SEC EDGAR Hack Provides Lessons for All Institutions About Cybersecurity
The U.S. Securities and Exchange Commission, which recently levied millions of dollars in fines against major corporations last year for allegedly allowing data theft by cyber attackers, has found itself similarly victimized by an international insider trading ring, according to a federal civil complaint and grand jury indictment.
January 16, 2019 at 11:11 AM
6 minute read
The original version of this story was published on Corporate Counsel
The U.S. Securities and Exchange Commission, which recently levied millions of dollars in fines against major corporations for allegedly allowing data theft by cyber attackers, has found itself similarly victimized by an international insider trading ring.
On Tuesday, the SEC announced that it had brought civil charges against defendants, including individuals in Ukraine, California, Russia and Korea as well as two business entities in Hong Kong and Belize, for allegedly hacking into the SEC's own EDGAR corporate filing database from May through at least October 2016, and trading securities on the stolen data.
The U.S. Attorney's Office for the District of New Jersey announced parallel criminal charges Tuesday in the scheme against two Ukrainian hackers and others. The indictment was filed in the U.S. District Court for the District of New Jersey in Newark. The EDGAR system contains annual and quarterly earnings reports and corporate filings containing confidential financial information on publicly traded companies.
Marcus Christian, a partner in Mayer Brown's cybersecurity and data privacy practice group in Washington, D.C., and a former prosecutor in the Southern District of Florida in Miami, said Tuesday, “For me, it underscores the importance of robust cybersecurity not only for private entities with valuable information but also for government entities.”
He added, “also the question is how should the U.S. deal with individuals and groups that perpetrate these crimes. It highlights the problem. From a law enforcement perspective, it's important to investigate the crimes and identity the suspects, but it is very important also to be able to apprehend them otherwise they may go on committing crimes with impunity.” Some of the defendants in the scheme had earlier been charged in connection with a similar criminal enterprise.
The SEC intrusion allegedly netted about $4.1 million for the hackers, according to the SEC. Using the information gleaned illicitly from at least 157 confidential filings, the group allegedly was able to make trades using the nonpublic information. The EDGAR data breach initially was disclosed by SEC Chairman Jay Clayton in September 2017. He said then that the intrusion was detected in 2016, but didn't learn the data was being used illicitly until August 2017.
The data thieves stole thousands of documents and disseminated them to servers in Lithuania, where the information was used to make the illegal trades. One individual was able to make $270,000 in a single day, the indictment filed against Oleksandr Ieremenko and Artem Radchenko, both fugitives based in Kiev, Ukraine, alleged. The same hacker group was also involved in theft of data from the computer networks of Marketwired L.P., PR Newswire Association LLC (PRN), and Business Wire.
Clayton said in a statement on Tuesday, “This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types. These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion.” Clayton pledged to improve security at the regulator.
Recently the SEC has been holding other organizations to account for data breaches. Last fall, Voya Financial Advisors Inc. became the first U.S. company to pay a fine to the SEC to settle charges that the company violated the Safeguards Rule and Identity Theft Red Flags Rule. The rule was enacted in 2013 and requires financial services companies to adopt policies and procedures to prevent data theft.
The Des Moines, Iowa-headquartered corporation paid a $1 million fine in September to settle the charges connected with allowing hackers in 2016 to impersonate their independent contractor representatives, thereby gaining access to passwords the intruders used to get information on more than 5,600 customers, though no unauthorized transfer of funds or securities from the accounts were linked to the attack, the SEC said at the time.
The SEC found that Voya's alleged failure to stop the intruders from gaining access was a result of poor cybersecurity procedures, some of which had been exposed in a previous incident. The cybersecurity enforcement rule had never been used against a company before that instance. Voya didn't admit or deny wrongdoing, and said it remediated and reported the incident.
Earlier last year, the SEC also fined Yahoo Inc., now known as Altaba Inc., $35 million in April for allegedly failing to disclose a massive data breach affecting 500 million user accounts from 2014 through 2016.
The takeaway: Whether you're a big financial services corporation or a government regulator, increasingly sophisticated hackers, some involved in criminal or other enterprises of global scope, are after your data with potentially dire consequences.
For companies, those consequences can include enforcement actions. Britt Latham, co-chairman of Bass, Berry & Sims securities and shareholder litigation practice group, said, “recent history shows the SEC is more likely to pursue enforcement action.”
But Latham said that when he talks with clients, “it is astonishing that many still don't have policies and procedures.” And even when they have them, “compliance with their own policies is a weakness that continues to surprise me,” he added.
“Companies have to be paying attention and educating themselves on what is the latest and greatest scheme or scam, and continue to improve and update their policies and train their people. The bad guys are only going to get more sophisticated. You have to have a big lock on the barn door and you have to improve that lock as we go forward,” he said.
Read more:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllPa. Judicial Nominee Advances While Trump Demands GOP Unity Against Biden Picks
4 minute read'Radical Left Judges'?: Trump Demands GOP Unity Against Biden's Judicial Picks
4 minute readRead the Document: 'Google Must Divest Chrome,' DOJ Says, Proposing Remedies in Search Monopoly Case
3 minute readDemocrats Give Up Circuit Court Picks for Trial Judges in Reported Deal With GOP
Trending Stories
- 1Debtor-Owner Allowed to Modify Mortgage in Bankruptcy Even if Debtor Is Not Obligor Under the Mortgage Loan
- 2Legal Chief of Retailer Beyond Exiting at Tumultuous Time
- 3Law Firm Real Estate Strategy: Attorney Offices Are Out, Conference Rooms Are In
- 4AI Governance In Practice
- 5Section 1782 Practice Pointers From Recent Decisions
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250