On June 28, 2018, the Securities and Exchange Commission ("SEC") charged Sudhakar Reddy Bonthu, a former software engineering manager at Equifax, with insider trading, alleging[1] that Bonthu traded on confidential information he received while creating a website for consumers impacted by the company's September 2017 data breach, which exposed Social Security numbers and other personal information of approximately 148 million US customers.
This is the second case the SEC has filed arising from alleged insider trading related to the Equifax data breach.[2] These cases underscore the importance of maintaining robust internal controls around issues of cybersecurity, as well as a process for careful monitoring of trading by those who may have material non-public information ("MNPI") about a data breach.
The SEC alleges that Bonthu was told the website he was building was for an unnamed potential client, but based on information he received, he concluded that Equifax itself was the victim of the breach. He violated company policy when he traded on this MNPI by purchasing Equifax put options. Less than a week later, after Equifax publicly announced the data breach and its stock declined nearly 14 percent, Bonthu sold the put options and netted more than $75,000, representing a return of more than 3,500 percent on his initial investment.[3]
These cases, as well as other SEC enforcement actions and recent guidance, highlight the SEC's focus on the intertwined issues of cybersecurity, insider trading and disclosure controls. SEC guidance released earlier this year addressed, among other things, the risk of insider trading in the event of a data breach,[4] and a recent speech by SEC Commissioner Robert Jackson highlighted the importance of having an insider trading policy that prohibits insiders from trading around the time of a cyber event.[5]
In light of this continued focus, companies should consider implementing robust internal controls and procedures that ensure adequate disclosure of material cybersecurity matters and prevent insiders from trading on MNPI related to cybersecurity risks and incidents. Specifically, companies should:
- include appropriate safeguards in their insider trading policies and procedures to protect against corporate insider trading on the basis of knowledge about a cyber incident before public disclosure of such incident is made. Companies should ensure that the procedure for defining or identifying designated persons who must pre-clear their trades in the company's stock is sufficiently broad, taking into consideration any individuals who may have access to cybersecurity-related MNPI;
- consider adding cyber events as a specific example of the types of developments that could constitute MNPI to their insider trading policy, in order to make clear that knowledge of such events may qualify as MNPI in the context of insider trading;
- consider implementing training that explores various scenarios under which the sale of company stock may be in violation of the insider trading policy and explains the risks and ramifications of trading on MNPI; and
- ensure there are procedures in place to relay cybersecurity events in a timely manner to the individual who administers the company's preclearance policy.