(Photo: Who is Danny/Shutterstock.com)

This article is Part 2 of a three-part series discussing recent trends that warrant public companies to consider whether their insider trading policies should be updated. Part 1 provided practical guidance on mitigating risks associated with employees who may inadvertently share confidential information with others. Part 2 discusses practical suggestions for public companies to comply with Securities and Exchange Commission guidance related to how insider trading policies should address cybersecurity risks. Part 3 will provide a primer on potential legislative changes involving stock trading plans (Rule 10b5-1 Trading Plans) routinely relied upon by corporate insiders to trade their company's stock legally.

 Cybersecurity-Related Incidents Should Be Covered by Insider Trading Policies

Cybersecurity has been a high priority topic for the SEC the past few years. In September 2017, the SEC created a Cyber Unit within its Enforcement Division. This Cyber Unit had over 225 active investigations at the SEC's 2018 fiscal year end. The SEC has focused in particular on cybersecurity risks facing public companies.

The SEC twice issued cybersecurity guidance to public companies in 2018. The SEC used one of these pronouncements to opine on the need for insider trading policies to account for cyber-related incidents. Specifically, in February 2018, the SEC issued "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" ("Cybersecurity Release") outlining its views on cybersecurity disclosure requirements for public companies under the federal securities laws. The Cybersecurity Release reinforced and expanded upon cybersecurity disclosure guidance issued by the SEC's Division of Corporation Finance in 2011. It further addressed a new topic—the application of insider trading prohibitions in the cybersecurity context. Later in 2018, the SEC issued a Report of Investigation that emphasized the need for public companies to implement a system of adequate internal accounting controls to address cyber-related fraud and to calibrate those controls to the current risk environment.

The Cybersecurity Release advised that information about a company's cybersecurity risks and incidents may constitute material nonpublic information. Directors, officers and other corporate insiders therefore could violate the insider trading laws, should they trade their company's securities in breach of their duty of trust or confidence while in possession of such material nonpublic information. As a result, the SEC recommended companies have policies and procedures crafted to prevent trading on the basis of material nonpublic information relating to cybersecurity risks and incidents.

The Cybersecurity Release further advised companies to be prepared to prevent illegal insider trading while the company is investigating a cybersecurity incident. More specifically, the SEC warned that, while investigating the facts surrounding a cybersecurity incident and assessing the materiality of that event, companies should expressly consider whether (and when) to invoke internal restrictions on trading in their securities. To prepare for such circumstances, the SEC recommended public companies have policies and procedures in place to "guard against directors, officers and other corporate insiders taking advantage of the period between the company's discovery of a cybersecurity incident and public disclosure of the incident to trade on material nonpublic information about the incident."

To hammer home its concern about insider trading in this context, shortly after issuing the Cybersecurity Release, the SEC charged two Equifax Corp. employees with illegally trading Equifax securities in advance of the company's September 2017 announcement of a massive data breach. The SEC filed a civil action against former Equifax Chief Information Officer Jun Ying. A federal court subsequently entered a final judgment permanently enjoining Ying from violating the anti-fraud provisions of the federal securities laws and requiring Ying to pay disgorgement and prejudgment interest. Ying pleaded guilty in a parallel criminal action to criminal insider trading charges and was sentenced to four months in prison, fined $55,000 and ordered to pay over $117,000 in restitution. Separately, former Equifax manager Sudhakar Reddy Bonthu was charged by the SEC with insider trading and consented to a court order permanently enjoining him from violating the anti-fraud provisions of the federal securities laws. Bonthu also pleaded guilty to insider trading charges in the parallel criminal action and was sentenced to eight months of home confinement, fined $50,000 and ordered to disgorge over $75,000.

Recommendations for Consideration

In light of the SEC's purposeful effort to warn and guide public companies on insider trading risks in the cybersecurity context, we recommend that in-house counsel review their company's policies and procedures and revise as needed to comport with the guidance discussed above. In doing so, we suggest counsel consider the following:

1. Clearly defining insider trading in company policies to include cybersecurity incidents as potential material nonpublic information regarding the company.

2. Establishing a process to impose trading blackouts and/or preclearance requirements with respect to transactions in the company's securities by insiders while the company is investigating an actual or potential cyberattack incident.

3. Ensuring that policies on trading restrictions apply to the employees expected to gain knowledge of cybersecurity incidents forged against the company (including personnel in the information technology department).

4. Having employee training sessions to address changes made to the company's insider trading policies.

Michael J. Rivera is a member in the Washington, D.C., office of Bass, Berry & Sims PLC. He represents businesses and individuals in securities enforcement proceedings and internal investigations. He may be reached at [email protected].

Abby Yi is an associate in the Washington, D.C., office of Bass, Berry & Sims PLC. She represents companies in connection with internal and government investigations concerning white collar and corporate compliance matters. She may be reached at [email protected].