On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised.
Equifax’s board of directors had previously formed a special committee to investigate trades by certain senior executives that occurred after the breach. Although the timing of those trades drew significant scrutiny from the press, investors and others, the special committee concluded that the executives were not aware of the breach when they sold their shares. It does not appear that the special committee’s investigation covered the CIO’s trades.
According to the SEC’s complaint, the CIO—who was the leading candidate to be the company’s next global CIO—allegedly used confidential information entrusted to him in the course of his employment to conclude that Equifax had suffered a serious breach. The SEC’s investigation relied on a detailed analysis of the CIO’s emails and text messages, and also found that the CIO used a search engine to find information on the Internet concerning the September 2015 cybersecurity breach of Experian, another one of the major credit bureaus, and the impact that breach had on Experian’s stock price. The search terms used by the CIO included: (1) “Experian breach”, (2) “Experian stock price 9/15/2015”, and (3) “Experian breach 2015.”
The SEC alleges that shortly after running these internet searches, but before Equifax’s public disclosure of this data breach, the CIO exercised all of his vested Equifax stock options and then sold the underlying shares, receiving proceeds from the sale of over $950,000. According to the SEC, by selling before public disclosure of the Equifax data breach, the CIO also avoided more than $117,000 in losses that he would have suffered had he not sold until after the news of the breach became public.
This case comes on the heels of the SEC’s recently issued interpretive guidance on cybersecurity. In its guidance, the SEC warned that “information about a company’s cybersecurity risks and incidents may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”
These charges are also an important reminder to companies to (1) educate employees on insider trading laws, (2) implement appropriate internal controls and procedures to oversee trading by senior employees and employees who work in sensitive areas, (3) monitor the exercise of company-issued equity awards, and (4) promptly implement blackout periods covering appropriate personnel upon discovery of a cybersecurity incident.