A former executive of the credit reporting company, Equifax, was charged with insider trading on Wednesday, March 14, 2018.  The accusation arose after an unpatched server was compromised leading to unauthorized disclosure of the personal information of over 145.5 million Equifax customers. According to the indictment, former Chief Information Officer Jun Ying allegedly sold nearly $1m worth of shares before the company publicly disclosed the breach.  The SEC is seeking disgorgement of the avoided losses in addition to civil monetary penalties. The SEC’s enforcement efforts here provide another example of how cybersecurity issues relate to white collar crime.

The SEC investigation relied primarily on Mr. Ying’s emails and text messages, which suggest that he searched online for information on how data breaches affected the stock price of other major credit bureaus. The SEC alleges that after running these searches, Mr. Ying exercised all of his Equifax stock options allowing him to trade in advance of the disclosure of the breach and to dodge over $117,000 in losses and gain more than $480,000 in proceeds. 

Trading by other Equifax executives, including the CFO, also are under scrutiny. The executives sold large amounts of shares before news of the breach became public, making over $2m in profits. However, a special committee formed by Equifax reportedly has cleared the executives of wrongdoing. As of today, Mr. Ying is the only executive facing criminal insider trading charges.

In its most recent Cybersecurity Guidance issued last month, the SEC stressed its concern about insider trading in connection with cybersecurity incidents. The Guidance warns that cybersecurity risks pose threats to investors as well as capital markets. Accordingly, it provides information for public companies on how and when they should disclose risks, vulnerabilities, and data breaches. 

The charges against Mr. Ying also show that preventing insider trading is an important part of a business’ comprehensive cybersecurity strategy, which can be done by paying attention to who is briefed on an incident and ensuring that these issues are anticipated in the company’s incident response plan.  In fact, a cybersecurity incident within a company should always be handled discreetly and with attention to “need to know” principles and avoidance of premature leaks to avoid tipping off hackers who may be monitoring a company’s emails in order to be able to detect any effort to dislodge them from being inside the network. 

The SEC’s rising expectations on cybersecurity risk management arrive on the heels of a broader US Government effort to address threats to public and private companies. Most recently, the US Government imposed fresh sanctions on Russian entities for cyber-attacks targeting hospitals, shipping companies, and the energy sector. This highlights the growing landscape of cybersecurity risks and signals the US Government’s interest in minimizing the damage to investors and market participants.

Companies should ensure that appropriate protocols are in place to oversee trading by senior officers, educate employees on insider trading regulations, and respond effectively to cybersecurity incidents. Clients should also remain attentive to changes in the SEC’s expectations on cyber security. Given the rising importance of cyber security in the private sector, the SEC is likely to issue further guidance for companies in the future.

The SEC press release can be read here and the compliant document can be found here

 

About Brown Rudnick

BROWN RUDNICK LLP, an international law firm with offices in the United States and Europe, represents clients from around the world in high-stakes litigation, international arbitration and complex business transactions. Clients include public and private corporations, multinational Fortune 100 businesses and start-up enterprises. The Firm also represents investors, as well as official and ad hoc creditors’ committees in today’s largest corporate restructurings, both domestically and abroad. Founded more than 70 years ago, Brown Rudnick has over 240 lawyers providing advice and services across key areas of the law. Beyond the United States, the Firm regularly serves clients in Europe, the Middle East, North Africa, the Caribbean and Latin America. With its Brown Rudnick Center for the Public Interest, the Firm has created an innovative model combining its pro bono, charitable giving and community volunteer efforts. 

FOR QUESTIONS OR MORE INFORMATION, PLEASE CONTACT:

Anupreet Amole

P: +44.20.7851.6118

F: +44.20.7851.6100