Live From DC… the SEC’s CyberSecurities Fraud Symposium

Securities Docket is “live-blogging” today’s SEC CyberSecurities Fraud Symposium.  Stay tuned here all day for the latest updates.

12:35 pm

When the conference resumes at 1:00 pm, I am going to move this live-blog over to Twitter as an experiment.  Why?  Because (a) it will give many of you a reason to check out Twitter for the first time, and (b) I want to compare live-blogging on the traditional platform I’ve been using this morning versus Twitter, which is by nature a series of quick hits (or “tweets” in Twitter language).  Please visit Securities Docket’s page on Twitter (http://twitter.com/securitiesd) to continue to follow our updates from the SEC’s CyberSecurities Fraud Symposium.

12:00 pm: **Break for lunch until 1:00 pm**

11:50 am:

Sporkin: What if the hacker’s intent is to discover info unrelated to the material, nonpublic info he stumbles upon?

Langevoort: Must be some “coincidence” between the deception and the trading.  Was securities trading part of the scheme when it was devised?  So answer is no in the example above.

11:35 am: Sporkin:  To whom does hacker owe a duty?

Langevoort:  Statute does not mention duty.  It mentions deception.  One form of deception is breaching fiduciary duty.  Can have deception without duty.

Sporkin:  Can you have deception with no pre-existing relationship?

Langevoort:  Sure.  Manipulation is one example.  That is done by outsiders.

Sporkin:  Is face to face interaction required?

Langevoort:  Why?  No need for that.  Telephone, computer, etc. all sufficient.  Just need the communication.

Sporkin: Can a computer be “deceived?”

Langevoort: Legally, yes.  For example, you steal a security card to get into a building.  You are tricking the system into letting you in and you thereby trick the company/entity behind the system.

11:30 am: Stummer case (aka “bad brother in law”).  Stummer snuck into his brother in law’s computer to confirm rumors of a tender offer by good brother-in-law’s private equity firm.  Stummer logged on, guessed the password (a nickname), and could access emails.  Traded based on this info and made $22,000.

No real duty between the in-laws, but case was settled so SEC didn’t have to nail down the theory.

See “Brother-in-Law from Hell: Wall Street Edition” by Portfolio.com

11:25 am:

Langevoort: No one tool gets the SEC where it wants to be on insider trading.  Need to link up with different parts of the statutes.  Square peg and round hole here.  Does hacking into a computer threaten integrity of market, investor confidence, etc.?  Yes.  So SEC needs to find a way once again to get at it.

11:15 am: Lohmus Haavel–Estonians hacked into Business Wire to see merger announcements, etc. before they were released.  $7.8 million in profits.

SEC received a tip in this case from someone noticing a spike in volume in a pharmaceutical co. and later there was a takeover announcement of that company.  SEC looked into the traders and saw unusual activity.  100s of suspicious trades.  Later connected the traders to other trades in advance of news releases.

Common thread–Business Wire.  But not clear initially how the Bus. Wire info was obtained.  SEC got  records from broker-dealer the trader went through and obtained IP address.  Gave this to Bus. Wire and they matched to access to their servers.

But was there deception?  Any duty for insider trading?  SEC didn’t know but there was $30 million at risk in trader’s account.  SEC found trader deceived Bus. Wire with false info in his account application.  Trader didn’t really hack–went through the front door.  Trader also opened account in employer’s name, deceptively.  Plus, the spider program used got into a password-protected site.  SEC deemed all of this to be deceptive and brought its case and froze the $30 million.  Defendant settled pre-trial for $13 million, so no court ruling here.

11:10 am: Outsider trading (OT) does not have a pre-existing relationship of trust, unlike insider trading.

4 cases of OT: (1) Lohmus Haavel–the “Estonian Spider Hackers” I have written about many times before.

(2) Blue Bottle

(3) Dorozhko

(4) Stummer

11:00 am:

Tom Sporkin leading the discussion now on “outsider trading”: hacking to get material, nonpublic information.

10:55 am:

Next panel beginning shortly: Thomas A. Sporkin, Deputy Chief, Office of Internet Enforcement, U.S. Securities and Exchange Commission; Daniel Hawke, Regional Administrator, U.S. Securities Exchange Commission; Professor Don Langevoort, Georgetown University Law Center.

10:52 am: You know you’ve been out of the SEC a long time (since 1997 for me) when the only people you recognize at an SEC conference are on the podium.

10:50 am: Mingling at the break.  Lots of regulators/prosecutors here: SEC, USAO, FBI, DOJ here in force.  Some State AGS and CFTC.  Lots of FINRA and NASDAQ, too.  Would be an extremely bad place to commit securities fraud.  You would be immediately apprehended by 200 people in suits.

10:40 am:

Stark: There are anonymous wire services available.  No identification required.  How big of a problem is his?

Peterson:  Tough to regulate because things change so quickly.  Like Whack-a-Mole.  Need to criminalize the money laundering in general, not the tactic.

Berglas:  This is a hurdle for prosecutors.

**Break for 10 minutes**

10:30 am:

Stark:  People need to address what would happen if they are hacked with their broker.  Get an answer.

Stark: Enforcement Tips/Complaint Site gets up to 8,000 emails per day.

10:20 am:

Plesco:  Many of these frauds have hierarchical, organized groups behind them.  They look somewhat like organized crime and regulators try to use lessons learned from organized crime cases to help them respond.

Stark: Can banks be on the hook for hacked accounts causing losses?  He doesn’t believe this has been resolved by courts.  Victim here has done nothing wrong.  Some brokers have told SEC to bring more cases because they can’t afford to reimburse everyone that this happens to.  Also–what about the Thrift Savings Plan for government employees?  A year or two ago the TSP had account intrusions.  TSP site makes user agree that he/she is responsible for securing login info.

10:15 am:

Stark: It is now a given, almost, that there will be an international component to these cases.  Didn’t used to be that way when he started at SEC 18 years ago.  All countries have common ground in protecting their citizens and the Internet.

10:05 am:

Stark: Would 2-factor identification (including a token, for example) help things?

Plesco: Tokens can be hijacked, too.  May need 3-factor.

Peterson: But 2-factor is better than not, so may deter some fraudsters.  They may just move on to someone who does not have it.

10:00 am:

Stark: Any link of these financial crimes to terrorism?

Berglas:  Yes.  Often see ties.

Plesco: We see that as well.

Stark: Does evidence disappear quickly or does e-footprint survive well?

Berglas: Case-by-case, really.  Some ISPs don’t keep info for more than 30 days.  We ask them to preserve logs and to report things promptly.

Peterson: One challenge is that laws differ worldwide.  US has no data retention law.  EU does have such a law–at least 6 months and no more than 2 years.

Plesco: Bad guys game our evidentiary laws.  They know how long records are kept, etc.

9:55 am:

Stark: Are most hackers in E. Europe?

Donna Peterson, Unit Chief, Cyber Division, Federal Bureau of Investigation: This is a cottage industry in E. Europe now.  In Romania, you have a highly intelligent population that is underemployed, leading to a lot of this type of fraud.

Austin Berglas, SSA, Cyber Division, Federal Bureau of Investigation:  We now have agents over in E. Europe hunting down this type of fraud.  Able to get to source: virus writers and propagators of malware.   Target and arrest lower level players to get to bigger fish overseas.  Hacks are rarely directed at a company–usually at the end user.

9:45 am: Stock-Aid had quick results.  Unusual trading reported to NCFTA, wire transfers from E. Europe detected all due to brokerage firms sharing information.

Stark:  Who are these hackers usually?  Kids?

Plesco: Businessmen selling hacked information to highest bidders.  Not a bunch of kids hacking websites.  10,000,000 machines are “botted” to help them steal info.

Stark: Any way to secure your own computer or impossible?

Plesco: If you do everything you can, with virus software, etc., 95% of the time you can stay clean.  Bad guys hit the other 5%.

9:30 am: First panel kicks off with Ron Plesco. Discussing NCFTA (National Cyber-Forensics & Training Alliance).  “Credential fraud” a big issue — hackers getting into online stock accounts.  NCFTA began “Stock-Aid” Initiative to address.  Brokerage firms share info about suspicious activity meeting risk criteria.

9:25 am: Paredes “confident” we will overcome current challenges from financial situation.  Cites incredible cooperation of agencies and tireless efforts of SEC. Says cooperation brings together collective ideas and deliberation for a better result.  Question from audience on what we’re doing right and wrong in the current crisis, but Paredes doesn’t really answer the “wrong” side of the question.

9:20 am: Paredes stressing cooperation among regulators and criminal authorities, as well as internationally.  There needs to be “no place to hide.”  Must protect due process, too.  Highlights recent agreement among exchanges regarding insider trading enforcement.

9:15 am: New SEC Commissioner Troy Paredes delivering his “first keynote speech” right now.  Young guy–his bio says he is a 1996 Yale Law grad.

9:05 am: Intro from Stark.  Stark says purpose of the Symposium is to mark 10th year of SEC’s Office of Internet Enforcement.  Intended to be a “brainstorming session” for panelists.

First panel will be: Donna Peterson, Unit Chief, Cyber Division, Federal Bureau of Investigation; Austin Berglas, SSA, Cyber Division, Federal Bureau of Investigation; Ron Plesco, CEO, National Cyber Forensic Training Alliance

9:00 am: John Reed Stark, Chief, Office of Internet Enforcement, SEC kicking things off.  Good-sized audience of around 200 or so. This facility puts the old SEC facility at 450 5th Street to shame.  Very modern.

8:55 am: Let’s roll! Symposium is starting in 5 minutes.  New SEC auditorium is beautiful.    I will be posting on this same link all day, so keep refreshing your browser to get updates.