- Mike McCormick
When Insiders Profit from Cyber Breaches
One outrageous thing we learned about the Equifax breach (among many) is that three corporate executives sold company stock after the breach was discovered but not yet disclosed. Equifax stock tumbled 35% when the attack was announced, but by then insiders had already unloaded their shares and earned nearly two million dollars.
If those executives knew about the breach, this is troubling. No one should profit from a cyber-attack, especially not officers of the victim company. It would be insider trading of the worst kind, leaders profiting from their own mistakes, while consumers and shareholders suffer.
The watchdog agency that polices insider trading is the US Securities and Exchange Commission (SEC). They have yet to accuse anyone at Equifax, but reportedly asked federal prosecutors and FBI to investigate.
Last week SEC also issued updated guidance for publicly traded companies who become cyber-attack victims. While it mostly reinforces earlier rules requiring companies to disclose cyber breaches to shareholders, it also clarifies expectations on insider trading.
Earlier SEC breach disclosure rules, dating back to 2011, were written by career staffers. What’s different this time is the guidance came from the Commissioners themselves. By doing so, SEC hoped to send a strong signal to companies like Equifax.
Unfortunately, that signal was undermined by partisan divisions among the Commissioners, starkly exposed in three competing SEC press releases, all issued on the same day:
In the SEC’s primary press release, Commission Chairman Jay Clayton said “I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He also left the door open to further action, promising to “consider feedback about whether any further guidance or rules are needed.”
A press release from Commissioner Kara Stein stated “I am disappointed with the Commission’s limited action.” Stein questioned whether “re-issuing staff guidance solely to lend it a Commission imprimatur” would realistically make “companies, their general counsels, and their boards suddenly take notice of their cyber-related disclosure obligations because of the Commission’s new endorsement.” She felt “the Commission ignored pleas from issuers, investors, market participants, and members of Congress to do more.”
Yet another press release came from Commissioner Robert Jackson. “The guidance essentially reiterates years-old staff-level views on this issue,” Jackson lamented. “But economists of all stripes agree that much more needs to be done.”
While the latest SEC guidance breaks little new ground, and was undermined by dueling statements from the Commissioners, it does remind corporate executives that profiting from inside knowledge during a security incident is unacceptable, unethical, and illegal.
The guidance states “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” It asks companies to “consider how their code of ethics and insider trading policies [can include] prophylactic measures [to] protect against … insiders trading on the basis of material nonpublic information before public disclosure of the cybersecurity incident.”
SEC keeps US markets fair and free. Healthy free markets reward good business decisions and punish bad ones. When corporate leaders profit from reckless choices that hurt their company, they have little incentive to do better, even if the company’s stock suffers. In capitalist economics, this is known as Moral Hazard. In cyber security, it’s known as Insider Threat.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.
UPDATE 3-14-2018: The SEC filed insider trading charges against Equifax CIO Jun Ying, and continues to investigate other executives who sold stock before the breach was disclosed.