Research: Hacking Wall Street – Restructuring the law for hackers’ trading schemes
As today one can buy Wall Street stock over the internet, a new form of securities fraudsters have recently been targeted by the US Securities and Exchange Commission (SEC). This new breed of fraudsters execute their conspiring schemes through the internet, beyond the conventional boundaries of corporate boardrooms. They are cybercriminals who attack and compromise computer networks of business corporations, financial newswires, and law firms in order to phish non-public financial data that can help them gain an edge across financial markets. Many believe that you needn’t be a Wall Street insider to be able to pull off profitable insider trading.
To respond to this, the SEC has decided to expand Section 10(b) of 1934’s Securities Exchange Act to include hackers via a new theory centered on insider trading. However, computer hackers who phish information that can be exploited for securities trading purposes are significantly different from typical defendants involved in insider trading cases. Such cases have been typically associated with two forms of defendants:
1- Corporate insiders, including directors and officers, breaching their fiduciary duty to companies’ shareholders via trading stock by relying on material non-public data, which is not disclosed to shareholders.
2- Corporate outsiders, including lawyers and broker-dealers, breaching confidentiality duty via trading securities by relying on data which was entrusted to them provided that it would not be utilized for personal gain.
On the other hand, a computer based hacker-trader is a special form of corporate outsider, who is unrelated to either the shareholders or information sources that could be exploited for personal profit. Moreover, oppositely to outsiders, who exploit their relationship to information sources for their personal profit, hackers solely rely on their technical skills in order to access insider information. In other words, even though the hacker-trader’s advantage was also clearly unfair, they leveraged it, not via privilege or unique connections, but via the rare combination of advanced technologies, criminal intentions, and risk taking.
A recently published paper delves into the challenge that lies in holding computer hacker-traders and cybercriminals liable for this modern form of insider trading. The paper adds to the currently available literature via debating that, even if courts eventually support the SEC’s suggested expansion of insider trading law to include hackers, some innovative hackers may still be able to avoid liability. The paper also provides a summary of the so-called traditional and misappropriation insider trading theories and reasons that explain why the present legal framework is not ideally structured to deal with computer hackers.
Two important hacker-trader/seller-trader cases:
The paper presents some of the Department of Justice’s (DOJ) criminal prosecutions and SEC’s enforcement actions brought specifically against computer hacker-traders. The paper focuses mainly on two cases:
1- SEC vs Dorozhko: In this case, the Second Circuit adopted a new theory of liability for computer hackers who exploit hacked information for trading purposes (i.e. hacker-traders).
2- SEC vs Dubovoy: This case involved a complex group of hackers who sold stolen insider information to hackers (i.e. hackers-sellers).
Dorozhko and Dubovoy illustrate the great difficulties associated with bringing computer hackers within the borders of insider trading law.
The paper also outlines current proposals for and against holding computer hackers liable for fraud associated with securities trading. Even though the Second Circuit took the right decision in the Dorozhko case via expanding the liability to include hacker-traders, the definition of the court for “deceptive hacking” was still limited. Consequently, Dorozhko is unlikely to extend liability to include computer hackers who engage in more advanced schemes in the future.
The paper’s bottom line:
By definition, computer hackers are extremely creative. As such, it won’t be long until they can develop innovative cyber-trading schemes that can bypass liability, since they do not actually steal insider information, as they deceivably misrepresent their identities throughout the process of purchasing securities.
The paper introduces a unique approach to SEC’s affirmative representation theory to illustrate the shortcomings of Dorozhko’s case. Instead of trying to fit hackers inside the mould of the conventional concept of insider trading and to limit liability to computer hackers that steal insider information, courts should determine if a hacker utilized “deceptive or manipulative” techniques throughout the process of trading of securities. As such, liability could apply whenever a computer hacker launches a cyberattack during a transaction involving securities, whether or not insider information was stolen. However, it still obvious that Section 10(b) is not capable of covering all cyberattacks targeting securities, e.g. nondeceptive informed forms of cyber-trading. Whether or not the government should regulate such conduct represents an even harder question to answer.