Regulators’ enforcement priorities evolve alongside technological change and in response to consumer-impacting activity that makes headlines. One example is the SEC’s relatively recent focus on monitoring, and bringing formal actions against, opportunistic stock trading by corporate insiders who have advance knowledge of enterprise security incidents and data breaches.

As the SEC described in its 2018 guidance intended to assist public companies in preparing disclosures about cybersecurity risks and incidents: “Companies and their directors, officers, and other corporate insiders should be mindful of complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.”

What follows is an overview of an article published in Cybersecurity Law Report (subscription paywall) last week by Greenberg Traurig’s Darren Abernethy regarding the interplay between corporate insider trading and cybersecurity incidents, including some possible planning steps for businesses to consider with legal counsel.

Insider Trading Definition and Policy Rationales

Insider trading takes different forms, but at its core it involves trading on material nonpublic information in breach of a duty—either a fiduciary duty to the shareholders (the “classical” theory) or a duty to the source of the information (the “misappropriation” theory)—in order to make a profit or avoid a loss. More formally, Rule 10b5-1(a) under the Securities Exchange Act of 1934 (Exchange Act) describes the prohibited conduct as trading a security “on the basis of material nonpublic information about that security or issuer, in breach of a duty of trust or confidence that is owed directly, indirectly, or derivatively, to the issuer of that security or the shareholders of that issuer, or to any other person who is the source of the material nonpublic information.”

Although there are many legal rationales for insider trading laws, one of the central policy rationales is that open investment markets and exchanges depend on buyers and sellers having access to the same information in order to be efficient. In theory, markets reward investors for foresight and analytical skill, so permitting those with privileged, advance knowledge of critical nonpublic information to exploit it is understood as a threat to the equilibrium that underpins trading markets. Exploitation of material nonpublic information by insiders for their own gain undermines investor confidence in the fairness and integrity of globally interconnected securities markets.

Insiders may trade once the information they hold has been released to the public; trading beforehand would give the insider a direct advantage over other investors.

Officers, Directors, Employees

Insider trading can occur when officers, directors, or employees of an organization come into possession of information not otherwise available to the general public and then buy or sell securities before that information is published, in order to make personal gains or avoid losses. These insiders are fiduciaries of the organization: they act on its behalf—including in managing its assets and overall valuation—and so owe a duty of good faith and trust to the shareholding owners as part of acting ethically and in the organization’s best interests.

Insider Trading By Third-Parties

Insider trading can also be committed by individuals who provide professional services to an organization, such as lawyers, printers, cybersecurity/IT specialists, bankers, and finance professionals, who may likewise be fiduciaries or who, at a minimum, have access to sensitive documentation and corporate knowledge as a condition of providing their services. The same may be true of government officials who learn of a company’s activities in a confidential, official capacity and then trade on the information.

Security Incidents and Insider Trading

Cybersecurity incidents—and the stock market’s reaction when they are disclosed—are potentially serious business and economic matters for organizations. Public knowledge that a company’s data assets have been breached may depress its stock price (and, by extension, its overall valuation). Advance knowledge of a security incident is therefore sensitive, and potentially material, information.

At the same time, the proliferation of mandatory data breach notification laws in U.S. states, together with notification regimes around the world, from the E.U.’s GDPR to China’s Cybersecurity Law, has increased the likelihood that organizations will have to publicize data breach events that in the past might never have been disclosed to the market. The window between an incident being discovered internally and its becoming public is where the insider trading risk lies.

Common forms of insider trading that could take place in relation to known or suspected data breaches include:

  • Buying put options. This entails, for example, purchasing the right to sell a security at a specified price by a specified date upon learning of an as-yet-nonpublic cybersecurity incident. The insider is, in essence, betting that the company’s stock price will fall when the news becomes known, and so positions themselves to profit from the company’s loss.
  • Selling shares or exercising vested stock options after learning of a data breach but before any public announcement of it. Questions in this scenario often revolve around when the company and the individuals involved actually “became aware” of the breach. Regulators and prosecutors may face difficult determinations as to whether an insider actually had knowledge of a breach; whether that knowledge or information was material; and whether someone merely deduced or inferred something and traded on that suspicion without formal knowledge.

Prevention and Mitigation Considerations

Given the SEC’s pointed references to insider trading in the context of cybersecurity incidents, companies may wish to shore up their internal practices and prophylactic measures in this area. A robust approach may include clarifying policy, including the use of trading bans; investing in IT and security infrastructure so as to prepare for, and where possible prevent, a security incident in the first place; and socializing across the organization—including to partners and service providers—that compliance with this area of the law is of paramount importance.

Ex Ante: Prevent a Data Breach With Strong Cybersecurity Practices

Organizations can take certain measures in advance to decrease the likelihood of a data breach and assist with mitigation. Some of these measures include the following:

  • evaluating the data flows into and out of the organization and inventorying the categories of data collected (which is needed in any case to apply the “personal information” definitions in data breach notification laws), with an eye toward minimization—keeping only the data currently necessary for given business activities;
  • having stakeholders from across the organization participate in a council or team responsible for monitoring and reporting on privacy and security matters;
  • having a thorough evaluation process, and appropriate contractual obligations, for potential vendors; and
  • adopting strong, scalable, and actively maintained security measures, such as the Center for Internet Security’s (CIS) 20 Critical Security Controls, and following the FTC’s “Start With Security” guidance on practices such as encryption, network segmentation and firewalls, and monitoring.

Investment in people, process, and security technology lets an organization detect intrusions sooner, secure its systems, and have proper, tested procedures in place before an incident occurs.

Clarified Corporate Policies and Trading Bans

Many organizations have general corporate policies that require employees to acknowledge that insider trading is against the law and against company policy, and that engaging in it will result in disciplinary action up to and including termination, and potentially civil charges or criminal prosecution.

But an area where many organizations could stand to give more attention is clarifying their anti-insider-trading policies specifically in relation to data breaches. The SEC has stated in guidance, “We encourage companies to consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents. The Commission believes that it is important to have well designed policies and procedures to prevent trading on the basis of all types of material non-public information, including information relating to cybersecurity risks and incidents.” Such policies also signal that the company wishes to avoid even the appearance of impropriety by its employees during a security incident, ahead of any announcement of the event.

For instance, trading blackout periods—which prevent trading by insiders while significant events or changes are taking place within a company—can be clarified or given heightened emphasis. The blackout mechanism can be written into the incident response plan (IRP) or other company protocols for a suspected data breach, and should specify how such a blackout period will be triggered, who it applies to, and how it will be communicated. Other IRP considerations include limiting who has access to information about an incident (and keeping a record of who has been brought into the loop, so the blackout can be applied to exactly that group), storing incident documentation in access-controlled locations, and implementing a review and approval process for stock sales post-incident.

Whereas such “significant events” historically centered on mergers, acquisitions, earnings reports, and other fundamental corporate changes, a suspected data incident can rise to the level of necessitating a temporary trading ban, to protect both the organization and its employees. Such a blackout period could apply to insiders from the time a suspected security incident is discovered until the breach has been publicly announced. Keying the start of the blackout to discovery of a suspected incident, rather than to its confirmation, also sidesteps later arguments over exactly when the company “became aware” of the breach.

Policy changes can be reinforced through employee training that walks through the likely scenarios in which this issue arises. Tabletop exercises that present sample scenarios in which insider trading has or has not occurred can likewise help drive the point home for insiders, employees, and staff. If not already present, companies may wish to document the consequences—termination and referral for prosecution—in internal employee policies and to include them as part of onboarding and offboarding.

Vendor and Partner Contracts

Contract templates may also benefit from an update if they do not address insider trading, or if they need to make clear that using nonpublic information gleaned while providing business services to trade in the securities markets is a financial crime.

In most contracts, it may also make sense to incorporate by reference the organization’s insider trading policy or its overall code of conduct prohibiting opportunistic trading and any other illegal or unethical activity. Although breach of contract is a secondary consideration when something as serious as insider trading occurs, depending on the situation it may nonetheless be beneficial to specify such activity as grounds for termination, in addition to the civil liability and criminal consequences that could also follow.

***

For more information on Data, Privacy & Cybersecurity issues, visit GT’s Data Privacy Dish blog.