- Email: [email protected]
Insider trading ahead of cyber breach announcements
Journal Pre-proof Insider Trading Ahead of Cyber Breach Announcements Zhaoxin Lin, Travis R.A. Sapp, Jackie Rees Ulmer, Rahul Parsa
PII:
S1386-4181(19)30357-X
DOI:
https://doi.org/10.1016/j.finmar.2019.100527
Reference:
FINMAR 100527
To appear in:
Journal of Financial Markets
Received Date: 3 December 2018 Revised Date:
11 December 2019
Accepted Date: 13 December 2019
Please cite this article as: Lin, Z., Sapp, T.R.A., Ulmer, J.R., Parsa, R., Insider Trading Ahead of Cyber Breach Announcements, Journal of Financial Markets, https://doi.org/10.1016/j.finmar.2019.100527. This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Elsevier B.V. All rights reserved.
Insider trading ahead of cyber breach announcements
ZHAOXIN LIN, TRAVIS R. A. SAPP, JACKIE REES ULMER, RAHUL PARSA*
November 4, 2019 †
JEL Classifications: G14, K24, G30 Keywords: Insider trading, Form 4, cybersecurity, data breach, opportunistic trading, SEC enforcement action, asymmetric information ______________
* Travis Sapp is the corresponding author and may be reached at [email protected], ph. (515) 294-2717. Zhaoxin Lin may be reached at [email protected]. Jackie Rees Ulmer may be reached at [email protected]. Rahul Parsa may be reached at [email protected]. All authors receive correspondence at the following mailing address: College of Business, Gerdin Business Bldg. Suite 2330, 2167 Union Drive, Iowa State University, Ames, IA 50011-2027. † First version: June 6, 2018. We thank participants of the INFORMS Conference on Information Systems and Technology (CIST) 2018, Phoenix, and the 2019 Eastern Finance Association Annual Meeting in Miami for helpful comments. We also thank an anonymous referee whose comments have helped us to enhance the paper.
Insider trading ahead of cyber breach announcements
ZHAOXIN LIN, TRAVIS R. A. SAPP, JACKIE REES ULMER, RAHUL PARSA*
November 4, 2019 †
JEL Classifications: G14, K24, G30
Keywords: Insider trading, Form 4, cybersecurity, data breach, opportunistic trading, SEC enforcement action, asymmetric information ______________ * Travis Sapp is the corresponding author and may be reached at [email protected], ph. (515) 294-2717. Zhaoxin Lin may be reached at [email protected]. Jackie Rees Ulmer may be reached at [email protected]. Rahul Parsa may be reached at [email protected]. All authors receive correspondence at the following mailing address: College of Business, Gerdin Business Bldg. Suite 2330, 2167 Union Drive, Iowa State University, Ames, IA 500112027. † First version: June 6, 2018. We thank participants of the INFORMS Conference on Information Systems and Technology (CIST) 2018, Phoenix, and the 2019 Eastern Finance Association Annual Meeting in Miami for helpful comments. We also thank an anonymous referee whose comments have helped us to enhance the paper.
Abstract
Stock market reactions to cybersecurity breach announcements are generally negative. We find significant evidence of opportunistic insider trading, with insiders saving an average of $35,009 due to timely selling in the three months before the announcement of a cybersecurity breach. Late filing violations by insiders are more likely to occur near the announcement of a cyber breach. The bulk of opportunistic trading tends to occur 55 to 72 days before the public announcement. The results lend support to the U.S. Security and Exchange Commission’s recently announced goal of tightening restrictions on insider trading ahead of cyber breach announcements.
1. Introduction A senior Securities and Exchange Commission regulator said Thursday that public companies will soon face new guidelines for how they report cybersecurity breaches to investors. …William Hinman, the SEC’s recently installed director of corporation finance… also advised companies to examine their own policies for insider trading following a cyberbreach. “I think this issue is important enough, wide-ranging enough that we should tackle it at the commission level,” Mr. Hinman said. “I think it would be wise for folks to examine their insider trader policies in connection,” to a systems breach, he added. — From The Wall Street Journal Online, “SEC Says Companies Can Expect New Guidelines on Reporting Cybersecurity Breaches” by Ezequiel Minaya, Nov. 9, 2017 The expectation that a firm’s stock price will drop upon the announcement of a serious cybersecurity breach is pervasive among market-watchers. Research into the impact of cybersecurity breach announcements on firm stock price generally confirms this expectation (e.g., Ettredge and Richardson, 2003; Garg et al., 2003; Cavusoglu et al., 2003; Acquisti et al., 2006, Amir et al., 2018). For example, a recent study by Lin et al. (2018) finds an abnormal fiveday return of –1.44% surrounding the public announcement of a data breach, and this stock price decline does not reverse over the following month. Corporate insiders, who owe a fiduciary duty to the shareholders, are surely aware of this tendency for the market to reduce the value of the firm’s equity in response to a cyber breach announcement as well. In a recent highly-publicized case, Jun Ying, the chief information officer at Equifax was convicted of insider trading for selling stock ahead of the public announcement in September, 2017, of a major breach of customer data that had occurred two months earlier. Mr. Ying’s timely selling saved him an estimated $117,000 when the stock price of Equifax plummeted following the announcement of the data breach (Cowley, The New York Times, March 14, 2018).
1
As the opening quote above highlights, the U.S. Securities and Exchange Commission (SEC) is also keenly aware of the tendency for the stock price to drop at the announcement of a cybersecurity breach and the commensurate possibility for insiders to benefit from this private information by selling their stock before news of the data breach is made public. Further, the SEC has taken a recent interest in how firms handle both the disclosure of this information, as well as how firms monitor their insider trading activity surrounding such disclosure. Given both the recent prosecution for insider trading ahead of the Equifax cyber breach announcement and the SEC’s expressed concern about the extent to which such insider trading may be occurring, there is anecdotal evidence highlighting the importance and relevance of this issue. However, there appears to be no empirical evidence documenting the extent of insider trading surrounding the announcement of cybersecurity breaches. We examine this issue in detail in this paper. We analyze insider trading data for a sample of 258 cybersecurity breach announcements in the U.S. over 2011-2016. In order to identify “non-routine” versus “routine” trades, we adopt the algorithm of Cohen et al. (2012). Specifically, we require at least one trade by an insider in each of the preceding three years to classify the trades. We compare each insider’s trades in the month prior to a data breach announcement to his or her trades over the previous three years and classify any trades falling in the same calendar month repeatedly as “routine.” All other trades are classified as “opportunistic” (we use the term “non-routine” interchangeably). We find that the stock sales of 192 insiders in the three months prior to an announcement of a cyber breach save each insider an average of $35,009, and this amount is statistically significant. This is also three and a half times the average profit from insider trades in the wider population, as reported in Cziraki and Gider (2019). We also find that trades classified as routine and trades that cannot
2
be classified show (weaker) evidence of profitability from timely selling ahead of cyber breach announcements. Further analysis reveals that the amount of money saved is highest for those associated with firms in the information industry, at roughly three times that of other industries. Insiders in this industry seem better able to exploit their private knowledge, perhaps due to a deeper understanding of the negative impact a cyber breach can have on the firm. We also examine the Form 4 disclosures of insider trades that are required to be filed within two days of a trade with the SEC in order to look for evidence of late filing violations. Longer lags in reporting are suggestive of strategic behavior in trying to hide the trade and may also suggest a lax corporate culture that tolerates such reporting violations. We find that insiders in the role of CIO/CTO tend to file the latest of all roles at 12 days after a trade. We further find that filing violations are more likely to occur closer to a breach announcement. This suggests that insiders may be exploiting the filing delays to maximize the price received on multiple sales. We also find that the bulk of opportunistic trading tends to occur 55 to 72 days before the public announcement of a breach. Finally, we search the SEC website for insider trading enforcement actions related to cybersecurity announcements during our sample period, but find none prior to the 2017 Equifax incident; this type of event has clearly not been on the radar of the Commission until very recently. Our study contributes to the literature on insider trading as it pertains to a specific type of corporate event. Cybersecurity breaches are an event that corporate managers have very little control over, including the occurrence, magnitude, and timing; they merely react to it. In this sense, cyber breaches represent a unique type of corporate event, one that is less prone to
3
endogeneity concerns than other types of corporate announcements. Our study provides insight into how managers respond to such an event through insider trading. Our results also lend support to the SEC’s recently announced goal of tightening restrictions on insider trading ahead of cyber breach announcements. Based on our findings, we offer some specific policy recommendations aimed at reducing the likelihood of insider trading based on this type of material information. These include quicker disclosure of breaches by firms, the institution of trading blackouts from the time of breach discovery to public disclosure, and stepped up enforcement by the SEC as a deterrent.
2. Background and related literature 2.1 Insider trading Insiders have access to privileged information about the firm and are therefore subject to enhanced scrutiny and regulation, especially regarding their trading of company stock. Insiders often hold a relatively large amount of company stock in relation to their personal wealth, either due to being a founder, affiliate, or receiving compensation through stock and stock options. Some employees are also able to buy company stock at a discount, or may do so if they believe the firm is undervalued. Insider trades may thus be motivated by liquidity or diversification needs, as well as a desire to acquire stock at a bargain price or convey a signal to the market about the health of the firm. If an insider trades based on material non-public information (information that would likely affect stock value), then the SEC would view this as a legal violation and may choose to bring charges against the individual involved, if a case can be built. However, detecting illegal insider trading is a challenge.
4
Investors as well as academics and regulators routinely monitor and study the trades of insiders to glean information about the company’s health and prospects or to detect signs of illicit behavior. A number of studies, beginning in the late 1960s, have examined whether insider trades are informative for predicting future stock returns.1 Seyhun (1998) reviews this literature and finds that the results are mixed, but there is some evidence of useful information in insider trades that can lead to profits. Jeng et al. (2003) report that insider purchases earn abnormal returns of 6% annually, while insider sales do not earn significant abnormal returns. Rather than focusing on the trade type or on the return around the trade itself, Cohen et al. (2012) focus on the trading history of the insider to identify informative from non-informative trades, and they find that this method works exceptionally well. Insiders who place trades in the same calendar month over a period of three years are classified as routine, or non-informative. When three years of trading history with at least one trade per year does not exist, the trades are not classified. All other trades are considered informative or “opportunistic.” They report that a portfolio strategy that emulates the trades of opportunistic traders yields value-weighted abnormal returns of 82 bps per month (9.84% annually), while abnormal returns associated with routine traders are essentially zero. They further find that opportunistic traders are significantly more likely to have SEC enforcement action taken against them, and reduce trading following waves of SEC insider trading enforcement actions.
2.2 Cybersecurity breaches There have been numerous studies that explore stock market reactions to information security incidents. Early research into this topic reported strongly negative stock market
1
See, for example, Lorie and Niederhoffer (1968), Jaffe (1974), Finnerty (1976), Elliot et al. (1984), Givoly and Palmon (1985), Seyhun (1986), and Rozeff and Zaman (1988), and Muelbroek (1992).
5
reactions to information security breach announcements (Ettredge and Richardson, 2003; Garg et al., 2003; Cavusoglu et al., 2004; Acquisti et al., 2008). Other studies did not find any significantly negative impact (Campbell et al., 2003; Hovav and D’Arcy, 2003; Kannan et al., 2007). Wang et al. (2013) demonstrate that the market reacts in different ways to different types of cybersecurity breaches, depending upon the nature of the affected firm’s financial disclosures. Amir et al. (2018) find that firms tend to withhold information on the most severe cyberattacks until disclosure is forced upon them. Overall, the literature shows that firms and investors can typically expect at least a temporary drop in stock price after the announcement of a cybersecurity breach. A recent study by Mitts and Talley (2018) examines informed trading in the put options market by outsiders to the firm ahead of cyber breach announcements. They note that such activity is not illegal per se, in contrast to trading by corporate insiders —a topic they do not explore. Trading in the options market is a viable strategy to exploit insider information, but when done by insiders is illegal and is subject to SEC enforcement action. For example, in the case of the Equifax data breach mentioned above, a software product development manager for Equifax named Sudhakar Bonthu pled guilty to buying put options ahead of the breach announcement. These illegal trades, placed through his wife’s brokerage account, earned him a profit of $75,000 when the breach was announced. As the case of Mr. Bonthu illustrates, insider transactions in the options market can also be lucrative. However, insider transactions in the options market are relatively uncommon, as reported in studies such as Augustin et al. (2015), who examine informed trading in the options market ahead of takeover announcements. They analyze insider filings and find that not a single options transaction was executed by registered insiders in the 30-day run-up to the announcement. Our paper focuses solely on stock
6
transactions, which are far more common. To the extent that insiders may tip others to trade (Meulbroek 1992, Ahern 2017), such transactions would not show up in our sample. The occurrence of a cybersecurity breach represents an external shock to the firm. The ability of managers to avoid these breaches is limited, but may be influenced by the amount of investment in cybersecurity that the firm chooses to make. Due to the limited budget for IT security investment, the uncertainty of security performance, and the likelihood of data breaches, firms take a cost-benefit trade-off approach to defending their assets. Angst et al. (2017) find that IT security investments can mitigate the likelihood of data security breaches. Gordon and Loeb (2002), Gordon et al. (2003), and Gal-Or and Ghose (2005) conclude that a firm should not necessarily focus its investments on information sets with the highest vulnerability, but may be better off instead concentrating its efforts on assets with midrange vulnerabilities. Moreover, Anderson (2001) argues that neither technical solutions nor economic markets alone can solve security problems due to the difficulty of estimating the costs and benefits of success and failure. In practice, most organizations simply react to a breach by absorbing the financial losses and meeting any regulatory mandates involved (Liberti, 2008). Overall, firms can reduce the frequency and severity of cyber breaches through investments in cybersecurity, but cannot eliminate the possibility of a cyber breach. This raises the prospect that some corporate officers may be inclined to sell their stock if they simply believe that their firm is especially prone to cybersecurity breaches due to weaknesses in cyber defenses. In cases where the manager believes an attack is imminent, she may choose to sell some stock. We can envision three scenarios in which this can play out in the data. First, some of these sales may not be followed by a cybersecurity breach at all —in this case, we would observe some opportunistic sales, but these would not be followed by any breach
7
announcement. Second, some of these sales may be followed by a cybersecurity breach, but this breach may take place in the distant future. This would mean that some sales are too far away from the actual breach event to be detected in the data. Third, some insider sales occur shortly before cybersecurity breach announcements. Here, the manager either traded after they became aware of the breach, or they correctly inferred that there would be a breach. In all three cases, the insider trade is opportunistic and not routine. Our study focuses on insider sales that occur shortly before cybersecurity breach announcements.
2.3 Disclosure On the issue of disclosure, cybersecurity breaches present a challenge. Oftentimes, cybersecurity breaches are not evident to the firm or its stakeholders until long after the initial breach. Depending on the nature of the cybersecurity breach, it is possible that many firm stakeholders would never be notified of a breach. For example, a web portal may be brought down by a distributed denial-of-service attack. To a customer or a supplier, this could seem to be the result of an equipment or power failure, until told otherwise by the firm and/or the media. A more typical scenario is when an attacker steals customer or employee data and, unless the firm notifies the affected parties, the aggrieved party would likely have no ability to connect the stolen information, or more importantly, the use of that stolen information, to the specific firm from which it was stolen. In light of this information asymmetry problem, authorities have issued regulations for notifying aggrieved parties after a data breach of sensitive information. Currently, 48 out of 50 states in the U.S. have data breach notification laws. Other jurisdictions, such as Canada, the European Union, Australia, New Zealand, and Japan, also have data breach notification laws.
8
These notification laws vary in terms of requirements and penalties for non-compliance, but generally state that a firm must give notice of a data breach to affected parties within a certain time frame of discovering the breach. There are a number of caveats to various statutes, including whether or not the breach is still under active investigation and whether or not the data were encrypted. Given the increasingly sophisticated nature of cyber attackers, it can become extremely difficult for firms to detect whether a breach occurred, as well as the extent and nature of the breach. As the Target Corp. data breach and the Democratic National Committee headquarters breach illustrate (Radichel, 2014; Johnson, 2017), firms can also have operational and political reasons to defer investigation of a breach, which increases the uncertainty and information asymmetry around cybersecurity breaches. Essentially, there is a lack of information transparency around cybersecurity breaches to firm stakeholders. Does this issue, combined with the general assumption that stock prices will decline after announcing a breach, lead to the possibility of insider trading before a cybersecurity breach is announced? Our study provides insight on this question.
3. Data and method We collect data on incidents of information security breaches for the January 2011 through December 2016 period from the Privacy Rights Clearinghouse. Our initial search identified 5,787 events, but of these we drop 5,515 because they occurred at private firms, which have no publicly traded stock. We analyze the descriptions of each breach and delete any nonconforming events, such as (a) encrypted data loss, (b) clearly not cyber-related (payment dropbox broken into), (c) not a breach (initial report was later contradicted), and (d) confounding event (lawsuit over trade secrets theft). For the remaining data, we search for confounding events
9
such as earnings reports or merger and acquisition news near the announcement date and exclude these from the sample. We also check multiple news sources, including social media, to ensure we have the earliest public release of the breach information. The final dataset has 258 cybersecurity data breach incidents.2 The number of records breached ranges from 50 to three billion. Hacking accounts for nearly half of the breaches, followed by unintended document loss. Insider breach and portable device breach rank third and fourth, respectively. Panel A of Table 1 reports the median characteristics of the sample firms compared to the Compustat universe. Our sample firms are considerably larger, with a median market capitalization of $17.7 billion compared to only $170 million for the median Compustat firm. They are also more profitable than the typical Compustat firm, as measured by profit margin, ROA, and ROE. Our sample firms have a median book-to-market ratio of 0.38 compared to 0.52 for the Compustat universe, placing our firms more on the growth side of the growth-value spectrum. It seems plausible that larger firms and growth firms have more valuable information that a hacker would target. Our sample firms also have a higher beta and have experienced a higher stock return over the prior year compared to the typical firm. Panel B of Table 1 shows that the sample of breached firms represents a wide variety of industries, with the most common being finance and insurance, information technology, manufacturing, and retail trade. Manufacturing is the only somewhat surprising category for a large number of breaches, as we would expect these firms to be less plentiful sources of consumer data. The retail trade category encompasses online businesses. In order to obtain abnormal returns at the breach announcement, we conduct an event study using the Capital Asset Pricing Model (CAPM) market model, focusing on the five-day window [-2, +2] surrounding the public announcement date. As a robustness check, we also 2
A list of the sample of firms is given in an Online Appendix.
10
compute Fama-French and Carhart abnormal returns. The results are given in Table 2, including abnormal returns over a shorter three-day window and over a one-month (21-trading day) window. The average abnormal return at the announcement of a cyber breach is a stock price decline of 1.44% measured over five days, with a t-statistic of -6.75. We note that 71% of the 258 breach announcements resulted in an abnormal stock price decline, implying that, while likely, a forecast of a stock price drop by an insider may not always materialize ex post. The results from the Fama-French and Carhart models are similar, so we focus on the simple CAPM alphas throughout the study. We note that these results are consistent with those obtained by Lin et al. (2018), who examine the same data sample. Insiders are required to report their trades to the SEC on Form 4 Table 1 and this information is made public. For each data breach firm, we retrieve insider trading data from the Thomson Insiders database, including filing date, insider name, insider role, transaction type, transaction price, and number of shares transacted. We also obtain daily equity data from the Center for Research in Security Prices (CRSP), including closing stock price and number of shares outstanding. The insider trades we track are those under the legal definition used by the SEC for an insider — managers, those on the board of directors, and affiliates holding 10% of shares or more. Corporate executives are commonly compensated with stock and stock options as a way to mitigate principal-agent problems in the firm and better align managerial incentives with the interests of the shareholders. This means that corporate insiders have large amounts of stock in their own firm, relative to their other holdings, and periodically engage in trading that stock (usually selling). Insiders are forbidden under the law from trading on material information that is not known to the general public and are also prohibited from trading ahead of planned major
11
announcements, such as earnings releases. However, it would be naïve to believe that all insider trades are done simply for liquidity or diversification purposes and convey no information about the firm. All insiders know things about the firm that the public does not, and it is impossible for them to forget these things before they trade. Some traders surely transact opportunistically based on the non-public information they have. The challenge is to identify such trades in the midst of many trades done simply for liquidity purposes. Two recent papers propose algorithms for identifying insider trades as informative or non-informative. Gunny and Zhang (2012) propose a measure that is centered on the date of the trade and examines whether stock price goes up or down over a surrounding window in order to classify the trade as either informative or liquidity-based. This measure has the drawback that it assumes that opportunistic traders always profit, by definition. Cohen et al. (2012) propose a new classification scheme that does not depend on the stock’s returns. Instead, they examine the trading history of the insider during the prior three years to look for a pattern, defined as a trade placed in the same month each year. These are classified as being routine and uninformative. All other trades are classified as non-routine, or opportunistic, and potentially convey private information. They show that this filtering scheme effectively weeds out half of all insider trades; the half that has no predictive power for future returns or firm news. The remaining half of trades contains all of the predictive power in the insider trading universe, information which they show is considerable. They apply their approach to classify individual traders, placing them into either routine or opportunistic buckets at the start of each year, and they also apply their approach to classify individual trades as either routine or opportunistic. They find that either classification method is empirically robust and informative for predicting future stock returns.
12
For the purpose of identifying opportunistic insider trades, we adopt the Cohen et al. (2012) algorithm, applied at the individual trade level (see Table III of Cohen). State and federal governments have been exerting pressure on companies to rapidly investigate and disclose cyber breaches, especially when the loss of personal data is involved. Accordingly, we are primarily interested in stock selling activity by insiders that falls within a three-month window before a cyber breach announcement. In order to classify the insider sales during this window as either routine or opportunistic, we obtain all insider trading data for the three years prior to the breach announcement window. For example, if the breach for a firm occurred in January 2011, then we examine insider trading data from October 2007 through January 2011 in order to classify any stock sales occurring in the three-month window October 2010 to January 2011. If a pattern is detected with sales falling in the same calendar month over three years, then the insider trade is classified as routine. If the insider lacks three years of trading history, then we take a conservative approach and leave the trade unclassified. All other trades are classified as opportunistic. As there may be multiple trades on different days or months by the same insider, all opportunistic sells are then aggregated by insider per breach. The dollar amount of shares sold is multiplied by the five-day cumulative abnormal return (CAR) from the cyber breach announcement to determine the amount of money saved, or the abnormal profit to the insider, from the timely sale.
4. Results 4.1 The frequency of insider trades Insiders who are seeking to benefit from private information are likely to trade more frequently. How much selling is there by insiders at these firms compared to the wider universe?
13
To answer this question, we obtain all insider sell transactions on our sample firms for the five years leading up to the cyber breach announcement. This yields 94,721 stock sales transactions by 2,050 insiders, giving an average of 9.24 sales per year. For comparison, Cziraki and Gider (2019) report 2.80 insider trades per year, of which 77%, or 2.16 transactions, are sales. In general, our sample contains a more active group of traders. Focusing just on the three months leading up to the cyber breach announcement, we find that insiders average 7.63 sales over this shorter window, still exceeding the average number of sells reported by Cziraki and Gider (2019) on an annual basis. If we pro-rate this number to an annual figure, we would have 30.52 sales per year, a significant contrast to the sample average, and much higher than the broader sample of firms. We note that the median firm in Cziraki and Gider has a size of $729 million with a bookto-market ratio of 0.40, whereas our sample firms are much larger at $17 billion and a book-tomarket ratio of 0.38. They examine small growth firms whereas we examine large growth firms.
4.2 The classification of insider trades For each of the 258 cyber breach announcements in our sample, we examine the three months prior to when the breach is publicly announced to search for insider trading activity. Due to the widespread common knowledge that breaches are bad news for the company and typically prompt a drop in stock price, we solely focus on insider sales of stock. Classification of each sale is based on the Cohen et al. (2012) algorithm. During the three-month window prior to a cyber breach announcement, we identify 575 routine trades, 807 opportunistic trades, and 1,302 trades that cannot be classified. Insiders exhibiting only routine trades during the three-month window are classified as “routine.” Insiders exhibiting one or more non-routine trades during the three-
14
month window are classified as “opportunistic,” and their non-routine trade or trades are retained for further study. Table 3 lists the number of insiders trading right before cyber breach announcements both by type of trade (routine, opportunistic, and unclassified) and by year of the sample. Panel A shows data for a three-month window prior to the public announcement, the trading window that we primarily focus upon throughout this study. Panel B presents data for a one-month window prior to the public announcement. We observe that there are significantly more trades identified as opportunistic than routine in both the three-month and one-month windows. We also note that further examination of the unclassified trades reveals that most of them would likely end up in the opportunistic category if longer trading histories were available for these insiders. Cohen et al. (2012) report that 52% of insider sales are classified as routine versus 48% that are opportunistic in a sample of 48,460 trades. The comparable figures from our sample show that out of 1,382 insider sales within three months of a breach announcement, 575 are classified as routine and 807 as opportunistic, giving proportions of 41.6% routine versus 58.4% opportunistic. As in Cohen et al., we ignore the unclassified trades. A one-sample binomial proportion test was performed to examine whether or not the proportion of opportunistic trades in our sample is equal to that reported by Cohen et al. The test results in a t-statistic of 7.73, indicating strong rejection of the hypothesis. We conclude that our sample of insider selling ahead of cyber breach announcements is much more heavily tilted toward opportunistic selling than is the wider population of all insider sales. Cohen et al. (2012) report that 64% of insider stock purchases are routine and 36% are opportunistic. In our sample, there is very little buying activity in the three months before cyber
15
breach announcements, and of this scant purchasing, none of it is classified as opportunistic. We perform a one-sample binomial proportion test to examine whether or not the proportion of opportunistic buys in our sample (0%) is equal to that reported by Cohen et al. (36%). The test results in a t-statistic of 11.05, indicating strong rejection of the hypothesis. Compared to the wider population of all insider purchases, our sample is significantly different, with no opportunistic buys ahead of a cyber breach announcement.
4.3 The profitability of insider trades The main results of our study focus on the money saved by insiders selling stock per each cyber breach event, and these results are shown in Table 3. Although we are primarily interested in opportunistic selling, we also present results from sales that are classified as routine and from unclassified sales. To calculate the money saved, we obtain the market value of the shares sold by the insider from the Form 4 filings, which list the number of shares sold and the transaction price. We then multiply these amounts by the breach event’s corresponding five-day CAR obtained from the event study, reflecting the stock’s change in value from the cyber breach announcement. Thus, an insider who sells $100,000 worth of stock just before a public breach announcement that causes a 10% drop in stock value has saved herself $10,000. Panel A of Table 3 reports the results for trades occurring during the three months prior to the cyber breach announcement. The results show the average dollar amount of money saved by an insider through opportunistic trades is equal to $35,009, with a highly significant t-statistic of 2.78. The 90th percentile of the distribution of money saved is $136,808. The average amount of money saved varies by year, but is always positive, from a low of $21,079 in 2013 to a high of
16
$70,512 in 2016.3 The mean dollar amounts saved are higher than the medians, indicating rightskewness in the distribution, with an overall significant median of $7,880 (t = 5.12). We note that there are few routine trades and that the magnitude of money saved seems large, primarily due to a single year, but is insignificant overall. The median money saved from routine trades is $7,104 (t = 1.78) and is close in magnitude to that of opportunistic trades. Unclassified trades comprise the largest category of trades and show an insignificant mean of $4,702, whereas the median is $3,839 and is highly significant. This is noteworthy as there appears to be information in these trades, even though the magnitude of median profits is half that of opportunistic trades. Cziraki and Gider (2019) report that, per trade, insiders earn an average (median) abnormal profit of approximately $4,000 ($141). When aggregating an insider’s trades over a three-month period, the same timeframe that we examine in our study, they report an average (median) dollar profit of $10,000 ($255). We are unable to conduct a t-test, but note that our average amount of money saved is approximately three and a half times this amount, and the median is approximately thirty times larger than their median profit. Figure 1 illustrates the average amounts saved through opportunistic trades by year. The figure shows that opportunistic profits seem to exhibit a U-shaped wave pattern over the sample period. Indeed, the pattern is accentuated if one focuses on trading only in the one-month period prior to the public breach announcement. Cohen et al. (2012) show that opportunistic trading waxes and wanes with the prominence of SEC enforcement actions, which may help to explain this pattern. 3
We remove one extreme outlier in 2014 that is due to Bill Gates of Microsoft Corp. Two months prior to Microsoft’s January 1, 2014, announcement of a cybersecurity breach, Mr. Gates “non-routinely” sold $711 million worth of stock. Microsoft stock abnormally fell 2.69% at the announcement, thus saving Mr. Gates $19.1 million. Including this extreme outlier would raise the 2014 average money saved per insider from $30,261 to $712,536 and the overall sample average from $35,009 to $133,815 in money saved per insider. Although this would make our results look more impressive, we felt that dropping this extreme outlier gives a more tempered and realistic view of the empirical distribution.
17
Panel B of Table 3 presents results for the money saved by trades from the insider selling stock within one month of each cyber breach announcement. At a sample size of 70, the number of observations for opportunistic trades is clearly smaller as the trading window has shrunk from three months to one month. The mean amounts saved each year are all positive, though with greater variability than the three-month results, ranging from $3,481 in 2013 up to $145,583 in 2016. The overall mean is a significant $44,359 (t = 2.08). The median savings are negative in one year of the sample (2013), but are otherwise positive overall at $4,890 (t = 2.99). There are only 17 observations for routine trades, making it difficult to draw strong conclusions from this category. The mean money saved is insignificant, whereas the median shows a significant $11,205. The unclassified trades once again are the largest category, with 193 observations. We find that the mean money saved is large and significant at $25,879 (t = 2.58). The median has a similar magnitude as in the three-month window at $3,431 and is significant. We draw the following conclusions overall. Savings from opportunistic trades are always significant, whether measured as mean or median, and at the one-month and the three-month preannouncement windows. Unclassified trades seem to behave similar to opportunistic trades, though in a weakened fashion. Routine trades are relatively infrequent in the sample and are influenced by outliers, making it difficult to draw strong inferences about this category. Some sample firms experience repeat cyber breaches and some of the same insiders of these firms may place non-routine trades surrounding these separate cyber breach events. We find that the 807 non-routine stock sales of 170 corporate insiders in the three months prior to the announcement of 192 distinct cyber breaches saves each insider an average of $35,009 per event, as reported in Panel A of Table 3. If the savings are aggregated by insider, without regard to distinct cyber breach events, then the 170 insiders saved an average of $39,549 each.
18
How do the profits earned by insiders selling ahead of cyber breach announcements compare to trading profits from insiders who opportunistically trade at other times? To examine this question, we compare the percentage profits of our sample of opportunistic insider trades to that reported by Cohen et al. (2012) for all opportunistic insider trades over their 22-year sample period. They report that a portfolio exploiting the trades of opportunistic sellers earns a valueweighted CAPM alpha of 34 bps per month (4.16% annualized, t = 1.73). Our sample of 192 cyber breach announcements with opportunistic insider sales has CAPM abnormal 21-tradingday profits of 126 bps (16.21% annualized, t = 2.64). The difference between the annualized returns is 12.06% with a t-statistic of 1.83. Cohen et al. report that a portfolio mimicking opportunistic sellers has a Carhart value-weighted alpha of 9 bps per month (1.09% annualized, t = 0.50), whereas we find a one-month Carhart alpha of 109 bps (13.89% annualized, t = 2.49). The difference between annualized returns is 12.81% with a t-statistic of 2.14. We conclude that the opportunistic selling activity we find ahead of cyber breach announcements is significantly more profitable than the typical opportunistic selling in the wider population. Finally, we look for evidence of insider buying after the announcement of a cyber breach. Buying could occur to exploit a price decline, or in order to support the company’s stock by signaling confidence in its value. We examine insider purchases in the two-month window following the breach announcement and measure imputed profits from three days before the announcement to the date of purchase. For example, if an insider purchased stock 14 days after the breach announcement at a stock price that was 5% less than the price prevailing three days before the announcement, that is considered a 5% profit. We identify 65 purchases in the two-month post-announcement window transacted by 33 corporate insiders. The average percentage profit, aggregated by insider, is 3.71%, with a t-
19
statistic of 2.18. Thus, it appears that some insiders exploit the decline in value after a cyber breach announcement to “buy cheap.” In dollar terms, the imputed average amount of money made is $63,853, although the dollar profits are noisier and have a t-statistic of only 1.04. We note that buying stock after the public release of news is not a legally questionable form of insider trading. When considering the average size of money saved from insider trades ($35,009), it is natural to ponder whether the dollar amount justifies the risk undertaken by opportunistic trading. The CIO charged in the Equifax breach was compensated in the millions and only saved an estimated $117,000 through his sale of stock ahead of the breach announcement. Bhattacharya and Marshall (2012) examine whether the economic motive for illegal insider trading is strong and conclude that it is not. They posit whether other potential motives that could be either psychological in nature, such as hubris, or sociological in nature, such as company culture, are at work. Thus, the magnitude of average profits we find does not diminish the finding of significant insider selling ahead of cyber breach announcements. The absence of likely economic justification for engaging in this risky insider trading simply implies that other motives are at play.
4.4 The timing of insider trades We next explore the timing of opportunistic insider trades. The laws governing disclosure vary by state, with some states as recently as 2018 tightening the time window allowed for disclosure of a data breach to consumers. Currently, 18 states require that disclosure occur within a specific timeframe that ranges from 30-90 days, while 32 states simply specify that disclosure be made as quickly as possible and without unreasonable delay. As a result of the regulatory
20
push for quicker disclosure, the average number of days between breach discovery and public disclosure has fallen from 83 days in 2014, to 48 days in 2018.4 For our 2011-2016 sample period, the longer disclosure window is largely applicable. We hypothesize that insiders who wish to benefit from their inside knowledge of a cybersecurity breach would be more likely to sell soon after becoming aware of the breach, rather than waiting until close to the announcement date. This is because selling close to the release of negative news would be more likely to attract scrutiny. We identify a total of 807 non-routine stock sales by insiders in the 90-day run-up to a cyber breach announcement in our sample. Panel A of Figure 2 displays the average dollar amount of stock sold each day over the 90 calendar days prior to a cyber breach announcement by these insiders. Market value is the Form 4 reported number of shares sold multiplied by the reported transaction price. The figure shows that much of the selling occurs well before the announcement date. In particular, there is a cluster of selling activity that runs from approximately day -65 to day -48 prior to the announcement day. The line graph overlaid in Panel A of Figure 2 illustrates the total amount of money saved by the time of sale from the 807 opportunistic trades in the three-month run-up to the public announcement. How do the two graphs differ in Panel A? There is no guarantee that selling stock will result in a profit, since stock price does not always decline at the announcement. Indeed, the results in Table 1 indicate that only 71% of our sample firms demonstrate an abnormal drop in stock value following the announcement of a cybersecurity breach. While Figure 2 displays the average dollar amount of stock sold, it also shows the actual money saved that is realized ex post by each trade and displays the sum total each day in event time. Note that for some days the 4
According to the Data Breach Intelligence report issued on October 29, 2018, by Risk Based Security, Inc., the average number of days between breach discovery and reporting was 83.2 in 2014, 73.8 in 2015, 64.6 in 2016, 47.0 in 2017, and 47.5 in 2018.
21
opportunistic trades show a net loss, although these are a small minority. The bulk of abnormal profits seem to be realized from stock sales placed around 73 to 62 calendar days prior to the breach announcement. Panel B of Figure 2 shows the clustering of selling activity. In it we show the cumulated average amount of stock opportunistically sold by an insider over the 90-day window and compare it to a distribution of uniform selling. We see relatively low-dollar selling activity, then a substantial jump over [-65, -48], then a return to relatively smaller dollar amounts of selling activity nearer the announcement date.
4.5 The industry and relationship role of insiders who trade Panel A of Table 4 reports the amount of money saved by 192 insiders who sold stock ahead of breach announcements, classified by the industry of the firm with which the insider is affiliated. The industry of each firm is determined from the first two digits of its North American Industry Classification System (NAICS) code. Industries with fewer than four observations are lumped together into an Other Assorted category. From a sample size of 42, we see that insiders affiliated with the information industry avoid the greatest losses through their trades, with mean savings of $74,794 and median savings of $11,738. Both are statistically significant. Insiders affiliated with the finance and insurance industry come in second at $37,484 in average savings, and the Other Assorted category, which is comprised of tiny samples of insider trades from six industries, ranks third at $22,455. The large trading profits found within the information industry suggest that insiders in this industry especially know how to exploit their inside knowledge. We note that the average five-day CAR for breach announcements in the Information industry is 0.0142, approximately equal to the sample average CAR of -0.0144. Therefore, the higher dollar
22
profits of insiders in the Information industry are not driven by larger market reactions, but are solely driven by the trading characteristics of the insiders. Each insider who transacts in company stock must list their relationship to the firm on their Form 4 disclosure filed with the SEC. For the 192 insiders who sold opportunistically within three months prior to a cyber breach announcement, we tabulate the average amount of money they saved according to the primary relationship role listed in their Form 4 SEC filing. Panel B of Table 4 presents the results, sorted from the largest average amount of money saved down to the least. The most common relationship roles listed are Officer (97), Director (31), CEO (20), General Counsel (15), and CFO (10). Based on the Cohen et al. (2012) algorithm, all of these insiders sold opportunistically. However, the relatively large category of Director, which accounts for 31 of the 192 insiders who sold, reports an average loss of $3,513. One interpretation is that this group possessed, ex post, less private information than perhaps they thought they did. What of those who did save money? Of particular note is that the category of Chief Information/Technology Officer ranks fourth in terms of money saved, at $73,630 per insider, higher than for CFO, Officer, General Counsel, and Director. This category includes those holding the job roles of either Chief Information Officer (CIO) or Chief Technology Officer (CTO), and when focusing on the question of knowledge that could be traded on ahead of a cybersecurity breach disclosure, would seem to be among the most well-informed insiders. Depending upon how the firm is organized, the CIO or CTO is informed early on of a cybersecurity breach in the firm, oversees the investigation of the breach, and is most likely to quickly grasp the full potential extent of any resulting damage. However, we caution that, based on the small number of CIO or CTO insider sales, one should not place undue weight on this particular finding. The well-populated
23
categories of Officer, CEO, and CFO all show average money saved ranging from $15,717 for Officers to $90,431 for CEOs.
4.6 Delays in trade reporting We next examine the number of days after an insider transaction until the transaction is disclosed on Form 4 to the SEC. The law requires reporting within two days. Betzer and Theissen (2010) are the first to examine insider reporting delays, and they find that prices are distorted when the reporting of insider trades is delayed. Betzer et al. (2015) find that stealth trading, where insiders delay reporting their trades while placing additional trades, allows them to transact at lower average prices. They report that 29% of all insider trades are reported after the two-day deadline. They argue that insiders who are more closely monitored (and who therefore may be facing higher litigation risks) are less likely to file their trades late. We look for evidence of strategic activity in our sample by examining five years of insider trading data prior to the cyber breach announcement. We find that filing violations occur in 20% of the sample. Violations are of interest as they could indicate an effort to conceal trading activity through delayed reporting, and may also indicate a lax corporate culture and lack of monitoring. Furthermore, we wish to see which characteristics are associated with late filing and to test whether violations increase near cyberbreach announcements. Panel A of Table 5 displays the number of days to file according to industry, where industries are identified by the first two digits of the NAICS code. Industry categories containing less than 100 observations are not displayed. The overall sample average is 3.11 days to file, with a median of 2 days. Insiders at firms in the Information industry take 2.35 days to file on average, which is significantly greater than 2 days, but does not constitute a large violation. The
24
service industries tend to have the longest reporting delays, averaging 6 – 8 days. Panel B displays the number of days taken to file by the insider according to the primary relationship role listed in their Form 4 SEC filing. Relationship categories with fewer than 100 observations are not displayed. Chief Information/Technology Officer is the largest filing delay category at 11.98 days on average, significantly greater than 2 days. This finding is of particular interest as this job role is the most likely to have intimate knowledge of a cybersecurity breach. We next examine the factors predicting late filing using a logistic regression. The dependent variable is equal to one if the number of days to file is greater than two days. Explanatory variables include the log of the number of shares traded, the log of the trade value, the log of the firm’s market capitalization, the percentage of shares traded out of shares outstanding, the number of days between the trade and the announcement of a cyber breach, a dummy to indicate an opportunistic trade, and the money saved from the trade. We also include dummy indicators if the trader was the CEO, CFO, CTO/CIO, or COO. The base case encompasses all other insider roles. Betzer et al. (2015) conduct a similar exercise, but they focus more on non-trade-related characteristics as explanatory variables. Results are reported in Table 6. A larger number of shares traded is correlated with filing delays. This type of trade is likely to produce a larger price impact. The size of the firm is also significant, with insiders at larger firms more likely to have filing delays. Consistent with Betzer (2015), we find that larger value trades are less likely to be delayed. The coefficient on number of days between the trade and the announcement is negative and highly significant, indicating that trades closer to the breach announcement are more likely to be delayed. This finding is interesting as it indicates possible strategic behavior by the seller related specifically to the cyber breach announcement. Insiders may be exploiting the filing delays to maximize the price
25
received on multiple sales. The opportunistic trade dummy is not significant, nor is the amount of money saved from the trade. Hence, those who delay filing are no more likely to profit from the trade ex post. CEOs, who are likely to be well-informed, are significantly more likely than the base case to delay filing their trade report. We note that this result is in contrast to Betzer et al. (2015), who find that the CEO is less likely than other insider categories to delay filing.
5. Policy implications Corporate insiders are defined as those who serve as the company’s officers and directors, or any beneficial owners of more than 10% of the company’s stock. Under U.S. law, those who either have a fiduciary responsibility to the firm, such as corporate executives, or do not have a fiduciary responsibility to the firm but are aware that they are trading on material private information, can be held liable for illegal insider trading. Trades by insiders are legal as long as they are promptly disclosed and are not based upon material non-public information. Corporate insiders have a duty to either disclose material information to the public or abstain from trading on it, as trading would be considered a misappropriation of information and a violation of their fiduciary responsibility (Bhattacharya, 2014). Cyber breaches constitute material non-public information as evidenced by the average stock price reaction to their announcement, as well as the stated opinion of SEC staff in recently released guidance.5 We find significant evidence of loss avoidance by insiders through selling stock ahead of cyber breach announcements. Therefore, the first policy implication of our study is that corporate managers should abstain from trading based upon this information while disclosing it to the
5 The SEC guidance states that “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material non public information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” See https://www.sec.gov/rules/interp/2018/3310459.pdf.
26
public as quickly as possible. The best way to disclose the occurrence, costs, and consequences of such incidents is through filing Form 8-K (or Form 6-K for foreign filers) with the SEC. By disclosing material information in this manner, the risk of selective disclosure is minimized, and doing so promptly reduces the risk of trading on material non-public information. A second policy implication of our findings is that firms should institute a blackout period for selling stock by all insiders from the time a cyber breach is discovered until the breach has been made public. Such a firm-wide blanket policy would make clear that the company does not want to risk the reputational damage that an SEC investigation or enforcement action would inflict upon the firm and that it takes its fiduciary obligations to its shareholders seriously. Our third policy recommendation pertains to SEC enforcement. We search for all SEC enforcement actions on the SEC website that occurred during our 2011-2016 sample period and cross-check them with our sample firms, finding nine matches. We examine whether an insider who has been charged also shows up in our sample as having sold stock ahead of a cyber breach. There are zero matches to specific insiders in our sample from these enforcement actions. Hence, we find no SEC enforcement actions related to insider trading around cybersecurity breaches. This apparent lack of enforcement until the prosecution resulting from the 2017 Equifax breach raises our third policy implication. Specifically, to the extent that insiders do not fear getting caught, enhanced scrutiny by the SEC, along with more frequent enforcement of both late filing violations and insider trading violations would likely reduce such behavior by insiders. This may help prevent the type of illegal insider trading exhibited by Equifax’s software engineer who sold put options through his wife’s brokerage account, trading which would not be technically covered by a blackout on trading company stock.
27
6. Conclusion This study is the first we are aware of to draw an association between insider trading and cybersecurity breach announcements. We employ an established algorithm that has been documented by Cohen et al. (2012) to effectively separate information-based insider trades from routine liquidity trades. We find that insider sales ahead of cyber breach disclosures produce significant abnormal savings for the sellers as the stock declines post disclosure. The implication is that some insiders seem willing to take advantage of the information asymmetry between the firm and equity markets through the strategic timing of their stock sales. While the average magnitude of economic damages is relatively nominal, the exploitation of private information by insiders sows distrust between stakeholders and the firm’s management and serves to erode investor confidence in the integrity of financial markets. Our findings not only bolster the SEC’s recently stated directive to companies “to examine their insider trader policies in connection to a systems breach,” but also have public policy implications now that information-based trading ahead of cyber-breach disclosures has been documented. Our conclusions are drawn from aggregate results based on a robust algorithm for identifying informative trades and do not establish the intent of any particular trade or trader. However, our findings allow us to make some general policy suggestions. Firm managers should move to disclose cyber breaches more quickly and, until disclosure has been made, should refrain from trading. An SEC enforcement action for insider trading can cause enormous reputational damage and further loss in firm value. Being aware that opportunistic insider trading occurs in the aftermath of a cybersecurity breach can allow for education processes to be developed, preventative procedures put in place, and internal vigilance and monitoring to be maintained. Finally, the surprising lack of SEC enforcement has undoubtedly allowed this type
28
of information-based trading to persist without threat of consequence. Enhanced scrutiny and enforcement by the SEC would likely serve to curb this practice. There are potential limitations of this research. A number of cybersecurity breaches are not disclosed for various reasons. However, this would not affect our results because there would then be no negative information disclosed to the public to impact stock price for these firms or that could be traded on by insiders. Another potential issue is if the time between the discovery of the breach and its public disclosure is especially long, then our three-month window in which we look for insider sells may fail to capture such trading activity. For example, there might be a law-enforcement hold on information release while an investigation is conducted. However, we believe that three months prior to the public announcement represents a reasonable period of time for most firms to conduct an investigation and publicize their findings. Finally, this research only applies in the realm of firms publicly traded in U.S. markets. There are a large number of cybersecurity breach reports for privately-held firms, non-profits, and governmental agencies. While insider selling of public stock may not be an issue for these organizations, there could be other insider activities that exploit information asymmetry, for example in private fund-raising markets, and take advantage of cybersecurity breaches to the detriment of their stakeholders.
29
References
Acquisti, A., A. Friedman, and R. Telang, 2008, Is there a cost to privacy breaches? An event study. Working paper, Carnegie Mellon University. Ahern, K. R., 2017, Information networks: Evidence from illegal insider trading tips, Journal of Financial Economics 125, 26-47. Amir, E., S. Levi, and T. Livne, 2018, Do firms underreport information on cyber-attacks? Evidence from capital markets, Review of Accounting Studies 23(3), 1177-1206. Anderson, R., 2001, Why information security is hard: An economic perspective, in Proceedings of the 17th Annual Computer Security Applications Conference, Los Alamitos, CA: IEEE Computer Society, pp. 358-365. Angst, Corey M., E. S. Block, J. D’Arcy, and K. Kelley, 2017, When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches, MIS Quarterly 41(3). Augustin, P., M. Brenner, and M. Subrahmanyam, 2015, Informed options trading prior to takeover announcements: Insider trading? Working paper. Betzer, A., and E. Theissen, 2010, Sooner or later: An analysis of the delays in insider trading reporting, Journal of Business Finance and Accounting 37, 130-147. Betzer, A., J. Gider, D. Metzger, and E. Theissen, 2015, Stealth trading and trade reporting by corporate insiders, Review of Finance 19, 865-905. Bhattacharya, U., 2014, Insider trading controversies: A literature review, Annual Review of Financial Economics 6, 385-403. Bhattacharya, U., and C. D. Marshall, 2012, Do they do it for the money? Journal of Corporate Finance 18, 92-104. Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou, 2003, The economic cost of publicly announced information security breaches: empirical evidences from the stock market. Journal of Computer Security 11, 431-448. Cavusoglu, H., B. Mishra, and S. Raghunathan, 2004, The effect of internet security breach announcements on market value of breached firms and internet security developers. Internat. Journal of Electronic Commerce 9(1) 69-105. Cohen, L., C. Malloy, and L. Pomorski, 2012, Decoding insider information, Journal of Finance 67, 1009-1043.
30
Cziraki, P., and J. Gider, 2019, The dollar profits to insider trading, Working paper. Elliot, J., D. Morse, and G. Richardson, 1984, The association between insider trading and information announcements, Rand Journal of Economics 15, 521-536. Ettredge, M. L., and V. J. Richardson, 2003, Information transfer among internet firms: the case of hacker attacks. Journal of Information Systems 17(2) 71-82. Finnerty, J., 1976, Insiders and market efficiency, Journal of Finance 31, 1141-1148. Gal-Or, E., and A. Ghose, 2005, The economic incentives for sharing security information. Information Systems Research 16(2), 186–208. Garg, A., J. Curtis, and H. Halper, 2003, Quantifying the financial impact of IT security breaches. Information Management and Computer Security 11(2) 74-83. Givoly, D., and D. Palmon, 1985, Insider trading and the exploitation of inside information: Some empirical evidence, Journal of Business 58, 69-87. Gordon, L., and M. Loeb, 2002, The economics of information security investment, ACM Transactions on Information and System Security 5(4), 438-458. Gordon L., M. Loeb, and W. Lucyshyn, 2003, Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22(6), 461–485. Gunny, K., and T. Zhang, 2012, Strategic informed trading by corporate executives and firm value, Working paper, Singapore Management University. Hovav, A., J. D’Arcy, 2003, The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review 6(2) 97-121. Jaffe, J., 1974, Special information and insider trading, Journal of Business 47, 410-428. Jeng, L., A. Metrick, and R. Zeckhauser, 2003, Estimating the returns to insider trading: A performance evaluation perspective, Review of Economics and Statistics 85, 453-471. Johnson, K., 2017, “DNC cyber attack by Russia highlighted delayed response, FBI chief says,” USA Today, last accessed on June 25, 2018 at https://www.usatoday.com/story/news/politics/2017/03/21/dnc-cyber-attack-russiahighlighted-delayed-response-fbi-chief-says/99455634/ Kannan, K., J. Rees, and S. Sridhar, 2007, Market reactions to information security breach announcements: an empirical study. International Journal of Electronic Commerce 12(1), 6991.
31
Kwon, J., J. Rees Ulmer, and T. Wang, 2013, The association between top management involvement and compensation and security breaches, Journal of Information Systems, 27(1), 219-236. Liberti, L., 2008, Survey results: Reduce the cost of compliance while strengthening security, CA Advisor: Security Management Newsletter. Liu, Z., R. Parsa, J. Rees Ulmer, and T. Sapp, 2018, Quantifying losses from cyber breaches: An objective, verifiable, insurable measure, Iowa State University, Working paper. Lorie, J., and V. Niederhoffer, 1968, Predictive and statistical properties of insider trading, Journal of Law and Economics 11, 35-53. Mitts, J., and E. Talley, 2018, Informed trading and cybersecurity breaches, Harvard Business Law Review, Forthcoming. Meulbroek, L. K., 1992, An empirical analysis of illegal insider trading, Journal of Finance 47, 1661-1699. Radichel, T, 2014, “Case study: Critical controls that could have prevented Target breach” Sans Institute InfoSec Reading Room, last accessed on June 25, 2018 at https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controlsprevented-target-breach-35412 Rozeff, M., and M. Zaman, 1988, Market efficiency and insider trading: New evidence, Journal of Business 61, 25-44. Seyhun, H. N., 1986, Insiders' profits, costs of trading, and market efficiency, Journal of Financial Economics 16, 189-212 Seyhun, H. N., 1998, Investment intelligence from insider trading, MIT Press, Cambridge. Wang, T., K. Kannan,, and J. Rees Ulmer, 2013, The association between the disclosure and the realization of information security risk factors, Information Systems Research, 24(2) 201218.
32
Table 1 Sample firm characteristics Panel A of the table reports median values of various financial and market variables, where all financial ratios have been winsorized at the 1% and 99% quantiles. Variables for the Compustat universe are reported for all available firms from 2011 through 2016. Market capitalization is in billions of dollars. Total debt, cash, and R&D are each expressed as a percentage of total assets. The year-end daily stock volatility, beta, and stock return are computed from CRSP daily stock returns. A test of the difference in medians is reported in the p-value column. Panel B displays sample firm industries, where industries are identified by the first two digits of the NAICS code.
Panel A: Financial Characteristics Compustat Universe
Our Sample
p-value
170
17,765
0.000
11.43 5.85
22.48 5.06
0.000 0.044
Market Capitalization Debt Ratio (%) Cash Ratio (%) Profit Margin (%)
3.47
6.48
0.000
ROA (%) ROE (%)
1.69 6.00
5.26 12.03
0.000 0.000
R&D (%)
3.81
1.92
0.000
Book-to-Market Daily Stock Volatility (%)
0.52 1.86
0.38 1.76
0.018 0.394
Beta
0.90
1.10
0.000
Annual Return (%)
0.78
7.94
0.000
Panel B: Industries Obs
Percent
Accommodation and Food Services
Industry
11
4.3%
Admin, Support, Waste Mgmt, Remediation Svcs Arts, Entertainment, and Recreation
10 1
3.9% 0.4%
2
0.8%
Finance and Insurance Information
71 48
27.5% 18.6%
Manufacturing
49
19.0%
Other Services Professional, Scientific, and Technical Services
1 14
0.4% 5.4%
2
0.8%
42 4
16.3% 1.6%
Utilities
1
0.4%
Wholesale Trade
2
0.8%
258
100%
Construction
Real Estate Rental and Leasing Retail Trade Transportation and Warehousing
Total
33
Table 2 Abnormal returns from cybersecurity breach announcements The table reports cumulative abnormal returns (CARs) from a sample of 258 public announcements of cybersecurity data breaches over the 2011-2016 period. Abnormal returns are computed using the CAPM, the Fama-French 3factor model, and the Fama-French-Carhart 4-factor model. Abnormal returns are reported for four windows surrounding the announcement day: [-1, +1], [-2, +2], [-2, +18], and [-10, +30]. T-statistics are in parentheses. 3-day
5-day
21-day
41-day
CAPM Mean CAR
-1.18% (-7.30)
-1.44% (-6.75)
-1.26% (-2.64)
-1.44% (-2.53)
# of positive CARs % positive
76 29%
75 29%
105 41%
109 42%
Fama-French Mean CAR
-1.10% (-6.81)
-1.36% (-7.47)
-1.15% (-2.66)
-1.38% (-2.25)
FF-Carhart Mean CAR
-1.09% (-6.69)
-1.38% (-7.55)
-1.09 (-2.49)
-1.31% (-2.16)
34
Table 3 Money saved by insiders selling ahead of cybersecurity breach announcements Panel A of the table reports the average dollar amount of money saved by each insider whose trades executed within three months prior to a cyber breach announcement were identified as non-routine. Panel B reports the average amount of money saved for non-routine insider sales executed in the one month prior to a breach announcement. The dollar amount saved is calculated by aggregating the number of shares sold and multiplying this number by the five-day CAR at the announcement date. T-statistics are in parentheses.
Panel A: 3 months before announcement Opportunistic Year 2011 2012 2013 2014 2015 2016 All
Obs. 15 29 70 27 20 31 192
Mean 37,651 30,261 21,079 31,410 38,500 70,512 35,009 (2.78)
Routine
Median 16,828 11,718 3,523 13,998 19,920 266 7,880 (5.12)
Obs. 3 – 5 6 – 11 25
Mean 132,000 – 49,759 4,447 – 261,087 141,737 (1.24)
Unclassified Median 71,992 – 61,024 3,619 – 7,104 7,104 (1.78)
Obs. 63 83 121 61 56 56 440
Mean 52,447 23,974 62,340 25,811 -231,814 12,484 4,702 (0.19)
Median 7,115 5,058 2,466 5,262 -697 5,333 3,839 (8.01)
Panel B: 1 month before announcement Opportunistic Year 2011 2012 2013 2014 2015 2016 All
Obs. 6 14 25 8 4 13 70
Mean 72,319 27,503 3,481 27,168 22,302 145,583 44,359 (2.08)
Median 48,934 2,644 -1,659 11,751 14,873 4,116 4,890 (2.99)
Routine Obs. 3 – 3 2 – 9 17
Mean 42,454 – 40,685 1,671 – 108,910 72,526 (1.27)
Unclassified Median 25,020 – 226,889 1,671 – 11,205 11,205 (2.65)
Obs. 33 29 45 37 12 36 192
Mean 5,015 25,978 61,092 35,488 3,201 1,424 25,879 (2.58)
Median 4,522 4,847 1,637 11,788 -83 4,283 3,431 (5.61)
35
Table 4 Money saved by insiders according to industry and relationship role For the sample of 192 insiders who sold opportunistically within three months prior to a cyber breach announcement, Panel A of the table shows the average amount of money saved by the insiders according to the industry in which their firm operates. Industries are identified by the first two digits of the NAICS code. The category Other Assorted represents insider trades in six industries. Panel B shows the average amount of money saved by the insiders according to the primary relationship role listed in their Form 4 SEC filing. The category Other Assorted represents insider trades in seven relationship roles. *, **, and *** denote significance at the 10%, 5%, and 1% levels, respectively.
Panel A: By Industry Industry Information Finance and Insurance
Mean
Median
Std. Dev.
Obs.
74,794 37,484
11,738 13,990
258,750 213,444
42 51
Mean t-stat 1.87* 1.25
Median t-stat 4.17*** 3.08***
Other Assorted
22,455
9,386
75,168
12
1.03
2.02**
Accommodation and Food Services Retail Trade
17,978 17,276
16,828 -2,588
15,608 81,048
7 35
3.05*** 1.26
2.27** 0.34
Admin, Support, Waste Mgmt, Remediation Svcs
15,098
16,683
102,515
10
0.47
0.32
Manufacturing
14,796
7,654
95,632
35
0.92
1.01
All
35,009
7,880
174,491
192
2.78***
5.12***
Mean
Median
Std. Dev.
Obs.
Mean t-stat
333,538 142,613
46,389 16,704
610,339 413,654
4 11
1.09 1.14
0.50 0.60
CEO
90,431
86,442
247,007
20
1.64
2.01**
Chief Info/Technology Officer CFO
73,630 17,043
1,507 13,923
163,530 27,655
4 10
0.90 1.95*
0.50 1.58
Officer
15,717
6,465
61,949
97
2.50**
3.66***
General Counsel Director
8,648 -3,513
17,347 1,691
86,992 143,649
15 31
All
35,009
7,880
174,491
192
Panel B: By Relationship Role Relationship Role President Other Assorted
0.39 -0.14 2.78***
Median t-stat
1.03 1.44 5.12***
36
Table 5 Late filing of Form 4 insider trades The table displays the number of days after an insider transaction until the transaction is disclosed on Form 4 to the SEC. Five years of insider trading data prior to the cyber breach announcement is examined. Panel A displays the number of days to file according to industry. Industries are identified by the first two digits of the NAICS code. Industries containing less than 100 observations are not displayed. Panel B displays the number of days taken to file by the insider according to the primary relationship role listed in their Form 4 SEC filing. Relationship categories with fewer than 100 observations are not displayed. The last column of each panel gives results of a test for whether the mean number of days to file is greater than two (the law requires reporting within two days). *, **, and *** denote significance at the 10%, 5%, and 1% levels, respectively. Panel A: By Industry Mean
Median
Std. Dev.
Obs.
Other Services (except Public Administration)
7.96
1
90.11
234
1.01
Professional, Scientific, and Technical Services
5.76
2
32.04
567
2.79***
Manufacturing Retail Trade
5.07 4.71
2 1
64.40 54.20
14,222 5,590
5.68*** 3.74***
Finance and Insurance
3.21
2
27.37
18,358
6.00***
Admin, Support, Waste Mgmt, Remediation Svcs Construction
3.09 2.98
2 2
46.53 5.35
2,235 1,915
1.11 8.05***
Information
2.35
1
11.07
47,884
6.97***
Accommodation and Food Services Wholesale Trade
1.86 1.77
1 1
5.02 6.60
1,521 1,699
– –
Transportation and Warehousing
1.59
1
4.84
450
–
All
3.11
2
32.91
94,824
10.40***
Relationship Role
Mean
Median
Std. Dev.
Obs.
t-stat H0: µ >2
Chief Info/Technology Officer Director
11.98 5.67
2 2
80.87 48.87
576 11,175
2.96*** 7.93***
General Counsel
5.31
1
57.50
3,088
3.20***
Officer Officer and Treasurer
4.32 3.97
2 2
49.77 10.28
20,815 155
6.74*** 2.38***
Chief Operating Officer
2.99
2
28.40
1,105
1.16
CFO Chairman of the Board
2.57 2.49
1 1
7.77 17.78
3,748 864
4.48*** 0.82
Director and Beneficial Owner
2.22
1
7.16
998
CEO President
2.19 2.13
1 2
17.36 5.45
26,653 1,914
Beneficial Owner of more than 10%
1.75
1
3.35
1,036
–
Officer, Director, and Beneficial Owner Officer and Director
1.65 1.47
2 1
0.68 2.92
9,417 13,010
– –
All
3.11
2
32.91
94,824
Industry
t-stat H0: µ >2
Panel B: By Relationship Role
0.99 1.76** 1.02
10.40***
37
Table 6 Predicting late filing of Form 4 insider trades The table displays the results of a logistic regression predicting whether the number of days after an insider transaction until the transaction is disclosed on Form 4 to the SEC exceeds two. If the days until reporting exceeds two, then the form is filed late. Percent Shares Traded is the fraction of shares that the insider sold out of the total shares outstanding in the firm. There are 1,551 observations, with 395 of them exceeding two days (i.e., being filed late).
Variable
Coefficient
z-Statistic
Constant
1.11
1.93
Ln(Num Shares Traded)
0.15
2.37
-0.40 0.17
-4.89 2.97
0.22
1.49
-0.00 0.15
-6.06 0.79
0.00
0.72
1.78 -1.40
9.91 -4.36
0.56
1.06
Role = COO Dummy
-1.49
-1.98
McFadden R2
0.181
Ln(Trade Value) Ln(Market Cap) Percent Shares Traded Days Between Trade & Announcement Opportunistic Trade Dummy Money Saved from the Trade Role = CEO Dummy Role = CFO Dummy Role = CTO/CIO Dummy
38
Figure 1 Money saved by insiders selling ahead of cybersecurity breach announcements The figure shows the average dollar amount of money saved, for each year of the sample, by an insider whose stock sales were classified as non-routine and occurred within three months prior to the firm publicly announcing a cyber data breach.
$80,000 $70,000 $60,000 $50,000 $40,000 $30,000 $20,000 $10,000 $0 2011
2012
2013
2014
2015
2016
39
Figure 2 Timing of insider sales We identify 808 non-routine stock sales by insiders in the 90-day run-up to a cyber breach announcement in our sample. In Panel A, the figure shows the average market value of stock sold each day over the 90 calendar days prior to a cyber breach announcement by these insiders. Market value is the Form 4 reported number of shares sold multiplied by the reported transaction price. The figure also shows the total dollar amount of money saved each day by these insiders. The amount of money saved is shown as of the day the stock was sold. Money saved is computed as the Form 4 reported number of shares sold multiplied by the reported transaction price multiplied by the applicable five-day cumulative abnormal return (CAR) on the stock from the public breach announcement. In Panel B, the figure shows the daily cumulative average dollar amount of stock sold over the 90 calendar days prior to a cyber breach announcement by insiders whose trades are identified as non-routine. The straight red line indicates the expected distribution if stock sales were uniformly dispersed across the 90-day period.
50
5.0
40
4.0
30
3.0
20
2.0
10
1.0
0
0.0
-10
Total Money Saved ($ million)
Value of Shares Sold ($ million)
Panel A: Value of shares sold and money saved by insiders
-1.0 -90 -85 -80 -75 -70 -65 -60 -55 -50 -45 -40 -35 -30 -25 -20 -15 -10 -5 Event Day
0
Value of Shares Sold by Insiders Total Money Saved by Insiders Shown as of the Day the Stock was Sold
40
Panel B: Cumulative average amount of stock sold 300
250
$ millions
200
150
100
50
0 -90 -85 -80 -75 -70 -65 -60 -55 -50 -45 -40 -35 -30 -25 -20 -15 -10
-5
0
Event Day
41
Insider Trading Ahead of Cyber Breach Announcements Highlights • • • •
•
Our sample has more opportunistic selling than the population of all insider sales. Insiders save $35,009 due to selling in the 3 months before the announcement. Insiders save $44,359 due to selling in the 1 month before the announcement. The bulk of opportunistic trading occurs 55 to 72 days before the announcement. Late filing violations are more likely to occur near the announcement of a breach.
PII:
S1386-4181(19)30357-X
DOI:
https://doi.org/10.1016/j.finmar.2019.100527
Reference:
FINMAR 100527
To appear in:
Journal of Financial Markets
Received Date: 3 December 2018 Revised Date:
11 December 2019
Accepted Date: 13 December 2019
Please cite this article as: Lin, Z., Sapp, T.R.A., Ulmer, J.R., Parsa, R., Insider Trading Ahead of Cyber Breach Announcements, Journal of Financial Markets, https://doi.org/10.1016/j.finmar.2019.100527. This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Elsevier B.V. All rights reserved.
Insider trading ahead of cyber breach announcements
ZHAOXIN LIN, TRAVIS R. A. SAPP, JACKIE REES ULMER, RAHUL PARSA*
November 4, 2019 †
JEL Classifications: G14, K24, G30 Keywords: Insider trading, Form 4, cybersecurity, data breach, opportunistic trading, SEC enforcement action, asymmetric information ______________
* Travis Sapp is the corresponding author and may be reached at [email protected], ph. (515) 294-2717. Zhaoxin Lin may be reached at [email protected]. Jackie Rees Ulmer may be reached at [email protected]. Rahul Parsa may be reached at [email protected]. All authors receive correspondence at the following mailing address: College of Business, Gerdin Business Bldg. Suite 2330, 2167 Union Drive, Iowa State University, Ames, IA 50011-2027. † First version: June 6, 2018. We thank participants of the INFORMS Conference on Information Systems and Technology (CIST) 2018, Phoenix, and the 2019 Eastern Finance Association Annual Meeting in Miami for helpful comments. We also thank an anonymous referee whose comments have helped us to enhance the paper.
Insider trading ahead of cyber breach announcements
ZHAOXIN LIN, TRAVIS R. A. SAPP, JACKIE REES ULMER, RAHUL PARSA*
November 4, 2019 †
JEL Classifications: G14, K24, G30
Keywords: Insider trading, Form 4, cybersecurity, data breach, opportunistic trading, SEC enforcement action, asymmetric information ______________ * Travis Sapp is the corresponding author and may be reached at [email protected], ph. (515) 294-2717. Zhaoxin Lin may be reached at [email protected]. Jackie Rees Ulmer may be reached at [email protected]. Rahul Parsa may be reached at [email protected]. All authors receive correspondence at the following mailing address: College of Business, Gerdin Business Bldg. Suite 2330, 2167 Union Drive, Iowa State University, Ames, IA 500112027. † First version: June 6, 2018. We thank participants of the INFORMS Conference on Information Systems and Technology (CIST) 2018, Phoenix, and the 2019 Eastern Finance Association Annual Meeting in Miami for helpful comments. We also thank an anonymous referee whose comments have helped us to enhance the paper.
Abstract
Stock market reactions to cybersecurity breach announcements are generally negative. We find significant evidence of opportunistic insider trading, with insiders saving an average of $35,009 due to timely selling in the three months before the announcement of a cybersecurity breach. Late filing violations by insiders are more likely to occur near the announcement of a cyber breach. The bulk of opportunistic trading tends to occur 55 to 72 days before the public announcement. The results lend support to the U.S. Security and Exchange Commission’s recently announced goal of tightening restrictions on insider trading ahead of cyber breach announcements.
1. Introduction A senior Securities and Exchange Commission regulator said Thursday that public companies will soon face new guidelines for how they report cybersecurity breaches to investors. …William Hinman, the SEC’s recently installed director of corporation finance… also advised companies to examine their own policies for insider trading following a cyberbreach. “I think this issue is important enough, wide-ranging enough that we should tackle it at the commission level,” Mr. Hinman said. “I think it would be wise for folks to examine their insider trader policies in connection,” to a systems breach, he added. — From The Wall Street Journal Online, “SEC Says Companies Can Expect New Guidelines on Reporting Cybersecurity Breaches” by Ezequiel Minaya, Nov. 9, 2017 The expectation that a firm’s stock price will drop upon the announcement of a serious cybersecurity breach is pervasive among market-watchers. Research into the impact of cybersecurity breach announcements on firm stock price generally confirms this expectation (e.g., Ettredge and Richardson, 2003; Garg et al., 2003; Cavusoglu et al., 2003; Acquisti et al., 2006, Amir et al., 2018). For example, a recent study by Lin et al. (2018) finds an abnormal fiveday return of –1.44% surrounding the public announcement of a data breach, and this stock price decline does not reverse over the following month. Corporate insiders, who owe a fiduciary duty to the shareholders, are surely aware of this tendency for the market to reduce the value of the firm’s equity in response to a cyber breach announcement as well. In a recent highly-publicized case, Jun Ying, the chief information officer at Equifax was convicted of insider trading for selling stock ahead of the public announcement in September, 2017, of a major breach of customer data that had occurred two months earlier. Mr. Ying’s timely selling saved him an estimated $117,000 when the stock price of Equifax plummeted following the announcement of the data breach (Cowley, The New York Times, March 14, 2018).
1
As the opening quote above highlights, the U.S. Securities and Exchange Commission (SEC) is also keenly aware of the tendency for the stock price to drop at the announcement of a cybersecurity breach and the commensurate possibility for insiders to benefit from this private information by selling their stock before news of the data breach is made public. Further, the SEC has taken a recent interest in how firms handle both the disclosure of this information, as well as how firms monitor their insider trading activity surrounding such disclosure. Given both the recent prosecution for insider trading ahead of the Equifax cyber breach announcement and the SEC’s expressed concern about the extent to which such insider trading may be occurring, there is anecdotal evidence highlighting the importance and relevance of this issue. However, there appears to be no empirical evidence documenting the extent of insider trading surrounding the announcement of cybersecurity breaches. We examine this issue in detail in this paper. We analyze insider trading data for a sample of 258 cybersecurity breach announcements in the U.S. over 2011-2016. In order to identify “non-routine” versus “routine” trades, we adopt the algorithm of Cohen et al. (2012). Specifically, we require at least one trade by an insider in each of the preceding three years to classify the trades. We compare each insider’s trades in the month prior to a data breach announcement to his or her trades over the previous three years and classify any trades falling in the same calendar month repeatedly as “routine.” All other trades are classified as “opportunistic” (we use the term “non-routine” interchangeably). We find that the stock sales of 192 insiders in the three months prior to an announcement of a cyber breach save each insider an average of $35,009, and this amount is statistically significant. This is also three and a half times the average profit from insider trades in the wider population, as reported in Cziraki and Gider (2019). We also find that trades classified as routine and trades that cannot
2
be classified show (weaker) evidence of profitability from timely selling ahead of cyber breach announcements. Further analysis reveals that the amount of money saved is highest for those associated with firms in the information industry, at roughly three times that of other industries. Insiders in this industry seem better able to exploit their private knowledge, perhaps due to a deeper understanding of the negative impact a cyber breach can have on the firm. We also examine the Form 4 disclosures of insider trades that are required to be filed within two days of a trade with the SEC in order to look for evidence of late filing violations. Longer lags in reporting are suggestive of strategic behavior in trying to hide the trade and may also suggest a lax corporate culture that tolerates such reporting violations. We find that insiders in the role of CIO/CTO tend to file the latest of all roles at 12 days after a trade. We further find that filing violations are more likely to occur closer to a breach announcement. This suggests that insiders may be exploiting the filing delays to maximize the price received on multiple sales. We also find that the bulk of opportunistic trading tends to occur 55 to 72 days before the public announcement of a breach. Finally, we search the SEC website for insider trading enforcement actions related to cybersecurity announcements during our sample period, but find none prior to the 2017 Equifax incident; this type of event has clearly not been on the radar of the Commission until very recently. Our study contributes to the literature on insider trading as it pertains to a specific type of corporate event. Cybersecurity breaches are an event that corporate managers have very little control over, including the occurrence, magnitude, and timing; they merely react to it. In this sense, cyber breaches represent a unique type of corporate event, one that is less prone to
3
endogeneity concerns than other types of corporate announcements. Our study provides insight into how managers respond to such an event through insider trading. Our results also lend support to the SEC’s recently announced goal of tightening restrictions on insider trading ahead of cyber breach announcements. Based on our findings, we offer some specific policy recommendations aimed at reducing the likelihood of insider trading based on this type of material information. These include quicker disclosure of breaches by firms, the institution of trading blackouts from the time of breach discovery to public disclosure, and stepped up enforcement by the SEC as a deterrent.
2. Background and related literature 2.1 Insider trading Insiders have access to privileged information about the firm and are therefore subject to enhanced scrutiny and regulation, especially regarding their trading of company stock. Insiders often hold a relatively large amount of company stock in relation to their personal wealth, either due to being a founder, affiliate, or receiving compensation through stock and stock options. Some employees are also able to buy company stock at a discount, or may do so if they believe the firm is undervalued. Insider trades may thus be motivated by liquidity or diversification needs, as well as a desire to acquire stock at a bargain price or convey a signal to the market about the health of the firm. If an insider trades based on material non-public information (information that would likely affect stock value), then the SEC would view this as a legal violation and may choose to bring charges against the individual involved, if a case can be built. However, detecting illegal insider trading is a challenge.
4
Investors as well as academics and regulators routinely monitor and study the trades of insiders to glean information about the company’s health and prospects or to detect signs of illicit behavior. A number of studies, beginning in the late 1960s, have examined whether insider trades are informative for predicting future stock returns.1 Seyhun (1998) reviews this literature and finds that the results are mixed, but there is some evidence of useful information in insider trades that can lead to profits. Jeng et al. (2003) report that insider purchases earn abnormal returns of 6% annually, while insider sales do not earn significant abnormal returns. Rather than focusing on the trade type or on the return around the trade itself, Cohen et al. (2012) focus on the trading history of the insider to identify informative from non-informative trades, and they find that this method works exceptionally well. Insiders who place trades in the same calendar month over a period of three years are classified as routine, or non-informative. When three years of trading history with at least one trade per year does not exist, the trades are not classified. All other trades are considered informative or “opportunistic.” They report that a portfolio strategy that emulates the trades of opportunistic traders yields value-weighted abnormal returns of 82 bps per month (9.84% annually), while abnormal returns associated with routine traders are essentially zero. They further find that opportunistic traders are significantly more likely to have SEC enforcement action taken against them, and reduce trading following waves of SEC insider trading enforcement actions.
2.2 Cybersecurity breaches There have been numerous studies that explore stock market reactions to information security incidents. Early research into this topic reported strongly negative stock market
1
See, for example, Lorie and Niederhoffer (1968), Jaffe (1974), Finnerty (1976), Elliot et al. (1984), Givoly and Palmon (1985), Seyhun (1986), and Rozeff and Zaman (1988), and Muelbroek (1992).
5
reactions to information security breach announcements (Ettredge and Richardson, 2003; Garg et al., 2003; Cavusoglu et al., 2004; Acquisti et al., 2008). Other studies did not find any significantly negative impact (Campbell et al., 2003; Hovav and D’Arcy, 2003; Kannan et al., 2007). Wang et al. (2013) demonstrate that the market reacts in different ways to different types of cybersecurity breaches, depending upon the nature of the affected firm’s financial disclosures. Amir et al. (2018) find that firms tend to withhold information on the most severe cyberattacks until disclosure is forced upon them. Overall, the literature shows that firms and investors can typically expect at least a temporary drop in stock price after the announcement of a cybersecurity breach. A recent study by Mitts and Talley (2018) examines informed trading in the put options market by outsiders to the firm ahead of cyber breach announcements. They note that such activity is not illegal per se, in contrast to trading by corporate insiders —a topic they do not explore. Trading in the options market is a viable strategy to exploit insider information, but when done by insiders is illegal and is subject to SEC enforcement action. For example, in the case of the Equifax data breach mentioned above, a software product development manager for Equifax named Sudhakar Bonthu pled guilty to buying put options ahead of the breach announcement. These illegal trades, placed through his wife’s brokerage account, earned him a profit of $75,000 when the breach was announced. As the case of Mr. Bonthu illustrates, insider transactions in the options market can also be lucrative. However, insider transactions in the options market are relatively uncommon, as reported in studies such as Augustin et al. (2015), who examine informed trading in the options market ahead of takeover announcements. They analyze insider filings and find that not a single options transaction was executed by registered insiders in the 30-day run-up to the announcement. Our paper focuses solely on stock
6
transactions, which are far more common. To the extent that insiders may tip others to trade (Meulbroek 1992, Ahern 2017), such transactions would not show up in our sample. The occurrence of a cybersecurity breach represents an external shock to the firm. The ability of managers to avoid these breaches is limited, but may be influenced by the amount of investment in cybersecurity that the firm chooses to make. Due to the limited budget for IT security investment, the uncertainty of security performance, and the likelihood of data breaches, firms take a cost-benefit trade-off approach to defending their assets. Angst et al. (2017) find that IT security investments can mitigate the likelihood of data security breaches. Gordon and Loeb (2002), Gordon et al. (2003), and Gal-Or and Ghose (2005) conclude that a firm should not necessarily focus its investments on information sets with the highest vulnerability, but may be better off instead concentrating its efforts on assets with midrange vulnerabilities. Moreover, Anderson (2001) argues that neither technical solutions nor economic markets alone can solve security problems due to the difficulty of estimating the costs and benefits of success and failure. In practice, most organizations simply react to a breach by absorbing the financial losses and meeting any regulatory mandates involved (Liberti, 2008). Overall, firms can reduce the frequency and severity of cyber breaches through investments in cybersecurity, but cannot eliminate the possibility of a cyber breach. This raises the prospect that some corporate officers may be inclined to sell their stock if they simply believe that their firm is especially prone to cybersecurity breaches due to weaknesses in cyber defenses. In cases where the manager believes an attack is imminent, she may choose to sell some stock. We can envision three scenarios in which this can play out in the data. First, some of these sales may not be followed by a cybersecurity breach at all —in this case, we would observe some opportunistic sales, but these would not be followed by any breach
7
announcement. Second, some of these sales may be followed by a cybersecurity breach, but this breach may take place in the distant future. This would mean that some sales are too far away from the actual breach event to be detected in the data. Third, some insider sales occur shortly before cybersecurity breach announcements. Here, the manager either traded after they became aware of the breach, or they correctly inferred that there would be a breach. In all three cases, the insider trade is opportunistic and not routine. Our study focuses on insider sales that occur shortly before cybersecurity breach announcements.
2.3 Disclosure On the issue of disclosure, cybersecurity breaches present a challenge. Oftentimes, cybersecurity breaches are not evident to the firm or its stakeholders until long after the initial breach. Depending on the nature of the cybersecurity breach, it is possible that many firm stakeholders would never be notified of a breach. For example, a web portal may be brought down by a distributed denial-of-service attack. To a customer or a supplier, this could seem to be the result of an equipment or power failure, until told otherwise by the firm and/or the media. A more typical scenario is when an attacker steals customer or employee data and, unless the firm notifies the affected parties, the aggrieved party would likely have no ability to connect the stolen information, or more importantly, the use of that stolen information, to the specific firm from which it was stolen. In light of this information asymmetry problem, authorities have issued regulations for notifying aggrieved parties after a data breach of sensitive information. Currently, 48 out of 50 states in the U.S. have data breach notification laws. Other jurisdictions, such as Canada, the European Union, Australia, New Zealand, and Japan, also have data breach notification laws.
8
These notification laws vary in terms of requirements and penalties for non-compliance, but generally state that a firm must give notice of a data breach to affected parties within a certain time frame of discovering the breach. There are a number of caveats to various statutes, including whether or not the breach is still under active investigation and whether or not the data were encrypted. Given the increasingly sophisticated nature of cyber attackers, it can become extremely difficult for firms to detect whether a breach occurred, as well as the extent and nature of the breach. As the Target Corp. data breach and the Democratic National Committee headquarters breach illustrate (Radichel, 2014; Johnson, 2017), firms can also have operational and political reasons to defer investigation of a breach, which increases the uncertainty and information asymmetry around cybersecurity breaches. Essentially, there is a lack of information transparency around cybersecurity breaches to firm stakeholders. Does this issue, combined with the general assumption that stock prices will decline after announcing a breach, lead to the possibility of insider trading before a cybersecurity breach is announced? Our study provides insight on this question.
3. Data and method We collect data on incidents of information security breaches for the January 2011 through December 2016 period from the Privacy Rights Clearinghouse. Our initial search identified 5,787 events, but of these we drop 5,515 because they occurred at private firms, which have no publicly traded stock. We analyze the descriptions of each breach and delete any nonconforming events, such as (a) encrypted data loss, (b) clearly not cyber-related (payment dropbox broken into), (c) not a breach (initial report was later contradicted), and (d) confounding event (lawsuit over trade secrets theft). For the remaining data, we search for confounding events
9
such as earnings reports or merger and acquisition news near the announcement date and exclude these from the sample. We also check multiple news sources, including social media, to ensure we have the earliest public release of the breach information. The final dataset has 258 cybersecurity data breach incidents.2 The number of records breached ranges from 50 to three billion. Hacking accounts for nearly half of the breaches, followed by unintended document loss. Insider breach and portable device breach rank third and fourth, respectively. Panel A of Table 1 reports the median characteristics of the sample firms compared to the Compustat universe. Our sample firms are considerably larger, with a median market capitalization of $17.7 billion compared to only $170 million for the median Compustat firm. They are also more profitable than the typical Compustat firm, as measured by profit margin, ROA, and ROE. Our sample firms have a median book-to-market ratio of 0.38 compared to 0.52 for the Compustat universe, placing our firms more on the growth side of the growth-value spectrum. It seems plausible that larger firms and growth firms have more valuable information that a hacker would target. Our sample firms also have a higher beta and have experienced a higher stock return over the prior year compared to the typical firm. Panel B of Table 1 shows that the sample of breached firms represents a wide variety of industries, with the most common being finance and insurance, information technology, manufacturing, and retail trade. Manufacturing is the only somewhat surprising category for a large number of breaches, as we would expect these firms to be less plentiful sources of consumer data. The retail trade category encompasses online businesses. In order to obtain abnormal returns at the breach announcement, we conduct an event study using the Capital Asset Pricing Model (CAPM) market model, focusing on the five-day window [-2, +2] surrounding the public announcement date. As a robustness check, we also 2
A list of the sample of firms is given in an Online Appendix.
10
compute Fama-French and Carhart abnormal returns. The results are given in Table 2, including abnormal returns over a shorter three-day window and over a one-month (21-trading day) window. The average abnormal return at the announcement of a cyber breach is a stock price decline of 1.44% measured over five days, with a t-statistic of -6.75. We note that 71% of the 258 breach announcements resulted in an abnormal stock price decline, implying that, while likely, a forecast of a stock price drop by an insider may not always materialize ex post. The results from the Fama-French and Carhart models are similar, so we focus on the simple CAPM alphas throughout the study. We note that these results are consistent with those obtained by Lin et al. (2018), who examine the same data sample. Insiders are required to report their trades to the SEC on Form 4 Table 1 and this information is made public. For each data breach firm, we retrieve insider trading data from the Thomson Insiders database, including filing date, insider name, insider role, transaction type, transaction price, and number of shares transacted. We also obtain daily equity data from the Center for Research in Security Prices (CRSP), including closing stock price and number of shares outstanding. The insider trades we track are those under the legal definition used by the SEC for an insider — managers, those on the board of directors, and affiliates holding 10% of shares or more. Corporate executives are commonly compensated with stock and stock options as a way to mitigate principal-agent problems in the firm and better align managerial incentives with the interests of the shareholders. This means that corporate insiders have large amounts of stock in their own firm, relative to their other holdings, and periodically engage in trading that stock (usually selling). Insiders are forbidden under the law from trading on material information that is not known to the general public and are also prohibited from trading ahead of planned major
11
announcements, such as earnings releases. However, it would be naïve to believe that all insider trades are done simply for liquidity or diversification purposes and convey no information about the firm. All insiders know things about the firm that the public does not, and it is impossible for them to forget these things before they trade. Some traders surely transact opportunistically based on the non-public information they have. The challenge is to identify such trades in the midst of many trades done simply for liquidity purposes. Two recent papers propose algorithms for identifying insider trades as informative or non-informative. Gunny and Zhang (2012) propose a measure that is centered on the date of the trade and examines whether stock price goes up or down over a surrounding window in order to classify the trade as either informative or liquidity-based. This measure has the drawback that it assumes that opportunistic traders always profit, by definition. Cohen et al. (2012) propose a new classification scheme that does not depend on the stock’s returns. Instead, they examine the trading history of the insider during the prior three years to look for a pattern, defined as a trade placed in the same month each year. These are classified as being routine and uninformative. All other trades are classified as non-routine, or opportunistic, and potentially convey private information. They show that this filtering scheme effectively weeds out half of all insider trades; the half that has no predictive power for future returns or firm news. The remaining half of trades contains all of the predictive power in the insider trading universe, information which they show is considerable. They apply their approach to classify individual traders, placing them into either routine or opportunistic buckets at the start of each year, and they also apply their approach to classify individual trades as either routine or opportunistic. They find that either classification method is empirically robust and informative for predicting future stock returns.
12
For the purpose of identifying opportunistic insider trades, we adopt the Cohen et al. (2012) algorithm, applied at the individual trade level (see Table III of Cohen). State and federal governments have been exerting pressure on companies to rapidly investigate and disclose cyber breaches, especially when the loss of personal data is involved. Accordingly, we are primarily interested in stock selling activity by insiders that falls within a three-month window before a cyber breach announcement. In order to classify the insider sales during this window as either routine or opportunistic, we obtain all insider trading data for the three years prior to the breach announcement window. For example, if the breach for a firm occurred in January 2011, then we examine insider trading data from October 2007 through January 2011 in order to classify any stock sales occurring in the three-month window October 2010 to January 2011. If a pattern is detected with sales falling in the same calendar month over three years, then the insider trade is classified as routine. If the insider lacks three years of trading history, then we take a conservative approach and leave the trade unclassified. All other trades are classified as opportunistic. As there may be multiple trades on different days or months by the same insider, all opportunistic sells are then aggregated by insider per breach. The dollar amount of shares sold is multiplied by the five-day cumulative abnormal return (CAR) from the cyber breach announcement to determine the amount of money saved, or the abnormal profit to the insider, from the timely sale.
4. Results 4.1 The frequency of insider trades Insiders who are seeking to benefit from private information are likely to trade more frequently. How much selling is there by insiders at these firms compared to the wider universe?
13
To answer this question, we obtain all insider sell transactions on our sample firms for the five years leading up to the cyber breach announcement. This yields 94,721 stock sales transactions by 2,050 insiders, giving an average of 9.24 sales per year. For comparison, Cziraki and Gider (2019) report 2.80 insider trades per year, of which 77%, or 2.16 transactions, are sales. In general, our sample contains a more active group of traders. Focusing just on the three months leading up to the cyber breach announcement, we find that insiders average 7.63 sales over this shorter window, still exceeding the average number of sells reported by Cziraki and Gider (2019) on an annual basis. If we pro-rate this number to an annual figure, we would have 30.52 sales per year, a significant contrast to the sample average, and much higher than the broader sample of firms. We note that the median firm in Cziraki and Gider has a size of $729 million with a bookto-market ratio of 0.40, whereas our sample firms are much larger at $17 billion and a book-tomarket ratio of 0.38. They examine small growth firms whereas we examine large growth firms.
4.2 The classification of insider trades For each of the 258 cyber breach announcements in our sample, we examine the three months prior to when the breach is publicly announced to search for insider trading activity. Due to the widespread common knowledge that breaches are bad news for the company and typically prompt a drop in stock price, we solely focus on insider sales of stock. Classification of each sale is based on the Cohen et al. (2012) algorithm. During the three-month window prior to a cyber breach announcement, we identify 575 routine trades, 807 opportunistic trades, and 1,302 trades that cannot be classified. Insiders exhibiting only routine trades during the three-month window are classified as “routine.” Insiders exhibiting one or more non-routine trades during the three-
14
month window are classified as “opportunistic,” and their non-routine trade or trades are retained for further study. Table 3 lists the number of insiders trading right before cyber breach announcements both by type of trade (routine, opportunistic, and unclassified) and by year of the sample. Panel A shows data for a three-month window prior to the public announcement, the trading window that we primarily focus upon throughout this study. Panel B presents data for a one-month window prior to the public announcement. We observe that there are significantly more trades identified as opportunistic than routine in both the three-month and one-month windows. We also note that further examination of the unclassified trades reveals that most of them would likely end up in the opportunistic category if longer trading histories were available for these insiders. Cohen et al. (2012) report that 52% of insider sales are classified as routine versus 48% that are opportunistic in a sample of 48,460 trades. The comparable figures from our sample show that out of 1,382 insider sales within three months of a breach announcement, 575 are classified as routine and 807 as opportunistic, giving proportions of 41.6% routine versus 58.4% opportunistic. As in Cohen et al., we ignore the unclassified trades. A one-sample binomial proportion test was performed to examine whether or not the proportion of opportunistic trades in our sample is equal to that reported by Cohen et al. The test results in a t-statistic of 7.73, indicating strong rejection of the hypothesis. We conclude that our sample of insider selling ahead of cyber breach announcements is much more heavily tilted toward opportunistic selling than is the wider population of all insider sales. Cohen et al. (2012) report that 64% of insider stock purchases are routine and 36% are opportunistic. In our sample, there is very little buying activity in the three months before cyber
15
breach announcements, and of this scant purchasing, none of it is classified as opportunistic. We perform a one-sample binomial proportion test to examine whether or not the proportion of opportunistic buys in our sample (0%) is equal to that reported by Cohen et al. (36%). The test results in a t-statistic of 11.05, indicating strong rejection of the hypothesis. Compared to the wider population of all insider purchases, our sample is significantly different, with no opportunistic buys ahead of a cyber breach announcement.
4.3 The profitability of insider trades The main results of our study focus on the money saved by insiders selling stock per each cyber breach event, and these results are shown in Table 3. Although we are primarily interested in opportunistic selling, we also present results from sales that are classified as routine and from unclassified sales. To calculate the money saved, we obtain the market value of the shares sold by the insider from the Form 4 filings, which list the number of shares sold and the transaction price. We then multiply these amounts by the breach event’s corresponding five-day CAR obtained from the event study, reflecting the stock’s change in value from the cyber breach announcement. Thus, an insider who sells $100,000 worth of stock just before a public breach announcement that causes a 10% drop in stock value has saved herself $10,000. Panel A of Table 3 reports the results for trades occurring during the three months prior to the cyber breach announcement. The results show the average dollar amount of money saved by an insider through opportunistic trades is equal to $35,009, with a highly significant t-statistic of 2.78. The 90th percentile of the distribution of money saved is $136,808. The average amount of money saved varies by year, but is always positive, from a low of $21,079 in 2013 to a high of
16
$70,512 in 2016.3 The mean dollar amounts saved are higher than the medians, indicating rightskewness in the distribution, with an overall significant median of $7,880 (t = 5.12). We note that there are few routine trades and that the magnitude of money saved seems large, primarily due to a single year, but is insignificant overall. The median money saved from routine trades is $7,104 (t = 1.78) and is close in magnitude to that of opportunistic trades. Unclassified trades comprise the largest category of trades and show an insignificant mean of $4,702, whereas the median is $3,839 and is highly significant. This is noteworthy as there appears to be information in these trades, even though the magnitude of median profits is half that of opportunistic trades. Cziraki and Gider (2019) report that, per trade, insiders earn an average (median) abnormal profit of approximately $4,000 ($141). When aggregating an insider’s trades over a three-month period, the same timeframe that we examine in our study, they report an average (median) dollar profit of $10,000 ($255). We are unable to conduct a t-test, but note that our average amount of money saved is approximately three and a half times this amount, and the median is approximately thirty times larger than their median profit. Figure 1 illustrates the average amounts saved through opportunistic trades by year. The figure shows that opportunistic profits seem to exhibit a U-shaped wave pattern over the sample period. Indeed, the pattern is accentuated if one focuses on trading only in the one-month period prior to the public breach announcement. Cohen et al. (2012) show that opportunistic trading waxes and wanes with the prominence of SEC enforcement actions, which may help to explain this pattern. 3
We remove one extreme outlier in 2014 that is due to Bill Gates of Microsoft Corp. Two months prior to Microsoft’s January 1, 2014, announcement of a cybersecurity breach, Mr. Gates “non-routinely” sold $711 million worth of stock. Microsoft stock abnormally fell 2.69% at the announcement, thus saving Mr. Gates $19.1 million. Including this extreme outlier would raise the 2014 average money saved per insider from $30,261 to $712,536 and the overall sample average from $35,009 to $133,815 in money saved per insider. Although this would make our results look more impressive, we felt that dropping this extreme outlier gives a more tempered and realistic view of the empirical distribution.
17
Panel B of Table 3 presents results for the money saved by trades from the insider selling stock within one month of each cyber breach announcement. At a sample size of 70, the number of observations for opportunistic trades is clearly smaller as the trading window has shrunk from three months to one month. The mean amounts saved each year are all positive, though with greater variability than the three-month results, ranging from $3,481 in 2013 up to $145,583 in 2016. The overall mean is a significant $44,359 (t = 2.08). The median savings are negative in one year of the sample (2013), but are otherwise positive overall at $4,890 (t = 2.99). There are only 17 observations for routine trades, making it difficult to draw strong conclusions from this category. The mean money saved is insignificant, whereas the median shows a significant $11,205. The unclassified trades once again are the largest category, with 193 observations. We find that the mean money saved is large and significant at $25,879 (t = 2.58). The median has a similar magnitude as in the three-month window at $3,431 and is significant. We draw the following conclusions overall. Savings from opportunistic trades are always significant, whether measured as mean or median, and at the one-month and the three-month preannouncement windows. Unclassified trades seem to behave similar to opportunistic trades, though in a weakened fashion. Routine trades are relatively infrequent in the sample and are influenced by outliers, making it difficult to draw strong inferences about this category. Some sample firms experience repeat cyber breaches and some of the same insiders of these firms may place non-routine trades surrounding these separate cyber breach events. We find that the 807 non-routine stock sales of 170 corporate insiders in the three months prior to the announcement of 192 distinct cyber breaches saves each insider an average of $35,009 per event, as reported in Panel A of Table 3. If the savings are aggregated by insider, without regard to distinct cyber breach events, then the 170 insiders saved an average of $39,549 each.
18
How do the profits earned by insiders selling ahead of cyber breach announcements compare to trading profits from insiders who opportunistically trade at other times? To examine this question, we compare the percentage profits of our sample of opportunistic insider trades to that reported by Cohen et al. (2012) for all opportunistic insider trades over their 22-year sample period. They report that a portfolio exploiting the trades of opportunistic sellers earns a valueweighted CAPM alpha of 34 bps per month (4.16% annualized, t = 1.73). Our sample of 192 cyber breach announcements with opportunistic insider sales has CAPM abnormal 21-tradingday profits of 126 bps (16.21% annualized, t = 2.64). The difference between the annualized returns is 12.06% with a t-statistic of 1.83. Cohen et al. report that a portfolio mimicking opportunistic sellers has a Carhart value-weighted alpha of 9 bps per month (1.09% annualized, t = 0.50), whereas we find a one-month Carhart alpha of 109 bps (13.89% annualized, t = 2.49). The difference between annualized returns is 12.81% with a t-statistic of 2.14. We conclude that the opportunistic selling activity we find ahead of cyber breach announcements is significantly more profitable than the typical opportunistic selling in the wider population. Finally, we look for evidence of insider buying after the announcement of a cyber breach. Buying could occur to exploit a price decline, or in order to support the company’s stock by signaling confidence in its value. We examine insider purchases in the two-month window following the breach announcement and measure imputed profits from three days before the announcement to the date of purchase. For example, if an insider purchased stock 14 days after the breach announcement at a stock price that was 5% less than the price prevailing three days before the announcement, that is considered a 5% profit. We identify 65 purchases in the two-month post-announcement window transacted by 33 corporate insiders. The average percentage profit, aggregated by insider, is 3.71%, with a t-
19
statistic of 2.18. Thus, it appears that some insiders exploit the decline in value after a cyber breach announcement to “buy cheap.” In dollar terms, the imputed average amount of money made is $63,853, although the dollar profits are noisier and have a t-statistic of only 1.04. We note that buying stock after the public release of news is not a legally questionable form of insider trading. When considering the average size of money saved from insider trades ($35,009), it is natural to ponder whether the dollar amount justifies the risk undertaken by opportunistic trading. The CIO charged in the Equifax breach was compensated in the millions and only saved an estimated $117,000 through his sale of stock ahead of the breach announcement. Bhattacharya and Marshall (2012) examine whether the economic motive for illegal insider trading is strong and conclude that it is not. They posit whether other potential motives that could be either psychological in nature, such as hubris, or sociological in nature, such as company culture, are at work. Thus, the magnitude of average profits we find does not diminish the finding of significant insider selling ahead of cyber breach announcements. The absence of likely economic justification for engaging in this risky insider trading simply implies that other motives are at play.
4.4 The timing of insider trades We next explore the timing of opportunistic insider trades. The laws governing disclosure vary by state, with some states as recently as 2018 tightening the time window allowed for disclosure of a data breach to consumers. Currently, 18 states require that disclosure occur within a specific timeframe that ranges from 30-90 days, while 32 states simply specify that disclosure be made as quickly as possible and without unreasonable delay. As a result of the regulatory
20
push for quicker disclosure, the average number of days between breach discovery and public disclosure has fallen from 83 days in 2014, to 48 days in 2018.4 For our 2011-2016 sample period, the longer disclosure window is largely applicable. We hypothesize that insiders who wish to benefit from their inside knowledge of a cybersecurity breach would be more likely to sell soon after becoming aware of the breach, rather than waiting until close to the announcement date. This is because selling close to the release of negative news would be more likely to attract scrutiny. We identify a total of 807 non-routine stock sales by insiders in the 90-day run-up to a cyber breach announcement in our sample. Panel A of Figure 2 displays the average dollar amount of stock sold each day over the 90 calendar days prior to a cyber breach announcement by these insiders. Market value is the Form 4 reported number of shares sold multiplied by the reported transaction price. The figure shows that much of the selling occurs well before the announcement date. In particular, there is a cluster of selling activity that runs from approximately day -65 to day -48 prior to the announcement day. The line graph overlaid in Panel A of Figure 2 illustrates the total amount of money saved by the time of sale from the 807 opportunistic trades in the three-month run-up to the public announcement. How do the two graphs differ in Panel A? There is no guarantee that selling stock will result in a profit, since stock price does not always decline at the announcement. Indeed, the results in Table 1 indicate that only 71% of our sample firms demonstrate an abnormal drop in stock value following the announcement of a cybersecurity breach. While Figure 2 displays the average dollar amount of stock sold, it also shows the actual money saved that is realized ex post by each trade and displays the sum total each day in event time. Note that for some days the 4
According to the Data Breach Intelligence report issued on October 29, 2018, by Risk Based Security, Inc., the average number of days between breach discovery and reporting was 83.2 in 2014, 73.8 in 2015, 64.6 in 2016, 47.0 in 2017, and 47.5 in 2018.
21
opportunistic trades show a net loss, although these are a small minority. The bulk of abnormal profits seem to be realized from stock sales placed around 73 to 62 calendar days prior to the breach announcement. Panel B of Figure 2 shows the clustering of selling activity. In it we show the cumulated average amount of stock opportunistically sold by an insider over the 90-day window and compare it to a distribution of uniform selling. We see relatively low-dollar selling activity, then a substantial jump over [-65, -48], then a return to relatively smaller dollar amounts of selling activity nearer the announcement date.
4.5 The industry and relationship role of insiders who trade Panel A of Table 4 reports the amount of money saved by 192 insiders who sold stock ahead of breach announcements, classified by the industry of the firm with which the insider is affiliated. The industry of each firm is determined from the first two digits of its North American Industry Classification System (NAICS) code. Industries with fewer than four observations are lumped together into an Other Assorted category. From a sample size of 42, we see that insiders affiliated with the information industry avoid the greatest losses through their trades, with mean savings of $74,794 and median savings of $11,738. Both are statistically significant. Insiders affiliated with the finance and insurance industry come in second at $37,484 in average savings, and the Other Assorted category, which is comprised of tiny samples of insider trades from six industries, ranks third at $22,455. The large trading profits found within the information industry suggest that insiders in this industry especially know how to exploit their inside knowledge. We note that the average five-day CAR for breach announcements in the Information industry is 0.0142, approximately equal to the sample average CAR of -0.0144. Therefore, the higher dollar
22
profits of insiders in the Information industry are not driven by larger market reactions, but are solely driven by the trading characteristics of the insiders. Each insider who transacts in company stock must list their relationship to the firm on their Form 4 disclosure filed with the SEC. For the 192 insiders who sold opportunistically within three months prior to a cyber breach announcement, we tabulate the average amount of money they saved according to the primary relationship role listed in their Form 4 SEC filing. Panel B of Table 4 presents the results, sorted from the largest average amount of money saved down to the least. The most common relationship roles listed are Officer (97), Director (31), CEO (20), General Counsel (15), and CFO (10). Based on the Cohen et al. (2012) algorithm, all of these insiders sold opportunistically. However, the relatively large category of Director, which accounts for 31 of the 192 insiders who sold, reports an average loss of $3,513. One interpretation is that this group possessed, ex post, less private information than perhaps they thought they did. What of those who did save money? Of particular note is that the category of Chief Information/Technology Officer ranks fourth in terms of money saved, at $73,630 per insider, higher than for CFO, Officer, General Counsel, and Director. This category includes those holding the job roles of either Chief Information Officer (CIO) or Chief Technology Officer (CTO), and when focusing on the question of knowledge that could be traded on ahead of a cybersecurity breach disclosure, would seem to be among the most well-informed insiders. Depending upon how the firm is organized, the CIO or CTO is informed early on of a cybersecurity breach in the firm, oversees the investigation of the breach, and is most likely to quickly grasp the full potential extent of any resulting damage. However, we caution that, based on the small number of CIO or CTO insider sales, one should not place undue weight on this particular finding. The well-populated
23
categories of Officer, CEO, and CFO all show average money saved ranging from $15,717 for Officers to $90,431 for CEOs.
4.6 Delays in trade reporting We next examine the number of days after an insider transaction until the transaction is disclosed on Form 4 to the SEC. The law requires reporting within two days. Betzer and Theissen (2010) are the first to examine insider reporting delays, and they find that prices are distorted when the reporting of insider trades is delayed. Betzer et al. (2015) find that stealth trading, where insiders delay reporting their trades while placing additional trades, allows them to transact at lower average prices. They report that 29% of all insider trades are reported after the two-day deadline. They argue that insiders who are more closely monitored (and who therefore may be facing higher litigation risks) are less likely to file their trades late. We look for evidence of strategic activity in our sample by examining five years of insider trading data prior to the cyber breach announcement. We find that filing violations occur in 20% of the sample. Violations are of interest as they could indicate an effort to conceal trading activity through delayed reporting, and may also indicate a lax corporate culture and lack of monitoring. Furthermore, we wish to see which characteristics are associated with late filing and to test whether violations increase near cyberbreach announcements. Panel A of Table 5 displays the number of days to file according to industry, where industries are identified by the first two digits of the NAICS code. Industry categories containing less than 100 observations are not displayed. The overall sample average is 3.11 days to file, with a median of 2 days. Insiders at firms in the Information industry take 2.35 days to file on average, which is significantly greater than 2 days, but does not constitute a large violation. The
24
service industries tend to have the longest reporting delays, averaging 6 – 8 days. Panel B displays the number of days taken to file by the insider according to the primary relationship role listed in their Form 4 SEC filing. Relationship categories with fewer than 100 observations are not displayed. Chief Information/Technology Officer is the largest filing delay category at 11.98 days on average, significantly greater than 2 days. This finding is of particular interest as this job role is the most likely to have intimate knowledge of a cybersecurity breach. We next examine the factors predicting late filing using a logistic regression. The dependent variable is equal to one if the number of days to file is greater than two days. Explanatory variables include the log of the number of shares traded, the log of the trade value, the log of the firm’s market capitalization, the percentage of shares traded out of shares outstanding, the number of days between the trade and the announcement of a cyber breach, a dummy to indicate an opportunistic trade, and the money saved from the trade. We also include dummy indicators if the trader was the CEO, CFO, CTO/CIO, or COO. The base case encompasses all other insider roles. Betzer et al. (2015) conduct a similar exercise, but they focus more on non-trade-related characteristics as explanatory variables. Results are reported in Table 6. A larger number of shares traded is correlated with filing delays. This type of trade is likely to produce a larger price impact. The size of the firm is also significant, with insiders at larger firms more likely to have filing delays. Consistent with Betzer (2015), we find that larger value trades are less likely to be delayed. The coefficient on number of days between the trade and the announcement is negative and highly significant, indicating that trades closer to the breach announcement are more likely to be delayed. This finding is interesting as it indicates possible strategic behavior by the seller related specifically to the cyber breach announcement. Insiders may be exploiting the filing delays to maximize the price
25
received on multiple sales. The opportunistic trade dummy is not significant, nor is the amount of money saved from the trade. Hence, those who delay filing are no more likely to profit from the trade ex post. CEOs, who are likely to be well-informed, are significantly more likely than the base case to delay filing their trade report. We note that this result is in contrast to Betzer et al. (2015), who find that the CEO is less likely than other insider categories to delay filing.
5. Policy implications Corporate insiders are defined as those who serve as the company’s officers and directors, or any beneficial owners of more than 10% of the company’s stock. Under U.S. law, those who either have a fiduciary responsibility to the firm, such as corporate executives, or do not have a fiduciary responsibility to the firm but are aware that they are trading on material private information, can be held liable for illegal insider trading. Trades by insiders are legal as long as they are promptly disclosed and are not based upon material non-public information. Corporate insiders have a duty to either disclose material information to the public or abstain from trading on it, as trading would be considered a misappropriation of information and a violation of their fiduciary responsibility (Bhattacharya, 2014). Cyber breaches constitute material non-public information as evidenced by the average stock price reaction to their announcement, as well as the stated opinion of SEC staff in recently released guidance.5 We find significant evidence of loss avoidance by insiders through selling stock ahead of cyber breach announcements. Therefore, the first policy implication of our study is that corporate managers should abstain from trading based upon this information while disclosing it to the
5 The SEC guidance states that “directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material non public information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.” See https://www.sec.gov/rules/interp/2018/3310459.pdf.
26
public as quickly as possible. The best way to disclose the occurrence, costs, and consequences of such incidents is through filing Form 8-K (or Form 6-K for foreign filers) with the SEC. By disclosing material information in this manner, the risk of selective disclosure is minimized, and doing so promptly reduces the risk of trading on material non-public information. A second policy implication of our findings is that firms should institute a blackout period for selling stock by all insiders from the time a cyber breach is discovered until the breach has been made public. Such a firm-wide blanket policy would make clear that the company does not want to risk the reputational damage that an SEC investigation or enforcement action would inflict upon the firm and that it takes its fiduciary obligations to its shareholders seriously. Our third policy recommendation pertains to SEC enforcement. We search for all SEC enforcement actions on the SEC website that occurred during our 2011-2016 sample period and cross-check them with our sample firms, finding nine matches. We examine whether an insider who has been charged also shows up in our sample as having sold stock ahead of a cyber breach. There are zero matches to specific insiders in our sample from these enforcement actions. Hence, we find no SEC enforcement actions related to insider trading around cybersecurity breaches. This apparent lack of enforcement until the prosecution resulting from the 2017 Equifax breach raises our third policy implication. Specifically, to the extent that insiders do not fear getting caught, enhanced scrutiny by the SEC, along with more frequent enforcement of both late filing violations and insider trading violations would likely reduce such behavior by insiders. This may help prevent the type of illegal insider trading exhibited by Equifax’s software engineer who sold put options through his wife’s brokerage account, trading which would not be technically covered by a blackout on trading company stock.
27
6. Conclusion This study is the first we are aware of to draw an association between insider trading and cybersecurity breach announcements. We employ an established algorithm that has been documented by Cohen et al. (2012) to effectively separate information-based insider trades from routine liquidity trades. We find that insider sales ahead of cyber breach disclosures produce significant abnormal savings for the sellers as the stock declines post disclosure. The implication is that some insiders seem willing to take advantage of the information asymmetry between the firm and equity markets through the strategic timing of their stock sales. While the average magnitude of economic damages is relatively nominal, the exploitation of private information by insiders sows distrust between stakeholders and the firm’s management and serves to erode investor confidence in the integrity of financial markets. Our findings not only bolster the SEC’s recently stated directive to companies “to examine their insider trader policies in connection to a systems breach,” but also have public policy implications now that information-based trading ahead of cyber-breach disclosures has been documented. Our conclusions are drawn from aggregate results based on a robust algorithm for identifying informative trades and do not establish the intent of any particular trade or trader. However, our findings allow us to make some general policy suggestions. Firm managers should move to disclose cyber breaches more quickly and, until disclosure has been made, should refrain from trading. An SEC enforcement action for insider trading can cause enormous reputational damage and further loss in firm value. Being aware that opportunistic insider trading occurs in the aftermath of a cybersecurity breach can allow for education processes to be developed, preventative procedures put in place, and internal vigilance and monitoring to be maintained. Finally, the surprising lack of SEC enforcement has undoubtedly allowed this type
28
of information-based trading to persist without threat of consequence. Enhanced scrutiny and enforcement by the SEC would likely serve to curb this practice. There are potential limitations of this research. A number of cybersecurity breaches are not disclosed for various reasons. However, this would not affect our results because there would then be no negative information disclosed to the public to impact stock price for these firms or that could be traded on by insiders. Another potential issue is if the time between the discovery of the breach and its public disclosure is especially long, then our three-month window in which we look for insider sells may fail to capture such trading activity. For example, there might be a law-enforcement hold on information release while an investigation is conducted. However, we believe that three months prior to the public announcement represents a reasonable period of time for most firms to conduct an investigation and publicize their findings. Finally, this research only applies in the realm of firms publicly traded in U.S. markets. There are a large number of cybersecurity breach reports for privately-held firms, non-profits, and governmental agencies. While insider selling of public stock may not be an issue for these organizations, there could be other insider activities that exploit information asymmetry, for example in private fund-raising markets, and take advantage of cybersecurity breaches to the detriment of their stakeholders.
29
References
Acquisti, A., A. Friedman, and R. Telang, 2008, Is there a cost to privacy breaches? An event study. Working paper, Carnegie Mellon University. Ahern, K. R., 2017, Information networks: Evidence from illegal insider trading tips, Journal of Financial Economics 125, 26-47. Amir, E., S. Levi, and T. Livne, 2018, Do firms underreport information on cyber-attacks? Evidence from capital markets, Review of Accounting Studies 23(3), 1177-1206. Anderson, R., 2001, Why information security is hard: An economic perspective, in Proceedings of the 17th Annual Computer Security Applications Conference, Los Alamitos, CA: IEEE Computer Society, pp. 358-365. Angst, Corey M., E. S. Block, J. D’Arcy, and K. Kelley, 2017, When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches, MIS Quarterly 41(3). Augustin, P., M. Brenner, and M. Subrahmanyam, 2015, Informed options trading prior to takeover announcements: Insider trading? Working paper. Betzer, A., and E. Theissen, 2010, Sooner or later: An analysis of the delays in insider trading reporting, Journal of Business Finance and Accounting 37, 130-147. Betzer, A., J. Gider, D. Metzger, and E. Theissen, 2015, Stealth trading and trade reporting by corporate insiders, Review of Finance 19, 865-905. Bhattacharya, U., 2014, Insider trading controversies: A literature review, Annual Review of Financial Economics 6, 385-403. Bhattacharya, U., and C. D. Marshall, 2012, Do they do it for the money? Journal of Corporate Finance 18, 92-104. Campbell, K., L. A. Gordon, M. P. Loeb, and L. Zhou, 2003, The economic cost of publicly announced information security breaches: empirical evidences from the stock market. Journal of Computer Security 11, 431-448. Cavusoglu, H., B. Mishra, and S. Raghunathan, 2004, The effect of internet security breach announcements on market value of breached firms and internet security developers. Internat. Journal of Electronic Commerce 9(1) 69-105. Cohen, L., C. Malloy, and L. Pomorski, 2012, Decoding insider information, Journal of Finance 67, 1009-1043.
30
Cziraki, P., and J. Gider, 2019, The dollar profits to insider trading, Working paper. Elliot, J., D. Morse, and G. Richardson, 1984, The association between insider trading and information announcements, Rand Journal of Economics 15, 521-536. Ettredge, M. L., and V. J. Richardson, 2003, Information transfer among internet firms: the case of hacker attacks. Journal of Information Systems 17(2) 71-82. Finnerty, J., 1976, Insiders and market efficiency, Journal of Finance 31, 1141-1148. Gal-Or, E., and A. Ghose, 2005, The economic incentives for sharing security information. Information Systems Research 16(2), 186–208. Garg, A., J. Curtis, and H. Halper, 2003, Quantifying the financial impact of IT security breaches. Information Management and Computer Security 11(2) 74-83. Givoly, D., and D. Palmon, 1985, Insider trading and the exploitation of inside information: Some empirical evidence, Journal of Business 58, 69-87. Gordon, L., and M. Loeb, 2002, The economics of information security investment, ACM Transactions on Information and System Security 5(4), 438-458. Gordon L., M. Loeb, and W. Lucyshyn, 2003, Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy 22(6), 461–485. Gunny, K., and T. Zhang, 2012, Strategic informed trading by corporate executives and firm value, Working paper, Singapore Management University. Hovav, A., J. D’Arcy, 2003, The impact of denial-of-service attack announcements on the market value of firms. Risk Management and Insurance Review 6(2) 97-121. Jaffe, J., 1974, Special information and insider trading, Journal of Business 47, 410-428. Jeng, L., A. Metrick, and R. Zeckhauser, 2003, Estimating the returns to insider trading: A performance evaluation perspective, Review of Economics and Statistics 85, 453-471. Johnson, K., 2017, “DNC cyber attack by Russia highlighted delayed response, FBI chief says,” USA Today, last accessed on June 25, 2018 at https://www.usatoday.com/story/news/politics/2017/03/21/dnc-cyber-attack-russiahighlighted-delayed-response-fbi-chief-says/99455634/ Kannan, K., J. Rees, and S. Sridhar, 2007, Market reactions to information security breach announcements: an empirical study. International Journal of Electronic Commerce 12(1), 6991.
31
Kwon, J., J. Rees Ulmer, and T. Wang, 2013, The association between top management involvement and compensation and security breaches, Journal of Information Systems, 27(1), 219-236. Liberti, L., 2008, Survey results: Reduce the cost of compliance while strengthening security, CA Advisor: Security Management Newsletter. Liu, Z., R. Parsa, J. Rees Ulmer, and T. Sapp, 2018, Quantifying losses from cyber breaches: An objective, verifiable, insurable measure, Iowa State University, Working paper. Lorie, J., and V. Niederhoffer, 1968, Predictive and statistical properties of insider trading, Journal of Law and Economics 11, 35-53. Mitts, J., and E. Talley, 2018, Informed trading and cybersecurity breaches, Harvard Business Law Review, Forthcoming. Meulbroek, L. K., 1992, An empirical analysis of illegal insider trading, Journal of Finance 47, 1661-1699. Radichel, T, 2014, “Case study: Critical controls that could have prevented Target breach” Sans Institute InfoSec Reading Room, last accessed on June 25, 2018 at https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controlsprevented-target-breach-35412 Rozeff, M., and M. Zaman, 1988, Market efficiency and insider trading: New evidence, Journal of Business 61, 25-44. Seyhun, H. N., 1986, Insiders' profits, costs of trading, and market efficiency, Journal of Financial Economics 16, 189-212 Seyhun, H. N., 1998, Investment intelligence from insider trading, MIT Press, Cambridge. Wang, T., K. Kannan,, and J. Rees Ulmer, 2013, The association between the disclosure and the realization of information security risk factors, Information Systems Research, 24(2) 201218.
32
Table 1 Sample firm characteristics Panel A of the table reports median values of various financial and market variables, where all financial ratios have been winsorized at the 1% and 99% quantiles. Variables for the Compustat universe are reported for all available firms from 2011 through 2016. Market capitalization is in billions of dollars. Total debt, cash, and R&D are each expressed as a percentage of total assets. The year-end daily stock volatility, beta, and stock return are computed from CRSP daily stock returns. A test of the difference in medians is reported in the p-value column. Panel B displays sample firm industries, where industries are identified by the first two digits of the NAICS code.
Panel A: Financial Characteristics Compustat Universe
Our Sample
p-value
170
17,765
0.000
11.43 5.85
22.48 5.06
0.000 0.044
Market Capitalization Debt Ratio (%) Cash Ratio (%) Profit Margin (%)
3.47
6.48
0.000
ROA (%) ROE (%)
1.69 6.00
5.26 12.03
0.000 0.000
R&D (%)
3.81
1.92
0.000
Book-to-Market Daily Stock Volatility (%)
0.52 1.86
0.38 1.76
0.018 0.394
Beta
0.90
1.10
0.000
Annual Return (%)
0.78
7.94
0.000
Panel B: Industries Obs
Percent
Accommodation and Food Services
Industry
11
4.3%
Admin, Support, Waste Mgmt, Remediation Svcs Arts, Entertainment, and Recreation
10 1
3.9% 0.4%
2
0.8%
Finance and Insurance Information
71 48
27.5% 18.6%
Manufacturing
49
19.0%
Other Services Professional, Scientific, and Technical Services
1 14
0.4% 5.4%
2
0.8%
42 4
16.3% 1.6%
Utilities
1
0.4%
Wholesale Trade
2
0.8%
258
100%
Construction
Real Estate Rental and Leasing Retail Trade Transportation and Warehousing
Total
33
Table 2 Abnormal returns from cybersecurity breach announcements The table reports cumulative abnormal returns (CARs) from a sample of 258 public announcements of cybersecurity data breaches over the 2011-2016 period. Abnormal returns are computed using the CAPM, the Fama-French 3factor model, and the Fama-French-Carhart 4-factor model. Abnormal returns are reported for four windows surrounding the announcement day: [-1, +1], [-2, +2], [-2, +18], and [-10, +30]. T-statistics are in parentheses. 3-day
5-day
21-day
41-day
CAPM Mean CAR
-1.18% (-7.30)
-1.44% (-6.75)
-1.26% (-2.64)
-1.44% (-2.53)
# of positive CARs % positive
76 29%
75 29%
105 41%
109 42%
Fama-French Mean CAR
-1.10% (-6.81)
-1.36% (-7.47)
-1.15% (-2.66)
-1.38% (-2.25)
FF-Carhart Mean CAR
-1.09% (-6.69)
-1.38% (-7.55)
-1.09 (-2.49)
-1.31% (-2.16)
34
Table 3 Money saved by insiders selling ahead of cybersecurity breach announcements Panel A of the table reports the average dollar amount of money saved by each insider whose trades executed within three months prior to a cyber breach announcement were identified as non-routine. Panel B reports the average amount of money saved for non-routine insider sales executed in the one month prior to a breach announcement. The dollar amount saved is calculated by aggregating the number of shares sold and multiplying this number by the five-day CAR at the announcement date. T-statistics are in parentheses.
Panel A: 3 months before announcement Opportunistic Year 2011 2012 2013 2014 2015 2016 All
Obs. 15 29 70 27 20 31 192
Mean 37,651 30,261 21,079 31,410 38,500 70,512 35,009 (2.78)
Routine
Median 16,828 11,718 3,523 13,998 19,920 266 7,880 (5.12)
Obs. 3 – 5 6 – 11 25
Mean 132,000 – 49,759 4,447 – 261,087 141,737 (1.24)
Unclassified Median 71,992 – 61,024 3,619 – 7,104 7,104 (1.78)
Obs. 63 83 121 61 56 56 440
Mean 52,447 23,974 62,340 25,811 -231,814 12,484 4,702 (0.19)
Median 7,115 5,058 2,466 5,262 -697 5,333 3,839 (8.01)
Panel B: 1 month before announcement Opportunistic Year 2011 2012 2013 2014 2015 2016 All
Obs. 6 14 25 8 4 13 70
Mean 72,319 27,503 3,481 27,168 22,302 145,583 44,359 (2.08)
Median 48,934 2,644 -1,659 11,751 14,873 4,116 4,890 (2.99)
Routine Obs. 3 – 3 2 – 9 17
Mean 42,454 – 40,685 1,671 – 108,910 72,526 (1.27)
Unclassified Median 25,020 – 226,889 1,671 – 11,205 11,205 (2.65)
Obs. 33 29 45 37 12 36 192
Mean 5,015 25,978 61,092 35,488 3,201 1,424 25,879 (2.58)
Median 4,522 4,847 1,637 11,788 -83 4,283 3,431 (5.61)
35
Table 4 Money saved by insiders according to industry and relationship role For the sample of 192 insiders who sold opportunistically within three months prior to a cyber breach announcement, Panel A of the table shows the average amount of money saved by the insiders according to the industry in which their firm operates. Industries are identified by the first two digits of the NAICS code. The category Other Assorted represents insider trades in six industries. Panel B shows the average amount of money saved by the insiders according to the primary relationship role listed in their Form 4 SEC filing. The category Other Assorted represents insider trades in seven relationship roles. *, **, and *** denote significance at the 10%, 5%, and 1% levels, respectively.
Panel A: By Industry Industry Information Finance and Insurance
Mean
Median
Std. Dev.
Obs.
74,794 37,484
11,738 13,990
258,750 213,444
42 51
Mean t-stat 1.87* 1.25
Median t-stat 4.17*** 3.08***
Other Assorted
22,455
9,386
75,168
12
1.03
2.02**
Accommodation and Food Services Retail Trade
17,978 17,276
16,828 -2,588
15,608 81,048
7 35
3.05*** 1.26
2.27** 0.34
Admin, Support, Waste Mgmt, Remediation Svcs
15,098
16,683
102,515
10
0.47
0.32
Manufacturing
14,796
7,654
95,632
35
0.92
1.01
All
35,009
7,880
174,491
192
2.78***
5.12***
Mean
Median
Std. Dev.
Obs.
Mean t-stat
333,538 142,613
46,389 16,704
610,339 413,654
4 11
1.09 1.14
0.50 0.60
CEO
90,431
86,442
247,007
20
1.64
2.01**
Chief Info/Technology Officer CFO
73,630 17,043
1,507 13,923
163,530 27,655
4 10
0.90 1.95*
0.50 1.58
Officer
15,717
6,465
61,949
97
2.50**
3.66***
General Counsel Director
8,648 -3,513
17,347 1,691
86,992 143,649
15 31
All
35,009
7,880
174,491
192
Panel B: By Relationship Role Relationship Role President Other Assorted
0.39 -0.14 2.78***
Median t-stat
1.03 1.44 5.12***
36
Table 5 Late filing of Form 4 insider trades The table displays the number of days after an insider transaction until the transaction is disclosed on Form 4 to the SEC. Five years of insider trading data prior to the cyber breach announcement is examined. Panel A displays the number of days to file according to industry. Industries are identified by the first two digits of the NAICS code. Industries containing less than 100 observations are not displayed. Panel B displays the number of days taken to file by the insider according to the primary relationship role listed in their Form 4 SEC filing. Relationship categories with fewer than 100 observations are not displayed. The last column of each panel gives results of a test for whether the mean number of days to file is greater than two (the law requires reporting within two days). *, **, and *** denote significance at the 10%, 5%, and 1% levels, respectively. Panel A: By Industry Mean
Median
Std. Dev.
Obs.
Other Services (except Public Administration)
7.96
1
90.11
234
1.01
Professional, Scientific, and Technical Services
5.76
2
32.04
567
2.79***
Manufacturing Retail Trade
5.07 4.71
2 1
64.40 54.20
14,222 5,590
5.68*** 3.74***
Finance and Insurance
3.21
2
27.37
18,358
6.00***
Admin, Support, Waste Mgmt, Remediation Svcs Construction
3.09 2.98
2 2
46.53 5.35
2,235 1,915
1.11 8.05***
Information
2.35
1
11.07
47,884
6.97***
Accommodation and Food Services Wholesale Trade
1.86 1.77
1 1
5.02 6.60
1,521 1,699
– –
Transportation and Warehousing
1.59
1
4.84
450
–
All
3.11
2
32.91
94,824
10.40***
Relationship Role
Mean
Median
Std. Dev.
Obs.
t-stat H0: µ >2
Chief Info/Technology Officer Director
11.98 5.67
2 2
80.87 48.87
576 11,175
2.96*** 7.93***
General Counsel
5.31
1
57.50
3,088
3.20***
Officer Officer and Treasurer
4.32 3.97
2 2
49.77 10.28
20,815 155
6.74*** 2.38***
Chief Operating Officer
2.99
2
28.40
1,105
1.16
CFO Chairman of the Board
2.57 2.49
1 1
7.77 17.78
3,748 864
4.48*** 0.82
Director and Beneficial Owner
2.22
1
7.16
998
CEO President
2.19 2.13
1 2
17.36 5.45
26,653 1,914
Beneficial Owner of more than 10%
1.75
1
3.35
1,036
–
Officer, Director, and Beneficial Owner Officer and Director
1.65 1.47
2 1
0.68 2.92
9,417 13,010
– –
All
3.11
2
32.91
94,824
Industry
t-stat H0: µ >2
Panel B: By Relationship Role
0.99 1.76** 1.02
10.40***
37
Table 6 Predicting late filing of Form 4 insider trades The table displays the results of a logistic regression predicting whether the number of days after an insider transaction until the transaction is disclosed on Form 4 to the SEC exceeds two. If the days until reporting exceeds two, then the form is filed late. Percent Shares Traded is the fraction of shares that the insider sold out of the total shares outstanding in the firm. There are 1,551 observations, with 395 of them exceeding two days (i.e., being filed late).
Variable
Coefficient
z-Statistic
Constant
1.11
1.93
Ln(Num Shares Traded)
0.15
2.37
-0.40 0.17
-4.89 2.97
0.22
1.49
-0.00 0.15
-6.06 0.79
0.00
0.72
1.78 -1.40
9.91 -4.36
0.56
1.06
Role = COO Dummy
-1.49
-1.98
McFadden R2
0.181
Ln(Trade Value) Ln(Market Cap) Percent Shares Traded Days Between Trade & Announcement Opportunistic Trade Dummy Money Saved from the Trade Role = CEO Dummy Role = CFO Dummy Role = CTO/CIO Dummy
38
Figure 1 Money saved by insiders selling ahead of cybersecurity breach announcements The figure shows the average dollar amount of money saved, for each year of the sample, by an insider whose stock sales were classified as non-routine and occurred within three months prior to the firm publicly announcing a cyber data breach.
$80,000 $70,000 $60,000 $50,000 $40,000 $30,000 $20,000 $10,000 $0 2011
2012
2013
2014
2015
2016
39
Figure 2 Timing of insider sales We identify 808 non-routine stock sales by insiders in the 90-day run-up to a cyber breach announcement in our sample. In Panel A, the figure shows the average market value of stock sold each day over the 90 calendar days prior to a cyber breach announcement by these insiders. Market value is the Form 4 reported number of shares sold multiplied by the reported transaction price. The figure also shows the total dollar amount of money saved each day by these insiders. The amount of money saved is shown as of the day the stock was sold. Money saved is computed as the Form 4 reported number of shares sold multiplied by the reported transaction price multiplied by the applicable five-day cumulative abnormal return (CAR) on the stock from the public breach announcement. In Panel B, the figure shows the daily cumulative average dollar amount of stock sold over the 90 calendar days prior to a cyber breach announcement by insiders whose trades are identified as non-routine. The straight red line indicates the expected distribution if stock sales were uniformly dispersed across the 90-day period.
50
5.0
40
4.0
30
3.0
20
2.0
10
1.0
0
0.0
-10
Total Money Saved ($ million)
Value of Shares Sold ($ million)
Panel A: Value of shares sold and money saved by insiders
-1.0 -90 -85 -80 -75 -70 -65 -60 -55 -50 -45 -40 -35 -30 -25 -20 -15 -10 -5 Event Day
0
Value of Shares Sold by Insiders Total Money Saved by Insiders Shown as of the Day the Stock was Sold
40
Panel B: Cumulative average amount of stock sold 300
250
$ millions
200
150
100
50
0 -90 -85 -80 -75 -70 -65 -60 -55 -50 -45 -40 -35 -30 -25 -20 -15 -10
-5
0
Event Day
41
Insider Trading Ahead of Cyber Breach Announcements Highlights • • • •
•
Our sample has more opportunistic selling than the population of all insider sales. Insiders save $35,009 due to selling in the 3 months before the announcement. Insiders save $44,359 due to selling in the 1 month before the announcement. The bulk of opportunistic trading occurs 55 to 72 days before the announcement. Late filing violations are more likely to occur near the announcement of a breach.