Dark web meets bright brokers: trading with hackers

In a scheme that brought a modern twist to an age-old story, US authorities last year charged 32 people in connection with a ‘hack meets securities fraud’ scheme in which over 150,000 yet-to-be-published press releases containing financial information were stolen from business newswires and subsequently used to make trades - netting around $100 million in illegal profits over a 5-year period.

The sophisticated scheme, which was the largest to combine computer hacking with insider trading, saw US traders allegedly retain the services of talented Ukrainian hackers to intercept press releases, including corporate data on earnings, relating to a ‘shopping list’ of more than 30 publicly listed companies such as Boeing, Hewlett-Packard, Caterpillar, and Oracle. The stolen press releases were purportedly then used by the traders, in a patient and methodical manner, to anticipate stock market moves and make around 1000 profitable trades.

In one of the indictments, the SEC suggests that the Ukrainian hackers ‘bruted’ the login details of 15 Business Wire employees – a process in which cyberattackers use a dedicated program to decode passwords through exhaustive effort using trial and error – in order to gain access to the newswires. The hackers then created a ‘video tutorial’ to help traders in New York, France, Malta, Cyprus, and Russia to see the stolen press releases, in return for which they were paid a percentage of ill-gotten profits from the traders’ subsequent investments.

The traders are alleged by the SEC to have used the stolen business wires to deliberately and carefully invest in equities, options, and contracts for difference in a market-savvy way to maximise their profits. The level of patience demonstrated is noted as being somewhat unprecedented, with investments having been made only on roughly 0.67% of press releases received. Yet still, the sums received through this illegal behaviour were so significant that the involved parties were able to invest in cars, houses, boats, and even an entire apartment complex and shopping centre.

Following a lengthy investigation involving numerous global authorities including the SEC and FBI, the parties involved were located and indicted (under US law) for:

  • hackers: computer fraud (accessing a computer to defraud and obtain something of value) and conspiracy to commit money laundering (a felony carrying a possible charge of 5 years; 10 years if the offender has a previous computer-crime conviction); and
  • traders: money laundering and securities fraud (namely insider trading),

amongst others.

Given the significant payout that this incident has shown can be gained through the cooperation of malicious internal and external actors, it is likely that the number of groups comprising talented cyberattackers and other professional services employees (particularly within the financial services sector) will increase in the forthcoming years. With these schemes operating on a global basis, Commercial Technology associate, Alex Cravero, and Financial Regulatory associate, Chris Boylan, explore the above ‘hack meets securities fraud’ incident from an English law perspective.

English Hackers

Two competing claims to jurisdiction over hacking offences have arisen over the last decade. Some nation states subscribe to the view that jurisdiction should be afforded to the country in which a cybercrime originates, with others believing that jurisdiction lies with the country whose individuals and/or entities have been harmed by the cybercrime. With nation states unable to agree on a single, unified approach, multiple claims for jurisdiction may arise in respect of a single hacking incident.

Suppose in this instance that the hacking activities both originated from, and harmed individuals or entities situated in, England. The hackers would be caught within the jurisdiction of the English courts under both views, and would therefore be subject to prosecution under English law – namely for offences under the Computer Misuse Act 1990 (“CMA”).

In the given ‘hack for securities fraud’ scenario, the relevant CMA offences [A2] for which the hackers would likely be tried are:

  • section 1 CMA, ‘unauthorised access to computer material’; and
  • section 2 CMA, ‘unauthorised access with intent to commit a further offence’.  

For the English courts to find the hackers guilty of these offences, prosecutors would need to demonstrate that:

  • in respect of ‘unauthorised access to computer material’:
  1. the hackers’ accessing of the computer material was unauthorised. There is no requirement of actual knowledge under section 1 CMA; it is enough simply to demonstrate that the hackers’ access was not authorised. In any event, it is likely that the hackers were aware of the unauthorised nature of their activities in the given scenario; and
  2. access was had to computer material. Although ‘computer material’ is not defined in the CMA, the English courts recognise the term as meaning any material (including documents, diagrams, and other information of any type or format) stored on a computer. The Civil Evidence Act 1968 defines the term ‘computer’ as meaning ‘any device for storing and processing information’, making section 1 of the CMA broad enough to catch business newswires stored on a company’s servers; and
  • in respect of ‘unauthorised access with intent to commit a further offence’:
  1. the hackers are guilty under section 1 CMA; and
  2. the hackers have committed a further offence. The definition of ‘further offences’ is broad, and applies to any offences with a fixed sentence or term of imprisonment of five years or longer. In this scenario, the further offence would likely be the inchoate offence of conspiracy[1] to commit: (a) money laundering[2], and/or (b) insider dealing[3].

In the ‘hack for securities fraud’ scenario, if the hackers were subject to English law then it is distinctly possible that they would be found guilty of offences under sections 1 and 2 CMA. The broad nature of the CMA and the range of further offences for which hackers may be prosecuted mean hackers would likely fall foul of English law in a wide range of circumstances. If indicted, guilty hackers would face a maximum of 2 years’ imprisonment and/or a fine under section 1(3) CMA, and 5 years’ imprisonment and/or a fine under section 2(5) CMA; with the stolen funds being traced, frozen, and confiscated wherever possible.

English Traders

Similarly to the offence of insider trading in the US, the UK has a specific offence of insider dealing that could be applied to the traders’ actions.

Part V of the Criminal Justice Act 1993 (“CJA”), which implemented the EU Insider Dealing Directive (89/592/EEC), sets out the criminal offence of insider dealing; responsibility for the prosecution of which falls on the Financial Conduct Authority (“FCA”). Since the implementation of the Market Abuse Directive (2003/6/EC) in the UK on 1 July 2005, this criminal regime has been supplemented by the introduction of civil offences for ‘insider dealing’ and ‘market manipulation’ under the market abuse regime enshrined in section 118 of the Financial Services and Markets Act 2000.

Unlike with the hackers, determining who has jurisdiction over global trading offences is relatively straightforward. The FCA only has jurisdiction to bring criminal charges for insider dealing under English law where:

  • the indicted trader(s) are within the UK at the time of the alleged dealing, or any part of it;
  • the regulated market on which the dealing is alleged to have occurred is regulated in the UK; or
  • a professional intermediary used in the transaction was within the UK at the time when the traders were alleged to have carried out the specific transaction(s).

Suppose the traders fell within one of the above categories, and charges were accordingly brought by the FCA under English law. Of the 3 insider dealing offences set out under section 52 CJA, the traders would likely be considered to have ‘dealt in price-affected securities when in possession of inside information as an insider’.

To be guilty of this offence under English law, prosecutors would need to demonstrate that the indicted traders:

  • knowingly held inside information: section 56 CJA defines inside information as information which:
  1. relates to particular securities or to a particular issuer(s), and not to securities or issuers of securities generally -  the ‘shopping list’ of companies provided by the traders to the hackers;
  2. is specific or precise - the press releases or business newswires containing specific information such as corporate data on earnings;
  3. has not been made public - the unreleased nature of the stolen business newswires; and
  4. if it were made public, would be likely to have a significant effect on the price of any securities – this effect being demonstrated by the monetary gains, significantly above and beyond those expected had the information been in the public domain, made by the traders when utilising such information;
  • held such inside information as an insider by knowingly receiving it from an inside source: section 57 CJA provides that information will be deemed to be from an inside source if:
  1. it comes through being a director, employee or shareholder of an issuer of securities (not necessarily the company whose securities are the subject of the insider dealing);
  2. access to the information is by virtue of employment, office or profession (for example, because the trader works for an adviser to the company); or
  3. the direct or indirect source of the information is a person within the previous two categories (for example, a spouse of a director who acquires inside information from that director).

Which will apply depends on the specific facts of the relevant case. In the given scenario, it will depend on the content and origination of each of the business newswires stolen by the hackers and used by the traders; though it is likely that all will fall within 1 of the 3 above categories; and

  • dealt with price-affected securities: Part V of the CJA applies to securities that:
  1. pursuant to section 54 CJA, satisfy conditions specified by HM Treasury; and
  2. are listed in Schedule 2 CJA.

Essentially, the securities must: (a) be officially listed on an EEA exchange or be admitted to dealing on, or have their price quoted on or under, the rules of a regulated market, and (b) include shares, debt securities, warrants, depositary receipts, security options, futures and contracts for differences. In the given scheme, several of these types of financial instrument were invested in by the traders across numerous regulated markets on a global scale.

In the ‘hack for securities fraud’ scenario, if the traders were subject to English law then it is possible that they would be found guilty of the criminal offence of insider dealing under section 52 CJA. On a guilty verdict, the indicted traders could expect a maximum of unlimited fines and/or imprisonment for a term of up to 7 years – longer than the sentences afforded to the hackers, but much less than the 20 years maximum sentence for the offence of insider trading under US law.

What does this mean for UK financial services institutions?

Increasing reliance on IT within the financial services sector, both internally-facing and externally-facing, offers cyberattackers a greater number of potential avenues through which to secure potentially significant payloads.

Firms are already having to deal with external malicious actors interested in making money through fraud, theft and sale of valuable information, and restricting access to and/or threatening to corrupt data or systems unless paid off. A prime example of this is the 2014 JPMorgan Chase data breach that resulted in the theft of 83 million customer account data records, which authorities suspect the cyberattackers had intended to use in stock manipulation schemes that utilised spam emails to boost the price of otherwise-worthless penny stocks.

On top of this, financial services institutions have to protect against numerous other attack vectors, both internal and external. Industrial espionage from industry competitors interested in gaining an economic advantage, hacktivists who wish to attack firms for political or ideological motives (including via distributed denial-of-service attacks), and employees (or those who have been granted access to systems) who misuse the institution’s systems – either accidentally or deliberately – must all be addressed by financial services firms and businesses on a continuous - and costly - basis.

However, whilst this latest ‘hack for securities fraud’ scheme highlights yet another vulnerability suffered by financial services institutions, it’s not a unique or new attack vector. This scheme is similar to one from 2005 in which a group of Estonian cyberattackers hacked into Business Wire to obtain news releases to inform their own trades, and another potential scheme from 2014 by sophisticated hackers ‘Fin4’ aimed at stealing market-sensitive information about deals from the email networks of large financial and pharmaceutical companies.

The main concern to financial services institutions in this new case, perhaps only just more so than the fact that the global nature of the scheme and targeting of numerous business newswire service providers makes it much broader than those previously uncovered, is the fact that their own skilled employees teamed up with expert hackers; combining two separately prominent risk areas. Whilst the cost of investing in adequate cyberdefences – both internal and external - is growing, it is a necessary mitigation against the litigation risk, regulatory risk, and reputational risk posed to financial services institutions; especially where there is a risk that the public may view the firm as having failed to prevent, or to have inadequately responded to, a cyberattack.

UK firms must take note of this significant US case and adopt a holistic approach to cybersecurity across all aspects of their businesses to address the constant and evolving threat of cyberattacks. Hackers are becoming increasingly advanced in their efforts, and by teaming up with industry insiders, are threatening age-old institutions with new-age technology.

For further information, please contact Emma Wright.

[1] Section 1(1) of the Criminal Law Act 1977

[2] Proceeds of Crime Act 2002

[3] Criminal Justice Act 1993

[A2] There are also other non-CMA offences which can be brought re hacking. If you look here, the CMA cases also usually have other offences with them: http://www.computerevidence.co.uk/Cases/CMA.htm