Civil and Criminal Charges Filed in SEC Hacking

Morgan Lewis

Morgan Lewis

As we previously discussed, nobody is safe from cybersecurity threats, and as our colleagues last reported, the US Securities and Exchange Commission (SEC) has heightened its cybersecurity scrutiny, issuing an investigative report on cyber fraud against publicly traded companies and signaling it will pursue both bad actors as well as companies failing to implement controls to detect and prevent hacking. A victim of a data breach itself, the SEC is now demonstrating how it intends to pursue bad actors.

On January 15, the SEC filed a civil suit in US District Court in the District of New Jersey related to its own hacking against individuals and business entities in Ukraine, Hong Kong, California, Belize, Russia, and Korea. The SEC alleges in the suit that the defendants hacked into the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system through a variety of means—including phishing emails and malware—and stole information (namely, publicly-traded companies’ earnings information). The suit further alleges the defendants then traded securities based on the stolen information before it became public. The SEC argues all defendants were necessary participants in the “fraudulent scheme” as some defendants were required to “obtain, through deception, material nonpublic information from the SEC’s EDGAR system” and others were required to “monetize the material nonpublic information by making profitable trades.” The SEC requests the district court to permanently enjoin the defendants from engaging in unlawful conduct[1], order the return of all profits and/or gains realized from the trading, and impose civil penalties[2] on the defendants.

On the same day, the US Attorney’s Office for the District of New Jersey similarly filed a criminal indictment of 16 charges against two Ukrainian individuals relating to the EDGAR hacking. The defendants are alleged to have conspired to (and in some cases actually act to) “intentionally access” the SEC computer network “without authorization” to “steal annual, quarterly and current reports of publicly traded companies before the reports were disseminated to the investing public” and illegally profit “by selling access to the material non-public information contained in these as yet undisclosed reports and by trading in the securities of the companies before the investing public learned the information.” The charges include conspiracy to commit securities fraud[3], conspiracy to commit fraud and related activity in connection with computers[4], conspiracy to commit wire fraud[5], six instances of wire fraud[6] between May and August of 2016, and seven instances of fraud and related activity in connection with computers[7] during the same time period. The indictment calls for the return of all property related to the offenses, including property that was used or would have been used in the commission of the crimes and proceeds derived from the crimes, plus interest.

[1] The SEC expressly identified the behavior as violating Exchange Act Section 10(b) (15 U.S.C. §78j(b)), Rule 10b-5 (17 C.F.R. §240.10b-5) and Securities Act Section 17(a) (15 U.S.C. §77q(a)).

[2] Pursuant to Section 21 and 21A of the Exhange Act (15 U.S.C. §78a, 78a-1).

[3] In violation of 17 C.F.R. §240.10b-5, 15 U.S.C. §§78j(b) and 78ff, 17 C.F.R. §240.10b-5 and 18 U.S.C. §371.

[4] In violation of 18 U.S.C. §§1030(a)(2)(B), (a)(2)(C), (c)(2)(B)(iii) and 371.

[5] In violation of 18 U.S.C. §§1343, 1349.

[6] In violation of 18 U.S.C. §§1343

[7] In violation of 18 U.S.C. §§1030(a)(2)(B), (a)(2)(C), (c)(2)(B)(iii) and 2.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.