Fraud Management & Cybercrime , Governance & Risk Management , Incident & Breach Response
SEC Charges a Former Equifax CIO With Insider Trading
Jun Ying Allegedly Dumped Stock After Deducing Equifax Had Suffered Mega-BreachA former Equifax executive faces insider trading charges from both federal regulators and federal prosecutors for allegedly dumping all of his vested stock options after determining that his company had suffered a massive data breach but before the information became public.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
On Wednesday, the U.S. Securities and Exchange Commission announced that Jun Ying, 42, the former CIO of Atlanta-based Equifax U.S. Information Solutions, has been charged with committing securities fraud by engaging in illegal insider trading.
"As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public," Richard R. Best, director of the SEC's Atlanta regional office, says in a statement. "Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit."
The SEC's complaint charges Ying with violating the anti-fraud provisions of the federal securities laws and seeks that he "disgorge an amount equal to the losses avoided," plus interest; pay a monetary penalty; and be prohibited "from serving as an officer or director of a public company."
Federal Prosecutors Also Charge Ying
The U.S. Attorney's Office for the Northern District of Georgia on Wednesday announced parallel criminal charges against Ying following an investigation by the FBI and assistance from the SEC.
"This defendant took advantage of his position as Equifax's USIS chief information officer and allegedly sold over $950,000 worth of stock to profit before the company announced a data breach that impacted over 145 million Americans," says U.S. Attorney Byung J. "BJay" Pak. "Our office takes the abuse of trust inherent in insider trading very seriously and will prosecute those who seek to profit in this manner. By selling when he did, Ying avoided losses in excess of $117,000."
A federal grand jury indicted Ying on Tuesday; he's due to be arraigned on the charges later this week.
Meanwhile, the SEC says its investigation into the Equifax breach continues.
Equifax Alerted Feds
Equifax says it tipped off the Department of Justice and the SEC to Ying's alleged insider trading.
"Upon learning about Mr. Ying's August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company's trading policies, separated him from the company and reported our findings to government authorities," Paulino Do Rego Barros Jr., interim CEO of Equifax, says in a Wednesday statement.
"We are fully cooperating with the DOJ and the SEC, and will continue to do so. We take corporate governance and compliance very seriously, and will not tolerate violations of our policies."
Breach Response: "Project Sparta"
Equifax first began investigating what turned out to be its record-breaking data breach after observing suspicious network traffic on July 29, 2017. Three days later, "Equifax retained the cybersecurity group at an Atlanta law firm to investigate the incident and provide legal and regulatory advice" and via the law firm, the same day, "engaged an independent cybersecurity forensic consulting firm," according to the SEC's complaint.
Over the next several weeks, Equifax executives determined that the company had suffered a massive breach, launched a breach response program and crisis response team code-named "Project Sierra" and instructed everyone on the team that the breach particulars were confidential and should not be shared outside of the team, according to a statement of facts included in the court documents. It says the company instituted a special trading blackout for everyone on the Project Sierra team.
Ying wasn't directly told that Equifax had been breached, but rather was assigned to assist Equifax's Global Consumer Solutions unit with what was billed as "a business opportunity for an unnamed client," code-named Project Sparta, according to court documents. The project was designated as "urgent," and everyone participating, including Ying and his team, were instructed to cancel their Friday evening plans and respond to all requests.
At 5:27 p.m. that day, Ying texted a co-worker that the breach they were working on "sounds bad" and noted: "We may be the one breached. . . . Starting to put 2 and 2 together," according to the SEC complaint. Later that evening, Ying learned that Equifax's CSO, chief legal officer and vice president of cybersecurity had all canceled their travel plans, it adds.
The following Monday, around 10 a.m., "Ying used a search engine to find information on the internet concerning the September 2015 cybersecurity breach of Experian, another one of the three major credit bureaus, and the impact that breach had on Experian's stock price," according to the complaint. "The search terms used by Ying were: (1) 'Experian breach'; (2) 'Experian stock price 9/15/2015'; and (3) 'Experian breach 2015.'
"Later that morning, Ying exercised all of his available stock options held at UBS Financial Services, resulting in him receiving 6,815 shares of Equifax stock, which he then sold. He received proceeds of over $950,000, and realized a gain of over $480,000. On Sept. 7, 2017, Equifax publicly announced its data breach, which resulted in its stock price falling."
Breach Impact
Equifax issued its first notification about the data breach on Sept. 7, 2017, by issuing a press release and filing a form 8-K with the SEC after the market closed that day. At the time, Equifax believed the breach had affected approximately 143 million U.S. consumers, or nearly every adult in the nation.
The company's stock price fell as a result of its data breach announcement (see Cynic's Guide to the Equifax Breach: Nothing Will Change).
Earlier this month, Equifax revised its estimate of the breach's impact to 147.9 million U.S. consumers. About 15 million U.K. consumers - of which about 860,000 are at risk of identity theft - and 8,000 Canadian consumers also saw their personal information get breached (see Equifax Breach Victims: UK Count Goes Up).
The breach led to the ousting of Equifax's global CIO and CSO, and shortly thereafter also its CEO, Richard Smith, who has subsequently appeared before Congress to testify on the breach (see More Questions Raised After Equifax CIO, CSO 'Retire').
Ying was offered the global CIO job, but when Equifax discovered that he may have engaged in insider trading, it withdrew the offer, according to the complaint. On Oct. 16, 2017, following its internal investigation into Ying's trades, Equifax determined that he had violated the company's insider trading policy and informed him that he would be sacked, according to the complaint. "At that time, Ying agreed to resign," it says.
Insider Trading Investigations
Ying isn't the only Equifax executive to have made suspiciously timed trades. Four other executives, including the CFO, collectively sold about $1.8 million worth of shares just days after July 29, 2017, when the company discovered its massive breach (see Equifax's May Mega-Breach Might Trace to March Hack).
But an investigation by Equifax concluded that none of the four Equifax knew about the suspected data breach (see Equifax: Share-Selling Executives Didn't Know About Breach).
SEC Revises Insider-Trading Guidance
The Equifax breach appears to have helped influence revised cybersecurity guidance that the SEC issued last month (see SEC Releases Updated Cybersecurity Guidance).
"Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk," the new guidance states.
Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, a cybersecurity consultancy, tells ISMG: "Any time a company knows or suspects it has a cybersecurity incident or breach that is actively being investigated, it is incumbent upon senior management to ensure trading activity ceases - especially among those with specific inside information or who are part of the executive team."