Hedge Fund Hack Results in Trade Secret Loss, and Raises SEC Reporting Issues

Data breaches may be nothing new, but they are certainly evolving into bigger and more notorious infractions. While the data breaches of yesterday may have involved accidental disclosure or disgruntled former employees, the data breaches of today are often carried out by outsiders and highly organized and sophisticated criminal groups. And hackers aren’t just after credit card information; they are often seeking proprietary information. In short: trade secrets, watch out.

And it’s not just trade secrets that are at risk; fiduciaries of public companies, or any entity regulated by the SEC, have a duty to protect the valuable assets of the company and may need to disclose material events regarding data breaches under certain circumstances.  Victim companies facing the theft of valuable customer information or company assets in a data breach may also find themselves in difficult conversations regarding corporate duties and SEC disclosures.

With large-scale, high-profile data breaches becoming more common in recent years (think the infamous Target data breach during last year’s Christmas shopping season), the SEC has made clear that data privacy is a priority inspection area. A recently reported hedge fund attack presents an interesting situation that arises at the intersection of lost trade secret data and the regulatory oversight of regulated entities.

Late last month, BAE Systems Applied Intelligence reported a successful—and rare—criminal attack on an unnamed U.S.-based hedge fund that cost the hedge fund millions of dollars over the two-month span of the attack.  The hack began with a successful phishing email sent to a member of the hedge fund’s staff. Once the attack commenced, the hackers lifted information about what trades were being made and when they were being made, before sending the details of the trades to external servers. Additionally, the hackers added slight time delays to the hedge fund’s trades, which could have provided an outsider time to make the same trade, thus gaining a trading advantage.

While the identity of the hackers is still unknown, the attack occurred in January 2013, and was brought to the attention of the hedge fund’s board soon after. Although a BAE representative was unable to confirm whether or not the hedge fund had reported the attack to the SEC or the FBI, the attack undoubtedly placed the hedge fund in a difficult situation.

In one sense, the hedge fund was a victim of a cyber attack on its confidential trading information. In this sense, the fund would be a “victim” and would seek help from law enforcement officials to identify (and prosecute) those who stole trade secrets in the form of trading decisions. On the other hand, such thefts raise concerns that other regulatory agencies might investigate the fund itself – looking for potentially deficient protocols or antiquated security systems. This dilemma is particularly relevant to public companies and mutual funds that have even more stringent SEC disclosure requirements than hedge funds. And the fiduciaries of all of these organizations face important decisions about how to handle such attacks. Data breaches have become a much higher-profile issue – both inside and outside of businesses of all sorts.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Trade Secrets Group | Attorney Advertising

Written by: Orrick - Trade Secrets Group
