Even powerful entities like the U.S. government’s Securities and Exchange Commission (SEC) and major news agencies are not impervious to cyberattacks, despite the significant resources they dedicate to defending the valuable information they are responsible for.
In 2015, the SEC brought charges against 32 defendants involved in hacking into two or more newswire services in order to steal corporate earnings announcements prior to public release.
The stolen data was transmitted to traders in Russia, Ukraine, Malta, Cyprus, France, and three U.S. states: Georgia, New York, and Pennsylvania.
Traders used that information to place illicit trades in stocks, options, and other securities during a narrow window of opportunity between the time when the information was extracted and when the information went public.
Fastforwarding to January 15, 2019, the SEC has now charged 9 defendants for hacking into the SEC’s EDGAR system during 2016 in order to obtain nonpublic information for use in illegal trades, similar to the 2015 case. The hacker and some of the traders were involved in both schemes.
Read the full SEC press release here.
Details Surrounding the EDGAR Hacking
The SEC’s January complaint alleges that Ukranian hacker Oleksandr Ieremenko bypassed EDGAR user authentication security and obtained test files that contained nonpublic information, including actual quarterly earnings results not yet released to the public from within the SEC server system.
Ieremenko then passed the information to different groups of traders to be exploited for illegal trading in advance of no fewer than 157 earnings releases, in much the same fashion as the 2015 case. This breach of the SEC’s system generated $4.1 million in estimated illegal profits.
Defendants were also charged in the U.S. District of New Jersey for related criminal charges.
The EDGAR Hacking: Lessons to Be Learned
This case contains a clear and urgent reminder: Effective cybersecurity policies are absolute necessities, in addition to cybersecurity testing, incident response planning and employee training.
The need for firms to address their cybersecurity policies is a growing trend in the industry and technology continues to evolve. Cybersecurity has been a focus area of the SEC for many years, which is evident in the past two years where they were featured in the SEC Exam Priorities.
This point was driven home by Enforcement Division Co-Director Stephanie Avakian:
“International computer hacking schemes like the one we charged today pose an ever-present risk to organizations that possess valuable information.”
When we consider that even a government entity like the SEC, which dedicates tremendous resources to cybersecurity, can be taken advantage of, we see the clear indication that smaller, more vulnerable targets (including private firms) must place a priority on the development and implementation of robust security policies and procedures, including an effective incident response plan to immediately control damage should a breach occur.
Help Is Available
Core Compliance & Legal Services, Inc., can help your firm create or update cybersecurity policies and procedures, incident response plans, training programs, and due diligence procedures designed to meet your firm’s business needs.
Got cybersecurity issues or questions? Click here to let us know how we can help.