[Fathima Rena Abdulla is a 3rd-year B.A., LL.B. (Hons.) student at NUALS, Kochi]
Stock market responses to cybersecurity breaches have consistently triggered negative outcomes and, consequently, opportunistic insider trading. Through timely selling before public breach announcements, insiders employ various tactics, including buying put options, making profits, or avoiding losses from the disclosure. The Equifax data breach in the United States is a pertinent example. It exposed highly confidential information affecting millions of clients, including social security numbers. In Securities Exchange Commission v. Jun Ying, Jun Ying, who was to become Equifax’s CIO, engaged in insider trading by selling $950,000 worth of Equifax shares after learning about the data breach but before it was publicized, avoiding a loss of $117,000 and gaining over $480,000. Ying pleaded guilty, receiving a four-month prison sentence, a $55,000 fine, and a restitution order of $117,117. In another case, Securities Exchange Commission v. Bonthu, a former Equifax software engineer, Sudhakar Reddy Bonthu, profited over $75,000 through insider trading after learning of a data breach. Bonthu was sentenced to eight months of home confinement, fined $50,000, and ordered to forfeit $75,979.
Similar cyberattacks on firms storing digital confidential data have been recurrent over the past decade. The strategy more or less involves purchasing the right to sell an asset at a specified price by a specified date upon learning of a yet-to-be-publicized cybersecurity incident. Insiders essentially bet on the company’s stock price decreasing upon public revelation, positioning themselves to gain from the impending loss. Another common practice involves selling shares or exercising vested stock options after learning of a data breach but before any public announcement, raising questions about when the company and its individuals genuinely “became aware” of the breach.
This post will address three questions in this context. First, why, in the Indian context, is there a heightened chance of such events once the Digital Personal Data Protection Act, 2023 (“DPDPA”) comes into force? Second, what are the difficulties in defining a personal data breach notification as unpublished price-sensitive information (“UPSI”)? Third, what are the alternatives to solve this regulatory vacuum?
Temporal Gap Between the Personal Data Breach Notifications and Market Disclosures
Section 8(6) of the DPDPA mandates swift notifications of personal data breaches (“PDB”) to the affected data principals and the data protection board, failure of which will result in fines up to Rs. 250 crores. Under the existing framework, there is an immediate reporting obligation to CERT-In within six hours for all cybersecurity breaches, hinting at potentially stringent reporting requirements under the DPDPA. This notification is not public or “generally available” as it is served only to the affected data principals, the data protection board, or CERT-In. In contrast, the SEBI (Listing Obligations and Disclosure Requirements) (Second Amendment) Regulations, 2023, (“LODR Regulations”) introduced regulation 27(2)(ba), stipulating a quarterly reporting mandate for cybersecurity incidents, which has to be carried out within 21 days after the end of the quarter. In its consultation paper dated November 12, 2022, the Securities and Exchange Board of India (“SEBI”) previously addressed the matter, stating that immediate disclosures should be avoided since they could make the entity susceptible to additional attacks. The situation is further complicated by the public comments on SEBI’s Board Meeting Agenda dated March 29, 2023. Stakeholders suggested refining the scope of disclosure to align with the CERT-In Directions. Moreover, there were reservations regarding public disclosure, emphasizing adherence to the CERT-In Rules that mandate disclosure exclusively to CERT-In, and proposing affirmations in quarterly compliance reports as an alternative to detailing incidents, hence not making them public. One will have to see if SEBI or the stock exchange clarifies the issues raised in the public comments.
The juxtaposition of the CERT-In and DPDPA’s imperative for swift breach notifications and SEBI’s quarterly reporting schedule introduces a temporal gap between the occurrence of a PDB and the information becoming “generally available” to the public. This time lag provides an avenue for opportunistic insider traders, fueled by the uncertainties regarding classifying PDB notifications as UPSI. Under regulation 2(e) of the SEBI (Prohibition of Insider Trading) Regulations, 2015 (“PIT Regulations”), an insider is anyone who is in possession of UPSI or is a connected person. Hence, whether or not those aware of the PDB, like the data principal, the data protection board and relevant employees, are insiders depends on whether the PDB notification or the knowledge of the breach is regarded as UPSI. If it is not labeled as such, it provides a safe haven for these opportunistic insider trading activities. If there were clarity regarding the information being labeled as UPSI, the chances of exploiting the information would substantively reduce due to the risk of litigation once it is discovered.
The following sections will delve deeper into the risks associated with insider trading due to ambiguity in classifying PDB notifications as UPSI and propose measures for resolving these regulatory ambiguities.
Ambiguity Regarding Classification of PDB Notifications as UPSI
According to regulation 2(ze) of the PIT Regulations, UPSI must fulfill a tripartite condition involving relevance to the company or its securities, non-availability to the general public, and a potential material impact on securities prices. An essential aspect to consider is the definition of UPSI in the context of mandatory PDB notifications. Such notifications are communicated exclusively to data principals, the data protection board, or CERT-In, in the current scenario, making the information not generally available. However, the ambiguity arises concerning its “price sensitivity” and direct relationship with the company or its securities. A mere PDB might lack clear financial implications and may not directly relate to the company or its securities. For example, consider a scenario where a pharmaceutical company experiences a PDB exposing the database containing its customers’ personal information. While unfortunate for the individuals involved, the compromised data does not have direct financial consequences for the company. It might be a standalone incident unrelated to the company’s operations, projects, or intellectual property. In this case, the breach may have no immediate impact on the company’s financial standing or stock value, highlighting the challenge of assessing the materiality of cybersecurity incidents that may not have direct financial implications for the affected entity. Therefore, assessing whether such a breach is “material” in the first place becomes essential.
Providing a glimmer of hope, SEBI, in a consultation paper, proposed reintroducing Item No. 6, encompassing “material events in accordance with the listing agreement,” into the UPSI definition. Material events, as specified in Schedule III of the LODR Regulations, require disclosure to stock exchanges. However, even though this seems like an improved way of classification that could include significant cybersecurity breaches, Schedule III does not clarify the uncertainty about whether or not such incidents can be labeled as UPSI. To make matters worse, observations made by SEBI suggest that numerous companies conveniently categorize only explicitly defined UPSI events provided in the illustrations to regulation 2(ze) of the PIT Regulations. Historically, price-sensitive events often revolved around key corporate transformations like mergers, acquisitions, earnings reports, or other fundamental changes. While a suspected data incident may possess the significance to be deemed a UPSI, it may not consistently align with traditional markers of significant corporate events.
Essentially, the challenge lies in aligning PDB notifications with the stringent criteria for UPSI. The proposed amendments and regulatory frameworks present opportunities for clarity but also underscore the need for a comprehensive understanding of materiality and price sensitivity. The subsequent section will further explore potential resolutions to bridge these gaps, emphasizing the importance of regulatory clarity and adaptability in navigating the complexities of insider trading risks related to PDB.
Way Forward
In the context of cybersecurity regulations, SEBI should mandate robust cybersecurity frameworks for public companies, aligning with the DPDPA. Additionally, it must clarify if cybersecurity incidents fall under the definition of UPSI and Schedule III of the LODR Regulations. For instance, the Australian Securities Exchange (ASX) Listing Rules mandate continuous disclosure for material events, including cybersecurity incidents. If the company learns of any information that a reasonable person would anticipate will significantly impact the price or value of the entity’s securities, it must notify the ASX immediately. By doing this, the time gap is avoided, and insider trading concerns are reduced.
The United States Securities and Exchange Commission Guidance on Public Company Cybersecurity Disclosure (2018) emphasizes prohibiting insider trading during significant cybersecurity incidents and recommends that companies establish policies, such as blackout windows, against such behavior. For more clarity, objective thresholds must also be provided. For instance, companies in California must disclose data breaches affecting more than 500 customers. Additionally, SEBI should implement a continuous review mechanism to adjust thresholds based on market feedback and empirical data. Stringent disclosure requirements deter insider trading, highlighting the importance of clear regulations preventing unauthorized trading based on undisclosed cyberattacks.
– Fathima Rena Abdulla