In charging former Equifax IT executive Jun Ying with insider trading, the US Securities and Exchange Commission has brought a first-of-its-kind case involving confidential knowledge of material nonpublic cyber-related information.
Ying is alleged to have sold almost $1m of shares in Equifax after correctly deducing that the company had suffered a major data breach. The allegation is based on Ying acting before anything about the attack was disclosed to the public.
The SEC complaint came just three weeks after the agency released a statement and interpretive guidance warning firms of their duties to the public and investors concerning their approach to disclosure of breaches and other cyber risks. The agency said it would continue to probe public companies’ cybersecurity disclosures as well as oversight and compliance obligations, including their insider trading policies and procedures.
Similar controversies are swirling around the chip maker Intel, following CEO Brian Krzanich’s decision to sell $39m in company stock while news of the massive Meltdown and Spectre vulnerabilities was looming internally but still hidden from the public.
The SEC said that companies must disclose such incidents to investors in a “timely” manner, and warned executives and directors explicitly not to trade in their companies’ shares during the sensitive period between discovering any “material” security problem and fully informing the public.
“Directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company,” the SEC said in the guidelines.
Policies and procedures must be put in place or updated to guard against any corporate insider taking advantage of the period between the company’s discovery of a cybersecurity incident and the subsequent public disclosure of that incident to trade on material nonpublic information, it said.
“Going forward, it seems clear that the Commission is likely to pay greater attention to board involvement in cybersecurity risk and incident oversight generally,” said Edward McAndrew of Ballard Spahr LLP. “As with other regulators, we also expect greater scrutiny of the investigations that follow the discovery of incidents, and the timeliness and accuracy of disclosures relating to such incidents.”
Charging Ying, an officer of a US business unit of Equifax, with insider trading offers several lessons for compliance and surveillance teams looking to improve their monitoring systems by taking in communications, transaction reports, and even the search history of employees.
“Companies should consider the adequacy of their existing disclosure controls and procedures related to cybersecurity matters, in particular regarding timely escalation of risks and events,” said Trudy-Anne McLeary, associate at Manatt, Phelps & Phillips law firm. “In some cases, companies may need to engage technical experts to assist in creating policies tailored to their unique risk profiles.”
In addition to policies and controls, firms are also advised that timely disclosure in SEC filings is a critical element of an overall approach to cyber events.
According to the SEC, Ying, who was next in line to be the company's global CIO, allegedly used confidential information entrusted to him by Equifax to work out that it had suffered a serious breach in advance of the company’s September 2017 announcement that hackers had accessed the social security numbers and other personal information of about 148m US customers.
Investigators said Equifax had set up an internal team, of which the defendant was not a part, to deal with the breach, limiting the number of people who knew of the situation.
Through a series of communications with various colleagues, and information from other sources regarding canceled travel plans and “mad scrambling” internally, Ying allegedly concluded that Equifax must have been the victim of a data breach to which other personnel had been assigned.
In particular, following a conversation with the then-current global CIO, the defendant allegedly sent a text message to his direct report at the company, stating that he was “[o]n the phone with [global CIO]. Sounds bad. We may be the one breached.… Starting to put 2 and 2 together.”
The morning after that conversation, Ying allegedly used a search engine to find information concerning the September 2015 cybersecurity breach of Experian, another one of the three major credit bureaus, and the impact that that breach then had on Experian’s stock price. The search terms used by Ying were: (1) “Experian breach”; (2) “Experian stock price 9/15/2015”; and (3) “Experian breach 2015.”
Shortly after this, the complaint alleges, the defendant proceeded to exercise all of his vested options to purchase Equifax shares before selling them on the open market prior to any public disclosure of the data breach, raking in nearly $1m and also avoiding a potential loss of approximately $117,000.
Given how advanced monitoring techniques are at both the SEC and other regulators such as the overseer of the securities industry, the Financial Industry Regulatory Authority, any anomaly where huge blocks of stock are sold during certain sensitive periods will immediately attract attention.
The market supervisors are looking for trading activity that occurs before, during and after a large company announcement, using increasingly sophisticated technology.
Trading volume in Equifax jumped significantly during the turbulence, recording a thirty-fold leap from the previous day’s volume of approximately 518,000 shares.
Ying was called back to the office on August 29, the day after he exercised his options, while traveling on business, and informed of the breach. He was also told that the breach information was confidential, that it should not be shared with anyone, and that he should not trade in Equifax securities. Ying did not volunteer the fact that he had exercised and sold all of his vested Equifax options two days before.
On September 15, Ying was offered the role of global CIO following his predecessor’s resignation when the trading activities came to light and an investigation was opened. One month later he was fired just as he offered to resign.
The SEC wants Ying to pay back the money, plus interest, that he saved by selling the shares before the disclosure, along with a judgement prohibiting him from being employed as an officer or director of any publicly traded company.
Ying is not the only executive who has faced scrutiny for selling shares ahead of the public disclosure of the breach. Three other senior executives, including the chief financial officer, the president of workforce solutions and the president of US information solutions, also sold hundreds of thousands of dollars in shares just days before the firm went public with the breach.
The Commission takes a dim view of the matter, and its guidance reiterates the message regarding the disclosure of cybersecurity-related matters.
The civil complaint against Ying, coming on the heels of the guidance, demonstrates the Commission’s scrutiny of the intertwined issues of cybersecurity, insider trading and disclosure controls, said McLeary.
“Viewed in tandem, the guidance and the complaint provide the beginnings of a road map to understanding the risks in this area and potential solutions,” she said. “In commencing the Equifax civil action, the Commission has certainly made clear its belief that cybersecurity incidents may well constitute material nonpublic information, but perhaps more important, it has illustrated the real-world challenges of securities compliance in the midst of responding to cyber and other major incidents.”
Experts predict the SEC will continue to examine cybersecurity disclosure and compliance obligations as it analyzes the sufficiency of the disclosures that it receives, and firms are reminded to review their insider trading policies to ensure that they specifically include cyber-related matters as one of the types of material nonpublic information on the basis of which the trading of securities is prohibited.
“Additionally, insider trading policies should be accompanied by adequate training that explores various scenarios under which the sale of company stock may be in violation of the policy, and explains the risks and ramifications of trading on material nonpublic information,” said McLeary.