In another entry for the ‘what were they thinking’ file, a second former Equifax executive has been charged with insider trading in advance of the company’s massive data breach announcement last September.
According to an SEC release, Sudhakar Reddy Bonthu, a former software engineering manager at the credit information company, traded on confidential information that he received while creating a website for consumers affected by the Equifax breach.
The breach saw 146.6 million US consumers affected, with most records containing social security numbers. Some 99 million lost their address information while 17.6 million lost their drivers’ license numbers. In the UK, a file of 15.2 million records was hacked, and 693,665 consumers had sensitive personal details exposed.
Bonthu, 44, was told that he was building a site for an unnamed client, however, he soon worked out that it was for his employer, Equifax. He allegedly used this information to buy put options in the company’s shares.
A put option is a contract to sell stock for a specific price (the ‘strike price’) within a specified period. You can purchase put options whether you own a stock or not. If a stock trades at $140 per share and you know it will go down, then purchasing a put option to sell 100 shares with a $140 strike price lets you capitalize on the stock’s movement.
If the stock drops to $95, then the put option contract becomes a valuable commodity – you can then buy stock at the lower price of $95 but the trader who offered you the option is obliged to buy it off you for the strike price of $140. A put option is therefore a way of betting that a stock will decline. (The option seller keeps the money you paid for the option in the first place. If the stock goes up, or doesn’t go down enough to cover the cost of the option, you lose.)
According to the SEC, Bonthu wasn’t betting at all. Instead, he knew that the Equifax stock would fall thanks to insider knowledge.
Equifax fired Bonthu in March after he refused to cooperate with its insider trading investigation. He has agreed to return his gains from the put option trades plus interest to settle the SEC’s civil charges, subject to court approval. However, he also faces criminal charges from the US Attorney’s Office from the Northern District of Georgia.
How involved Bonthu was in the Equifax website isn’t clear, but the company’s online guidance for affected consumers drew its own criticism last year. One publication reported that the fraud alerts website suffered from a cross-site scripting (XSS) flaw, which enabled phishers to fool victims into giving them personal information. There were also complaints that its data breach checker was giving out incorrect information.
Bonthu isn’t the first former Equifax staffer to be charged with insider trading prior to the breach announcement. Jun Ying, a former CIO at one of Equifax’s business units, was charged in March for allegedly exercising his vested Equifax stock options and selling the shares for nearly $1m. He avoided nearly $117,000 in losses through his use of insider information, the complaint said.
Confusion reigns over pre-disclosure trading
Companies risk scrutiny over share trades during the periods between discovering and disclosing security flaws, even if those trades have not been ruled illegal. Equifax previously cleared three executives of insider trading after they sold $1.8m in stock within days of the flaw’s discovery.
As data breaches and security flaws continue to affect companies’ market standing, the SEC is taking steps to guide executives in good practice around financial governance and disclosure.
In February the agency issued guidance on disclosing security breaches, warning executives that such breaches constituted ‘material information’, and noting that they must not trade while in possession of such information before it becomes public.