Hacking: the future of insider dealing?
October 2015 | PROFESSIONAL INSIGHT | FRAUD & CORRUPTION
Financier Worldwide Magazine
On 10 August 2015, the US Securities and Exchange Commission (SEC) announced fraud charges against an international hacking and insider dealing ring. Ukrainian hackers are accused of tapping into press release distributors and accessing and selling sensitive financial announcements, before they were made public. That information was then used by traders around the world who made advantageous stock transactions. The case illustrates a new tactic in insider dealing as well as exposing the vulnerability of financial information in a market that is reliant on digital security.
It has often been suggested that insider dealing is a victimless crime. Whether or not this is the case, unusually with this criminal offence, it would be difficult to bring a good corresponding civil claim, for the reasons set out in more detail below. It is therefore likely that any action taken against this sort of insider dealing will be by the financial regulators, either bringing criminal proceedings or civil market abuse proceedings.
In the UK, the Criminal Justice Act 1993 (CJA), creates three distinct offences which may be committed by an insider: (i) dealing, as an insider, in price-affected securities when in possession of inside information; (ii) encouraging, as an insider, another to deal in price-affected securities when in possession of inside information; and (iii) disclosing, as an insider, inside information otherwise than in the proper performance of his employment, office or profession.
A criminal offence will only be committed under the CJA if there is a link between the relevant behaviour and the UK. For example, the insider was within the UK at the time of the alleged offence or the relevant market is regulated in the UK. The above offences carry a maximum sentence of seven years imprisonment. Custodial sentences are generally imposed in respect of almost all those convicted in the UK to date, the highest being four years imprisonment.
There is also a civil offence of market abuse which carries a wide range of sanctions; including financial penalties, a ban from working in the financial sector and public censure. The UK Financial Conduct Authority (FCA) recognises that there will be instances of market misconduct that may arguably involve a breach of both the criminal and civil regimes. However, the FCA has issued guidance stating that they may consider criminal prosecution is more appropriate in certain circumstances, including where the misconduct has resulted in significant distortion or disruption to the market, or the misconduct involved dishonesty.
These latest hacking tactics led to inside information from different countries being sent to traders located in the US, Malta, Cyprus, France and Russia, exemplifying the fact that a global response is required. Cross-border investigations are increasingly common; the FCA assisted the SEC with their investigation into these latest international violations. Despite a number of the traders being non-US nationals, located outside of the US, the SEC has asserted jurisdiction due to the hacks being executed on newswire severs located within the US.
Cases will hinge on the willingness of international authorities to share evidence and intelligence. US prosecutors continue to enjoy a high rate of convictions, in part due to the fact that they do not face the same litigation risks in the US, given that individuals are more likely to enter into plea agreements, rather than fight proceedings as they would in the UK.
Often the more effective route for redress for victims of such criminal activity is to bring civil proceedings. However, the potential victims of insider dealing would struggle to bring civil proceedings, even if they could establish loss, or had an appetite to bring proceedings. Potential victims would generally be counterparties to trades which take place using inside information, or the company whose shares are being traded. The counterparty will find it difficult to establish loss caused by the insider information, as it is usually the case that they would have made the trade anyway, and the inside knowledge held by the other party to the transaction makes no difference to this. Indeed it has been suggested that they might actually get a better price as a result of the insider information, as the trader with the inside information will be willing to give the counterparty a better price, because of their knowledge about the very significant profits which will be made on the trade.
For the same reasons that it might be difficult for a party to bring civil proceedings against the insiders or the traders, it would be difficult to bring proceedings against the wire services that were vulnerable to the information being hacked. Even in the event that a counterparty to a trade could demonstrate a loss, it would be difficult to establish the requisite relationship between the wire service and the counterparty in order to establish that the wire service owed any kind of duty to a victim of this sort of insider dealing.
It is possible that the company whose information was stolen in this way could show that there was a duty to keep its information safe, but again it is difficult to see how a loss to the company could be established.
In relation to financial crime, civil proceedings often fill the gaps left by prosecutors ensuring that the perpetrators are not sent the message that there is no risk to committing fraud. In the absence of victims with good civil claims this will not happen, meaning the regulators and prosecutors will be under pressure to ensure action is taken, either through prosecutions or civil proceedings for market abuse.
Vulnerability of financial markets in the digital age
The latest SEC case demonstrates that the technique of hacking inside information can lead to an unprecedented scale of offending, resulting in large profits for fraudsters. The hacking defendants allegedly accessed more than 100,000 press releases before they were publicly issued and those trading on that information allegedly made over $100m in unlawful profit. There is also a simultaneous SEC investigation into insider dealing by a group of hackers known as ‘FIN4’. It is alleged that FIN4 attempted to break into the email accounts of more than 100 company executives in an effort to steal material information relating to mergers and acquisitions.
Market credibility and confidence is essential for maintaining a stable financial system. Authorities from around the globe will undoubtedly be quick to respond to these latest tactics. Although it is the US authorities that are taking the lead in pursing the cases mentioned above, UK authorities are also taking action. The British Bankers Association has recognised that cyber security presents a rapidly evolving international challenge to financial markets and that a global level response is needed. Regulators are working with representatives from the financial industry to create a coordinated system to reduce exposure to cyber attack.
In response to receiving information about FIN4, the SEC requested that a number of implicated companies provide details of their cyber security failures and vulnerabilities. Investigation into cyber security is unusual for the SEC which, much like the FCA, typically relies on questionable trading activity when investigating insider dealing cases. Introducing a third party hacker erodes the traditional link between trader and insider that prosecutors look to identify. In response, it would not be surprising to see an increase in regulation around the cyber security of companies that hold sensitive financial information, as well as action taken against firms by the FCA where they identify failures in their systems and controls.
What this means
Hacking presents a dangerous new method of insider dealing. Undoubtedly, the UK relies on criminal regimes to prosecute insider dealing, and this new method does convolute the trail of evidence for prosecutors, particularly where the activity is multijurisdictional. However, given the crackdown on insider dealing we have seen from the FCA over recent years, we should expect to see them adapt their processes to rise to the challenge.
Perpetrators in the UK might seek comfort in the fact that, to date, only the US has prosecuted these cases. Concerted efforts on coordinated investigations, and the growing degree of cooperation between the SEC and foreign securities regulators, however, mean that evidence gathered abroad will generally make its way to the FCA.
William Christopher and Eve Giles are partners, and Min Weaving is a solicitor, at Kingsley Napley. Mr Christopher can be contacted on +44 (0) 207 566 2967 or by email: email@example.com. Ms Giles can be contacted on +44 (0) 207 814 1270 or by email: firstname.lastname@example.org. Ms Weaving can be contacted on +44 (0) 207 369 3845 or by email: email@example.com.
© Financier Worldwide
William Christopher, Eve Giles and Min Weaving