On December 27, 2016, the Securities and Exchange Commission (“SEC”) filed a complaint against three Chinese nationals, alleging that they hacked two New York-based law firms, stole material nonpublic information relating to upcoming mergers and acquisitions, and traded on that stolen information, earning approximately $3 million in illegal profits. Complaint at 2, SEC v. Iat Hong
, No. 16-Civ __ (S.D.N.Y. Dec. 27, 2016) (“Complaint”). Stephanie Avakian, Acting Director of the Enforcement Division at the SEC, explained that investigators used recently developed “enhanced trading surveillance and analysis capabilities” to identify the scheme. Press Release, SEC, Chinese Traders Charged with Trading on Hacked Nonpublic Information Stolen from Two Law Firms
, Dec. 27, 2016, (“SEC Press Release”).
According to the SEC’s complaint, Iat Hong, Bo Zheng, and Hung Chin specifically targeted attorneys who represented companies in prominent mergers and acquisitions transactions (“M&A attorneys”). The defendants installed malware in the targeted law firms’ systems and compromised the accounts of the law firms’ IT employees. This enabled the defendants to gain access to the M&A attorneys’ email accounts, and they stole millions of documents relating to pending mergers and acquisitions transactions. Complaint at 12, 18–19. The law firms did not detect these security violations, and the defendants made it appear as if the extraction of data was usual traffic on the law firms’ servers. Complaint at 11. By hacking this information, the defendants identified several potential merger and acquisition transactions, including ones involving possible targets: InterMune, Inc. (a biotechnology company), Altera Corporation (a California-based manufacturer of computer chips), and Borderfree, Inc. (an e-commerce company based in Manhattan). Based on this information, the defendants purchased shares in the potential target companies, which yielded substantial profits totaling approximately $3 million.
These facts highlight the risks of “cyber theft.” In addition to targeting publicly traded companies and financial institutions, hackers are now expanding their sights to include such entities’ law firms and outside advisors. Law enforcement and regulatory agencies are taking these risks seriously, devoting considerable resources to investigating such crimes, and educating stakeholders about ways to combat—or contain—such risks. Last year, for example, the FBI and federal prosecutors in the Southern District of New York investigated an attempted hacking that targeted at least fifty law firms. Melissa Maleske, 5 Events that Rocked the Legal Industry in 2016
, Law360, Dec. 23, 2016. That investigation remains ongoing, and no related charges have been filed. In the press release accompanying these charges, the SEC stressed the importance of protecting computer networks, which “can be vulnerable targets,” and its “commitment and effectiveness in rooting out cyber-driven schemes no matter how sophisticated.” SEC Press Release.
We expect to see more of these types of charges—insider trading based on “hacked information”—in the months to come, given the priorities the DOJ and SEC have assigned to cybersecurity.