[BreachExchange] You Might Be an Inside Trader If…You Trade on Your Unconfirmed Suspicions of a Cybersecurity Event Prior to Its Public Revelation or Disclosure

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 29 15:00:59 EDT 2018


https://www.jdsupra.com/legalnews/you-might-be-an-inside-trader-if-you-59933/

Earlier this year, the SEC released cybersecurity guidance addressing,
among other things, the risk of insider trading in the event of a data
breach. This risk comes in multiple forms, including the intruders trading
on stolen information and insiders trading on the knowledge of the breach
itself. The SEC demonstrated its willingness to address the latter
situation in the recent insider trading case against Jun Ying, the former
chief information officer of Equifax’s United States Information Systems
business unit.

This past March, the DOJ indicted Ying with securities fraud and insider
trading, while the SEC brought parallel civil charges. Upon discovering
that it had suffered a major cybersecurity breach, Equifax immediately
formed various response teams to address the breach. Only one of the teams
was informed that Equifax was the victim of the breach. The other teams
were told they were working on a “business” or “breach” opportunity for an
unnamed client. Initially, Equifax instituted a trading blackout, but only
for its employees who were told of the breach. Both the criminal indictment
and the SEC complaint allege that Ying, who was not on the team that was
informed of the breach, nonetheless concluded that the “unnamed client” was
actually Equifax. The complaint and indictment both cite a text Ying sent
to another employee stating that the breach “sounds bad” and “We may be the
one breached . . . I’m starting to put 2 and 2 together.” Ying subsequently
exercised all of his vested Equifax options and immediately sold those
shares for approximately $950,000, thereby avoiding more than $117,000 in
losses. The day after exercising his Equifax options, Ying was notified of
the breach by Equifax’s counsel, and instructed not to trade on that
information. An internal investigation conducted several months later
revealed Ying’s trading and he was asked to resign.

Ying’s case stands out for two reasons. First, the CIO is facing civil and
criminal liability not for trading on information he obtained, but for
independently concluding his employer was the victim of a breach. Here, the
SEC and DOJ are applying a broad interpretation of the insider trading
knowledge requirement. Under Rule 10b5-1, a trade is “made ‘on the basis
of’ material non-public information . . . if the person making the purchase
or sale was aware of the material nonpublic information when the person
made the purchase or sale.” As the CIO argued in his June 11, 2018 motion
to dismiss, the indictment “describes little more than an employee who
exercised options after being lied to by Equifax about the ‘material
nonpublic information’ at issue.”

Second, the case illustrates the need for public companies to closely
consider their procedures for responding to a breach, including their
processes for issuing trading blackouts during investigation of the breach,
and how and when to communicate with employees who are not part of the core
incident response team. The Equifax case demonstrates that even careful
planning cannot prevent inadvertent discovery of material non-public
information.
Public companies should also consider revising their incident response
plans to include provisions for issuing trading blackouts — when to issue,
to whom, by what process, and for how long. Companies should also consider
revising their insider trading policies or offering additional employee
training to address instances in which employees may obtain (whether
directly or indirectly) non-public information regarding a potential data
breach impacting the company or its customers.