Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Insider Trading Policies and Cybersecurity

By Michael J. Rivera and Abby I. Yi
December 02, 2019

Cybersecurity has been a high priority topic for the SEC the past few years. In September 2017, the SEC created a Cyber Unit within its Enforcement Division. This Cyber Unit had over 225 active investigations at the SEC's 2018 fiscal year end. The SEC has focused in particular on cybersecurity risks facing public companies.

The SEC twice issued cybersecurity guidance to public companies in 2018. The SEC used one of these pronouncements to opine on the need for insider trading policies to account for cyber-related incidents. Specifically, in February 2018, the SEC issued "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" ("Cybersecurity Release") outlining its views on cybersecurity disclosure requirements for public companies under the federal securities laws. The Cybersecurity Release reinforced and expanded upon cybersecurity disclosure guidance issued by the SEC's Division of Corporation Finance in 2011. It further addressed a new topic — the application of insider trading prohibitions in the cybersecurity context. Later in 2018, the SEC issued a Report of Investigation that emphasized the need for public companies to implement a system of adequate internal accounting controls to address cyber-related fraud and to calibrate those controls to the current risk environment.

The Cybersecurity Release advised that information about a company's cybersecurity risks and incidents may constitute material nonpublic information. Directors, officers and other corporate insiders therefore could violate the insider trading laws, should they trade their company's securities in breach of their duty of trust or confidence while in possession of such material nonpublic information. As a result, the SEC recommended companies have policies and procedures crafted to prevent trading on the basis of material nonpublic information relating to cybersecurity risks and incidents.

The Cybersecurity Release further advised companies to be prepared to prevent illegal insider trading while the company is investigating a cybersecurity incident. More specifically, the SEC warned that, while investigating the facts surrounding a cybersecurity incident and assessing the materiality of that event, companies should expressly consider whether (and when) to invoke internal restrictions on trading in their securities. To prepare for such circumstances, the SEC recommended public companies have policies and procedures in place to "guard against directors, officers and other corporate insiders taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident."

To hammer home its concern about insider trading in this context, shortly after issuing the Cybersecurity Release, the SEC charged two Equifax Corp. employees with illegally trading Equifax securities in advance of the company's September 2017 announcement of a massive data breach. The SEC filed a civil action against former Equifax Chief Information Officer Jun Ying. A federal court subsequently entered a final judgment permanently enjoining Ying from violating the anti-fraud provisions of the federal securities laws and requiring Ying to pay disgorgement and prejudgment interest. Ying pleaded guilty in a parallel criminal action to criminal insider trading charges and was sentenced to four months in prison, fined $55,000 and ordered to pay over $117,000 in restitution. Separately, former Equifax manager Sudhakar Reddy Bonthu was charged by the SEC with insider trading and consented to a court order permanently enjoining him from violating the anti-fraud provisions of the federal securities laws. Bonthu also pleaded guilty to insider trading charges in the parallel criminal action and was sentenced to eight months of home confinement, fined $50,000 and ordered to disgorge over $75,000.

|

Recommendations for Consideration

In light of the SEC's purposeful effort to warn and guide public companies on insider trading risks in the cybersecurity context, we recommend that in-house counsel review their company's policies and procedures and revise as needed to comport with the guidance discussed above. In doing so, we suggest counsel consider the following:

  1. Clearly defining insider trading in company policies to include cybersecurity incidents as potential material nonpublic information regarding the company.
  2. Establishing a process to impose trading blackouts and/or preclearance requirements with respect to transactions in the company's securities by insiders while the company is investigating an actual or potential cyberattack incident.
  3. Ensuring that policies on trading restrictions apply to the employees expected to gain knowledge of cybersecurity incidents forged against the company (including personnel in the information technology department).
  4. Having employee training sessions to address changes made to the company's insider trading policies.

*****

Michael J. Rivera is a member in the Washington, DC, office of Bass, Berry & Sims PLC. He represents businesses and individuals in securities enforcement proceedings and internal investigations. He may be reached at [email protected]. Abby Yi is an associate in the Washington, DC, office of Bass, Berry & Sims PLC. She represents companies in connection with internal and government investigations concerning white collar and corporate compliance matters. She may be reached at [email protected]. This article also appeared in Corporate Counsel, an ALM sibling of Business Crimes Bulletin.

|

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

Compliance and Third-Party Risk Management Image

To gauge the level of risk and uncover potential gaps, compliance and privacy leaders should collaborate to consider how often they are monitoring third parties, what intelligence they are gathering with and about their partners and vendors, and whether their risk management practices have been diminished due to cost and resource constraints.