In the first-ever insider trading case stemming from a cybersecurity attack, the SEC filed civil charges against the former Chief Information Officer of Equifax's United States Information Systems business unit for trading on material nonpublic information.

According to the SEC complaint, Jun Ying was among a select few in the company entrusted with information from which he deduced that Equifax had been the victim of a catastrophic data breach. Shortly thereafter, Mr. Ying allegedly exercised all of his vested options to buy Equifax shares, and then immediately sold those shares for total proceeds of more than $950,000. Several days later, Equifax publicly disclosed the breach, resulting in a same-day drop of nearly 14% in the firm's share value. In selling his shares prior to the public disclosure, Mr. Ying avoided more than $117,000 in losses that he would have suffered had he not sold until after news of the breach became public. Mr. Ying, who had recently been offered the position of global Chief Information Officer of Equifax, had the offer withdrawn once his trading activities were discovered, and was permitted to resign following the conclusion of an internal investigation.

In a complaint filed in the U.S. District Court for the Northern District of Georgia, the SEC alleged that Mr. Ying violated Securities Act Section 17(a) and Exchange Act Section 10(b) and Rule 10b-5. The SEC is seeking enjoinment from future violations of the aforementioned statutes and rules, disgorgement plus interest, a civil monetary penalty, and the barring of Mr. Ying from future service as an officer or director of a public company.

In a parallel case, the DOJ also filed criminal charges against Mr. Ying.

Commentary / Joseph V. Moreno

The trading activities by Mr. Ying are separate from those of the four senior Equifax executives previously identified as having sold company shares prior to public disclosure of the breach. According to an internal Equifax investigation, those executives were cleared of having violated the company's insider trading policy; however, the lesson to be derived here is the same. Companies must be diligent in implementing policies, procedures, and controls to prevent employees from trading company shares following a cyber breach, a point that was emphasized in guidance issued last month by the SEC. The technical, legal, regulatory, and reputational harm suffered by companies that are the victims of cyber breaches will only be exacerbated by the discovery that employees may have profited by trading on early knowledge of a breach incident, and regulatory scrutiny of both the company and the employee will no doubt follow. The fact that Equifax discovered Mr. Ying's trading activity and self-reported it to the DOJ and the SEC weighed in Equifax's favor. However, companies that fail to implement measures to detect and prevent such illicit trading activity run the risk of eliciting an ever harsher light from regulators than would otherwise have resulted from the breach itself.
