Cyber security experts believe the US Securities and Exchange Commission was the latest victim of cyber criminals on the hunt for market-moving corporate secrets, following a series of attacks seeking to steal unpublished press releases, deal negotiations and economic data.
As banks increase spending on cyber security into the hundreds of millions of dollars and hire thousands of information security specialists, hackers have been looking to more vulnerable targets across the financial sector.
The SEC has said it believes its online filing system used by almost 6,000 public companies may have been hacked to reap “illicit” trading gains.
“Sun Tzu wrote in The Art of War that attackers avoid surfaces and flow to gaps like water flowing down hill,” said Nate Fick, chief executive of cyber security company Endgame. “The banks are the surfaces and the SEC was a gap.”
The SEC did not respond to a request for comment.
Cyber security experts see parallels between the attack, which took place last year but was only announced this month, and other breaches in which hackers were searching for financial information, including an attack on PRNewswire that generated $100m in illegal profits, and an attack last year on two law firms that gained more than $3m using stolen information on planned mergers.
The SEC took action in both cases: indicting more than 40 people in the PRNewswire attack, and obtaining default judgments against the three Chinese defendants in the law firm hacking case.
Scott Borg, director of the US Cyber Consequences Unit, a non-profit research institute, warns that sensitive financial information has been “regularly stolen” by cyber criminals who use it to play the markets. In 2011, the IMF was attacked in a breach that experts believe may have been designed to steal insider information, and in 2011 and 2012, the Australian Bureau of Statistics had its key data repositories targeted by hackers.
Trading on stolen information from hacks is hard to detect in the market, with some Russian organised criminals even using computer models to keep trading under the ceilings for detection, said Mr Borg. The conventional way of spotting insider trading — examining who has access to the data and their close associates — is useless when fighting cyber criminals.
“A cyber criminal can be anywhere in the world. You have no idea who they are and no idea what the candidate list looks like,” he said.
Regulators are urging smaller financial companies to improve their cyber security, because of the risks they can pose to the whole sector.
Joseph Borg — who is not related to Scott Borg — is president of the North American Securities Administrators Association and director of the Alabama Securities Commission. He said it had found significant cyber security vulnerabilities among small investment advisers and wants to collaborate with the SEC and the industry to improve cyber security protocols.
“A small investment adviser with 50 clients can do trades for their clients with Morgan Stanley or Merrill Lynch. They are access points, nodes and weaknesses in the system,” he said.
In the UK, the Financial Conduct Authority said this month that it is stepping up its scrutiny of cyber defences beyond the large banks, which have been subject to penetration testing by the Bank of England.
“I think this is a call to refocus on the dollars and the personnel that are available to the SEC, the Office of Personnel Management and other agencies in the US that might be a little behind in terms of their security,” said Joseph Moreno, a partner at law firm Cadwalader.