SEC Chairman Jay Clayton launched a sea of news stories last week when he included the following five sentences in a statement on cybersecurity:
Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.
Chairman Clayton speculates that the hackers used the purloined information for purposes of insider trading. I am not an expert in federal criminal law, but I expect that the hackers will face criminal prosecution if they are identified and captured. As a securities lawyer, my question is whether the hackers can be successfully prosecuted for insider trading.
Presumably, the hackers are not insiders because they wouldn't need to hack EDGAR to obtain the information about their own companies. Thus, the classical theory of insider trading is not likely to be a promising theory for prosecutors. Hacking certainly does imply a sort of misappropriation. Is the misappropriation theory a dog that will hunt?
The misappropriation theory has its own problems, however. First, it is unlikely that prosecutors will be able to prove that the hackers owed a fiduciary duty. Second, prosecutors are unlikely to be able to point to an affirmative misrepresentation to investors.
If prosecutors want to pursue an insider trading case, they will, I suspect, rely heavily on SEC v. Dorozhko, 574 F.3d 42 (2d Cir. 2009). In that case, the Second Circuit held that computer hacking may be deceptive for purposes of Section 10(b) of the Exchange Act even though the hacker did not breach a fiduciary duty in obtaining material, non-public information that it used in trading securities. Note that the Second Circuit held that hacking "may be" deceptive. The SEC argued that hacking typically occurs either by masquerading as someone else to gain access or exploiting a weakness in the computer code. The Second Circuit therefore remanded the case for the District Court to consider whether the computer hacking involved a fraudulent misrepresentation and hence deception within the meaning of Section 10(b).
The Second Circuit's opinion raises interesting questions. Typically, we think of people being misled. Can machines be deceived? Should or would the result be different if the hacker, instead of using a pilfered password to trick a machine, had exploited a software weakness?