John Reed Stark

Most readers are undoubtedly familiar with the concept of “insider trading” – that is, the purchase or sale by company insiders of their personal holdings in company shares based on material non-public information. Readers may be less familiar with “outsider trading,” which is trading in shares of a company on the basis on material non-public information by individuals who do not qualify as insiders. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, takes a look at the SEC’s track record in this area and calls for the agency to reinforce its efforts to police outsider trading. A version of this article previously appeared on Securities Docket. I would like to thank John for his willingness to allow me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.

*****************************************

It was just a year or so ago when the SEC learned first-hand what it’s like to experience a data breach.  Like a cardiologist who suffers a heart attack and could uniquely empathize with patients, the SEC, after suffering the EDGAR data breach, could now uniquely empathize with the cybersecurity challenges faced by financial firms.

 

When the SEC sheepishly announced the data breach and the irony that stolen EDGAR information may have been used to profit in a securities fraud scheme perpetrated by the cyber-attackers, the SEC was imparted one important lesson first-hand: Outsider Trading Should be a Top SEC Enforcement Priority. 

 

Unfortunately, the SEC appears to have ignored that powerful lesson.

 

By way of background, on September 20th, 2017, Securities and Exchange Commission (SEC) Chairman Jay Clayton announced a data breach into the SEC’s Electronic Data Gathering and Retrieval (EDGAR) system, a vast database that contains information about company earnings, share dealings by top executives and corporate activity such as mergers and acquisitions. EDGAR processes roughly 1.7 million electronic filings per year.

 

According to the SEC, the hacker was able to take advantage of a “software vulnerability in the test filing component” of EDGAR, which “resulted in access to nonpublic information.” Once discovered, the problem was immediately patched, and two investigations began.  First, the SEC initiated an internal investigation into the cause of the data breach.  Second, the SEC enforcement division initiated a formal investigation into whether the cyber-attackers used material, nonpublic EDGAR information in a scheme to profit unlawfully.

 

At the time, the SEC’s EDGAR data breach announcement immediately made headlines warning of possible insider trading fraud. After all, accessing that EDGAR information before it’s disclosed publicly could allow hackers to profit by trading ahead of the information’s release.  But the headlines perpetuated a common and oft misunderstood misconception.

 

If the perpetrators of the EDGAR hack did trade on material, nonpublic information stolen from EDGAR, it was not a case of unlawful insider trading. Instead, the EDGAR hackers who traded would be charged with “outsider trading,” a much more nascent and far more dangerous securities fraud variant. Outsider trading is the kind of securities fraud that threatens the integrity of the entire global financial marketplace – and it can only get worse.

 

Given the SEC’s expertise, wherewithal, creativity and specialized resources to prosecute any kind of securities fraud, the SEC, not surprisingly, led the charge.  Since 2005, when the SEC first encountered conduct involving outsider trading, and continuing through the end of 2016, prosecuting outsider trading violations evolved into a top SEC enforcement priority.

 

But now, a year or so after the EDGAR data breach, with four (out of five) new SEC commissioners, the SEC’s interest in investigating and charging outsider trading appears to be waning and is no longer a priority.  In fact, the SEC’s initial outsider trading dragnet seems to have come to a screeching halt.  Perhaps the SEC is referring outsider trading schemes to the U.S. Department of Justice, who has broader jurisdiction (e.g. federal prosecutors can charge outsider trading as a computer crime or theft) – but no one outside of SEC staff knows for sure.

 

This article discusses the disappointing reality of the deafening silence of the SEC with respect to the plague of outsider trading, despite the fact the SEC itself has been used as a pawn for an outsider trading scheme.

 

First, a little history and background and then a more extensive analysis.

 

2005–2016: The SEC Outsider Trading Program 

Consider this scenario: A Microsoft employee sneaks into Microsoft’s CFO’s office, reads secret files about an upcoming positive earnings announcement and then buys Microsoft stock before that announcement. Is the Microsoft employee guilty of unlawful insider trading? Of course.  But suppose instead, a thief, who does not work at Microsoft, breaks into Microsoft headquarters via a basement window at midnight, reads Microsoft’s CFO’s papers about an upcoming positive earnings announcement and then buys Microsoft stock before that announcement. Is the thief guilty of insider trading? Historically, the SEC did not charge the thief with insider trading because a thief is just that, a thief, and not an insider or securities swindler.

 

From 2005–2016, however, the SEC staff changed course. The SEC began targeting the thief, because the break-in was no longer through a basement window, instead the break-in was through a virtual window, in cyberspace.  Late in 2014, and early in 2015, the SEC even went so far as to issue new and novel requests and subpoenas to public companies about any and all data breaches (or attempted breaches) they have experienced. The SEC apparently selected the public companies that, according to cybersecurity firm FireEye, had experienced recent data breaches targeting inside information. FireEye had previously released a December 1, 2014 report about a group of hackers called “FIN4.”  The report said that Fin4 was targeting the email accounts of top executives, lawyers and others in an effort to obtain non-public information about merger and acquisition deals and major market-moving announcements.

 

Ironically, the hack into the EDGAR database, which was also the subject of testimony from SEC Chairman Jay Clayton before the Senate Banking Committee brought the SEC’s previously quiet but steadfast outsider trading foray into the spotlight. Indeed, any enforcement actions against the perpetrators of the EDGAR hack would fall squarely within the recently chartered territory of outsider trading.

 

What is Outsider Trading?

Understanding the newfangled and innovative SEC jurisprudence of outsider trading begins with a quick review of traditional notions of insider trading.

 

For starters, most insider trading is perfectly legal, such as when corporate executives buy stock in their own companies as an investment. Unlawful insider trading occurs when, for instance, executives buy stock in their own company based on material, nonpublic information learned on the job.

 

The rationale for policing unlawful insider trading is that for the markets to work efficiently and fairly, everyone needs to be working with the same basic information, or at least, that those with special access to nonpublic information are prevented from taking advantage of it before other investors. The prohibition on unlawful insider trading levels the playing field and protects the integrity of financial markets.

 

Some insider trading cases are straightforward, such as when a corporate executive trades stock in his or her company before the company’s earnings announcement. The executive has a duty to not trade on corporate information, described in the law as a “fiduciary duty or other duty of trust and confidence.”

 

But the outer edges of insider trading law are murky at best, especially when it is not clear whether a fiduciary duty attaches to a given person, such as when “mere thieves” or strangers, learn and trade upon confidential financial information gained through a cyber-attack.

 

The reason for the quirks of insider trading law is that SEC statutes, rules and regulations make no explicit statutory prohibition (or even mention) of insider trading; rather, the prohibition against insider trading is actually a jumbled, garbled, judicially-created concoction, which has evolved slowly over time.

 

Judges derive insider trading violations from Section 10(b) of the Securities and Exchange Act of 1934 and Rule 10b-5 promulgated thereunder (together known as the “SEC’s antifraud provisions”), and are a “catchall” aimed at fraud, requiring some sort of “device, scheme or artifice to defraud” or some action, which would otherwise “operate as a fraud or deceit upon a person.”

 

Courts have historically found that the SEC’s antifraud provisions are not intended as a specification of particular fraudulent acts or practices, but rather are designed to tackle the infinite variety of devices by which undue advantage may be taken of investors and others. Along those lines, the Supreme Court has held in 1971, in Superintendent of Ins. v. Bankers Life & Cas. Co., found that the SEC’s anti-fraud provisions prohibit all fraudulent schemes in connection with the purchase or sale of securities, whether the artifices employed involve a garden type variety of fraud, or present a unique form of deception.

 

2005–2016: The SEC Outsider Trading Paradigm

From 2005 – 2016, the SEC extended unlawful insider trading to a third and new category of securities miscreant — “outsiders” — who do not work for (or with) the company, and who do not owe a fiduciary duty to that company, its shareholders or anyone else.

Reasoning that hack-and-trade cyber thieves were masquerading as company insiders and were therefore committing securities fraud, the SEC staff filed a series of important outsider trading enforcement actions:

 

2005: SEC v. Lohmus, Haavel & Wiseman:  The first outsider trading SEC enforcement action was SEC v. Lohmus Haavel & Viisemann, et al in 2005. The SEC charged that Lohmus, an Estonian investment bank, and two of its employees, obtained more than 360 confidential soon to be released press releases of U.S. publicly traded companies by stealthily “spidering” the BusinessWire website for material, non-public information. BusinessWire at the time was a leading commercial disseminator of news releases and regulatory filings. 

 

 

2007: SEC v. Blue Bottle, et al:  The next outsider trading SEC enforcement action was in early 2007 in SEC v. Blue Bottle et al. Blue Bottle was a Hong Kong accounting firm that the SEC charged engaged in a fraud very similar to the 2005 Lohmus’s scheme. Specifically, the SEC alleged that Blue Bottle hacked into computers of a newswire service to view press releases before they were published and then repeatedly executed transactions in the securities of 12 public companies just prior to press releases by those companies, netting $2.7 million in trading profits.

 

On April 24, 2007, the United States District Court for the Southern District of New York entered a default judgment against Blue Bottle ordering $2,707,177 in disgorgement of profits from the illegal trading, $18,047 in prejudgment interest, and an $8,121,561 million penalty equal to three times the profits from the illegal trading.

 

2007: SEC v. Oleksandr Dorozhko:  An opportunity for a judicial test of the SEC’s outsider trading theory arose once again in late 2007 in what many consider to be the seminal outsider trading case of SEC v. Oleksandr Dorozhko, an SEC outsider trading action that was initially dismissed, then reinstated after an SEC appeal.  This case is worthy of some further analysis.

 

The Dorozhko matter involved an Eastern European who bet nearly a year’s worth of his income that a stock price would drop in two days, realizing profits of $280,000 (more than 5 times his yearly income). The SEC alleged that Dorozhko gained access to material non-public information from a data breach into a third-party information dissemination computer network and made his trades based on that stolen information.

 

Specifically, Dorozhko opened an online trading account in which he deposited $42,500 in October 2007. Shortly thereafter, a hacker gained access to earnings data for IMS Health, Inc. vis-a-vis the servers of Thomson Financial, Inc., the company providing investor relations and web-hosting services to IMS.

 

According to the SEC, the hacker cloaked his identity and hid his tracks, but managed to overcome the security barriers at the site and gain unauthorized access to confidential information on the secure site.

 

Within an hour of the hacker’s obtaining this information, Dorozhko used his online trading account for the first time, purchasing almost $42,000 of IMS put options, essentially betting that IMS stock would decline significantly in the near future. Later the same day, IMS announced that its earnings were 28% below analysts’ expectations. When the market opened the next morning, the price of IMS stock dropped by about a third and Dorozhko sold his put options, realizing a profit of approximately $286,000. The SEC alleged that the hacker was Dorozhko, and charged him with outsider trading.

 

Judge Naomi Reice Buchwald, the S.D.N.Y. judge assigned to the Dorozhko matter then dismissed the SEC action, holding that absent a fiduciary duty, Dorozhko’s conduct did not amount to any kind of securities fraud.  The District Court noted that Dorozhko’s trading was not “deceptive” and that Dorozhko was not an officer, director, representative or agent of IMS Health, Thompson Financial, or any other relevant party, so Dorozhko owed no fiduciary duty to anyone. The district court found that Dorozhko was merely a hacker, an outsider with no relationship to IMS or Thomson, so he could not be liable for unlawful insider trading.

 

The District Court rejected the SEC’s outsider trading theory and held that computer hackers who steal and use information may be criminally liable for theft and computer crime, but it was too much of a stretch to charge them with any kind of securities fraud.

 

The SEC appealed the Dorozhko district court decision and the United States Court of Appeals for the Second Circuit overturned the District Court’s Dorozhko decision. The Second Circuit noted that the SEC did not need to prove the existence of a fiduciary duty because Dorozhko affirmatively misrepresented himself in obtaining the confidential information. The Second Circuit recognized that when a cyber attacker trades on stolen, exfiltrated confidential information, the SEC could charge the cyber attacker with outsider trading.

 

2008: SEC v. Michael A. Stummer:  Another outsider trading SEC matter was filed in 2008 and involved a rather primitive version of hacking and computer intrusion. The matter, SEC v. Michael Stummer, also dubbed by the media as the “Brother-in-law from Hell: Wall Street Edition,involved a day trader who: 1) snuck into his brother-in-law’s bedroom during a family get together; 2) stole his brother-in-law’s computer password; 3) logged on to his brother-in-law’s computer; 4) reviewed on the computer material, nonpublic information about a possible tender offer by the brother-in-law’s private equity firm (CI Capital Partners) of a public company (Ryan’s Restaurant Group); and 5) made profitable trades based on that information.

 

Like the other outsider trading matters before, the Stummer matter was also never contested. Stummer settled with the SEC without admitting or denying wrongdoing, and paid about a $46,000 penalty and $46,000 in disgorgement of his ill-gotten trading gains.

 

2015: SEC v. Ivan Turchynov and Oleksandr Ieremenko, et al:  In August 2015, the SEC stepped up its outsider trading efforts considerably, announcing its first major outsider trading case, charging a large outsider trading ring, filing enforcement action against 34 defendants, in parallel to DOJ federal criminal cases filed in the Eastern District of New York and the District of New Jersey in Newark. In this elaborate, multi-faceted and international prosecution, the SEC charged, that over a five-year period, Ivan Turchynov and Oleksandr Ieremenko spearheaded a scheme to hack into two or more newswire services and steal hundreds of corporate earnings announcements before the newswires released them publicly.

 

The SEC further charged that Turchynov and Ieremenko created a secret web-based location to transmit the stolen data to traders in Russia, Ukraine, Malta, Cyprus, France, and three U.S. states, Georgia, New York, and Pennsylvania. The traders were alleged to have used this nonpublic information in a short window of opportunity to place illicit trades in stocks, options, and other securities, sometimes purportedly funneling a portion of their illegal profits to the hackers. 

 

 

2016: SEC v. Evegenii Zavodchiko, Andrey Bokarev, Andreevna Alepko, Anton Maslov, et al:  In February, 2016, the SEC added more defendants to the mix, filing a second follow-on suit in New Jersey federal court against nine additional defendants including several Russian traders who were also allegedly involved the outsider trading scheme and who scored more than $19.5 million in illegal profits.

 

2016: SEC v. Jonathan Ly:  On December 5, 2016, the SEC filed another outsider trading matter alleging that Jonathan Ly, who worked in Expedia’s corporate IT services department, illegally traded in advance of nine company news announcements from 2013 to 2016 and generated nearly $350,000 in profits. According to the SEC’s complaint, Ly exploited administrative access privileges designated for IT personnel to remotely hack into computers and email accounts of senior executives and review confidential documents and pre-earnings reports. Ly particularly targeted information prepared by Expedia’s head of investor relations summarizing Expedia’s yet-to-be-announced earnings and describing how the market could react to particular announcements.

 

Ly settled at the time of the SEC charges, without admitting or denying wrongdoing, and agreed to pay disgorgement and interest and agreed to pay $375,000 .  In a parallel action, the U.S. Attorney’s Office for the Western District of Washington filed criminal charges against Ly, who concurrently pled guilty to securities fraud and was later given a 15-month sentence and three year’s supervised release.

 

2016: SEC v. Iat Hong, et al: On December 27, 2016, the SEC filed its last outsider trading case, alleging that Iat Hong, Bo Zheng, and Hung Chin executed a deceptive scheme to hack into the networks of two law firms and steal confidential information pertaining to firm clients that were considering mergers or acquisitions.  According to the SEC’s complaint, the alleged hacking incidents involved installing malware on the law firms’ networks, compromising accounts that enabled access to all email accounts at the firms, and copying and transmitting dozens of gigabytes of emails to remote internet locations. Defendants Hong and Zheng in particular coveted the emails of attorneys involved in mergers and acquisitions, as they exchanged a list of partners who performed the work at one of the law firms prior to the hack at that firm.

 

According to the SEC’s complaint, Hong, Zheng, and Chin used the stolen confidential information contained in emails to purchase shares in at least three public companies ahead of public announcements about entering into merger agreements. The SEC alleges that they spent approximately $7.5 million in a one-month period buying shares in semiconductor company Altera Inc. in advance of a 2015 report that it was in talks to be acquired by Intel Corporation.

 

 

Within 12 hours of emails being extracted from one of the firms, Hong and Chin allegedly began purchasing shares of e-commerce company Borderfree so aggressively that they accounted for at least 25 percent of the company’s trading volume on certain days in advance of the announcement of a 2015 deal. Hong and Zheng also allegedly traded in advance of a 2014 merger announcement involving InterMune, a pharmaceutical company.

 

In a parallel action, the U.S. Attorney’s Office for the Southern District of New York filed criminal charges against Iat Hong, unsealing the indictment and he was arrested by Hong Kong law enforcement authorities.  Iat Hong apparently remains in Hong Kong police custody despite a U.S. extradition request, while the whereabouts of the other defendants remain unknown.

 

Outsider Trading and Malware Reverse Engineering

Though some might argue that Dorozhko was the first formal judicial recognition of outsider trading, there was a slight snag to the Second Circuit’s reversal – which could impact the SEC’s prosecution of the outsider trading ring. The Second Circuit remanded the case to the district court for further proceedings as to the nature of Dorozhko’s hacking process — noting that hacking might not be a securities fraud if, for instance, it was based on discovering weaknesses in software rather than, a deception, such as a hacker using hijacked employee credentials.

 

The new Dorozhko trial result could have perhaps hardened outsider trading theory but, alas, after Dorozhko’s attorney confirmed he was unable to get in touch with Dorozhko, the district court granted summary judgment to the SEC and, among other relief, ordered Dorozhko to pay a civil penalty of approximately $286,000, Dorozhko’s net profit from trading the IMS put options.

 

Thus, the theory of outsider trading, while partially vetted by the Second Circuit, still remains somewhat untested i.e. the question remains whether exploiting a weakness in securities code is a mere theft or is instead a “deception” and therefore unlawful outsider trading.

 

Therein lies the rub: For the SEC staff to charge an outsider trading violation, the SEC must “reverse-engineer” the malware involved in the cyber-attack and confirm that it involved a “deception.” This is what may be causing the consternation among current SEC officials and led one former SEC Deputy General Counsel to write:

 

“The recent computer hacking cases [like Dorozhko] are important because they create dangers from over-zealous pursuit of securities law violations. The government had the ability to charge one or more reasonable and appropriate crimes against the hacker and trader defendants but reached out too far to include securities fraud.  Success on the securities fraud claims will require enlarging current law. When the government uses untested and broadened legal theories in an enforcement case, it disserves the legal system. It treats the defendants unfairly, expands the law to catch future conduct that might not be blameworthy, and encourages the SEC and criminal prosecutors to threaten arbitrary claims in the future. The securities laws and the SEC do not police the world. Some bad acts are not securities fraud.”

 

Malware: (Oh Lord) Please Don’t Let Me Be Misunderstood

The term “malware” is often misunderstood. It is often defined as software designed to interfere with a computer’s normal functioning, such as viruses (which can wreak havoc on a system by deleting files or directory information); spyware (which can gather data from a user’s system without the user knowing it.); worms (which can replicate themselves independently to spread to other computers); or Trojan horses (which are non-self-replicating programs containing malicious code that, when executed, can carry out an attacker’s actions).

 

The definition of malware is actually far broader. In the context of a cyber-attack, malware means any program or file used by attackers to infiltrate a computer system. Like the screwdriver a burglar uses to gain unlawful entry into a company’s headquarters, legitimate software can actually be malware. For example, during an APT attack, attackers might use “RAR” files as containers for transporting exfiltrated information, yet RAR files have a wide range of legitimate uses.

 

The SEC’s “Malware Pleading

Post-Dhorozko, buried quietly within the SEC’s outsider trading complaints, lies the gist of how the SEC pleads malware-related facts necessary to meet the “deception” requirement of Dorozhko.  For instance, in Paragraph 71 of the SEC Dubovoy outsider trading ring complaint and Paragraph 79 of the SEC Zavodchiko outsider trading complaint, the SEC states:

 

“The hacker defendants used deceptive means to gain unauthorized access to the Newswire Services’ computer systems, using tactics such as: (a) employing stolen username/password information of authorized users to pose as authorized users; (b) deploying malicious computer code designed to delete evidence of the computer attacks; (c) concealing the identity and location of the computers used to access the Newswire Services’ computers; and (d) using back-door access-modules.”

 

Similarly, in the SEC’s Ly Complaint, the SEC made an even more specific attempt at pleading that the outsider trading ring perpetrated a fraud, and not a theft, stating:

 

“In or about July 2013, Ly discovered that he could electronically intrude without authorization (“hack”) into Expedia senior executives’ company computers by using Expedia’s IT administrative access privileges. Through his hacks, Ly repeatedly viewed the contents of Electronic documents maintained by Expedia executives on their company computers, including the files of the Chief Financial Officer (“CFO”) and the Head of Investor Relations, without anyone’s knowledge or permission. Ly’s hacking soon expanded and relied on several deceptive means to access both company computers and email accounts of Expedia’s senior executives, including the following:

(a)  misusing Expedia’s IT administrative access privileges to conceal his identity and access of Expedia computers;

(b)  hacking, by method (a) above, into a senior IT employee’s computer and stealing a “passwords” file, which contained elevated credentials associated with an IT administrative service account (“IT Service Credentials”). The IT Service Credentials, which Ly did not have permission to use, gave him even greater levels of access to Expedia employees’ corporate accounts, including employee emails; and

(c)  misappropriating the network credentials of innocent Expedia employees to access certain Expedia email accounts (in particular, accounts for the CFO and Head of Investor Relations) while evading detection.”

 

Finally, in the SEC’s Hong prosecution, the SEC expanded their pleading even further, making the defendant’s alleged deception crystal clear in a tour-de force of outsider trading pleading:

 

“ . . . Defendants directly, indirectly, or through or by means of others hacked into Law Firm 1’s nonpublic network through deceptive means that included:

  1. Installing malware on servers in Law Firm 1’s network. “Malware” is software that is intended to damage or disable computers and computer networks, or to circumvent installed security and access controls.
  2. Using the malware to obtain broad access to nonpublic aspects of Law Firm 1’s network, including broad access to Law Firm 1’s nonpublic email systems.
  3. Compromising the user account of a Law Firm 1 Information Technology employee (hereinafter “Law Firm l IT employee”). Law Firm 1 IT employee had exceptional credentials that provided access to all other email accounts within Law Firm 1’s nonpublic network.
  4. Posing as Law Firm 1 IT employee and using his Expedia credentials to gain access to all. of Law Firm 1’s nonpublic email accounts, including the email accounts of Law Firm 1 merger and acquisition partners(such as Partner A).
  5. Engaging in additional deceptive acts to conceal the breach of the nonpublic network including disguising the activity as typical network traffic. As a result, Law Firm l’s security systems did not recognize the deceptive breach.”

 

Undoubtedly, by the end of 2016, the SEC had mastered the art of pleading deception in outsider trading cases and the SEC’s outsider trading program flourished, slowly becoming implanted in the SEC enforcement program. But regrettably, the SEC’s outsider training program has apparently disappeared, shifting dramatically from one of bold proclamations to one of resounding radio silence.

 

The SEC’s Outsider Trading Enforcement Program Since the EDGAR Data Breach

Since the EDGAR data breach, the SEC has not brought any outsider trading cases — zero, zilch, nada – and the topic of outsider trading seems markedly absent from the current laundry list of SEC enforcement priorities and concerns.

 

Indeed, a recent New York Times op-ed piece by SEC Commissioner Robert J. Jackson, Jr. and former SDNY U.S. Attorney Preet Bharara entitled, “Insider Trading Laws Haven’t Kept Up With the Crooks,” hinted at a significant rift within the SEC Commissioners about outsider trading, raising questions whether the SEC will file any future outsider trading cases ever again.

 

 

The authors write: 

“ . . . [W]hat if a hacker finds his way into a corporate computer system and trades on the sensitive information he uncovers? Will that hacker face charges of insider trading? This time, the answer depends on whether the information was obtained through sufficiently “deceptive” practices, like misrepresenting one’s identity to gain access to information, rather than just mere theft, like exploiting a weakness in computer code. Again, we think ordinary investors would be deeply concerned that any trading on the basis of hacked information might evade punishment. Insider trading law should not allow the possibility that profits obtained through illicit trading could fund the cyberattacks that the American government and companies are constantly facing . . . The uncertainty in insider trading law invites debate over the legality of misconduct that has no place in our markets.”

 

The SEC Should Restore its Robust and Vigorous Outsider Trading Enforcement Program

Empowered by the latest malware and online intrusion weaponry, cyber attackers engaging in outsider trading schemes like the EDGAR hack pose a serious threat to the integrity and security of the global financial marketplace – a threat which must be stopped dead in its tracks.

 

No longer are social security numbers, credit card information and the like the primary focuses of hackers. Information is the target – and public companies and the SEC in its EDGAR database have a lot of it.  Indeed, crooks from anywhere in the world can now use their cyber-wares to orchestrate corporate espionage and remotely trade stock based on stolen secrets.

 

Of all the regulators and law enforcement agencies who mark securities fraud as their territory, the SEC stands alone in its expertise, experience, and wherewithal, so it is not surprising that the Second Circuit validated the SEC’s outsider-trading theory (albeit with a malware reverse-engineering glitch).

 

To deter this rising 21st century menace, the SEC proceeded methodically with the Lohmus HavelBlue BottleDorozhko and even Stummer enforcement actions. Next, with its two 2016 sprawling outsider trading ring busts (Turchynov and Zavodchiko) and its first law firm hacking case (Hong), the SEC reinforced its assertion of outsider trading jurisdiction.

 

The SEC’s creativity and its use of an initially ambitious outsider trading legal theory is not surprising. SEC staffers probably found inspiration from the almost 50 year-old pivotal Supreme Court decision written by Supreme Court Justice (and former SEC Commissioner (1935) and Chairman (1936-37)) William O. Douglas and captioned Superintendent of Insurance v. Bankers Life and Casualty Co.  In that decision, Justice Douglas opined:

 

“We believe that section 10(b) and Rule 10b-5 prohibit all fraudulent schemes in connection with the purchase or sale of securities, whether the artifices employed involve a garden type variety fraud, or present a unique form of deception. Novel or atypical methods should not provide immunity from the securities laws.”

 

Would courts intervene and halt the SEC from expanding insider trading liability to hack-and-trade schemes perpetrated by Dorozhko and the litany of other outsider trading culprits? Probably not.

 

First, judicial expansion of insider trading law is a tradition; some might say even a jurisprudential national pastime. And until Congress opts to define insider trading (a debate which has been raging for decades), using judge made law remains the only way prosecutors can address the deceitful and dishonest practice of trading securities based on material, nonpublic information.

 

Second, with respect to outsider trading, the specially trained SEC staff are the most capable law enforcement organization to scrutinize, appreciate, understand and bring to justice the complex trading violations involved.

 

Finally, the SEC’s efforts targeting outsider trading, under any theory (even an aggressive one), is not only good for investors but also good for capital markets – two constituencies the SEC is sworn to protect.  The public’s reaction to the EDGAR data breach dramatically proves this point. Reporters, politicians and pundits all sounded a similar alarm: if the EDGAR hackers were caught, insider trading would be the crime

 

But whatever the vagaries of the SEC’s Depression-era insider-trading statute, when it comes to outsider trading, SEC Chairman Clayton has little choice but to dig in. As the guardian of U.S. capital markets and sworn protector of investors, the SEC cannot allow itself to become a securities fraud kingpin, inadvertently sourcing ironclad tips of nonpublic information to an online outsider trading ring.

 

Looking Ahead 

The EDGAR data breach was more than just a run-of-the-mill cyberattack (if there is such a thing).  By exploiting an SEC data security weakness and attempting to use the exfiltrated EDGAR data for trading on material, nonpublic information, the cyber-attackers ironically ensnared the SEC in its own crosshairs.

 

But there was a silver lining to it all.  Like a beat-cop who is mugged and robbed, the SEC would never look at data breach victims the same way again – or so we hoped.  Now that a year or so has passed since the SEC’s announcement of the EDGAR data breach, the SEC should take the opportunity for some reflection  — and consider their apparent abandonment of outsider trading enforcement.

 

 

The flexibility of the SEC’s statutory weaponry has always been its hallmark.  As renowned SEC scholar and Georgetown Law School professor(and former SEC staffer) Donald Langevoort wrote way back in 1993, Rule 10b-5 is an adaptive organism – and it works. Along those same lines, in 1996, William McLucas, the SEC enforcement director at the time, co-authored an article entitled, “Common Sense Flexibility and Enforcement of the Federal Securities Laws,” explaining how enforcement programs such as insider trading; foreign payments; municipal bond fraud and so many others grew out of the intentionally flexible SEC anti-fraud provisions.

 

Later, in 1999, when Steve Cutler became SEC enforcement deputy director and I was named Chief of the SEC’s Office of Internet Enforcement, we co-authored an article entitled, The SEC’s Statutory Weaponry to Combat Internet Fraud,” reiterating McLucas’s thesis in the context of the SEC’s Internet program.  In our article, Cutler and I cited the same adaptive capacity extolled by Langevoort and championed by McLucas (and the legendary Stanley Sporkin before him).

 

The SEC should get with the virtual program and redouble its efforts at policing outsider trading, an alarming and futuristic category of wrongdoing. The SEC has experienced first-hand the humility and alarm of playing the dupe in some offshore outsider trading scheme, and is clearly the best equipped to fight back. For more than 80 years, the SEC’s dedicated and vigilant enforcement staff has stood as a proud sentinel for investors, and SEC Chairman Clayton should cut the SEC enforcement staff loose and refuse to allow a preposterously strict reading of the ’34 Act’s broadly vested anti-fraud provisions to stand in its way.

 

That the SEC experienced a hack-and-trade cyber-attack was unfortunate to say the least – and the SEC’s cybersecurity failure caused a fair degree of pain for SEC staff and investors alike.  But the EDGAR data breach also provided the SEC with a rare glimpse into the perilous dangers of outsider trading plots.  And it would be even more unfortunate for the SEC to fail to learn from such an extraordinarily teachable moment.

 

_____________

John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He has taught most recently as Senior Lecturing Fellow at Duke University Law School Winter Sessions and will be teaching a cyber-law course at Duke Law in the Spring of 2019. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of, “The Cybersecurity Due Diligence Handbook.”