SEC guidance following record cyber breach

A major case of fraud involving hackers hit the headlines this summer – a fresh reminder of the importance of sound cyber security.

The case involves 32 individuals charged with fraud by the US Securities and Exchange Commission (SEC) for taking part in a scheme to profit from stolen non-public information about corporate earnings announcements. Those charged include two Ukrainian men who allegedly hacked into newswire services to obtain the information, and 30 other defendants from inside and outside the US who allegedly traded on that information, generating more than $100m in illegal profits.

SEC chair Mary Jo White described the scheme as “unprecedented in terms of the scope of the hacking, the number of traders, the number of securities traded and profits generated”.

The SEC alleges that over a five-year period the two hackers stole hundreds of corporate earnings announcements before they were publicly released by newswires. This stolen data was then transmitted to traders in Russia, Ukraine, Malta, Cyprus, France and three US states. The traders are alleged to have used the information in a short window of opportunity to place illicit trades in stocks, options and other securities. In one instance, on 1 May 2013, the hackers and traders allegedly moved in a 36-minute period between a newswire’s receipt and release of an announcement that a company was revising its earnings and revenue projections downward. Traders began selling the company’s stock short and selling contracts for difference, making $11,000 in profits when the company’s share price fell after the news went public.

Take preventative action
Family offices and funds can take steps to protect themselves. One useful source of advice comes from the SEC’s Division of Investment Management, which has developed some succinct guidance, issued in April 2015, to help investment managers prevent external cyber-attacks. In essence, the guidance covers three key areas: assessment, strategy and implementation.

In terms of assessment, the SEC has identified five areas that should be addressed periodically:
  • the nature and sensitivity of confidential information;
  • the cyber security landscape;
  • security controls and processes;
  • effectiveness of the governance programme in managing cyber security risk;
  • the type of impact on the firm of a security breach.
There are also five key considerations in relation to strategy:
  • the use of access controls including firewalls;
  • data encryption;
  • how to address removable storage media;
  • backup and retrieval;
  • the development of incident response plans.
The SEC’s guidance then emphasises that implementing a cyber security strategy successfully requires proper written policies and procedures and staff training.
“It’s vital that family offices have sound strategies, governance procedures and controls in place to counter the growing cyber security risks they face,” says Alex Traill, a senior manager at Moore Stephens. “If in any doubt about the robustness of your defences, please get in touch. We have specialists who can advise on your current risk management framework and any action you need to take.”

For more information, please contact John Stanford or Alex Traill.