Non-Public Financial Information Leak

The exploratory study of the role of cyber security in non-public information leaks will examine whether firms properly oversee the online security measures takes to protect non-public financial information both within the organization and with the affiliated service providers. In addition, we will attempt to identify certain service providers which are more likely to be associated with leaks and determine if those are associated with weak cyber security measures.

Recent scandals have demonstrated the preponderance of trading based on insider information in financial markets. In one of the more prominent insider trading scandals, Raj Rajaratnam of Galleon Group, was recently convicted of a series of illegal trades based on a network of non-public information he received from company insiders, among them Rajat Gupta, the former head of McKinsey & Company, who served as a director on the board of Goldman Sachs. Another major case has involved the large hedge fund SAC Capital, where traders have used complex networks to relay non-public information from corporate insiders to fund equity traders. These leaks involved some of largest traded technology firms, including Dell and Nvidia, and resulted in hundreds of millions of illicit gains. These examples involve leaks from company insiders, however, many of the cases prosecuted by the SEC involve leaks, not only from company insiders, but also from third parties who are exposed to the non-public information, such as accountants, lawyers, and even PR firms and Financial Printers. So far, the focus has been on human-to-human information transfer, but this must not necessarily always be the case.

While human-to-human leaks of non-public information poses a challenge to law-enforcement, a far bigger challenge may be posed by leaks generated from cyber space. In October 2012, R.R. Donnelley and Sons Co., a "Financial Printer" accidently leaked Google's earnings report hours before the scheduled release by filling an online draft of the release with EDGAR. Concurrently, The sophisticated data theft from Target Corp. demonstrates the potential for leaks of material information through cyber hacks. While the primary objective in the Target hack was apparently customer and credit card information, it is more than conceivable that other non-public information was retrieved, including non-public financial information, which could potentially be used for illegal trading activity.

Pareek and Zuckerman (2014) have found in a recent study that large price moves during the final 30 minutes of trading, prior to a scheduled after-hours earnings announcement, predict the direction of the earnings surprise (SUE) and post-announcement returns. However, the result does not hold for longer time frames (3 hours and beyond), suggesting that the information is obtained only a short-time prior to the scheduled release. Brenner et al. (2014) have found a similar result in options trading prior to merger announcements. Pareek and Zuckerman (2014) also find that some firms tend to be "repeat offenders" and are more likely to have consecutive leaks.

Despite the circumstantial evidence suggesting that material non-public information may be leaked through cyberspace, little to no research has been done to try to identify the sources of these leaks and to examine whether the security measures taken by firms and affiliated entities (accounting, legal, printing, PR, etc.) are appropriate in preventing such leaks. Unlike hacks designed to obtain credit card or other personal financial information, hacks designed to obtain non-public corporate information may cause just as much damage, but are less visible due to the nature of information obtained. Moreover, firms may have far less incentive to disclose such hacks.

This is the first study to highlight the risk of trading based on non-public information obtained via cyber hacks. As such, policy implications based on the finding of such a study may be far-reaching.