Some of the biggest law firms on Wall Street are scrambling to shore up their defences against cyber attacks, in the wake of a raid by Chinese hackers which led to millions of dollars of profits from insider trading.
Preet Bharara, US attorney for the southern district of New York, this week charged three individuals who he said infiltrated law firms over a period of about 18 months by hacking in to networks and servers.
Once inside, the gang targeted the email accounts of senior partners who worked on mergers and acquisitions. They then bought stock in at least five publicly traded companies which were the target of deals, netting profits of about $4m once the transactions were announced.
Reports of the probe earlier this year prompted law firms to try to plug gaps, efforts that are likely to be stepped up after the disclosure of criminal charges against the trio.
On Wednesday, New York’s Department of Financial Services added to the urgency by updating a proposed rule on cyber security regulation, which is due to come into force in March.
The rule, the first in the US, requires banks and insurers to make certain that their systems, and the systems of third-party vendors such as law firms, can handle the risks associated with cyber threats.
Two of the law firms advising on deals from which the hackers profited were Cravath, Swaine & Moore and Weil, Gotshal & Manges, according to announcements at the time. Both law firms declined to comment.
“It wasn’t us this time, but it could have been,” said a senior partner at another white-shoe law firm. “Every day people are trying to get in.”
The action is the latest in a series of cases of so-called “outsider trading”, which watchdogs see as an increasingly serious threat to securities markets.
Unlike classic insider trading, where executives trade stock based on material, non-public information learnt at the office, outsider traders typically have no connection to the company concerned and do not owe a fiduciary duty to anyone.
Last August, US authorities charged a gang of Ukrainian hackers, alleging that they made $30m in illegal profits by trading on stolen information from 150,000 press releases before they were made public.
That case inspired other Ukraine-based criminals to test the defences of big law firms, according to Flashpoint, an intelligence agency which says it picked up discussion on dark-web forums about a year ago.
The company put out an alert in March raising awareness of the risk of so-called “spear phishing”, in which hackers use highly targeted emails to trick users into inadvertently downloading software which then attacks their machines.
Similar techniques were used in the China attack, said the US government.
Law firms were seen as “kind of a soft target, because of their perceived lack of proper security hygiene”, said Vitali Kremez, a New York-based analyst in Flashpoint’s cyber crime intelligence unit.
Mr Bharara said that the Chinese hackers successfully breached “at least” two law firms, which he did not name, and targeted at least another five.
“This case of cyber-meets-securities fraud should serve as a wake-up call for law firms around the world,” he said. “You are, and will be, targets of cyber hacking, because you have information valuable to would-be criminals.”
Sample the FT’s top stories for a week
You select the topic, we deliver the news.