This week, Steven Oakes was sentenced to three years in prison after pleading guilty to 70 charges of insider-trading and 43 serious charges of ‘alteration of electronic devices required by ASIC’.
In episode 49 of The ASIC Podcast, AISC Investigator Anthony Vardy indicated that, at the time Oakes committed his offences, the maximum penalty was 10 years imprisonment; however, laws have since changed, and the maximum penalty is now 15 years.
The alteration was discovered during the course of the investigation after forensic examination of Oakes’ devices by ASIC, which showed that Oakes had deleted data related to the investigation. These actions came just one year after the IT consultant had been charged with insider-trading.
The regulator noted the emergence of cyber-related offences in financial markets, and has called on other regulated entities to improve their own cyber resilience to mitigate these kinds of breaches.
Oakes’ plea hearing was held in the Melbourne County Court last week, with sentencing coming through earlier this week.
The conduct regulator indicated that, between the period of January 2012 and February 2016, Oakes hacked into the network of the Melbourne-based financial publisher, Port Phillip Publishing. The regulator further alleged that Oakes used this information on 70 different occasions to buy shares for 52 different companies.
Oakes‘ behaviour was captured by ASIC’s monitoring system, with the regulator then able to make the connection between the publication of the financial information and trades.
“Technology-enabled offending, including cyber-related market misconduct, has been a priority for ASIC’s Enforcement teams. Despite the sophistication of cyber criminals, ASIC can identify and investigate suspicious market activity connected to computer hacking activities, as it did in the case against Mr Oakes. Traders should be aware that ASIC continues to focus on cyber-related offending,” ASIC Commissioner Cathie Armour said, earlier this week.
The development of cyber resilience in the financial market
In 2017, ASIC released a report looking at cyber resilience preparedness in 29 large firms and 72 small and medium enterprises (SMEs) and found that 74 per cent, at the time, had well-managed systems and 66 per cent had evidence of cyber incident response plans.
At the time, Commissioner Armour said that, “Cyber resilience is not just an IT issue but one that requires a whole-of-organisation response. The dynamic nature of cyber threats requires a comprehensive and long-term commitment to cyber resilience by all organisations operating in the Australian economy.”
In episode 49 of The ASIC Podcast, the Oakes case was explored, outlining how Oakes, or Steven 666, as was his trading name, exploited the vulnerabilities in the financial publishing company. These included:
Vulnerabilities in Wi-Fi access to get login details; and
Vulnerabilities in security updates, as not everyone in the company changed their passwords.