Profiting from Rival Firms’ Cyberattacks

In a recent case, the Securities and Exchange Commission (SEC) pursued an unconventional form of insider trading involving Medivation Inc., an oncology-focused biopharmaceutical firm, and one of its former senior executives. According to the SEC, the executive profited from trading shares not of Medivation, but of another biopharmaceutical firm, based on his confidential information about Medivation as a merger target.

In a new study, we seek to better understand the informativeness of another form of unconventional insider trading and its role in the stock market. Specifically, we investigate whether directors or senior executives of industry peer firms (hereafter, peer insiders) obtain undisclosed cyberattack news from the attacked firm’s directors or senior executives (hereafter, target insiders) and earn abnormal profits by trading their own firm’s shares. Consider the case of Target, a Minneapolis-based retailer, which announced a massive cyberattack on December 13, 2013. Our analysis examines, for example, whether insiders of Walmart, one of Target’s industry peer firms, earned abnormal profits by trading Walmart’s shares prior to the public disclosure of Target’s cyberattack news.

Using insider transactions that occur within industry competitors of firms experiencing cyberattacks reported in the Privacy Rights Clearinghouse (PRC) and Audit Analytics over the period 2005–2017, we find that peer insiders who trade before the target firm’s cyberattack disclosure date earn 4.5 percent higher market-adjusted abnormal buy-and-hold returns over 180 calendar days than those who trade after it. Thus, peer insiders exploit their information advantage over other market participants before the market learns about target firms’ news. Furthermore, peer insiders’ ability to earn abnormal profits is evident for both sales and purchase transactions.

To examine whether peer insiders’ trading profits come from private information pertaining to rival firms’ cyberattacks, we assess whether these profits are associated with the exposure of target and peer firms to cyber risk. Prior studies show that cyberattacks reveal information about target firms’ exposure to cyber risk and industry-wide cyber risk, thereby negatively affecting the market values of target and industry peer firms; however, some peer firms are less affected by such incidents and can even benefit from them. These findings suggest that peer insiders’ trading profits should be significantly related to the exposure of target and peer firms to cyber risk.

Consistent with our expectation, we find that peer insiders’ trading profitability in the pre-disclosure period is positively associated with the severity of the incident, measured by target firms’ lower abnormal returns around the cyberattack announcement date. Peer insiders’ trading profitability is also significantly related to their firms’ exposure to cyber risk, measured by peer firms’ lower abnormal returns around the rival firm’s cyberattack announcement date. We find that peer insiders avoid larger potential losses by engaging in sales in the pre-disclosure period when their firms’ exposure to cyber risk is greater, while they earn higher profits from their purchases when their firms’ exposure to cyber risk is lower. Thus, peer insiders engage in different trading strategies depending on the extent to which their firms are exposed to cyber risk: Peer insiders engage in sales when their firms’ exposure to cyber risk is higher and in purchases when such exposure is lower.

We next examine how peer insiders obtain target firms’ private information about cyberattacks and exploit such information in their trading. Among various types of social networks that help facilitate information transfers among connected parties, we focus on two types: One in which personal ties are more likely to develop and one that is less subject to regulatory oversight and market scrutiny. Prior studies on social networks indicate that the personal ties formed through nonworkplace activities (e.g., common educational background and membership in the same nonbusiness organizations) promote more trust and cooperation among connected parties, whereas professional connections that arise from employment tend to be transactional and competitive. Thus, peer insiders’ trading profitability is expected to be higher when their social ties with target insiders are formed through nonprofessional activities (hereafter, nonworkplace ties) than when these ties are formed through workplace activities (hereafter, workplace ties). Social connections are also more likely to facilitate information transfer between target and peer insiders if target insiders face weak regulatory scrutiny and stakeholder monitoring. For example, target insiders who are board members of their firms tend to be closely scrutinized by regulators and markets and face higher litigation and enforcement risk because of the requirements of their statutory and fiduciary duties. This high level of legal risk discourages target insiders who are board members from leaking information about their firms’ cyberattacks. Thus, we expect peer insiders’ trading profitability to be higher when they are connected to nonboard executives of the target firm (hereafter, nonboard ties) than when they are connected to directors of the target firm (hereafter, board ties).

We find weak evidence that peer insiders’ trading profits are higher when they are socially connected to target insiders. When we divide social ties according to the strength of personal ties between peer and target insiders and the extent of regulatory scrutiny and attention, peer insiders’ trading profitability is evident only when they are connected to target insiders through nonworkplace or nonboard ties. We do not find any evidence that peer insiders make abnormal trading profits when they are connected to target insiders through workplace or board ties.

We also examine whether our empirical findings vary across target firms with different levels of litigation risk and information asymmetry. We focus on target firms’ litigation risk because it discourages insiders from leaking their firms’ private information. We also focus on target firms’ information asymmetry because a poor information environment makes it difficult for outsiders, including peer firms’ noninsider shareholders, to access cyberattack information, which increases the value of target-specific private information. We find that the trading profits of peer insiders with nonworkplace or nonboard ties are greater when target firms have lower litigation risk (i.e., firms whose institutional stockholders do not hold large amounts of stock in peer firms, firms that operate in low-litigation industries, and firms that are located in areas with less liberal federal judges) and have a poorer information environment (i.e., younger firms, firms with higher absolute discretionary accruals, and firms with positive research and development expenses).

Finally, we examine how regulatory oversight affects informed trading by connected peer insiders by exploiting the SEC’s guidance, issued on October 13, 2011, on firms’ disclosure obligations relating to cybersecurity risk and incidents. With an increase in regulatory scrutiny, we expect target insiders’ incentives to selectively disclose news about their firms’ cyberattacks and peer insiders’ ability to exploit private information to be attenuated in the post-SEC guidance period. Consistent with this expectation, we find that peer insiders’ trading profits in the pre-disclosure period are significantly lower in the post-SEC guidance period than in the pre-SEC guidance period. This result is evident only when peer insiders have nonworkplace or nonboard ties to target insiders. However, peer insiders with nonboard ties continue to earn abnormal profits during the post-SEC guidance period. Thus, the SEC’s regulatory oversight of a firm’s timely disclosure of its cyberattack information appears to be effective in reducing target insiders’ incentives to share that information with connected parties, and thus in limiting peer insiders’ ability to access it, although it does not completely eliminate such incentives and abilities.

This post comes to us from Jun-Koo Kang at the Nanyang Business School, Nanyang Technological University, Singapore; Jungmin Kim at Hong Kong Polytechnic University; and Fangbo Si at Jinan University, China. It is based on their recent paper, “Profiting from Rival Firms’ Cyberattacks: Evidence from Informed Trading by Insiders with Social Ties,” available here.