Friday, February 2, 2018

Questions America Wants Answered: "Is Cyber-Insider Trading Illegal?"

Matt Levine at Bloomberg, Feb. 2:

Also governance, bad-actor waivers, crypto-kidnapping and flamethrower returns.  
Hacking insider trading!
If you can hack into a big company's computers, what should you do with that power? There are some obvious options. If the company has money, maybe you can steal its money. If it has customers, you can steal their information, and then use that information to try to steal their money, or at least send them spammy emails. Or if it is a public company, maybe you can snoop into its financial information and business plans and try to insider trade on what you find. These are all good options, in the sense that you could imagine scenarios in which they would be lucrative. But they are also all terrible options in the sense that they are blatantly illegal.

But here are a blog post and a related paper -- "Informed Trading and Cybersecurity Breaches," by Joshua Mitts and Eric Talley of Columbia -- discussing a different approach, which is that you could just trade on the fact that you could hack into the computers. Then you can disclose the hack and hope that the company's stock will go down. Cybersecurity breaches tend to be bad news. This approach is ... look, I have my doubts about how lucrative it is; cybersecurity breaches tend not to be such bad news ... but it has the advantage of not being blatantly illegal. Of being legal? I mean, that is not legal advice, but here are Mitts and Talley:
Under current securities law, however, several instantiations of informed cyber-trading would likely be permissible. To be sure, it is almost certainly unlawful for parties to conspire to steal proprietary information from a firm, or to spread false information about a cybersecurity risk in order to manipulate stock prices. That said, if such parties were simply to use publicly available investigatory tools to discover, trade upon, and then expose bona fide cybersecurity vulnerabilities (as Muddy Waters and MedSec were alleged to have done), they would face little scrutiny under current law. They would not run afoul of received insider trading theories, which generally require the breach of a confidential or fiduciary relationship.
The Muddy Waters reference is to when Muddy Waters teamed up with a group of hackers to short the stock of St. Jude Medical because, they alleged, they had discovered a vulnerability in St. Jude's pacemakers. Hacking into pacemakers to kill people: definitely illegal. Hacking into pacemakers (I mean, pacemakers that you own, in a controlled environment) to announce to the world that you can hack into pacemakers and make profits on your pacemaker-company short positions: probably fine, why not....