to get more sophisticated. You have to have a big lock on the barn door and you have to improve that lock as we go forward,” he said.
Read more:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllDivided State Court Reinstates Dispute Over Replacement Vehicles Fees
5 minute readSecond Circuit Ruling Expands VPPA Scope: What Organizations Need to Know
6 minute read'They Got All Bent Out of Shape:' Parkland Lawyers Clash With Each Other
Courts of Appeal Conflicted Over Rule 1.442(c)(3) When Claims for Damages Involve a Husband and Wife
Trending Stories
- 1Friday Newspaper
- 2Judge Denies Sean Combs Third Bail Bid, Citing Community Safety
- 3Republican FTC Commissioner: 'The Time for Rulemaking by the Biden-Harris FTC Is Over'
- 4NY Appellate Panel Cites Student's Disciplinary History While Sending Negligence Claim Against School District to Trial
- 5A Meta DIG and Its Nvidia Implications
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250