Insider Trading Policies and Cybersecurity

The Cybersecurity Release further advised companies to be prepared to prevent illegal insider trading while the company is investigating a cybersecurity incident. More specifically, the SEC warned that, while investigating the facts surrounding a cybersecurity incident and assessing the materiality of that event, companies should expressly consider whether (and when) to invoke internal restrictions on trading in their securities. To prepare for such circumstances, the SEC recommended public companies have policies and procedures in place to "guard against directors, officers and other corporate insiders taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident."

To hammer home its concern about insider trading in this context, shortly after issuing the Cybersecurity Release, the SEC charged two Equifax Corp. employees with illegally trading Equifax securities in advance of the company's September 2017 announcement of a massive data breach. The SEC filed a civil action against former Equifax Chief Information Officer Jun Ying. A federal court subsequently entered a final judgment permanently enjoining Ying from violating the anti-fraud provisions of the federal securities laws and requiring Ying to pay disgorgement and prejudgment interest. Ying pleaded guilty in a parallel criminal action to criminal insider trading charges and was sentenced to four months in prison, fined $55,000 and ordered to pay over $117,000 in restitution. Separately, former Equifax manager Sudhakar Reddy Bonthu was charged by the SEC with insider trading and consented to a court order permanently enjoining him from violating the anti-fraud provisions of the federal securities laws. Bonthu also pleaded guilty to insider trading charges in the parallel criminal action and was sentenced to eight months of home confinement, fined $50,000 and ordered to disgorge over $75,000.

Recommendations for Consideration

In light of the SEC's purposeful effort to warn and guide public companies on insider trading risks in the cybersecurity context, we recommend that in-house counsel review their company's policies and procedures and revise as needed to comport with the guidance discussed above. In doing so, we suggest counsel consider the following:

1. Clearly defining insider trading in company policies to include cybersecurity incidents as potential material nonpublic information regarding the company.
2. Establishing a process to impose trading blackouts and/or preclearance requirements with respect to transactions in the company's securities by insiders while the company is investigating an actual or potential cyberattack incident.
3. Ensuring that policies on trading restrictions apply to the employees expected to gain knowledge of cybersecurity incidents forged against the company (including personnel in the information technology department).
4. Having employee training sessions to address changes made to the company's insider trading policies.

*****

Michael J. Rivera is a member in the Washington, DC, office of Bass, Berry & Sims PLC. He represents businesses and individuals in securities enforcement proceedings and internal investigations. He may be reached at [email protected]. Abby Yi is an associate in the Washington, DC, office of Bass, Berry & Sims PLC. She represents companies in connection with internal and government investigations concerning white collar and corporate compliance matters. She may be reached at [email protected]. This article also appeared in Corporate Counsel, an ALM sibling of Business Crimes Bulletin.