Eric L. Talley
Columbia Law School
Columbia University - School of Law
Informed trading and cybersecurity breaches
Cybersecurity has become a significant concern in corporate and commercial settings, and for good reason: a threatened or realized cybersecurity breach can materially affect firm value for capital investors. This paper explores whether market arbitrageurs appear systematically to exploit advance knowledge of such vulnerabilities. We make use of a novel data set tracking cybersecurity breach announcements among public companies to study trading patterns in the derivatives market preceding the announcement of a breach. Using a matched sample of unaffected control firms, we find significant trading abnormalities for hacked targets, measured in terms of both open interest and volume. Our results are robust to several alternative matching techniques, as well as to both cross-sectional and longitudinal identification strategies. All told, our findings appear strongly consistent with the proposition that arbitrageurs can and do obtain early notice of impending breach disclosures, and that they are able to profit from such information. Normatively, we argue that the efficiency implications of cybersecurity trading are distinct—and generally more concerning—than those posed by garden-variety information trading within securities markets. Notwithstanding these idiosyncratic concerns, however, both securities fraud and computer fraud in their current form appear poorly adapted to address such concerns, and both would require nontrivial re-imagining to meet the challenge (even approximately).
The ascendancy and impact of the information economy during the last quarter century have been dramatic and unprecedented. Fully one fifth of the preeminent Dow Jones Industrial Index in the mid-1990s was composed of Eastman Kodak, Bethlehem Steel, F.W. Woolworth, International Paper, Sears Roebuck and Union Carbide. Amazon and Google were little-known startups. Apple Computer—which didn’t make this cut—was a moribund upstart from the 1980s; Facebook and Bitcoin were still a decade away from inception. How times have ever changed. The digitization of the world's economy has hastened profound changes in commerce, record-keeping, law enforcement, personnel policy, banking, insurance, securities markets, and virtually all aspects of services and manufacturing sectors.
And yet, a key pillar of the digital economy—the ease of accessing/copying/ distributing information at scale—is also frequently its Achilles Heel, in the form of cybersecurity risk. The massive and cataclysmic data breach of Equifax in September 2017, for example, which compromised highly confidential information of tens of millions of clients (including Social Security numbers), was hardly the first of its kind—nor will it be the last. For more than a decade, firms and organizations that store confidential data digitally have been targets (potential or actual) of similar types of attacks often with analogously cataclysmic implications for victims.