Insider Trading Ahead of Cyber Breach Announcements

On March 14, 2018, the Securities and Exchange Commission charged a former chief information officer of Equifax with insider trading. The complaint alleged that he profited from selling stock ahead of the September 2017 public announcement of a major cybersecurity breach at the company involving the data of 148 million customers. The high-profile nature of the incident prompted federal prosecutors to investigate how much of this sort of insider trading may be occurring.

In a recent Wall Street Journal Online article, William Hinman, a senior SEC official, states that the agency intends to clamp down on this practice. He suspects that insider trading after a cybersecurity breach is widespread, but hints at  a lack of empirical evidence. “I think this issue is important enough, wide-ranging enough that we should tackle it at the commission level,” Mr. Hinman said. “I think it would be wise for folks to examine their insider trader policies in connection to a systems breach” (Minaya, The Wall Street Journal Online).

In our article, “Insider Trading Ahead of Cyber Breach Announcements,” we address this question in detail and provide an answer. Our research follows a two-step process. We first examine the abnormal stock price response to 258 cybersecurity-breach announcements from 2011-2016. We find that stock prices abnormally decline an average of 1.44 percent over the five-day period surrounding the breach announcement, and the reduction in value does not dissipate over the following month. This result is in line with previous studies that have examined breach announcement returns.

Second, we collect all insider trade data for the affected firms,  from the traders’ Form 4 filings. Separating informative from non-informative trades, or “liquidity” from “opportunistic” trades, has always presented a challenge in the literature. This is because most filtering algorithms are based upon the stock return. For example, if a stock’s price happened to go up on a particular announcement after an insider bought stock, then the insider purchase would be labeled informative and opportunistic. Such algorithms are problematic, because they impute perfect forecasting ability to insiders. Instead, we adopt the recently proposed algorithm of Cohen, Malloy, and Pomorski (2012, Journal of Finance), applied at the individual trade level, to distinguish informative from non-informative trades. The beauty of this algorithm is that it is based solely upon the insider’s past trading history. More precisely, insider trades occurring in the same calendar month over a period of three years are classified as routine and non-informative. All other trades are considered informative and opportunistic.

For example, if the breach for a firm occurred in January 2011, then we examine insider trading data from October 2007 through January 2011 in order to classify any stock sales occurring in the three-month window from October 2010 to January 2011. If there is a pattern of sales falling in the same calendar month over three years, then the insider trade is classified as routine. If the insider has insufficient trading history, then we take a conservative approach and leave the trade unclassified. All other trades are classified as opportunistic. We focus on trades that are opportunistic sales. As there may be multiple trades on different days or months by the same insider, all opportunistic sales are then aggregated by insider per breach. The dollar amount of shares sold is then multiplied by the five-day cumulative abnormal return from the first step to determine the amount of money saved by, or the abnormal profit to, the insider from the timely sale.

We find that the 807 non-routine stock sales of 170 corporate insiders in the three months prior to the announcement of 192 distinct cybersecurity breaches saves each insider an average of $35,017 per breach. The average amount of money saved varies by year but is always positive, from a low of $21,079 in 2013 to a high of $70,561 in 2016. Focusing on a one- month window before the breach announcement, we identify 70 insiders who opportunistically saved an average of $44,359, with a greater variability than in the three month results, ranging from $3,481 in 2013 to $145,583 in 2016. Although the economic significance of this amount is not as great as in  the Equifax case, the results are statistically significant. Our finding indicates that non-routine insider sales ahead of cybersecurity breach announcements clearly convey significant negative information for the firm.

We also explore the timing of opportunistic insider trades. In particular, there is a cluster of selling activity that occurs from approximately 65 days to 48 days prior to the breach announcement, followed by a return to relatively smaller amounts of selling activity nearer the announcement date.

For the 192 insiders who sold opportunistically within three months prior to a cybersecurity breach announcement, we separately tabulate the average amount of money saved by the insiders according to the primary role listed in their Form 4 SEC filing. Of particular note is that the category of Chief Information/Technology Officer ranks fourth on the list in terms of money saved, at $105,780 per insider, managing to beat out CEO, Beneficial Owner, CFO, Officer, Other Executive, and General Counsel. When focusing on the question of private information that could be traded on ahead of a cybersecurity breach disclosure, this role would seem to be that of the most well-informed inside. Depending upon how the firm is organized, the CIO or CTO is informed early on of a cybersecurity breach in the firm, oversees the responsibility for investigating the breach, and is most likely to quickly grasp the full potential extent of any damage. Other, well-populated categories of Officer, CEO, and CFO all show average money saved ranging from $16,974 for Officers to $90,431 for CEOs.

We offer some concluding thoughts. First, ours is the only research we are aware of that establishes significant insider selling ahead of cybersecurity breach announcements. The algorithm we use to classify opportunistic trades versus trades done simply to create liquidity has been proven quite robust (see the paper by Cohen et al, 2012). Our analysis finds that insider sales ahead of breach disclosures produce significant abnormal savings for the sellers as the stock declines. The implication is that some insiders seem willing to take advantage of the information asymmetry between the firm and other participants in equity markets through the strategic timing of those insiders’ stock sales. Even so, we stress that our results are an aggregation from an algorithm and do not establish the intent of any particular trade or trader.

Second, our findings not only bolster the SEC’s directive to companies “to examine their insider trader policies in connection to a systems breach,” but also have public policy implications now that the existence of information-based trading ahead of cybersecurity-breach disclosures has been documented.

Third, firm managers can use the findings from this research to take greater care with their recovery processes and protect their investor relations. An SEC enforcement action for insider trading can cause enormous reputational damage and further loss in firm value. Being aware that insider trading can occur in the aftermath of a cybersecurity breach can lead to better training, preventative procedures, and internal vigilance and monitoring.


Cohen, L., C. Malloy, and L. Pomorski. 2012, Decoding Insider Information, Journal of Finance 67 (3), 1009-1043.

Minaya, Ezequiel, “SEC Says Companies Can Expect New Guidelines on Reporting Cybersecurity Breaches” The Wall Street Journal Online, Nov. 9, 2017.

This post comes to us from Zhaoxin Lin, a PhD student at Iowa State University; and Travis R.A. Sapp, Jackie Rees Ulmer, and Rahul Parsa, professors at the university. It is based on their recent paper, “Insider Trading Ahead of Cyber Breach Announcements,” available here

Leave a Reply

Your email address will not be published. Required fields are marked *