Federal claims that three Chinese hackers made millions in financial markets with information stolen from corporate dealmaking attorneys show U.S. law firms must invest in cybersecurity upgrades or risk losing some of their most lucrative clients.
The hacking allegations were made public Tuesday with the unsealing of a 13-count indictment accusing Iat Hong, Bo Zheng and Chin Hung of fraud, computer intrusion and insider trading in the theft of data on prospective acquisitions in the technology and pharmaceutical industries, said Preet Bharara, U.S. Attorney for Manhattan.
Hong, 26, of Macau, was arrested Sunday in Hong Kong. Zheng, 50, of Changsha, China, and Hung, also 50, of Macau, have not yet been arrested. The Securities and Exchange Commission, which filed a parallel action in civil court, identified the three as employees of information technology companies who penetrated New York law firms' computers from April 2014 through late 2015, focusing on the e-mails of partners working on mergers.
"Law firms need to upgrade their act in a number of ways," said Columbia Law School Professor John Coffee. "We've seen concerns raised about how law firm accounts are being used for money-laundering purposes, and now we're finding law firms are being victimized by hackers because they haven't engaged in the protections necessary."
Law firms specializing in mergers and acquisitions will need to hire consultants to help them set up tougher security systems, or corporations concerned about their confidential information being leaked will take their business elsewhere, Coffee said.
"Clients will demand more security," he said.
So-called M&A law firms should look at the practices of investment banks, which also handle sensitive information, he noted. "Investment banks have more security," Coffee said. "Law firms don't have as sophisticated protections as investment banking firms."
For example, he pointed to the SEC complaint, which described the hackers gaining access to one law firm's nonpublic network in April 2015 by compromising an information technology employee's user account and password. Law firms "will need to have more sophisticated systems than just giving passwords to employees," Coffee said.
Media reports have speculated that the targeted law firms included Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP. Both declined to comment.
While law firms, for the most part, already have sophisticated systems in place to protect themselves against employees or ex-employees who seek to trade on insider information, they are more vulnerable to hackers, said Thomas Gorman, a partner at Dorsey & Whitney in Washington who served at the Securities and Exchange Commission from 1978 to 1985, including a stint in the enforcement division.
The entire network of advisory firms involved in mergers and acquisitions will need to enhance their security, he said.
"People who want to do this can go after law firms, accounting firms, corporate advisory firms, investment banks and any of the companies that are involved," Gorman said. "All of the people involved in those deals need to step up their cybersecurity."
Information technology specialists "need to focus on how good their systems are and what they can do to make them safer," he added. "It is a continual battle of the upgrades."
This week's case marks the first time charges have been brought against foreign nationals for hacking U.S. law firms to obtain M&A data, said Isaac Boltansky, analyst at Compass Point LLC in Washington. "I expect we'll see more of this," he added.
The stolen information was used in trades on platforms operated by Manhattan broker-dealers and exchanges, according to the SEC's complaint, and trading by foreign nationals on non-U.S. exchanges might be more difficult for regulators to track.
Foreign nationals are likely to go to greater lengths to disguise their hacking and trading in the future, Coffee said.
"If you trade offshore, it is harder to detect," he said. "You could trade in the Cayman Islands."
Among the companies whose stock was affected by the trades was Intermune, a Brisbane, Calif.-based biotech firm purchased by Roche for $8.3 billion in August 2014. Court documents claim that the hackers had been tracking a different possible merger but had already purchased Intermune shares over a period of about two weeks. When the Roche deal was announced Aug. 25, the hackers sold 18,000 shares and picked up profits of almost $400,000, according to court records.
The second deal tracked by the hackers was Intel's merger with Altera. Though the $16.7 billion transaction wasn't announced until December 2015, it had been discussed for a year and the hackers had started buying shares in Altera in February, authorities said. When rumors of the deal were published in March, shares jumped 26% and the hackers allegedly sold off their shares in April, collecting $1.4 million.
The traders used the same model to track the $395 million Pitney Bowes deal with Borderfree in 2015. The trio allegedly tapped into a law firm's servers, pulled down partners' emails, then bought shares from April until May 5, the day before the deal went public. When it did, the traders sold their holdings and made $841,000, according to officials.