At a press conference this morning in Newark, NJ, federal authorities will announce criminal charges against nine individuals in a hacking and insider trading scheme that generated $30 million in illegal profits. Importantly, the SEC will also bring a parallel lawsuit, marking yet another important “outsider trading” enforcement action by the SEC. Today’s SEC actions, however, are far more complicated than they seem – and will require the SEC enforcement staff to prove-up insider trading violations not just with circumstantial evidence but also with malware-reverse engineering evidence – a first for the SEC enforcement staff.
You can read all about the history of the SEC and outsider trading in a recent Stark on IR Posting and you can read about the SEC’s new foray into malware reverse engineering in my most recent Compliance Week column, which includes the following:
“Outsider trading is the next wave for both hackers and securities swindlers. If allowed to swell, it could dramatically affect the integrity of the global financial marketplace. Of all the regulators and law enforcement agencies who mark securities fraud as their territory, the SEC stands alone in its expertise, experience, and wherewithal, so it is not surprising that the 2nd Circuit validated the SEC’s outsider-trading theory (albeit with a malware reverse-engineering glitch).
Whether the SEC builds its own malware reverse-engineering team in-house or engages experts from the private sector, the SEC’s foray into malware reverse engineering will not only be complicated; it will be costly. Malware reverse engineers charge hourly rates akin to a law firm partner’s, and even finding specialists with malware reverse-engineering skills is a challenge. Many malware specialists are self-taught or are “home-grown” within digital forensic firms, and educational institutions are only just beginning to turn out graduates with malware skills.
Only time will tell whether the SEC’s outsider-trading dragnet will go down in history as the right move to protect investors or will instead be labeled yet another gratuitous jurisdictional expansion borne more from cyber-security bluster than common sense. But under any circumstance, the SEC’s outsider-trading dragnet is a bold one. Whether anticipated or not, thanks to Dorozhko, malware reverse engineering know-how is clearly the SEC dragnet’s prerequisite.”