Informed Trading and Cybersecurity Breaches

Joshua Mitts is Associate Professor of Law and Eric Talley is Isidor & Seville Sulzbacher Professor of Law at Columbia Law School. This post is based on their recent paper.

A key pillar of the digital economy—the ease of accessing, copying, and distributing data at large scale—is frequently also its Achilles heel, in the form of cybersecurity risk. The massive and cataclysmic data breach of Equifax in September 2017, compromising highly confidential information of tens of millions of clients (including Social Security numbers), is hardly the first of its kind, and it is clearly not the last. For well over a decade, firms and organizations that store confidential data digitally have been potential (and actual) targets of similar types of attacks, often with analogously cataclysmic implications for victims.

In securities-market settings, of course, one person’s catastrophe can be another’s arbitrage play: And so it was that in the late summer of 2016, a short hedge fund, Muddy Waters Capital, opened a confidential line of communication with MedSec, a start-up cybersecurity firm that claimed to have discovered a serious security flaw in the pacemakers produced by St. Jude Medical, a then-public medical device company. Only after taking a substantial short position in St. Jude did Muddy Waters publicly disclose the claimed vulnerability, causing an immediate fall in St. Jude’s stock price in excess of eight percent. Similar episodes of material changes in value after disclosure of a cybersecurity event are routine.

The anecdotal account of Muddy Waters’ securities-market play around St. Jude’s cybersecurity breach is perhaps unsurprising—particularly when (a) cybersecurity breaches have material effects on company valuation; and (b) the underlying breach involves potentially confidential data. At the same time, the St. Jude / Muddy Waters saga raises important questions about how widespread such informed cybersecurity-related trading is; whether significant arbitrage rents are appreciable; and who tends to earn them. And, to the extent that appreciable arbitrage rents are available, might they directly or indirectly attract cyber-hacking—effectively subsidizing destructive activity solely for the purpose of trading on the basis of the harms and risks it creates? Should such coordinated behavior be more heavily regulated by authorities or subject to suit by private litigants?

In a recently released study, we consider public-company announcements of cybersecurity vulnerabilities and/or breaches, and how they interact with trading in sophisticated securities markets. Specifically, we consider whether advance knowledge of a cybersecurity vulnerability or breach constitutes a material arbitrage opportunity for an informed trader. Conceptually, such arbitrage opportunities are eminently plausible equilibrium phenomena: arbitrage opportunities for informed traders exist whenever there is sufficient independent trading (e.g., by liquidity or noise traders) to provide cover for the informed arbitrageur. Informed traders have a strong incentive to take short positions against the hacked firm, and that incentive should be reflected in the market dynamics of the underlying securities. We test these predictions empirically, making use of a novel data set of corporate data breaches involving publicly traded companies. Using a variety of means to match these firms against comparator firms with no announced vulnerabilities, we find significant trading abnormalities in the put-option market for hacked firms, measured both through open interest and trading volume. These results appear robust to a variety of matching techniques as well as to cross-sectional and time-series analysis. We view these results as consistent with the proposition that arbitrageurs tend to have early notice of impending cybersecurity breach disclosures, and that they trade on the basis of that information.

Although our principal focus is positive and empirical in nature, our results also hold relevance for larger normative/prescriptive debates about whether such trading practices warrant enhanced legal proscription. Normatively, the debate over how (or whether) securities law should regulate informed trading activities is a complex one, trading off pricing efficiency, liquidity and allocational efficiency concerns. Informed cyber-trading shares many of these traits; but it also tees up other efficiency concerns that are contextually unique. If significant arbitrage profits from advance knowledge of cybersecurity risks were wholly undeterred, several investment decisions would likely follow, both by “hackers” (including cybersecurity firms) attempting to expose vulnerabilities and introduce costs that would not otherwise come to light; and by the issuers themselves, who would undertake costly efforts to frustrate (or divert) hackers’ attentions. Such expenditures represent real economic costs that are not generically present in standard information trading contexts. Consequently, such settings plausibly justify enhanced regulatory oversight of / liability exposure for informed cyber-trading.

Under currently established principles in securities law, however, much cybersecurity trading would likely be permissible. To be sure, it is almost certainly actionable (both civilly and criminally) for parties to conspire to steal proprietary information from a firm, or to spread false information about a cybersecurity risk in order to manipulate stock prices. That said, if such parties were simply to use publicly available investigatory tools to expose and then trade on bona fide cybersecurity vulnerabilities (as Muddy Waters and MedSec are said to have done), they would face few if any impediments under current law in arbitraging that information. They would not run afoul of received insider trading theories, which generally require the breach of a confidential or fiduciary relationship. And they would not violate market manipulation proscriptions, which require the injection of inaccurate information into the market. Although several federal courts are currently contemplating a significant extension to insider trading laws that would reach (so-called) “outsider traders”— informed traders who are neither corporate fiduciaries nor have breached a confidential relationship—no court has firmly embraced this expansion to date (plausibly out of justifiable concerns about overbreadth). In short, the task of redesigning securities law to address the costs of informed cyber-trading presents a difficult prospective challenge for policy makers and regulators.

The complete paper is available for download here.
