Perpetrators of securities fraud increasingly employ technological means to gain an unfair advantage in the markets, whether through impersonation of other market participants on social media, submission of false securities filings, exploitation of cybersecurity lapses, or concealment of insider trading. To keep pace, the SEC’s Enforcement Division has ramped up its efforts to address cyber-related securities law violations by creating a new Cyber Unit. On October 26, 2017, Stephanie Avakian, Co-Director of the SEC’s Division of Enforcement, announced the creation of the Enforcement Division’s Cyber Unit after determining that the SEC could do more “to align [its] resources with two of [its] key priorities – significantly, retail and cyber.” See Stephanie Avakian, Co-Director, Division of Enforcement, The SEC Enforcement Division’s Initiatives Regarding Retail Investor Protection and Cybersecurity (Oct. 26, 2017).
The Enforcement Division, which has already developed significant expertise in its Market Abuse unit, deems cyber-threats as sufficiently serious to warrant aggregating the division’s expertise in a dedicated unit. The Enforcement Division’s focus on cyber-related misconduct is a direct response to the increasing frequency and complexity of cyber-related schemes. This is demonstrated by cases brought by the Commission against domestic and foreign individuals who profited from manipulating the market using cyber-related deceptive devices, or against companies that failed to take reasonable measures to prevent cyber-related deception. The remainder of this article describes examples of the SEC’s enforcement efforts to date, as well as the implications for the prevention, investigation and prosecution of cyber-related misconduct.
Manipulation Through False Social Media
On November 5, 2015, the SEC filed securities fraud charges against James Craig, a Scottish trader who issued false tweets. Those tweets purported to come from securities research firms, and Craig allegedly sent them in order to manipulate the stock prices of two public companies. The Complaint alleges that on January 29, 2013, Craig issued eight tweets on a Twitter account he created to resemble a Muddy Waters research firm account. Those tweets falsely announced a Department of Justice investigation of Audience, and caused a 28 percent drop in share price. The stock price recovered several hours later, eight minutes after the real Muddy Waters tweeted that “there was no Muddy Waters report being released by them” and that Craig’s tweets were “a hoax.” The Complaint also alleges that on January 30, 2013, Craig used a fake Citron Research account to tweet false information about Sarepta drug trial results being tainted, which may have prompted a 16 percent drop in stock price. (The stock price recovered before noon.) Lastly, on July 9, 2013, Craig again issued impersonated Muddy Waters tweets about Intuitive Surgical, Inc., which stated that the SEC and Department of Justice were investigating “robotic safety and alleged misconduct.” But the market did not react to these tweets. See Complaint at 5, S.E.C. v. James Alan Craig, Case No. 3:15-cv-05076 (N.D. Cal. Nov. 5, 2015).
Manipulation Through a False Filing
On May 19, 2017, the SEC filed fraud charges against Robert Murray, a Virginia-based mechanical engineer. The Complaint alleges that Murray engaged in a range of cyber-activity to manipulate Fitbit’s stock and to profit from out-of-the-money call options he purchased. According to the Complaint, Murray filed a false tender offer form on the SEC’s EDGAR system announcing a fictitious company’s intent to purchase all of Fitbit’s outstanding shares at a substantial premium, and he used a fake e-mail account, a fictitious person and a fictitious IP address in his effort to avoid detection. The fake filing caused a temporary spike in trading when the false tender offer became publicly available on November 10, 2016, and Murray sold his options for a 351 percent profit. See Complaint, S.E.C. v. Murray, 17-CV-03788 (S.D.N.Y. May 19, 2017).
Concealment of Insider Trading Scheme Using Encrypted and/or Self-Destructing Messaging Apps
The SEC filed a complaint on August 16, 2017 against seven alleged fraudsters who obtained over $5 million in profit by trading on inside information concerning impending mergers, acquisitions and tender offers, and concealed their activity by using self-destructing messaging apps. According to the Complaint, from October 2014 through April 2017, Rivas accessed and passed along confidential information about impending transactions involving numerous companies to the defendants Moodhe, Rodriguez, Sablon and Zoquier, who in turn traded on the information and passed along tips to the defendants Siva and Rogiers and to others. In the midst of the trading scheme, Rivas, Sablon and Rodriguez stopped communicating by telephone and text messages, and instead tried to avoid detection by communicating over an encrypted self-destructing messaging application. Rivas also used an encrypted self-destructing messaging application to tip Zoquier, to avoid creating evidence of the scheme. The SEC Market Abuse Unit used its Analysis and Detection Center’s data analysis tools to uncover the suspicious trading patterns. See Complaint, S.E.C. v. Rivas, et al., 1:17-cv-06192 (S.D.N.Y. Aug. 16, 2017).
On August 31, 2017, the SEC filed a lawsuit against Evan Kita, a former Celator Pharmaceuticals, Inc. employee, who tipped Daniel Perez and Richard Yu (who, in turn, tipped his father, Chiang Yu) ahead of an impending announcement about positive results in a Phase 3 clinical trial for its cancer drug, and Celator’s impending acquisition by Jazz Pharmaceuticals, Plc. Kita tipped the others in exchange for a share in their profits, and used a smartphone application that sent encrypted messages to conceal their communications. See Complaint, S.E.C. v. Kita, et al., Case No. 17-cv-06603 (D.N.J. Aug. 31, 2017).
Manipulation Through a Direct Cyber-Attack
The SEC has also targeted individuals who profited from direct hacks into brokerage accounts. For example, on June 22, 2016, the SEC obtained an emergency court order freezing the assets of Idris Dayo Mustapha, a U.K. resident charged with hacking into at least nine online brokerage accounts in April and May 2016 to make unauthorized rapid stock purchases in at least 10 companies at increasing prices. Mustapha then profited on trades in his own accounts. See Complaint, S.E.C. v. Mustapha, 16-cv-4805 (S.D.N.Y. June 22, 2016).
Failing to Adopt Reasonable Measures to Defend Against Cyber Attacks
Broker-dealers have had to upgrade their cybersecurity policies and procedures as the SEC heightens its enforcement of the Gramm-Leach-Bliley Act’s Safeguards Rule. See Rule 30(a) of Reg. S-P (17 C.F.R. §248.30). The Safeguards Rule requires that every registered investment adviser, broker-dealer and investment company adopt written policies and procedures reasonably designed to (1) ensure the security and confidentiality of nonpublic customer information; (2) protect against any anticipated threats or hazards to the security or integrity of nonpublic customer information; and (3) protect against unauthorized access to, or use of, nonpublic customer information that could result in substantial harm or inconvenience to any customer.
Enforcement actions against registered financial institutions have made clear that the SEC intends to ensure compliance with the letter of the Safeguards Rule. In September 2015 the SEC instituted cease-and-desist proceedings against R.T. Jones Capital Equities Management, Inc. in connection with its finding that the company, a registered investment adviser, had failed to adopt written policies and procedures reasonably designed to protect customer records in violation of the Safeguards Rule. The Complaint explained that from September 2009 through July 2013, the company stored sensitive, personally identifiable information without modification or encryption on its third party-hosted web server. In July 2013, the company obtained forensic confirmation that a hacker had gained full access to data on the server.
The Order identifies several deficiencies that violated the Safeguards Rule: (i) the company’s policies and procedures did not include conducting periodic risk assessments; (ii) the company did not employ a firewall to protect the web server containing client information; (iii) the company did not encrypt client information stored on the server; and (iv) the company did not establish procedures for responding to a cybersecurity incident.
The Order also credited the company for implementing several remedial measures, including the fact that it no longer stored personally identifiable information on its web-server; it encrypted information stored on its internal network; it installed a new firewall and logging system to prevent and detect malicious incursions; and it retained a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security. The company was ordered to cease-and-desist, was censured, and was ordered to pay $75,000. See R.T. Jones Capital Equities Mgmt., Inc., Investment Advisers Act of 1940 Release No. 4204, Admin. Proceedings File No. 3-16827 (Sept. 22, 2015).
Similarly, on June 8, 2016, the SEC instituted an administrative cease-and-desist proceeding against Morgan Stanley Smith Barney LLC (“MSSB”) for its failure to adopt written policies and procedures reasonably designed to protect customer records in violation of the Safeguards Rule. According to the Complaint, from August 2001 through December 2014, MSSB stored sensitive personally identifiable customer information on two of the firm’s portals, and may have facilitated an MSSB employee’s misappropriation of data regarding approximately 730,000 customer accounts. From December 15, 2014 to February 3, 2015, the employee conducted approximately 5,900 unauthorized searches of customer data in the two portals, posted the information on internet sites, and offered to sell more data in exchange for payment in bitcoins. Someone also hacked into the personal server on which the employee stored the stolen information, furthering the harm to customers.
The SEC found that MSSB failed to audit and/or test the effectiveness of the authorization modules, that it failed to monitor and analyze employee access to and use of the portals, and that MSSB’s policies were not reasonably designed to restrict access to confidential customer data. The SEC issued a censure and a cease-and-desist order against future violations of Regulation S-P, and ordered MSSB to pay a $1,000,000 fine. See Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Investment Advisers Release No. 4415, Admin. Proceeding File No. 3-17280 (June 8, 2016).
Although it involved an enforcement action by FINRA rather than the SEC, the November 2016 settlement of a FINRA action against Lincoln Financial Securities Corporation demonstrates that failure to supervise vendor relationships can also lead to sanctions against a broker-dealer for violation of the Safeguards Rule. In this instance, FINRA found that the firm failed to ensure that the vendor hired to configure the cloud server that stored customer records had properly installed antivirus software and used data encryption for stored documents, which allowed hackers to access the records of approximately 5,400 customers. FINRA also found that Lincoln Financial failed to adopt written supervisory policies regarding the storage of customer data on cloud-based systems until several months after the breach, and even then implemented a policy that was deficient.
Additionally, FINRA found that Lincoln Financial failed to ensure that its registered representatives and third-party vendors followed the firm’s data security policy and otherwise protected customer records, and had not monitored or audited vendor performance or tested and verified the security of information stored on cloud servers. FINRA censured Lincoln Financial and issued a fine of $650,000. See Lincoln Fin. Secs. Corp., Financial Industry Regulatory Authority Letter of Acceptance, Waiver and Consent No. 2013035036601 (Nov. 14, 2016).
Implications for the Securities Industry and Cyber-Enforcement
The use of cyber-tools to manipulate the market, penalties issued against securities firms for failing to do enough to reduce their vulnerability to cyber-attacks, and heightened SEC focus on cyber-related misconduct (foreshadowed by the creation of the new Cyber Unit) send a clear signal to securities firms that they need to intensify their efforts to minimize cybersecurity risks or face charges for failing to take reasonable measures to prevent fraudulent trading. For broker-dealers, investment advisers and investment companies, vigilance in identifying and minimizing cybersecurity threats is clearly required to achieve compliance with the Safeguards Rule.
Security procedures should at a minimum address many of the same concerns that have been identified for law firms, by, among other things, (i) establishing security protocols consistent with cybersecurity frameworks such as NIST or ISO 27001; (ii) developing robust information management policies; (iii) segregating personally identifiable customer information so it is not available on firm web-servers; (iv) implementing effective training of staff in cybersecurity measures and risks; (v) remaining vigilant with system updates; (vi) developing a breach response plan; and (vii) obtaining appropriate cybersecurity insurance coverage. See James Q. Walker, Must a Lawyer Protect Client Confidences from Cyber Attacks?, ABA/BNA Lawyers’ Manual on Professional Conduct (Nov. 15, 2017).
Additional guidance appears in FINRA’s 2015 Report on Cybersecurity Practices, which makes it clear that firms must perform periodic cybersecurity risk assessments, exercise strong due diligence across the life cycle of vendor relationships, and engage in collaborative self-defense by sharing information among securities firms about cybersecurity threats, attacks and preventive measures (perhaps seeking assistance from the Financial Services Information Sharing and Analysis Center (FS-ISAC) established pursuant to Presidential Decision Directive 63 on Critical Infrastructure Protection (May 22, 1998)). In addition, the SEC actions cited herein reflect the importance of encrypting information stored internally, installing appropriate firewalls, creating logging and authorization protocols, and monitoring access to confidential customer data. Firms that issue securities research should also monitor their social media presence to ensure accurate messaging by the firm and to detect false messaging by fraudsters impersonating the firm.
Conclusion
The Enforcement Division’s creation of the Cyber Unit reflects the SEC’s recognition of the need to enhance old tools and develop new tools to investigate, uncover and prosecute violations of the securities laws. While fraudsters and regulators alike are familiar with the use of shell companies, fictitious names, fictitious accounts, and searching emails and texts for evidence of individuals accessing and sharing material nonpublic information to effect a securities fraud, the increasing use of cyber-tools to steal material nonpublic information, create false information to manipulate the stock market, and conceal manipulative conduct is a significant development that requires greater attention to other methods for detecting and investigating misconduct.
Messaging applications (e.g., Signal, Telegram, and WhatsApp) that offer end-to-end encryption and/or feature self-destructing messaging present a significant challenge for compliance professionals charged with monitoring business-related communications, and to government lawyers and investigators who typically have relied on email and text communications to investigate trading schemes. Indeed, as encrypted and self-destructing messaging becomes more popular, regulators may no longer be able to rely upon e-mails and text messages to uncover fraudulent schemes, and instead may need to rely upon whistleblowers, cooperators, assistance from manufacturers of secret messaging applications, and enhanced data analysis tools. Lawyers who represent clients in SEC enforcement actions or advise firms on securities compliance issues must study the actions pursued by the Cyber Unit and advise their clients of significant developments in the investigation, prosecution and defense of these matters.