Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Insider Trading Policies and Cybersecurity
Cybersecurity has been a high priority topic for the SEC the past few years. In September 2017, the SEC created a Cyber Unit within its Enforcement Division. This Cyber Unit had over 225 active investigations at the SEC's 2018 fiscal year end. The SEC has focused in particular on cybersecurity risks facing public companies.
The SEC twice issued cybersecurity guidance to public companies in 2018. The SEC used one of these pronouncements to opine on the need for insider trading policies to account for cyber-related incidents. Specifically, in February 2018, the SEC issued "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" ("Cybersecurity Release") outlining its views on cybersecurity disclosure requirements for public companies under the federal securities laws. The Cybersecurity Release reinforced and expanded upon cybersecurity disclosure guidance issued by the SEC's Division of Corporation Finance in 2011. It further addressed a new topic — the application of insider trading prohibitions in the cybersecurity context. Later in 2018, the SEC issued a Report of Investigation that emphasized the need for public companies to implement a system of adequate internal accounting controls to address cyber-related fraud and to calibrate those controls to the current risk environment.
The Cybersecurity Release advised that information about a company's cybersecurity risks and incidents may constitute material nonpublic information. Directors, officers and other corporate insiders therefore could violate the insider trading laws, should they trade their company's securities in breach of their duty of trust or confidence while in possession of such material nonpublic information. As a result, the SEC recommended companies have policies and procedures crafted to prevent trading on the basis of material nonpublic information relating to cybersecurity risks and incidents.
The Cybersecurity Release further advised companies to be prepared to prevent illegal insider trading while the company is investigating a cybersecurity incident. More specifically, the SEC warned that, while investigating the facts surrounding a cybersecurity incident and assessing the materiality of that event, companies should expressly consider whether (and when) to invoke internal restrictions on trading in their securities. To prepare for such circumstances, the SEC recommended public companies have policies and procedures in place to "guard against directors, officers and other corporate insiders taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident."
To hammer home its concern about insider trading in this context, shortly after issuing the Cybersecurity Release, the SEC charged two Equifax Corp. employees with illegally trading Equifax securities in advance of the company's September 2017 announcement of a massive data breach. The SEC filed a civil action against former Equifax Chief Information Officer Jun Ying. A federal court subsequently entered a final judgment permanently enjoining Ying from violating the anti-fraud provisions of the federal securities laws and requiring Ying to pay disgorgement and prejudgment interest. Ying pleaded guilty in a parallel criminal action to criminal insider trading charges and was sentenced to four months in prison, fined $55,000 and ordered to pay over $117,000 in restitution. Separately, former Equifax manager Sudhakar Reddy Bonthu was charged by the SEC with insider trading and consented to a court order permanently enjoining him from violating the anti-fraud provisions of the federal securities laws. Bonthu also pleaded guilty to insider trading charges in the parallel criminal action and was sentenced to eight months of home confinement, fined $50,000 and ordered to disgorge over $75,000.
|Recommendations for Consideration
In light of the SEC's purposeful effort to warn and guide public companies on insider trading risks in the cybersecurity context, we recommend that in-house counsel review their company's policies and procedures and revise as needed to comport with the guidance discussed above. In doing so, we suggest counsel consider the following:
- Clearly defining insider trading in company policies to include cybersecurity incidents as potential material nonpublic information regarding the company.
- Establishing a process to impose trading blackouts and/or preclearance requirements with respect to transactions in the company's securities by insiders while the company is investigating an actual or potential cyberattack incident.
- Ensuring that policies on trading restrictions apply to the employees expected to gain knowledge of cybersecurity incidents forged against the company (including personnel in the information technology department).
- Having employee training sessions to address changes made to the company's insider trading policies.
*****
Michael J. Rivera is a member in the Washington, DC, office of Bass, Berry & Sims PLC. He represents businesses and individuals in securities enforcement proceedings and internal investigations. He may be reached at [email protected]. Abby Yi is an associate in the Washington, DC, office of Bass, Berry & Sims PLC. She represents companies in connection with internal and government investigations concerning white collar and corporate compliance matters. She may be reached at [email protected]. This article also appeared in Corporate Counsel, an ALM sibling of Business Crimes Bulletin.
|This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
Strategy vs. Tactics: Two Sides of a Difficult Coin
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.