In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.
The indictment and SEC complaint make clear that government agencies are focused on investigating insider trading cases involving possession of material non-public information (“MNPI”) concerning cybersecurity incidents or risks. As recently discussed in our memorandum on the new SEC cybersecurity guidance, this makes it all the more critical that companies consider reviewing their incident response plans to determine whether the plans should include a procedure ensuring that, upon learning of a cybersecurity incident, the company reviews whether to close the trading window, pursuant to the company’s insider trading policy or if otherwise warranted under the circumstances. Notably, while Equifax had closed its trading window for individuals who were aware of the breach, Ying was not subject to the blackout and allegedly learned of the breach through indirect means. The charges thus also emphasize the potential need for companies to review their controls and training with respect to the handling of MNPI.