Yesterday, the Securities and Exchange Commission (SEC) announced charges against nine defendants for participating in a scheme to hack into the SEC’s Electronic Data Gathering, Analysis and Retrieval system (EDGAR), the SEC’s online system through which issuers make their required company filings, and extract material non-public information (MNPI) for use in illegal trading.
The SEC’s complaint alleges the hacker employed a variety of deceptive techniques in order to obtain MNPI that could be used to profitably trade securities. The MNPI allegedly came from “test filings”, which issuers sometimes submit privately to EDGAR in advance of making official public filings in order to ensure EDGAR will properly process the filings as intended. The test filings might comprise, for example, quarterly earnings results.
The hacker allegedly obtained such test filings, and then transmitted MNPI to traders who, in connection with approximately 157 earnings announcements, used it, within narrow time windows, to place profitable securities trades before the information was made public, producing over $4.1 million in gains.
The SEC’s complaint alleges the scheme was part of an effort dating back to at least May 2016, the first phase of which targeted newswire services in order to similarly trade on information that had not yet been released to the public. The SEC’s complaint charges each of the defendants with violating the federal securities antifraud laws and related SEC antifraud rules and seeks to impose financial penalties.
Cyber security is something the SEC and other international financial regulators have been increasingly focused on, often urging market participants to make dealing with potential attacks a priority.
Last month, SEC Chairman Jay Clayton spoke of cybersecurity as one of three market risks the SEC is monitoring, along with Brexit and the transition away from LIBOR.
He noted the SEC is focused on cybersecurity from five perspectives:
- Issuer disclosure—to ensure investors are sufficiently informed about the material cybersecurity risks and incidents affecting the companies in which they invest;
- Market oversight—to prioritize cybersecurity in the SEC’s examinations of market participants, including broker-dealers and investment advisers;
- SEC’s own cybersecurity risk profile—to assess and improve the SEC’s own security controls;
- Enforcement—to target cyber-related misconduct, including hacking to obtain MNPI;
- Investor education—to inform investors about “cybersecurity hygiene” and red flags of cyber fraud.
In February 2018, the SEC also issued interpretive guidance to assist companies in preparing disclosure on cybersecurity risks and incidents. The guidance reinforced the SEC’s earlier 2011 guidance and expanded it to address two new topics: the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.
For example, with respect to risk factors, the guidance reminds companies to disclose the risks associated with cybersecurity and cybersecurity incidents if such risks are among the most significant factors that make investments in the company’s securities speculative or risky (as required by Item 503(c) of Regulation S-K and Item 3.D of Form 20-F). Companies are to consider the following issues, among others, in evaluating their cybersecurity risk factor disclosure:
- the occurrence of prior cybersecurity incidents, including their severity and frequency;
- the probability of the occurrence and potential magnitude of cybersecurity incidents;
- the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
- the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
- the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
- the potential for reputational harm;
- existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs; and
- litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
The guidance also notes that in meeting their disclosure obligations, companies may need to disclose previous or ongoing cybersecurity incidents or other past events in order to place discussions of these risks in context.
In the UK, the Financial Conduct Authority (FCA) has also demonstrated its increasing concern over cybersecurity, last November releasing a report of its findings from a cross-sector survey of 296 firms conducted in 2017 and 2018 testing their cyber and technology resilience. Under Principle 11 of the FCA Handbook regarding relations with the regulator, the FCA expects firms to report to it major technology outages and cyber-attacks. The report noted that cyber-attacks accounted for 18 per cent of the operational incidents reported to the FCA between October 2017 and September 2018.