UK regulators likely to scrutinise data security after alleged US insider trading hacking, says expert

The Securities and Exchange Commission (SEC) announced on Tuesday that it has charged 32 people with fraud over what it claimed was their "part in a scheme to profit from stolen nonpublic information about corporate earnings announcements". It has filed papers with a district court in New Jersey (62-page / 2.75MB PDF) which outlines the activities it said it has uncovered.

The SEC said that hackers used "advanced techniques" to access hundreds of announcements about businesses' financial results from newswire services before those services released the information publically.

It accused two men of spearheading the scheme which it claimed saw the stolen data passed on to market traders in the US, Russia, Ukraine, Malta, Cyprus and France. The traders then used the information to "place illicit trades in stocks, options, and other securities, sometimes purportedly funneling a portion of their illegal profits to the hackers", the SEC alleged.

The SEC said that in some cases the hackers and traders exploited "a very narrow window of opportunity to extract and use the allegedly hacked information" and in total had made more than $100 million in "illicit profits".

"This cyber hacking scheme is one of the most intricate and sophisticated trading rings that we have ever seen, spanning the globe and involving dozens of individuals and entities," said Andrew Ceresney, director of the SEC’s enforcement division. "Our use of innovative analytical tools to find suspicious trading patterns and expose misconduct demonstrates that no trading scheme is beyond our ability to unwind."

Financial enforcement expert Michael Ruck of Pinsent Masons, the law firm behind Out-Law.com, said the issue of cyber attacks and hacking in insider dealing activities is "a clear area of focus for market regulators along with other prosecuting agencies".

"The FCA and other market regulators will no doubt be asking questions around both the security of those whose data was stolen as well as the systems and controls of any traders involved in these activities," Ruck said.

Technology law expert Luke Scanlon of Pinsent Masons said businesses need to have a "three-step process" for managing cyber and data security risk.

"Firstly, companies need to implement a high level of security, which means having the right technology to address external threats, together with rules and processes that govern how people within their organisations interact with their systems," Scanlon said. "They need a clear strategy for engaging with regulators and those affected when a breach occurs, and a structured incident response plan which deals with both the legal consequences and reputational impact of a hack or data breach."

"This case highlights that too much of the focus of recent discussions on cyber security has been only on privacy rights. It shows that law makers need to look more at the processes and controls to be put in place to help corporations protect confidential information," he said.