Ensuring investors never receive privileged information that might put them at a trading advantage is one of the most basic tenets of good investor relations. But how do you protect that information from the hackers who, according to Kate Fazzini, journalist and author of Kingdom of lies: Unnerving adventures in the world of cybercrime, are increasingly using hacked information to trade?
This is a very difficult kind of hacking to prevent, or even uncover, Fazzini tells IR Magazine. Because such hackers are seeking to trade on the information they gather, their goal is to ‘break into your networks in order to quietly observe activity and gain some kind of advantage in trading,’ she explains. ‘In order to do this, they have to be careful not to trip any alarms your firm may have in place to alert you to hacking activity.’
This also means it’s hard to say how many companies have been targeted in this way. ‘Any statistics that may be available would be based on proven cases, and it’s far more likely there are many more unproven cases,’ says Fazzini.
But that doesn’t mean companies – and, indeed, company boards – shouldn’t be on the lookout. Fazzini advises briefing your cyber-security experts to keep their eyes peeled for any ‘unusual trading activity before a material event, [particularly] coming from a region like China or Eastern Europe that may not typically be associated with investment in the security in question.’
Ultimately, however, this remains a very difficult crime to prevent. Firstly, the vulnerabilities of third parties will put your own data at risk, Fazzini notes, highlighting the fact that the SEC was ‘famously hacked’ for insider information. Companies whose information was exposed in that way had few options for protecting against the theft of information housed on US government databases, she adds.
Add to this the fact that these hackers aren’t after ‘heavily guarded and encrypted’ information and are ‘motivated to be stealthy so they can take longer-term positions’, as opposed to the types of criminals who are interested in the theft of information for a rapid sale on the dark web, and the difficulties around prevention become clear.
So what advice would Fazzini offer? For a start, boards need to have a better understanding of cyber-security, even if just to ask the right questions, she says. But more than anything, it’s about understanding the importance of information. ‘Board members don’t have to be cryptologists – or even computer-literate – to do this, but they do need to understand their business,’ Fazzini continues.
For example, ‘if your business is heavily dependent on M&A and the material information of your clients, your board should be aware of what information it specifically wants to protect, and how,’ she says. ‘The responsibility of the board is to identify the company’s most critical information assets, and then decide how much risk it is willing to accept on those assets.’
Trading on hacked information isn’t the only way hackers are making money from company data. ‘In my book, I describe how one Chinese hacker made an independent business out of stealing secrets from businessmen traveling to Shanghai, then selling the information to clients as ‘bespoke’ research on their competitors,’ author Kate Fazzini tells IR Magazine, adding that ‘this kind of behavior is very difficult to track.’
– Kingdom of lies: Unnerving adventures in the world of cybercrime by Kate Fazzini is published by Macmillan Publishers
This article was published in the spring 2020 issue of IR Magazine