On June 28, 2018, the Securities and Exchange Commission ("SEC") charged Sudhakar Reddy Bonthu, a former software engineering manager at Equifax, with insider trading, alleging[1] that Bonthu traded on confidential information he received while creating a website for consumers impacted by the company's September 2017 data breach, which exposed Social Security numbers and other personal information of approximately 148 million US customers.
This is the second case the SEC has filed arising from alleged insider trading related to the Equifax data breach.[2] These cases underscore the importance of maintaining robust internal controls around issues of cybersecurity, as well as a process for careful monitoring of trading by those who may have material non-public information ("MNPI") about a data breach.
The SEC alleges that Bonthu was told the website he was building was for an unnamed potential client, but based on information he received, he concluded that Equifax itself was the victim of the breach. He violated company policy when he traded on this MNPI by purchasing Equifax put options. Less than a week later, after Equifax publicly announced the data breach and its stock declined nearly 14 percent, Bonthu sold the put options and netted more than $75,000, representing a return of more than 3,500 percent on his initial investment.[3]
These cases, as well as other SEC enforcement actions and recent guidance, highlight the SEC's focus on the intertwined issues of cybersecurity, insider trading and disclosure controls. SEC guidance released earlier this year addressed, among other things, the risk of insider trading in the event of a data breach,[4] and a recent speech by SEC Commissioner Robert Jackson highlighted the importance of having an insider trading policy that prohibits insiders from trading around the time of a cyber event.[5]
In light of this continued focus, companies should consider implementing robust internal controls and procedures that ensure adequate disclosure of material cybersecurity matters and prevent insiders from trading on MNPI related to cybersecurity risks and incidents. Specifically, companies should:
- include appropriate safeguards in their insider trading policies and procedures to protect against corporate insider trading on the basis of knowledge about a cyber incident before public disclosure of such incident is made. Companies should ensure that the procedure for defining or identifying designated persons who must pre-clear their trades in the company's stock is sufficiently broad, taking into consideration any individuals who may have access to cybersecurity-related MNPI;
- consider adding cyber events as a specific example of the types of developments that could constitute MNPI to their insider trading policy, in order to make clear that knowledge of such events may qualify as MNPI in the context of insider trading;
- consider implementing training that explores various scenarios under which the sale of company stock may be in violation of the insider trading policy and explains the risks and ramifications of trading on MNPI; and
- ensure there are procedures in place to relay cybersecurity events in a timely manner to the individual who administers the company's preclearance policy.
[1] Available here.
[2] In March 2018, the SEC charged a former chief information officer of a US business unit of Equifax with insider trading in advance of the company's announcement of the data breach. Jun Ying, who was next in line to be the company's global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax's public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, resulting in profits of nearly $1 million. The SEC's complaint is available here.
[3] Bonthu was terminated from Equifax in March 2018 after refusing to cooperate with an internal investigation into whether he had violated the company's insider trading policy. In a parallel proceeding, the US Attorney's Office for the Northern District of Georgia filed criminal charges against Bonthu.
[4] For additional information on the SEC's February 2018 guidance, see our prior alert, "SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures: Greater Engagement Required of Officers and Directors".
[5] Commissioner Jackson's recap of some key takeaways from this speech can be found here.
© 2018 White & Case LLP