More than a year ago, the U.S. Securities and Exchange Commission (SEC) cracked down on a group of hackers and traders who obtained confidential, non-public information about publicly traded companies by hacking websites for press releases. A recently released report by a cybersecurity company suggests that such insider trading continues, although this time with data obtained by phishing personnel at publicly traded companies who typically file reports to investors with the SEC.
The FireEye report details a scheme in February to obtain confidential corporate information by spoofing an email purportedly from the SEC’s EDGAR filing service. When the email recipient clicked on instructions inside the attached Microsoft Word file, they unwittingly granted access to the internal corporate networks of the company. Because the scam appeared to come from a legitimate sec.gov email address, FireEye indicates several corporate executives were fooled.
Law firms have also been targets for cybercriminals looking to trade on inside information. In December, the government brought charges against three Chinese citizens who hacked top U.S. mergers and acquisitions lawyers to obtain information about deals and profit from buying shares.
This is prime territory for the SEC whistleblower program. A person at a hacked company who turns over critical information about the scam to the SEC, allowing it to stop the illicit trading, could be entitled to a reward. Individuals who work for the companies trading on the confidential and illegally obtained information could also put together the evidence to report the trades to the SEC.
In the 2015 case, one of the participants settled with the SEC for $30 million. With rewards of between 10 and 30 percent of the recovery, this enforcement action alone could have brought a whistleblower $3 to $9 million.
The potential disruption of the market by participants trading on hacked information is tremendous. It poses a definite threat to the integrity of the market, and we therefore expect such information to be taken seriously by the SEC when received from a credible whistleblower. Indeed, the SEC has recognized this problem and made cybersecurity compliance a top priority for its compliance examinations of broker-dealers and other market participants. It is unlikely to take a different approach in its pursuit of enforcement actions.