The Equifax hack has taken another twist – one that raises questions that every public company should consider.
Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Securities and Exchange Commission (SEC).
The charges should serve as a cautionary tale for all public companies, underscoring the need for “prophylactic measures” to prevent insider trading before public disclosure of a data breach.
These are the first actions filed against a current or former employee related to the Equifax hack, in which the personal information of nearly 148 million U.S. consumers was compromised, including Social Security numbers, dates of birth and addresses. We have extensively covered the continuing fallout of the Equifax breach, including most recently here.
In updated cybersecurity disclosure guidance issued by the SEC last month, the Commission highlighted the risk posed by insiders who trade securities between the time a breach is discovered and its public disclosure. As we noted in our recent client alert, the Commission “encourages” public companies to implement policies and procedures – including internal controls – to prevent trading on material non-public information relating to cybersecurity risks and incidents.
The guidance should spur companies to revisit their incident response plans, and if appropriate, consider imposing a temporary trading halt for insiders in defined circumstances. Companies would be “well-served,” suggests the SEC, by implementing a trading halt plan while investigating and assessing data breaches. The guidance recommends that companies adopt trading restrictions to avoid even the “appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.” Such measures, according to the guidance, should be part of comprehensive efforts to ensure that codes of ethics and internal policies properly anticipate the heightened risk of insider trading during a breach incident.
The guidance also reinforces the SEC’s renewed prioritization of cybersecurity disclosure as part of its broader mandate to regulate the threats cybersecurity incidents pose to the financial system. The SEC, for instance, also warns against disclosing cybersecurity incident information selectively and reminds companies to disclose incident information on Form 8-K to manage the risk of selective disclosure. This updated guidance thus solidifies the SEC’s position that failing to maintain adequate cybersecurity controls poses “grave threats to investors, our capital markets, and our country.”
The government’s charges against Ying allege that he sent a text message to a colleague, saying that the hack “sounds bad.” Ying then allegedly searched the web to research how Experian’s 2015 breach impacted its stock price. Ying – it is alleged – exercised all of his available employee stock options and then sold his shares, netting nearly a million dollars in proceeds before the breach was disclosed in September 2017. The trade avoided more than $100,000 in losses, it is alleged.
These charges are not connected to concerns, which surfaced shortly after the breach was disclosed, that some top Equifax executives had sold shares soon after Equifax first discovered suspicious activity in its systems in late July 2017. Those executives were cleared by an internal investigation conducted by the company.
We will continue to monitor developments in this area.