The SEC’s disclosure that its EDGAR system had been had hacked was big news last week, as was the accompanying disclosure that the information accessed may have been used for improper trading. In the following guest post, John Reed Stark takes a look at the interesting and important legal issues that might arise if the authorities were to try to pursue claims against persons trying to trade on the information stolen from the SEC. John is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. I would like to thank John for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.
Last week SEC Chairman Jay Clayton announced a data breach into the SEC’s EDGAR system, a vast database that contains information about company earnings, share dealings by top executives and corporate activity such as mergers and acquisitions. The announcement immediately made headlines warning of possible insider trading fraud. After all, accessing that EDGAR information before it’s disclosed publicly could allow hackers to profit by trading ahead of the information’s release.
But if the perpetrators of the EDGAR hack did trade on material, nonpublic information stolen from EDGAR, it is not a case of unlawful insider trading. Far more complex and challenging for SEC enforcement staff, the EDGAR hackers who traded would be charged instead with “outsider trading,” a much lesser known and barely tested legal theory of securities fraud.
Consider this scenario: A Microsoft employee sneaks into Microsoft’s CFO’s office, reads secret files about an upcoming positive earnings announcement and then buys Microsoft stock before that announcement. Is the Microsoft employee guilty of unlawful insider trading? Of course.
But suppose instead, a thief, who does not work at Microsoft, breaks into Microsoft headquarters via a basement window at midnight, reads Microsoft’s CFO’s papers about an upcoming positive earnings announcement and then buys Microsoft stock before that announcement. Is the thief guilty of insider trading? Historically, the SEC did not charge the thief with insider trading because a thief is just that, a thief, and not an insider or securities swindler.
Today, however, the SEC staff has dramatically changed course. The SEC has now begun targeting the thief, because the break-in is no longer through a basement window, instead the break-in is through a virtual window, in cyberspace.
Late in 2014, and early in 2015, the SEC began issuing new and novel requests and subpoenas to public companies about any and all data breaches (or attempted breaches) they have experienced. The SEC apparently selected the public companies that, according to cybersecurity firm FireEye, had experienced recent data breaches targeting inside information. FireEye had previously released a December 1, 2014 report about a group of hackers called “FIN4.”
The report said that Fin4 was targeting the email accounts of top executives, lawyers and others in an effort to obtain non-public information about merger and acquisition deals and major market-moving announcements. Next, in August 2015, the SEC began filing enforcement actions (in parallel with criminal prosecutors) against the perpetrators of these new and novel hacking schemes the SEC had been investigating.
Hence, the genesis of a burgeoning new SEC enforcement era, pursuing an emerging and dangerous risk to securities markets – unlawful outsider trading.
Ironically, the recent hack into the EDGAR database, disclosed last week by the SEC and the subject of testimony from SEC Chairman Jay Clayton before the Senate Banking Committee will bring the SEC’s previously quiet but steadfast outsider trading foray into the spotlight. Indeed, any enforcement actions against the perpetrators of the EDGAR hack will fall squarely within the somewhat unchartered (and unsettled) territory of outsider trading.
What is Outsider Trading?
Understanding the newfangled (and innovative) SEC jurisprudence of outsider trading must begin with a quick review of traditional notions of insider trading.
For starters, most insider trading is perfectly legal, such as when corporate executives buy stock in their own companies as an investment. Unlawful insider trading occurs when, for instance, executives buy stock in their own company based on material, nonpublic information learned on the job.
The rationale for policing unlawful insider trading is that for the markets to work efficiently and fairly, everyone needs to be working with the same basic information, or at least, that those with special access to nonpublic information are prevented from taking advantage of it before other investors. The prohibition on unlawful insider trading levels the playing field and protects the integrity of financial markets.
Some insider trading cases are straightforward, such as when a corporate executive trades stock in his or her company before the company’s earnings announcement. The executive has a duty to not trade on corporate information, described in the law as a “fiduciary duty or other duty of trust and confidence.”
But the outer edges of insider trading law are murky at best, especially when it is not clear whether a fiduciary duty attaches to a given person, such as when “mere thieves” or strangers, learn and trade upon confidential financial information gained through a cyber-attack.
The reason for the vagaries of insider trading law is that SEC statutes, rules and regulations make no explicit statutory prohibition (or even mention) of insider trading; rather, the prohibition against insider trading is actually a jumbled, garbled, judicially-created concoction, which has evolved slowly over time.
Judges derive insider trading violations from Section 10(b) of the Securities and Exchange Act of 1934 and Rule 10b-5 promulgated thereunder (together known as the “SEC’s antifraud provisions”), and are a “catchall” aimed at fraud, requiring some sort of “device, scheme or artifice to defraud” or some action, which would otherwise “operate as a fraud or deceit upon a person.”
Courts have historically found that the SEC’s antifraud provisions are not intended as a specification of particular fraudulent acts or practices, but rather are designed to tackle the infinite variety of devices by which undue advantage may be taken of investors and others. Along those lines, the Supreme Court has held that the SEC’s anti-fraud provisions prohibit all fraudulent schemes in connection with the purchase or sale of securities, whether the artifices employed involve a garden type variety of fraud, or present a unique form of deception.
The “Classical” and “Misappropriation” Theories of Insider Trading.
Courts have created two general theories to guide the application of their judicially designed insider trading doctrine, the classical theory and the misappropriation theory.
Under the first theory, the so-called “classical theory,” insider trading occurs when a corporate insider trades in the securities of his or her corporation on the basis of material, non-public information. A corporate insider is entrusted with confidential information by virtue of his or her position, and in return owes fiduciary duties to the shareholders not to use that information for personal gain.
Under the second and more recently decreed so-called “misappropriation theory,” courts extended liability for securities violations beyond classical insiders to those who misappropriate material, nonpublic information for use in a securities transaction in violation of some fiduciary or fiduciary-like duty that they owe to a party.
The SEC and Outsider Trading: The New Paradigm.
Outsider trading differs from both classical theory and the misappropriation theory. It differs from classical insider trading in that there is no pre-existing relationship of trust and confidence between the source of the information and the hacker who does the trading. It differs from misappropriation theory in that the “deception” usually relates directly to the hacking or unauthorized computer access and is a bit more attenuated from the securities transaction.
In other words, with cyber thieves who trade on information stolen during a data breach, the SEC is extending unlawful insider trading to a third and new category of securities miscreant — “outsiders” — who do not work for (or with) the company, and who do not owe a duty to anyone.
The SEC staff’s legal argument for charging unlawful outsider trading is that cyber thieves are masquerading as company insiders and are therefore committing securities fraud. Though a bit of a leap, there are actually a few SEC enforcement actions that have already applied (though not truly tested) the SEC’s adoption of its new outsider trading canon.
2005: SEC v. Lemus, Havel & Wiseman.
The first outsider trading SEC enforcement action was SEC v. Lohmus, Havel & Viisemann, et al in 2005. The SEC charged that Lohmus, an Estonian investment bank, and two of its employees, obtained more than 360 confidential soon to be released press releases of U.S. publicly traded companies by stealthily “spidering” the BusinessWire website for material, non-public information. BusinessWire at the time was a leading commercial disseminator of news releases and regulatory filings.
A “spider” is a program that visits websites and reads their pages and other information in order to create entries for a search engine index. The major Internet search engines all employ spider programs, which are also known as “crawlers” or “bots.”
The SEC claimed that Lohmus became a client of BusinessWire for the sole purpose of gaining access to BusinessWire’s secure client website. The SEC alleged that once Lohmus had access, Lohmus surreptitiously utilized a more sophisticated and clandestine spider program, which provided unauthorized access to confidential information contained in impending nonpublic press releases of other BusinessWire clients, including their expected time of issuance.
The SEC further alleged that the information stolen by Lohmus allowed them to strategically time their trades around the public release of news involving, among other things, mergers, earnings and regulatory actions. Using several U.S. brokerage accounts, the SEC charged that Lohmus traded the stocks of the companies whose confidential press release information they had stolen, and purchased options to increase their profits.
The SEC’s outsider trading legal theory in Lohmus was never tested in court, because eventually Lohmus and the two charged Lohmus employees settled with the SEC, without admitting or denying wrongdoing. Among other relief, the final judgments ordered one of the employees to pay over $14 million and another to pay over $650,000 in disgorgement and penalties, while Lohmus was ordered to pay a penalty of $650,000.
2007: SEC v. Blue Bottle.
The next outsider trading SEC enforcement action was in early 2007 in SEC v. Blue Bottle et al. Blue Bottle was a Hong Kong accounting firm that the SEC charged engaged in a fraud very similar to Louis’s scheme. Specifically, the SEC alleged that Blue Bottle hacked into computers of a newswire service to view press releases before they were published and then repeatedly executed transactions in the securities of 12 public companies just prior to press releases by those companies, netting $2.7 million in trading profits.
The SEC never specified the name of the news service breached by Blue Bottle, stating only that Blue Bottle made its profits by hacking into computer networks or otherwise improperly obtaining electronic access to systems that contain information about imminent news releases. Instead, the SEC merely alleged that based on “the disparate companies” in which Blue Bottle traded, the timing of the trades and the profit they generated, the firm had tapped into a third party computer system to learn nonpublic data.
Blue Bottle’s scheme included “put” and “call” options trading, a more sophisticated trading technique. A call option is basically a contract that allows the buyer the right, but not the obligation, to buy an agreed upon amount of stock by an agreed upon date for a specific price.
With call options, the buyer is betting the stock price will go up. A put option, on the other hand, is a high-stake bet that the company’s stock will drop quickly. With puts, the investor only gets a payout if the stock goes down.
In one set of trades, Blue Bottle bought 10,500 put contracts on Symantec. Blue Bottle was betting that Symantec’s stock price would drop by Jan. 20. On Jan. 16, which was the next trading day after Blue Bottle bought the puts, Symantec issued a downward revision of its third-quarter 2007 earnings and revenue forecast. Symantec also announced more “conservative guidance” for the rest of the fiscal year. Symantec’s news came out at 7:48 that morning, and
Blue Bottle began selling its puts at 9:30 am, generating profits of over $1 million.
Despite Blue Bottle’s large profits, the SEC’s foray into outsider trading attracted very little attention; perhaps because, just like in the Lohmus SEC enforcement action, the Blue Bottle matter was never contested. Before any judge could opine on the SEC’s outsider trading theory, Blue Bottle defaulted and a final judgment was ordered, which included, among other relief, an almost $11 million penalty and disgorgement order.
2007: SEC v. Oleksandr Dorozhko.
An opportunity for a judicial test of the SEC’s outsider trading theory arose once again in late 2007 in SEC v. Oleksandr Dorozhko, an SEC outsider trading action that was initially dismissed, then reinstated after an SEC appeal.
The Dorozhko matter involved an Eastern European who bet nearly a year’s worth of his income that a stock price would drop in two days, realizing profits of $280,000 (more than 5 times his yearly income). The SEC alleged that Dorozhko gained access to material non-public information from a data breach into a third party information dissemination computer network and made his trades based on that stolen information.
Specifically, Dorozhko opened an online trading account in which he deposited $42,500 in October 2007. Shortly thereafter, a hacker gained access to earnings data for IMS Health, Inc. vis-a-vis the servers of Thomson Financial, Inc., the company providing investor relations and web-hosting services to IMS.
According to the SEC, the hacker cloaked his identity and hid his tracks, but managed to overcome the security barriers at the site and gain unauthorized access to confidential information on the secure site.
Within an hour of the hacker’s obtaining this information, Dorozhko used his online trading account for the first time, purchasing almost $42,000 of IMS put options, essentially betting that IMS stock would decline significantly in the near future. Later the same day, IMS announced that its earnings were 28% below analysts’ expectations. When the market opened the next morning, the price of IMS stock dropped by about a third and Dorozhko sold his put options, realizing a profit of approximately $286,000. The SEC alleged that the hacker was Dorozhko, and charged him with outsider trading.
The District Court in the Dorozhko matter then dismissed the SEC action, holding that absent a fiduciary duty, Dorozhko’s conduct did not amount to any kind of securities fraud. The Court noted that Dorozhko’s trading was not “deceptive” and that Dorozhko was not an officer, director, representative or agent of IMS Health, Thompson Financial, or any other relevant party, so Dorozhko owed no fiduciary duty to anyone. The district court found that Dorozhko was merely a hacker, an outsider with no relationship to IMS or Thomson, and he could not be liable for unlawful insider trading.
The district court rejected the SEC’s outsider trading theory and held that computer hackers who steal and use information may be criminally liable for theft and computer crime, but it was too much of a stretch to charge them with any kind of securities fraud.
The SEC appealed the Dorozhko district court decision and the United States Court of Appeals for the Second Circuit overturned the District Court’s Dorozhko decision. The Second Circuit noted that the SEC did not need to prove the existence of a fiduciary duty because Dorozhko affirmatively misrepresented himself in obtaining the confidential information. The Second Circuit recognized that when a cyber attacker trades on stolen, exfiltrated confidential information, the SEC could charge the cyber attacker with outsider trading.
2008: SEC v. Michael A. Stummer.
Another outsider trading SEC matter was filed in 2008 and involved a rather primitive version of hacking and computer intrusion. The matter, SEC v. Michael Stummer, also dubbed by the media as the “Brother-in-law from Hell: Wall Street Edition,”involved a day trader who: 1) snuck into his brother-in-law’s bedroom during a family get together; 2) stole his brother-in-law’s computer password; 3) logged on to his brother-in-law’s computer; 4) reviewed on the computer material, nonpublic information about a possible tender offer by the brother-in-law’s private equity firm (CI Capital Partners) of a public company (Ryan’s Restaurant Group); and 5) made profitable trades based on that information.
Like the other outsider trading matters before, the Stummer matter was also never contested. Stummer settled with the SEC without admitting or denying wrongdoing, and paid about a $46,000 penalty and $46,000 in disgorgement of his ill-gotten trading gains.
2015: SEC v. Ivan Turchynov and Oleksandr Ieremenko, et al.
In August 2015, the SEC stepped up its outsider trading efforts considerably, announcing its first major outsider trading case, charging a large outsider trading ring, filing enforcement action against 34 defendants, in parallel to DOJ federal criminal cases filed in the Eastern District of New York and the District of New Jersey in Newark.
In this elaborate, multi-faceted and international prosecution, the SEC charged, that over a five-year period, Ivan Turchynov and Oleksandr Ieremenko spearheaded a scheme to hack into two or more newswire services and steal hundreds of corporate earnings announcements before the newswires released them publicly. The SEC further charged that Turchynov and Ieremenko created a secret web-based location to transmit the stolen data to traders in Russia, Ukraine, Malta, Cyprus, France, and three U.S. states, Georgia, New York, and Pennsylvania. The traders are alleged to have used this nonpublic information in a short window of opportunity to place illicit trades in stocks, options, and other securities, sometimes purportedly funneling a portion of their illegal profits to the hackers.
According to the SEC’s complaint, Turchynov and Ieremenko hid the intrusions by using proxy servers to mask their identities and by posing as newswire service employees and customers. The two allegedly recruited traders with a video showcasing their ability to steal the earnings information before its public release.
The SEC complaint charges that in return for the information, the traders sometimes paid the hackers a share of their profits, even going so far as to give the hackers access to their brokerage accounts to monitor the trading and ensure that they received the appropriate percentage of the profits. The SEC complaint charges that the traders sought to conceal their illicit activity by establishing multiple accounts in a variety of names, funneling money to the hackers as supposed payments for construction and building equipment, and even trading in exotic derivative products such as so-called “contracts for difference” (CFDs).
Since the SEC’s filing, the SEC has already inked a $30 million settlement with Jaspen Capital Partners Limited and CEO Andriy Supranonok as well as a $4.2 million settlement with Concorde Bermuda Ltd., a Ukraine-based company, who were all accused of being involved in the scheme.
Since DOJ’s parallel criminal filing, three of the defendants, Aleksandr Garkusha, Arkady Dubovoy and Igor Dubovoy have all pled guilty to certain charges and each face up to 20 years in prison (but will likely get less under recommended federal sentencing guidelines). Here are the details of each pleading:
- Garkusha, 47, a resident of Alpharetta, Georgia, near Atlanta, pled guilty on December 22, 2015, to one count of conspiracy to commit wire fraud, becoming the first defendant criminally charged in the case to admit wrongdoing. Garkusha, who also agreed to cooperate with authorities, admitted that over a three-month period he used corporate press releases obtained before they were released publicly to make $125,000 trading in stocks. “I am very sorry I did this,” Garkusha said in court. “I know that it was against the law.”
- Igor Dubovoy, 28, also of Alpharetta, Georgia, was the second to plead guilty in the scheme, also copping on January 20, 2016 to one count of conspiracy to commit wire fraud, and according to his plea agreement, agreed to make $3 million of restitution to the newswires. According to the plea agreement, Dubovoy faces up to 20 years in prison and has agreed to pay restitution of more than $3 million to the newswires and forfeit nearly $11.5 million jointly with his father, Arkadiy Dubovoy. Prosecutors said Dubovoy must also pay a fine of $250,000 or twice the gross gain or loss from the offense. Prosecutors said Igor Dubovoy admitted to buying stolen press releases that he knew contained non-public earnings data for publicly traded companies, and that he made trades based on their contents after sending them to another trader to review.
- Arkadiy Dubovoy, 51, Igor Dubovoy’s father, also of Alpharetta Atlanta, became the third defendant to capitulate, and also pled guilty on February 18, 2016, to one count of conspiracy to commit wire fraud. Arkady Dubovoy admitted in court to buying stolen releases from the hackers, asking two other criminal defendants to decide which trades would be profitable, and agreeing to kick back half of his trading profits to the hackers.
2016: SEC v. Evegenii Zavodchiko, Andrey Bokarev, Andreevna Alepko, Anton Maslov, et al.
In February, 2016, the SEC added more defendants to the mix, filing a second follow-on suit in New Jersey federal court against nine additional defendants including several Russian traders who were also allegedly involved the outsider trading scheme and who scored more than $19.5 million in illegal profits.
The nine new defendants charged were brokerage customers of Malta-based Exante Ltd., and engaged in their allegedly illegal trading through a brokerage account held in Exante’s name. The new case involves five traders and four companies they own, and allege that the defendants reaped their unlawful profits by trading in such companies as heart valve maker Edwards LifeSciences Corp and casino operator Las Vegas Sands Corp.
Outsider Trading and Malware Reverse Engineering.
The SEC matters have been “stayed” until the federal criminal actions are resolved. While waiting for the criminal prosecutions of the outsider trading ring to end, the SEC staff may want to review the Dorozhko decision and its progeny – because a tough legal mêlée may lie ahead.
The Dorozhko matter is the sole SEC outsider trading matter that has truly been brought before a judge for actual adjudication – all of the other SEC matters have settled or remain otherwise unresolved. Thus, if any of the SEC’s outsider trading ring prosecutions are contested, there will likely ensue an exhaustive scrutiny of the SEC’s outsider trading legal jurisprudence.
Though some might argue that Dorozhko was the first formal judicial recognition of outsider trading, there was a slight snag to the Second Circuit’s reversal – which could impact the SEC’s prosecution of the outsider trading ring. The Second Circuit remanded the case to the district court for further proceedings as to the nature of Dorozhko’s hacking process — noting that hacking might not be a securities fraud if, for instance, it was based on discovering weaknesses in software rather than, a deception, such as a hacker using hijacked employee credentials.
The new Dorozhko trial result could have perhaps hardened outsider trading theory but, alas, after Dorozhko’s attorney confirmed he was unable to get in touch with Dorozhko, the district court granted summary judgment to the SEC and, among other relief, ordered Dorozhko to pay a civil penalty of approximately $286,000, Dorozhko’s net profit from trading the IMS put options.
Thus, the theory of outsider trading, while partially vetted by the Second Circuit, still remains untested i.e. the question remains whether exploiting a weakness in securities code is a mere theft or is instead a “deception” and therefore unlawful outsider trading.
Therein lies the rub: For the SEC staff to charge an outsider trading violation, the SEC must “reverse-engineer” the malware involved in the cyber-attack and confirm that it involved a “deception.” This is no simple task.
Malware: (Oh Lord) Please Don’t Let Me Be Misunderstood.
The term “malware” is often misunderstood. It is often defined as software designed to interfere with a computer’s normal functioning, such as viruses (which can wreak havoc on a system by deleting files or directory information); spyware (which can gather data from a user’s system without the user knowing it.); worms (which can replicate themselves independently to spread to other computers); or Trojan horses (which are non-self-replicating programs containing malicious code that, when executed, can carry out an attacker’s actions).
The definition of malware is actually far broader. In the context of a cyber-attack, malware means any program or file used by attackers to infiltrate a computer system. Like the screwdriver a burglar uses to gain unlawful entry into a company’s headquarters, legitimate software can actually be malware. For example, during an APT attack, attackers might use “RAR” files as containers for transporting exfiltrated information, yet RAR files have a wide range of legitimate uses.
Malware and the Outsider Trading Ring.
Whether the perpetrator of an insider-trader scheme is orchestrating SQL injections, cold fusion exploits, advanced persistent threat (APT) assaults, or any other online cyber-attack to access material, non-public information, the SEC staff will have some hefty digital forensic work to do.
For instance, in their outsider trading ring prosecutions, the SEC will have to offer evidence of the precise technical nature of the data breach – and substantiate the “deception.” Yet malware can be hiding in plain sight, making it’s reverse-engineering both an art and a science, so the SEC will need forensic investigators, incident responders, security engineers, and IT administrators to analyze the technical modus operandi of the outsider trading ring.
If the outsider trading ring data breaches occurred because a company failed to install a critical software patch, leaving a virtual door open for an online intruder, a court may find that the attack was merely breaking and entering, not a securities fraud. On the other hand, if the outsider trading ring data breaches involved the use of a rootkit (a stealthy type of malicious software, designed to hide the existence of certain processes or programs from normal methods of detection) and the kit allowed continued unauthorized access to a network, a court may find that the that the attack used the kind of “deception,” necessary to trigger SEC jurisdiction.
The SEC’s “Malware Pleading.”
Buried quietly within the SEC’s recent civil complaints charging the outsider trading ring, lies a clue as to how the SEC plans to plead malware-related facts necessary to meet the “deception” requirement of Dorozhko. In both pleadings, specifically Paragraph 71 of the first SEC outsider trading ring complaint and Paragraph 79 of the second SEC outsider trading complaint, the SEC states:
“The hacker defendants used deceptive means to gain unauthorized access to the Newswire Services’ computer systems, using tactics such as: (a) employing stolen username/password information of authorized users to pose as authorized users; (b) deploying malicious computer code designed to delete evidence of the computer attacks; (c) concealing the identity and location of the computers used to access the Newswire Services’ computers; and (d) using back-door access-modules.”
How the SEC amassed the evidence necessary to support the pleading in paragraphs 71 and 79 is unclear, perhaps from DOJ or FBI computer engineers, who assisted with the parallel federal criminal indictments from the Eastern District of New York and the District of New Jersey in Newark. Or perhaps the SEC digital forensics team gleaned the malware-related allegations from forensic images of hard drives on laptops and computers seized by Ukrainian authorities in November 2012 from the two accused hackers, Ivan Turchynov and Oleksandr Ieremenko (who remain at large).
In any case, what further evidence the SEC has deciphering the technical minutia of the ring’s cyber-attacks (in support of paragraphs 71 and 79 of their pleadings) remains to be seen. And whether the SEC can prove that the defendants in the outsider trading ring perpetrated a fraud, and not a theft, will undoubtedly ultimately be disputed by competing digital forensic experts.
A Final Note on the SEC’s Outsider Trading Jurisprudence.
The SEC creativity and its use of an ambitious outsider trading legal theory is not surprising. SEC staffers probably found inspiration from the 40 year-old seminal Supreme Court decision written by Supreme Court Justice (and former SEC Chairman) William O’Douglas and captioned Superintendent of Insurance v. Bankers Life and Casualty Co.
In that decision, Justice O’Douglas opined:
“We believe that section 10(b) and Rule 10b-5 prohibit all fraudulent schemes in connection with the purchase or sale of securities, whether the artifices employed involve a garden type variety fraud, or present a unique form of deception. Novel or atypical methods should not provide immunity from the securities laws.”
Should courts intervene and halt the SEC from expanding insider trading liability to computer hackers? I don’t think so.
First, judicial expansion of insider trading law is a tradition; some might say even a jurisprudential national pastime. And until Congress opts to define insider trading (a debate which has been raging for decades), using judge made law remains the only way prosecutors can address the deceitful and dishonest practice of trading securities based on material, nonpublic information.
Second, with respect to outsider trading, the specially trained SEC staff are the most capable law enforcement organization to scrutinize, appreciate, understand and bring to justice the complex trading violations involved.
Finally, the SEC’s efforts targeting outsider trading, under any theory (even a far-fetched one), is not only good for investors but also good for capital markets – two constituencies the SEC is expected to protect. Indeed, if the SEC were to present the facts involved in Dorozhko or in the recent outsider trading ring to a jury, a politician or even any layperson on the street, the overwhelming consensus would be that the conduct involved was the kind of securities fraud that the SEC should be policing.
The public’s reaction to the EDGAR data breach dramatically proves this point. Reporters, politicians and pundits all sounded a similar alarm: if the hackers were caught, insider trading would be the crime.
Empowered by the latest malware and online intrusion weaponry, cyber attackers engaging in outsider trading schemes like the EDGAR hack pose a serious threat to the integrity and security of the global financial marketplace – a threat which must be stopped dead in its tracks.
Of all the regulators and law enforcement agencies who mark securities fraud as their territory, the SEC stands alone in its expertise, experience, and wherewithal, so it is not surprising that the 2nd Circuit validated the SEC’s outsider-trading theory (albeit with a malware reverse-engineering glitch). But now, the recent hack of the SEC’s EDGAR system will undoubtedly shake up the world of securities fraud once again.
No longer are social security numbers, credit card information and the like the primary focuses of hackers. Information is the target – and public companies and the SEC in its EDGAR database (!) have a lot of it. Indeed, crooks from anywhere in the world can now use their cyber-wares to orchestrate corporate espionage and remotely trade stock based on stolen secrets.
To deter this rising 21st century menace, the SEC began slowly with the Lohmus Havel, Blue Bottle, Dorozhko and even Stummer enforcement actions. Then, with its sprawling outsider trading ring bust, the SEC reinforced its assertion of outsider trading jurisdiction.
The SEC deserves some serious props for stepping up to protect investors from the perils of outsider trading, an alarming and futuristic category of wrongdoing. The only losers in the equation are, unfortunately, the innocent public companies involved, whose private information was hijacked by international hacking gangs. To those victim companies, the SEC’s jurisdictional expansion and swagger exacts a double whammy, creating an unwelcome, unanticipated (and very large) expense.
Not only must the company respond to the broad and sweeping SEC requests and subpoenas related to any cyber-attack, but the company must also independently investigate, report, contain and remediate any data breach the SEC identifies. The victim company may even get hit with an SEC action for failing to disclose the breach in a timely and appropriate manner.
This begs the interesting and ironic question with respect to the EDGAR data breach:
Will the SEC enforcement division staff have to subpoena data from the SEC’s Office of Information Technology (OIT) regarding the attack, or will the SEC enforcement staff simply take the elevator to the OIT floor and gather the information themselves . . . ?
But seriously, only time will tell whether the SEC’s outsider trading dragnet is successful — and whether the trading by the EDGAR hackers trigger SEC jurisdiction.
One thing for sure is that given the EDGAR database hack, the SEC will probably never retreat from its outsider trading prosecutorial posture. Chairman Clayton’s Senate Banking Committee testimony about the hack made no mention of Dorozhko and the judicial uncertainty of outsider trading. So it seems that at least during the Clayton Era, the SEC will continue its foray into outsider trading.
Chairman Clayton probably had little choice but to dig in. As the guardian of U.S. capital markets and sworn protector of investors, the SEC cannot allow itself to become a securities fraud kingpin, inadvertently sourcing ironclad tips of nonpublic information to an online outsider trading ring.
John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of a global data breach response firm, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.“