SEC Insider Trading Charges Against Equifax Insider Highlight Need for Proper Policies and Procedures Related to Cybersecurity and Insider Trading

White & Case LLP

On June 28, 2018, the Securities and Exchange Commission ("SEC") charged Sudhakar Reddy Bonthu, a former software engineering manager at Equifax, with insider trading, alleging[1] that Bonthu traded on confidential information he received while creating a website for consumers impacted by the company's September 2017 data breach, which exposed Social Security numbers and other personal information of approximately 148 million US customers.

This is the second case the SEC has filed arising from alleged insider trading related to the Equifax data breach.[2] These cases underscore the importance of maintaining robust internal controls around issues of cybersecurity, as well as a process for careful monitoring of trading by those who may have material non-public information ("MNPI") about a data breach.


The SEC alleges that Bonthu was told the website he was building was for an unnamed potential client, but based on information he received, he concluded that Equifax itself was the victim of the breach. He violated company policy when he traded on this MNPI by purchasing Equifax put options. Less than a week later, after Equifax publicly announced the data breach and its stock declined nearly 14 percent, Bonthu sold the put options and netted more than $75,000, representing a return of more than 3,500 percent on his initial investment.[3]

Practical Considerations

These cases, as well as other SEC enforcement actions and recent guidance, highlight the SEC's focus on the intertwined issues of cybersecurity, insider trading and disclosure controls. SEC guidance released earlier this year addressed, among other things, the risk of insider trading in the event of a data breach,[4] and a recent speech by SEC Commissioner Robert Jackson highlighted the importance of having an insider trading policy that prohibits insiders from trading around the time of a cyber event.[5]

In light of this continued focus, companies should consider implementing robust internal controls and procedures that ensure adequate disclosure of material cybersecurity matters and prevent insiders from trading on MNPI related to cybersecurity risks and incidents. Specifically, companies should:

  • include appropriate safeguards in their insider trading policies and procedures to protect against corporate insider trading on the basis of knowledge about a cyber incident before public disclosure of such incident is made. Companies should ensure that the procedure for defining or identifying designated persons who must pre-clear their trades in the company's stock is sufficiently broad, taking into consideration any individuals who may have access to cybersecurity-related MNPI;
  • consider adding cyber events as a specific example of the types of developments that could constitute MNPI to their insider trading policy, in order to make clear that knowledge of such events may qualify as MNPI in the context of insider trading;
  • consider implementing training that explores various scenarios under which the sale of company stock may be in violation of the insider trading policy and explains the risks and ramifications of trading on MNPI; and
  • ensure there are procedures in place to relay cybersecurity events in a timely manner to the individual who administers the company's preclearance policy.

1 Available here.
2 In March 2018, the SEC charged a former chief information officer of a US business unit of Equifax with insider trading in advance of the company's announcement of the data breach. Jun Ying, who was next in line to be the company's global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax's public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, resulting in profits of nearly $1 million. The SEC's complaint is available here.
3 Bonthu was terminated from Equifax in March 2018 after refusing to cooperate with an internal investigation into whether he had violated the company's insider trading policy. In a parallel proceeding, the US Attorney's Office for the Northern District of Georgia filed criminal charges against Bonthu.
4 For additional information on the SEC's February 2018 guidance, see our prior alert, "SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures: Greater Engagement Required of Officers and Directors".
5 Commissioner Jackson's recap of some key takeaways from this speech can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising
