The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event.  These risks come in two forms.

First, there is the risk that someone (either inside or outside the company) has gained unauthorized electronic access to material nonpublic information (“MNPI”) about the company or one of its business or transaction partners, and will use that information for illegal securities trading purposes.  On July 6, a jury in Brooklyn convicted two traders for securities fraud, money laundering and computer intrusion for using hacked press releases to trade on MNPI.  To reduce that risk, companies can adopt various cybersecurity measures such as two-factor authentication, access controls, encryption, phishing training, network segmentation, and system monitoring.  Davis Polk’s Cyber Portal 2.0, which is now available to our clients, provides detailed checklists and other resources to help companies reduce cybersecurity risks.

The second kind of insider trading risk arises when there is a cyber event that is material to the company, but not yet publicly known.  Information is “material” if a reasonable investor would consider it important in making an investment decision.  A shorthand for “materiality” in this context is information that, if known to the market, could have a negative impact on the company’s stock price.  This second risk arises when someone inside the company becomes aware of the breach and may decide to sell or short company stock, or tip a relative or friend, in anticipation of a disclosure that is likely to have a negative effect on the company’s stock price.  On July 2, Sudhakar Bonthu, a former Equifax software manager, agreed to plead guilty in a criminal insider trading case and settled a parallel civil case brought by the SEC.

In August of 2017, Bonthu had been assigned to help an unnamed Equifax client design a program that would allow the client’s customers to know if they had been affected by a data breach.  Various clues (such as the fact that the breach affected at least 100 million customers) led Bonthu to surmise that the breach victim was actually Equifax itself.  On September 1, Bonthu used his family’s private brokerage accounts to purchase put option contracts for Equifax stock, selling them a week later.  That sale was one day after the public was notified about the Equifax breach, which preceded a 33% decline in the value of Equifax shares over the following week, allowing Bonthu to realize over $75,000 in profit.  As part of the SEC settlement, Bonthu agreed to forfeit his profits.  A similar case against Jun Ying, the former Chief Information Officer of Equifax’s United States Information Systems business unit, is ongoing.  Ying is also alleged to have figured out that Equifax had been breached on his own, and to have traded Equifax stock before the breach was publicly disclosed.  The Equifax cases highlight the importance of insider trading policies and trainings addressing cyber events.

Most companies have procedures in place to keep employees from spreading or misusing confidential information that the company knows they possess.  For example, many companies have policies that provide for notification to employees who are aware of a significant corporate event that they are “blacked out” from trading (or tipping others); companies should consider using these policies when a cybersecurity event occurs.  Also, companies often require preclearance for trading by executives and others who are likely to access MNPI on a regular basis, giving the company the ability to prevent trading by people who may have access to the information (or who may have difficulty later proving that they did not have access to it).  But it is not clear that either of these practices would have prevented the trading in the Bonthu or Ying cases because the company was not aware they possessed MNPI about the breach.

Those cases illustrate that companies should consider putting employees on notice of the risks of trading with knowledge of a cyber breach as part of their insider-trading policies and trainings—in the same manner that many policies highlight the risk of trading with knowledge of items such as unannounced earnings or M&A activity.  For example, companies may want to examine their insider trading policies to ensure they expressly address cybersecurity events.  Companies should also consider requiring preclearance for senior executives, information security personnel, and anyone else likely to become aware of material non-public cyber events.

Recent SEC guidance also provides that companies experiencing a potentially material non-public cyber event should consider ways to reduce insider trading risk.  So, for any group of employees who do not have a preclearance requirement, but who might learn of an ongoing cyber event that is potentially material, companies may consider notifying them that they cannot trade until further notice or reminding them of the general restrictions under the insider trading policy of trading while in possession of MNPI.  Finally, companies should consider including cybersecurity issues in their training on insider trading, and having cyber insider incident response plans provide that potentially material cyber events are escalated to someone who is involved in making decisions on trading restrictions.

The authors gratefully acknowledge the assistance of summer associates Danielle Leibowitz and Chris Combs in preparing this entry.