Money Stuff

Is Insider Guessing Illegal?

Also bug-exploit shorting, CFIUS, Bear Stearns and bond market liquidity.

Equifax insider trading!

If you work at a public company, and it suffers a massive data breach, and you find out about it before it is public, and you sell your stock, is that illegal insider trading? I do not want to give you legal advice, and there are some nuances to the question, but the basic answer is, duh, yes. That data breach is probably material to the company's stock, and you are clearly an insider, and so if you find out about the breach and trade on it then you are breaking the law.

On the other hand, if you work at a public company, and it suffers a massive data breach, and you don't find out about it before it is public, and you sell your stock anyway because you just have a vague bad feeling about things, is that illegal insider trading? Again I do not want to give you legal advice, and there are some nuances to the question, but the basic answer is, no, probably not. That's just good luck: It can't be criminal insider trading if you don't know the nonpublic information when you trade. 

You do not usually see in-between cases. Occasionally there is a factual debate about whether the insider who traded knew about the breach, but you don't get a lot of cases where the company dropped a few hints internally about the breach and the insider made an educated guess and then traded on it. Because that is just weird.

But here is just such a weird case! The Securities and Exchange Commission and the Justice Department have charged Jun Ying, a former senior technology executive at Equifax Inc., with insider trading ahead of Equifax's announcement that it had suffered a major data breach. But no one told Ying about the breach. Instead, he was asked to help out with a thing called "Project Sparta," which, according to the SEC complaint,

involved setting up a website for consumers to determine whether they were affected by the breach, developing a suite of protective tools for consumers, and staffing call centers. ... Those Equifax employees who were only part of Project Sparta were not told that Equifax had been breached, but were instead told that they were working for an unnamed client that had experienced a large data breach.

Ying wasn't even on Project Sparta, but his team was asked to help out with it, and he sensibly said no: He "initially resisted the requests for assistance" and "expressed concern that the deadline was unrealistic." So they told him to call his boss, the global chief information officer:

During the call, the global CIO told Ying that Ying was expected to comply with the requests. The global CIO also told Ying that, at that time, Ying did not need to know why he had to comply, but that at some point, Ying would understand what was happening.

At 5:27 p.m., Ying texted the direct report he had communicated with earlier, writing: “On the phone with [global CIO]. Sounds bad. We may be the one breached. . . . Starting to put 2 and 2 together.”

He then allegedly "exercised all of his vested options to buy Equifax shares, and then immediately sold those Equifax shares for total proceeds of more than $950,000," avoiding $117,000 in losses that he would have faced after the breach was made public. 

So ... is this illegal? I mean, I don't give legal advice, but I wouldn't try it if I were you: The SEC and the Justice Department clearly think it's illegal, and it's not gonna look great to a jury. Ying did not, in the course of his work, receive the material nonpublic information that Equifax had been breached. But he did receive nonpublic information -- about Project Sparta or whatever -- that allowed him to infer that Equifax had been breached. It seems like that sort of nonpublic information, though not as material as "we have been breached," is still pretty material. A public shareholder who learned that Equifax was going around telling all of its tech people to drop everything to work on a client breach opportunity might have been able to put two and two together herself. But she didn't have that information; Ying allegedly did.

Really there ought to be more cases like this. Sometimes corporate insiders are just handed material nonpublic information in the course of doing their jobs. But even when they aren't, they have lots more opportunities to intuit that material nonpublic information than the general public does, to read tea leaves or body language to get a sense of how things are going. Investors regularly set up meetings with corporate executives so they can examine those executives' body language for hints about stock performance. If you see the executive every day at work you have lots of priceless opportunities to examine her body language. "How's it going Jane," you ask, and if she twitches and runs away maybe you dump your stock. Were you trading on material nonpublic information? What was it?

In a sense the weird thing is that corporate executives are ever allowed to trade in their company's stock. The normal way this is explained is that executives are not allowed to trade when they have material nonpublic information -- when they're negotiating a merger or dealing with a data breach or preparing the quarterly earnings release -- but are allowed to trade when they don't. Typically, companies have a window shortly after the earnings are released when they assume that executives are "cleansed" of inside information -- that everything material has been released publicly -- and so the executives are allowed to trade. (Or to set up 10b5-1 plans to trade automatically once the window is closed.) But this is mostly a polite fiction. The executives always know things about their company that public shareholders don't, and that the public shareholders would want to know. They know what long-term projects it is working on and how those projects are going, they know which other executives drink too much or spend too much time golfing, they know whether the chief financial officer looks a little shifty when you ask him about revenue-recognition policies. In practice everyone seems to draw a crude distinction between executives who have inside information about obvious short-term stock-moving things (this quarter's earnings, a merger, a data breach) and those who just have a better overall sense of the company's operations and prospects than the public does, but it's not obvious why that better overall sense would not be material to shareholders.

The fact that there aren't more cases like Ying's probably comes down to some combination of (1) most people who are smart and plugged-in enough to intuit dramatic nonpublic information (mergers, data breaches) about their companies are also probably smart enough not to trade on it and (2) there are enough people who just receive emails that say "here's some nonpublic information about a merger, don't trade on it," and who then trade on it, to keep the SEC busy. Why bother with subtle intuitive insider traders when there is a never-ending supply of dumb obvious ones? It is telling that these charges come in connection with the Equifax breach, where several of Equifax's executive officers notoriously traded after Equifax learned of the breach but before it disclosed it. Many commentators seem to have assumed that those officers must have known of the breach and traded illegally on that information, and while I find that very implausible, the SEC and Justice Department really had no choice but to investigate thoroughly. They don't seem to have found anything illegal in the executive officers' trades, but they did happen upon this novelty insider trading case -- actually Equifax "reviewed Ying’s trading and, after concluding he violated the firm’s policies, reported its findings to government authorities" -- and so they had to bring it.

Elsewhere in security breaches.

This week "hardware security firm CTS Labs published a paper and website pointing to four new classes of attack that the company says are possible against AMD chips in both PCs and servers." Advanced Micro Devices Inc. stock actually went up a bit on the day CTS published, but that seems not to have been the intent:

The CTS researchers shared their full findings with AMD only a day before going public, practically blindsiding the company. The typical disclosure window lasts for months, to give affected manufacturers a chance to address the issues. They also released their paper with almost no technical details that would allow anyone to reproduce the attacks they describe. And CTS includes an unusual disclaimer on its website that it may have "an economic interest in the performance of the securities of the companies" implicated in its reports, raising concerns from security analysts that they could benefit from a drop in AMD's stock price.

We have talked about this phenomenon before, when we discussed a paper by Joshua Mitts and Eric Talley on "Informed Trading and Cybersecurity Breaches." A basic question to ask yourself, when considering whether this sort of thing is Bad, is: Compared to what? I think in an ideal world security researchers would disinterestedly go around discovering bugs in companies' systems, the researchers would quietly report the bugs to the companies, the companies would fix the bugs and then announce that they had been fixed, and maybe they'd pay the researchers a little something as a token of their appreciation. Compared to that world, one in which the researchers blindside the companies to make money by shorting their stock seems a little crass. But there are other possible worlds! For instance, a world in which the security researchers find bugs and exploit them to hack into millions of people's computers, steal information and cause damage would probably be worse than either of the other alternatives. "If hackers who break into public companies' computers profit by buying put options and then announcing their hacks," I wrote previously, "that seems ... less bad than any of the other ways they could profit?"

Of course the incentives then shift subtly. If you find a bug and report it to the company, you'll probably only get a bounty if the bug is real, since the company is in a good position to test it. If you find a bug and use it to hack into computers and steal data, again, that will only work if the bug is real. If you find a bug, short the stock and then announce the bug, then your profit mechanism doesn't strictly depend on the bug being real. If you can convince enough investors -- who are not necessarily technical experts -- that it is real then that is just as good as it being real.

National security.

One obvious weird thing about Broadcom Ltd.'s bid for Qualcomm Inc. being blocked on national-security grounds by the Committee on Foreign Investment in the U.S. is that Broadcom is only barely a foreign company. It is incorporated in Singapore, but it was formed by a 2015 merger between Avago and Broadcom, both of which were based in California. Its deal team argued that it was "a quintessential American success story; a spinoff from Hewlett-Packard that only moved its legal address to Singapore to escape a corporate tax system that Trump had repeatedly branded as broken." Its chief executive officer was born in Malaysia, but lives in California and has been a U.S. citizen for 25 years. And it was planning to move its incorporation to the U.S. -- to be fair, as part of the effort to get this deal done -- and will go ahead with that move anyway despite the deal being blocked.

If it had done that move a few months before announcing the deal, instead of a few months after, CFIUS wouldn't have blocked the deal, because it wouldn't have had jurisdiction. The deal really might be a threat to U.S. national security, but CFIUS's rationale for that threat had nothing to do with exporting technology (to Singapore?). Instead, the theory was that Broadcom was "looking to take a ‘private-equity’-style direction if it acquires Qualcomm," which would involve slashing research and development and reducing U.S. innovation. But if a U.S. private equity firm did that -- or a U.S. chipmaker -- then national security concerns would be just as implicated, but CFIUS wouldn't be involved, because it wouldn't be a foreign investment in the U.S. You may agree with CFIUS's rationale, but it is an odd rationale for CFIUS, because it is not limited to foreign takeovers. Plenty of domestic takeovers, on that rationale, are just as serious a threat to national security: Who reviews those, and under what standard? 

Anyway here is a story about how Broadcom tried and failed to get the deal done, despite strong support from Qualcomm's shareholders and the oddity of CFIUS's rationale.

Happy Bear week.

To celebrate yesterday's 10-year anniversary of the fall/bailout/acquisition of Bear Stearns, the Financial Times published this retrospective of "How Jamie Dimon came to rue his Bear Stearns deal." It includes this statistic:

Today there are no ex-Bear people on JPMorgan’s 11-person operating committee, or among the five corporate officers. According to one estimate, less than 4,000 of 14,000 Bear employees at the time of the deal were still at JPMorgan within a couple of years. These days, about 2,000 remain.

How many would you have guessed? The zero Bear people on the operating committee is a bit of a failure, suggesting that JPMorgan really didn't get much in the way of cultural or risk-taking or knowledge benefits out of Bear. When you buy a big famous aggressive investment bank you don't want to swallow it up without a trace; you want to learn something from it, to have it change your culture as you digest it. The lack of senior Bear people suggests that that didn't take. But 2,000 out of 14,000 employees remaining after 10 years seems like pretty standard banking turnover? That's about 18 percent turnover a year. I was at Goldman Sachs Group Inc. in March of 2008, and of about 15 people on my desk at the time, I count two who are still at the firm. That's pretty close to Bear's ratio. Sometimes people leave banks because of disruptive acquisitions and financial crises and failed integrations, but you can't underestimate the fact that people are constantly leaving banks.

People are worried about bond market liquidity.

But as far as I can tell the SEC is slightly less worried than it used to be: In 2016 it adopted new rules requiring mutual funds to publicly report "the aggregate percentage of its portfolio investments that falls into each of the four liquidity classifications" used by the SEC, "highly liquid," "moderately liquid," "less liquid" and "illiquid." The idea was that investors who were worried about the liquidity of the funds' underlying investments could go read that disclosure and assuage or confirm their worries. But before the disclosures actually started, the SEC announced yesterday that it had changed its mind: Funds will still have to report the liquidity classifications of each of their holdings to the SEC privately, but the public disclosure will go away.

Instead, the SEC will replace it "with new disclosure in the fund’s annual shareholder report that provides a narrative discussion of the operation and effectiveness of the fund’s liquidity risk management program over the reporting period." I suppose you could argue that narrative disclosure of how the fund thinks about liquidity will give investors less detailed information than an explicit statistical breakdown, but the SEC argues that the change will "more effectively achieve the Commission’s policy goal of promoting investor understanding of the liquidity risks of the funds in which they have invested, while minimizing risks of investor confusion," and I cannot say that they are wrong? A list of liquidity buckets doesn't sound all that informative for the average retail investor; a narrative discussion of liquidity policies ... I mean, let's not kid ourselves, it's not that informative either, but at least the funds will be trying to tell you something useful. It is probably better than a contextless list of vaguely titled liquidity buckets, for the frankly unusual set of investors who are interested in their funds' liquidity.

Bloomberg Ideas.

A whole bunch of my Bloomberg colleagues -- Leonid Bershidsky, Clive Crook, Tim Culpan, Noah Feldman, Justin Fox, Ellen Huet, Nir Kaissar, Joe Nocera, Elaine Ou, Shira Ovide, Virginia Postrel, Shuli Ren, Conor Sen, Noah Smith, and Brad Stone -- will be meeting in San Francisco on March 19 and 20 for a Bloomberg Ideas event. It will be hosted by Bloomberg Beta, and will feature in-depth conversations about tech and regulation, artificial intelligence and capital markets. I will not be able to be there but it should be good; if you'd like to attend you can fill out a form here.

Me yesterday.

I wrote about Theranos Inc., the Blood Unicorn (Elasmotherium haimatos), which ran into a bit of trouble with the Securities and Exchange Commission yesterday. Here is John Carreyrou's victory lap on Theranos, which notes that "Theranos is still facing a criminal investigation led by the U.S. attorney’s office in San Francisco." And here is "Blood, Fraud and Money Led to Theranos CEO's Fall From Grace."

Things happen.

Kudlow Plunges Into New Role as Trump’s Economic Warrior. US Senate approves rules rollback to help smaller banks. "While the NYSE operates each day between 9:30 a.m. and 4 p.m., more than ever the action is compressed in the final minutes." Toys ‘R’ Us Will Proceed With Shutdown of U.S. Operations. IHeart Files for Bankruptcy With Last-Minute Creditor Deal. 'Panama Papers' law firm Mossack Fonseca shutting down. Brussels under fire over Barroso’s move to Goldman. This Multibillion-Dollar Corporation Is Controlled by a Penniless Yoga Superstar. Shrinking bond guarantees. Courting Crypto: Barclays Breaks Rank With Coinbase Deal. "Online searches for 'bitcoin' fell 82 percent from December highs, according to Google Trends." United Continental Holdings is misplacing dogs now. "The problem is United has long had a culture that some might describe as not customer-oriented and others might describe as anti-customer." Astronaut’s DNA no longer matches his identical twin. "MillerCoors has invented a generation that’s younger than millennials but old enough to legally imbibe."

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

    To contact the author of this story:
    Matt Levine at

    To contact the editor responsible for this story:
    James Greiff at