Wednesday, August 12, 2015

Massive Insider Trading Scheme Uncovered - Lots of Blame to Share.

A massive insider trading scheme has allegedly been uncovered by the SEC and the DOJ, according to the SEC, involving computer hacking, foreign investors, tens of millions of dollars, and years of trading activity.

Yesterday the Commission announced the filing of charges against 32 defendants, alleging that they hacked their way into computers and traded on stolen nonpublic information regarding corporate earnings announcements from the wire services who were holding earnings releases for the public companies. The press release is online at http://www.sec.gov/news/pressrelease/2015-163.html and the complaint is at the commission’s web site at http://www.sec.gov/litigation/complaints/2015/comp-pr2015-163.pdf.

I have been involved in cases involving allegations of computer fraud, and trading on undisclosed earnings announcements in the past in the URL Guessing cases,  but that was more of a misunderstanding on the part of the SEC Staff and the sloppiness of the issuers, than an organized hack. This case, at least according to the SEC, involves 5 years of advanced computer techniques to hack into two or more (un-named)  newswire services and stealing hundreds of corporate earnings announcements before they were released.

Some investors expressed surprise that the hacking of a wire service could be profitable. After all, there is a very small window of time to get the information and trade on it when you are dealing with earnings reports. One would assume that the earnings reports are delivered to the wire services minutes or an hour before its release.

You would also think that issuers would have learned from the URL Guessing cases. But apparently they have not. According to the SEC’s complaint, some of these issuers were uploading their releases days before the announcement, giving the hackers plenty of time to hack and trade.

For example, according to the complaint, while Zumiez uploaded its press release to the wire service at 1:29 pm for a 4:00 pm release, Acme Packet uploaded its press release at 5:53 pm, for release the next day at 4:05 pm, leaving the press release on a third party server for nearly 24 hours.

According to the complaint, the hacking went on for 5 years, and during that time (2010 until 2014), the hacker defendants hacked into the newswires'  computer systems and stole over 100,000 press releases before they were publicly issued.

And the hacking was apparently profitable. The SEC is alleging that the Defendants made over 100 million dollars in profits. However, keep in mind that the SEC does not concern itself with the losses. Not every trade pans out, and not every trade is profitable. The SEC however is only concerned with profits, and does not count losses.

One has to wonder what these wire services were doing all of these years, and why the hacking was not noticed.

One also has to wonder why the SEC, FINRA, and the exchanges did not notice the irregularities. Granted, we can assume that some of the press releases did not hold valuable information and there were no trades made, but according to the complaint the hackers were downloading press releases for years from the same two wire services.

While the defendants allegedly made significant sums of money, and, according to the SEC, hacked into computers to do so, one has to wonder where the responsibility of the wire services and the issuers lies in all of this.

First, the wire services had their computers hacked for years without noticing the hacks and allowing them to occur with over 100,000 press releases. While the SEC did not identify the wire services, they should have some liability to the shareholders of the issuers involved.

And the issuers – who surely share some of the blame, include Walter Energy, Caterpillar, Inc., Treehouse Foods, RadioShack, Brocade, Panera Bread, and others. Where were they during all of this – uploading their press releases, containing what is apparently very valuable information, days or hours in advance to unsecured third party vendors? Surely that is negligence and a breach of a duty to protect corporate information.

And lastly, the SEC. While they are now issuing press releases about what a great job they did in uncovering this alleged scheme, one has to wonder what the heck took them so long. These defendants are allegedly stealing over 100,000 press releases, for years, and generating millions of dollars in profits and the SEC never catches on until 4 years go by?