The SEC and the U.S. Secret Service are separately investigating hackers who may be breaching corporate email accounts to gather inside information on which they can then trade, Reuters reports. News of the investigations comes approximately seven months after cybersecurity firm FireEye Inc. released a December 1, 2014 report about a group of hackers called "FIN4." FireEye said that FIN4 was targeting the email accounts of top executives, lawyers and others in an effort to obtain non-public information about merger and acquisition deals and major market-moving announcements.

 

According to FireEye, the FIN4 hackers used spearphishing tactics to gain access to confidential emails. The hackers reportedly targeted over 100 companies -- 80% publicly-traded companies and 20% "firms advising public companies on securities, legal and M&A matters" such as law firms, investment banks and investor relations firms.

 

Yesterday, Reuters reported that the SEC has requested documents and information from at least eight public companies about data breaches at the companies. John Reed Stark, President of John Reed Stark Consulting LLC, told Reuters that to his knowledge, the SEC's request for data breach information in connection with an insider trading case is unprecedented.

 

Stark, a cybersecurity expert who was previously the founder and Chief of the SEC Office of Internet Enforcement, told me today that he thinks of the conduct under investigation as "outsider trading." Unlike classical insider trading, he said, there is no pre-existing relationship of trust and confidence between the source of the information and the hacker who does the trading, so the “deception” involved relates directly to the hacking or unauthorized computer access. Stark added that the SEC’s new assault on outsider trading creates a double whammy for public companies caught up in its dragnet. Not only must the public company respond to the SEC request but the company must also independently investigate, report, contain and remediate the breach.