In a first, the SEC has proactively approached several businesses to investigate cybersecurity failures that may have created a new method of insider trading. The Commission’s investigation, along with a probe by the Secret Service, is focused on a group they’re calling FIN4, which they suspect of having broken into corporate email accounts to steal confidential information about mergers and acquisitions. Naturally, the SEC declined to comment on exactly how broad its investigation is, or on anything else about the matter.
The investigation was spurred by a December report on FIN4 by security company FireEye, which stated that the hacking group’s primary intent is “compromising the accounts of individuals who possess non-public information about merger and acquisition (M&A) deals and major market-moving announcements, particularly in the healthcare and pharmaceutical industries.” FireEye also noted that the group focuses on those industries because of the volatile nature of their stocks.
FIN4’s attacks on these companies are brilliant in their simplicity.
1) Identify insecure email accounts.
2) Create fake MS Outlook login pages.
3) Get somewhat computer-illiterate executives, attorneys, and consultants to enter their login information.
4) Profit.
So far, the SEC has asked at least eight companies to provide information on their data breaches, making this the first time it has ever approached companies about breaches in connection with an insider trading probe. Although companies are not required to disclose breaches unless they’re deemed ‘material’ under federal securities law, it appears the SEC has taken an active stance on cybersecurity despite having brought only a handful of civil cases against hackers in the past. What will that lead to once the investigation concludes? More regulations imposed on already regulation-laden industries? Or a wake-up call to those within those industries that ‘password1234’ is not going to cut it when others are actively trying to steal their information?