Cyber Criminals Win Playing the Insider Game

Insider stock trading is commonly associated with employees at an organization who have access to privileged information. In recent years, that privileged information has entered the crosshairs of cyber criminals seeking to gain a competitive edge in stock trading. FIN4 is one such example. Using relatively simple tactics, the large-scale cyber crime group identified by FireEye targeted individuals from more than 100 companies, predominately within the healthcare and pharmaceutical industry. It is believed their intent was to obtain access to inside information that would have a significant influence on future stock valuations, as targeted individuals were key employees who may have possessed nonpublic information about merger and acquisitions and/or other market moving announcements.

There are also examples of threat actors seeking to obtain SEC reports before they are made public from third parties, including those that disseminate press releases on behalf of companies. Earlier this year FireEye iSIGHT Intelligence reported on a threat actor seeking partners to steal SEC 10-K, 10-Q, and 8-K release reports from media companies. In addition to media relations outlets, cyber criminals have also successfully targeted law firms to steal information associated with clients, more specifically to obtain nonpublic information about mergers and acquisitions. The SEC reported on one operation conducted by Chinese hackers that reportedly resulted in almost $3 million in illicit proceeds. These operations highlight the profitability of securities-related fraud, which is undoubtedly appealing for cyber criminals.

Given the proven success of hacking being used to obtain insider information, as well as the widespread and low-cost availability of hacking tools and services available within underground marketplaces, internal risk managers and security executives must examine how their overall cybersecurity strategy addresses the cyber criminal insider trading threat. 

For starters, companies should conduct cyber risk assessments to examine the strength of defenses surrounding sensitive information that could be used to conduct non-traditional insider trading. Simply having a record of the ways sensitive information can be accessed, the damage that could be caused if sensitive information is stolen, and the defensive measures ultimately taken to prevent a potential incident from occurring will make it easier for a company to argue that it took reasonable and appropriate steps to prevent insider trading enabled by cyber crime.

It’s also important to note that cyber criminals could gain access to nonpublic information indirectly, so companies must also examine third party vendor agreements to ensure that organizations entrusted with sensitive information are taking measures to secure that information when out of the company’s control. This is similar to how traditional brick-and-mortar stores use armored car companies to move cash to a bank – businesses must put controls in place to ensure that sensitive information is protected while in transit to and at rest with a third party. 

Learn more about insider threats and cyber threats to mergers and acquisitions.

Brian E. Finch is a partner at Pillsbury Winthrop Shaw Pittman LLP and co-leader of the firm’s Cybersecurity, Data Protection and Privacy practice. He can be reached at brian.finch@pillsburylaw.com.