
SSRN Id3107123


INFORMED TRADING AND CYBERSECURITY BREACHES*

Forthcoming, Harvard Business Law Review (2018)

March 14, 2018†

Abstract: Cybersecurity has become a significant concern in corporate and
commercial settings, and for good reason: a threatened or realized cybersecurity
breach can materially affect firm value for capital investors. This paper explores
whether market arbitrageurs appear systematically to exploit advance knowledge of
such vulnerabilities. We make use of a novel data set tracking cybersecurity breach
announcements among public companies to study trading patterns in the derivatives
market preceding the announcement of a breach. Using a matched sample of
unaffected control firms, we find significant trading abnormalities for hacked targets,
measured in terms of both open interest and volume. Our results are robust to
several alternative matching techniques, as well as to both cross-sectional and
longitudinal identification strategies. All told, our findings appear strongly
consistent with the proposition that arbitrageurs can and do obtain early notice of
impending breach disclosures, and that they are able to profit from such information.
Normatively, we argue that the efficiency implications of cybersecurity trading are
distinct—and generally more concerning—than those posed by garden-variety
information trading within securities markets. Notwithstanding these idiosyncratic
concerns, however, both securities fraud and computer fraud in their current form
appear poorly adapted to address such concerns, and both would require nontrivial
re-imagining to meet the challenge (even approximately).

* We thank Jack Coffee, Jeff Gordon, Alexander Guembel, Laurie Hodrick, Colleen Honigsberg, Gur
Huberman, Mark Lemley, Justin McCrary, Mitch Polinsky, Fernan Restrepo, and workshop
participants at Columbia Law School, the Santa Fe Institute, Stanford Law School, the Toulouse
School of Economics, and the University of Toronto for helpful comments and discussions. Kailey
Flanagan and Hanna K. Song provided excellent research assistance. This draft is a companion piece
to an eponymous technical manuscript offering a more detailed theoretical analysis. All errors,
regrettably, are ours.

† First Version: December 2, 2017. © 2018 by Joshua Mitts and Eric Talley. For the most recent
version of this paper, please visit https://ssrn.com/abstract=3107123.

Electronic copy available at: https://ssrn.com/abstract=3107123


MAR. 2018 INFORMED TRADING AND CYBERSECURITY BREACHES ii

INFORMED TRADING AND CYBERSECURITY BREACHES

Table of Contents
1. INTRODUCTION
2. EMPIRICAL EVIDENCE OF INFORMED CYBER-TRADING
  DATA SOURCES
  EMPIRICAL DESIGN
  CROSS-SECTIONAL ANALYSIS
  DIFFERENCE-IN-DIFFERENCES ANALYSIS
3. NORMATIVE IMPLICATIONS: IS CYBER-TRADING SPECIAL?
  PRICE DISCOVERY
  DISTRIBUTIONAL FAIRNESS
  MARKET LIQUIDITY
  ALLOCATIVE EFFICIENCY
4. PRESCRIPTIVE CHALLENGES
  SECURITIES FRAUD LIABILITY
  LIABILITY UNDER THE CFAA
  SYNOPSIS
5. CONCLUSION


1. Introduction

The ascendancy and impact of the information economy during the last
quarter century have been dramatic and unprecedented. Fully one fifth of the
preeminent Dow Jones Industrial Index in the mid-1990s was composed of Eastman
Kodak, Bethlehem Steel, F.W. Woolworth, International Paper, Sears Roebuck and
Union Carbide. Amazon and Google were little-known startups. Apple Computer—
which didn’t make this cut—was a moribund upstart from the 1980s; Facebook and
Bitcoin were still a decade away from inception. How times have ever changed.

The digitization of the world's economy has hastened profound changes in
commerce, record-keeping, law enforcement, personnel policy, banking, insurance,
securities markets, and virtually all aspects of services and manufacturing sectors.
And yet, a key pillar of the digital economy—the ease of accessing/copying/
distributing information at scale—is also frequently its Achilles Heel, in the form of
cybersecurity risk. The massive and cataclysmic data breach of Equifax in
September 2017, for example, which compromised highly confidential information
of tens of millions of clients (including Social Security numbers), was hardly the first
of its kind—nor will it be the last. For more than a decade, firms and organizations
that store confidential data digitally have been targets (potential or actual) of similar
types of attacks, often with analogously cataclysmic implications for victims.

Within securities-market settings, of course, one person’s catastrophe can be
another’s arbitrage opportunity. And so it came to be in the late summer of 2016,
when Muddy Waters Capital—a well-known short hedge fund—opened a
confidential line of communication with MedSec, a start-up cybersecurity firm
claiming to have discovered a serious security software flaw in the pacemakers
produced by St. Jude Medical, a then-public medical device company (knee-deep in
the process of being acquired by Abbott Laboratories). Only after taking a substantial
short position in St. Jude did Muddy Waters publicly disclose the device’s
vulnerability,1 causing an immediate fall in St. Jude's stock price in excess of eight
percent.2 Similar patterns of material changes in value after disclosure of a
cybersecurity event are now commonplace.3

Muddy Waters' securities-market play around St. Jude’s data breach
disclosure is perhaps unsurprising—particularly when (a) cybersecurity breaches can
have material price effects in capital markets; and (b) the underlying vulnerability

1 See http://www.muddywatersresearch.com/research/stj/mw-is-short-stj/ (August 2015).
2 See Goldstein, Matthew, Stevenson, Alexandra and Picker, Leslie, 2016. “Unusual Pairing Makes
Public Bet vs. Pacemakers.” New York Times (Sept. 8, 2016 at B1).
3 To take a current example, Uber's recent disclosure of a cybersecurity loss of client payment records
caused an outside investor (Softbank) to reduce its valuation assessment of Uber by nearly a third.
See Financial Times, "SoftBank share purchase discounts Uber by 30%" (Nov. 27, 2017).


involved potentially confidential data. Trading in the securities of compromised
issuers is, after all, far safer than trafficking directly in the stolen information itself.
Indeed, fencing such protected data directly is almost always a criminal offence
under state and federal law.4 In contrast, buying low and selling high (or selling high
and buying low) in securities markets is a venerated capitalist ritual. At the same
time, the St. Jude / Muddy Waters kerfuffle raises intriguing questions about how
widespread such cybersecurity-related trading is, whether material arbitrage rents are
available, and who tends to earn them. And, to the extent that appreciable arbitrage
rents exist, might they directly or indirectly subsidize cyber-hacking---effectively
catalyzing destructive activity solely for the purpose of trading on the basis of the
harms and risks it creates? Is it possible to detect such activities by observing the
footprint of trading patterns? Should such coordinated behavior be more heavily
regulated by authorities?

In this paper, we consider public-company announcements of cybersecurity
breaches, analyzing how they interact with securities-market trading activity.
Specifically, we consider the phenomenon of securities-market trading on the basis
of advance knowledge of a cybersecurity breach (“informed cyber-trading”).
Conceptually, such information arbitrage opportunities are eminently plausible, and
privately informed traders can typically exploit their information so long as there is
sufficient independent market activity (e.g., among liquidity or noise traders) to
provide “cover” for the informed arbitrageur. Thus, informed traders plausibly have
a strong incentive to take short positions against the hacked firms—positions that
should be observable in securities market activity. We test this proposition
empirically, making use of a novel data set of corporate data breaches involving
publicly traded companies. Using a variety of means to match breached firms against
comparators with no announced vulnerabilities, we find significant trading
abnormalities in the put option market for hacked firms, measured both through open
interest and trading volume. Our results, moreover, appear robust to a variety of
matching techniques as well as to cross-sectional and time-series analysis. We view
these results as consistent with the proposition that arbitrageurs tend to have early
notice of impending cybersecurity breach disclosures, and that they trade on the basis
of that information.

Although our principal focus is positive and empirical in nature, our findings
also hold relevance for larger normative / prescriptive debates about whether such
trading practices warrant additional legal proscription. Normatively, the debate over
how (or whether) securities law should regulate informed trading is complex,
balancing concerns over price discovery, liquidity, and allocative efficiency.
Informed cyber-trading shares many of these traits; but it also tees up other
efficiency concerns that are contextually unique. If significant arbitrage rents from
advance knowledge of cybersecurity risks were wholly undeterred, several

4 See, e.g., 18 U.S. Code §§ 1028A and 1030 (discussed infra in Section 4).


inefficient investment distortions plausibly follow, both by “hackers” (including
cybersecurity firms) attempting to expose vulnerabilities and introduce costs that
would not otherwise come to light; and by issuers themselves, anxious to expend
efforts to frustrate (or divert) hackers’ attention. Moreover, the profits obtained via
these trading opportunities may enhance hackers’ incentives to exploit security
vulnerabilities, leading to greater dissemination of stolen personal information,
impersonation and identity theft. These represent real economic costs not present in
garden variety information-trading contexts. Consequently, informed cyber-trading
plausibly justifies enhanced legal scrutiny of those who profit from the activity.

Nevertheless, several variations of informed cyber-trading appear to be perfectly
legal under current practices. To be sure, it is almost certainly unlawful for an agent
or fiduciary to trade on a firm’s material non-public information, or for third parties
to conspire to steal such information, or for a person to spread false information
about a cybersecurity risk in order to manipulate stock prices. That said, if third
parties were simply to use computer queries to access, discover, trade upon, and then
expose bona fide cybersecurity vulnerabilities (as Muddy Waters and MedSec were
alleged to have done), they would face little scrutiny under current law. They would
not violate market manipulation proscriptions, which require the introduction of
inaccurate information into the market.5 Nor would they appear to run afoul of
received insider trading theories, which still require the breach of a confidential or
fiduciary relationship (though courts are actively revisiting this requirement as of this
writing).6 Perhaps the closer match on liability grounds would be the provisions of
the Computer Fraud and Abuse Act (CFAA), which (notwithstanding its name) does
not require a showing of intent to defraud in order to trigger liability. But the CFAA
remains relatively untested in these contexts, and its remedies provisions are
generally limited to concrete remediation costs. In short, the task of redesigning law
to address the costs of informed cyber-trading is a sizable ask, posing a difficult
prospective challenge for policy makers and regulators alike.

Our analysis contributes to a growing literature on cyber-security threats in
law, economics and computer science, assimilating to a larger literature on informed
trading in securities markets. From a conceptual perspective, several contributions in

5 See, e.g., SEC v. Masri, 523 F. Supp. 2d 361, 373 (S.D.N.Y. 2007).
6 U.S. v. O'Hagan, 521 U.S. 642 (1997). Several federal courts have recently contemplated an
extension to insider trading doctrine to reach (so-called) “outsider traders”— informed traders who
are neither corporate fiduciaries nor have breached a confidential relationship, but who use deceptive
means to hack into another’s computer system. See, e.g., S.E.C. v. Dorozhko, 574 F.3d 42, 51 (2nd
Cir. 2009) ("misrepresenting one's identity in order to gain access to information that is otherwise off
limits, and then stealing that information is plainly deceptive within the ordinary meaning of the
word…. [D]epending on how the hacker gained access, it…could be, by definition, a deceptive device
or contrivance that is prohibited by Section 10(b) and Rule 10b-5.") Nevertheless, no court to our
knowledge has firmly embraced this expansion to date. We discuss this nascent strand of case law
(sometimes referred to as “outsider trading”) in Section 4, infra.
6 See, e.g., Gordon, Lawrence A., & Martin P. Loeb. “The economics of information security
investment.” ACM Trans. on Info. & Sys. Sec. (TISSEC) 5.4: 438-57 (2002) (reviewing literature).


computer science7 have developed frameworks for analyzing self-protection
decisions among firms that are potential cybersecurity risks, arguing that,
in a world of scarce resources, firms may optimally “triage” their self-protection
efforts based on a cost-benefit calculus. Such calculus can often give rise to
collective action problems of either under- or over-investment in protection,8 when
(say) interconnected firms within a network make individual decisions about
security. Others in information sciences have analyzed the problem from the
standpoint of timing,9 asking whether targets should invest pro-actively before an
attack or reactively afterward. If reactive investment is possible to mitigate an
existing attack (and the information of such an attack becomes known), it may well
be optimal to under-invest in proactive technology and utilize such mitigation efforts
once attacks are detected.

Although we are unaware of significant market pricing literature on informed
cyber-trading per se, the efficiency implications of informed trading have been richly
explored using seminal frameworks from information economics which demonstrate
how informed traders can simultaneously catalyze price discovery and impede
market depth and liquidity.10 Empirically, our analysis draws on a growing literature
in computer science identifying misconfiguration flags to predict vulnerability to
hacking, as well as estimating latency periods for cybersecurity vulnerability
breaches (of between one and twelve months before disclosure).11 Finally, the
sub-strand of the literature closest to ours studies how stock prices react to the disclosure
of cybersecurity breaches. One notable study in this area12 presents a meta-analysis
of 37 papers containing 45 empirical studies of the effect of information-security

7 See, e.g., Gordon, Lawrence A., and Martin P. Loeb. “The economics of information security
investment.” ACM Transactions on Information and System Security (TISSEC) 5.4 (2002): 438-457
(reviewing literature).
8 See Lelarge, Marc. “Coordination in network security games: a monotone comparative statics
approach.” IEEE Journal on Selected Areas in Communications 30.11 (2012): 2210-2219.
Kunreuther, Howard, & Geoffrey Heal. “Interdependent security.” J. Risk & Uncertainty 26.2-3
(2003): 231-249 (making a similar point using a framework based on a terrorism scenario);
Lakdawalla, Darius N. and Talley, Eric L., Optimal Liability for Terrorism (October 2006). NBER
Working Paper No. w12578. Available at SSRN: https://ssrn.com/abstract=935571 (similarly
applying such arguments to terrorism scenarios, and arguing that overinvestment in strategic target
hardening by potential victims may justify allowing attacked parties to lodge a cause of action against
non-attacked entities for over-protection).
9 See Böhme, Rainer, and Tyler Moore. “The “iterated weakest link” model of adaptive security
investment.” Journal of Information Security 7.02 (2016): 81.
10 See Kyle, Albert S. “Continuous Auctions and Insider Trading.” Econometrica 53:6 (1985), pp.
1315-1335; Milgrom, Paul & Stokey, Nancy, “Information, trade and common knowledge”. J. Econ.
Th. 26(1): 17–27 (1982); L.R. Glosten and P.R. Milgrom. “Bid, Ask and Transaction Prices in a
Specialist Market with Heterogeneously Informed Traders,” Journal of Financial Economics, 14:71–
100, 1985.
11 See Liu, Yang, et al. “Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents.”
USENIX Security Symposium 2015.
12 See Spanos, Georgios, and Lefteris Angelis. “The impact of information security events to the stock
market: A systematic literature review.” Computers & Security 58 (2016): 216-229. Zhang, Jing, et
al., “On the Mismanagement and Maliciousness of Networks.” NDSS. 2014.


breaches on public-company stock prices from 2003 to 2015. The authors find that
75.6% of the studies measure statistically significant stock-price reactions to the
disclosure of cybersecurity breaches. 20 out of 25 studies find negative and
significant stock-price reactions for victim firms, and none of these find significant
positive reactions for victim firms. Several other studies have found positive and
significant stock-price reactions for information security firms, plausibly reflecting
the additional demand for their services in the wake of security breaches. And,
consistent with our findings, at least one significant study finds evidence of pre-
announcement information leakages associated with cybersecurity vulnerabilities.13
That said, we are unaware of any prior study measuring trading patterns in the
months preceding the disclosure and the central legal implications of such patterns,
as we explore here.

An important caveat to our analysis warrants attention before proceeding.
Although our empirical results are strongly consistent with the type of informed
cyber-trading that occurred in the Muddy Waters / St. Jude episode, trading activity
by other market participants could produce similar results. If, for example,
employees or managers of the target firm discovered early evidence of a
cybersecurity breach or a vulnerability, they might also attempt to profit from that
information prior to disclosure, and their activity would similarly be observable in
our data. Although many of the policy considerations highlighted earlier would apply
to this type of trader too, existing law is already well equipped to deal with it – since
insiders at the firm typically owe duties of “trust and confidence,” the breach of
which will clearly trigger insider trading liability under current law. In many ways,
in fact, it is the curiously distinct legal treatment accorded insiders and outsiders in
this space that makes the topic an interesting one to ponder.

Our analysis proceeds as follows. Section 2 presents our core empirical
analysis of informed cyber-trading. Using a novel data set of publicly disclosed
cybersecurity incidents, we demonstrate unusual activity in the put-option market in
the weeks leading up to the disclosure, measured through “open interest” and trading
volume. Section 3 discusses the normative implications of our findings, arguing
that—relative to garden-variety informed trading—cyber-trading plausibly deserves
greater legal scrutiny under federal securities law. Section 4 delves further into
whether current legal institutions are equipped to take on the added threats of
informed cyber-trading. Here we argue that contemporary securities fraud and
computer fraud law appear, at least individually, unfit for the challenge, both
suffering from distinct forms of under-inclusiveness. While long-term statutory
reforms may provide a durable response, in the shorter term a more expedient elixir

13 See Arcuri, Maria C., Marina Brogi, and Gino Gandolfi. “The effect of information security
breaches on stock returns: Is the cyber-crime a threat to firms?” Eur. Fin. Mgmt. Meeting, 2014
(finding that the mean cumulative abnormal return to 128 cybersecurity disclosures is -.029 in the
(-20,+20) window, but shrinks to -0.003 in the (-1,1) window).


is likely to be maintaining the status quo, in which both doctrines play a supporting
role in concert with expert regulators (such as the SEC), who should remain
involved. Section 5 concludes.

2. Empirical Evidence of Informed Cyber-Trading


In this section, we dispense with the long-winded lawyerly prologue,14
cutting directly to the chase to (a) describe our approach for detecting informed
trading in advance of cybersecurity breach announcements; and (b) report on our
core empirical findings.

Data Sources
Our analysis marshals a unique data set of announced corporate data breaches
provided by the Identity Theft Resource Center (ITRC). Since 2005, the ITRC has
collected and published an annual list of data breaches “confirmed by various media
sources and/or notification lists from state governmental agencies.” The ITRC's data
breach report includes both exposure of personally identifying information—i.e., any
incident “in which an individual name plus a Social Security number, driver's license
number, medical record or financial record (credit/debit cards included) is potentially
put at risk because of exposure”—as well as exposure of usernames and passwords
that are not necessarily tied to an identifiable individual. One example of an ITRC
data breach report—for a 2015 breach of Hyatt Hotels—is reproduced in Figure 1:

Figure 1: Specimen Identity Theft Resource Center Data Breach Report (Hyatt Hotels 2015).

The categories of information included in the report are: (1) internal ITRC identifier
of the breach, (2) the company which was attacked, (3) the state in which that
company is located, (4) the date the breach was published, (5) the type of the breach,
(6) the category of the breach, (7) whether personal records were exposed, (8) how
many records were exposed, and (9) a textual description of the breach. In addition,
the ITRC provides details on the source of information about the breach, e.g., a news
media report or disclosure by (or through) a governmental agency.15

14 Dispirited lawyerly types can nonetheless savor the opportunity to luxuriate in the palaverously
doctrinal denouement comprising Section 4, infra.
15 State privacy laws often require companies to notify individuals whose personal information may
have been compromised (see, e.g., N.H. Rev. Stat. § 359-C:19). Moreover, specific federal laws


The ITRC identified 4,580 data breaches from 2010 to 2016. While the vast
majority of these incidents involve private companies, nonprofits and governmental
actors, out of this group, we were able to match 145 breaches to publicly traded
companies.16 To give a sense for the nature of the information contained in the
textual descriptions of these 145 events, Figure 2 presents a bi-gram word cloud,
which draws the most frequent consecutive word pairs in these descriptions with a
size proportional to the term’s frequency --- i.e., larger words appear more frequently
in the textual descriptions. As Figure 2 shows, the most popular terms in these
descriptions reflect information that would typically be the subject of a data breach,
i.e., personal information, email address, credit cards, addresses, social security
numbers, etc.

Figure 2: Bi-Gram Word Cloud for ITRC Data Breach Reports

In order to conclude that transactions involving these victims of data breaches
are not due to random chance alone, it is necessary to compare these data breaches to
some sort of baseline (i.e., a “control” group). Even if there were no trading on
corporate data breaches—for example, if we were to simply draw public companies
and calendar dates at random—some firms would still experience unusually large (or
small) trading activity for independent reasons. It is therefore necessary to establish a
baseline group that can serve as a counterfactual, a comparison set that allows us to


sometimes require disclosure, e.g., when health concerns are implicated (HIPAA), or if the breach is
sufficiently material to require disclosure by a publicly traded company under the securities laws.
Although there is no general duty to disclose all material information under the securities laws,
cybersecurity vulnerabilities may fall into one of the enumerated categories of material event
disclosure required under Form 8-K.
16 For reasons detailed below, we end up using a smaller sample to ensure adequate comparability
between firms and industries.


claim that but for the hacker-trader activities, target firms and the baseline group are
similar in all other relevant ways, at least on average. If but-for causation in this
sense appears to hold, then we are justified in concluding that observed differences
are attributable (at least in part) to hacker trading or tipping.

We examine two primary sources of data in order to measure possible hacker
trading and tipping. First, we consider approximately at-the-money (ATM) equity
put options written on the common stock of victim firms. An equity put option is
effectively a downside bet on a firm's stock: it gives its holder the right (but not the
obligation) to sell the firm’s stock at a specified price (the “strike price”) on a
specific expiration date (also known as the “maturity” date for the option). If one
denotes the strike price of a put option as $K$, its maturity date as $T$, and the firm’s
stock price on the maturity date $T$ as $S_T$, then the holder of a put option who acts
to maximize her payoff will receive the greater of $(K - S_T)$ or zero at the time of
expiry.17 In other words, she receives the difference between the strike price and the
stock price at maturity if the former exceeds the latter. If the stock price at maturity
is higher than the strike price, she will rationally not exercise the put option because
that would cost her money; she is better off doing nothing.18

Put options reflect a downside bet on the firm's stock because the value of a
put option increases as the firm's stock price at maturity decreases. Put simply, the
lower the stock price, the more the put option is worth: put options are thus
directionally negative bets on the value of the firm. Because the directional
implications of a data breach are unambiguously negative for a targeted firm --- that
is, one would be hard-pressed to find an example of a successful data breach that
should lead to an increase in the stock price of the victim firm --- put options are
likely to become more valuable upon revelation of a successful data breach. This
implies that market demand for put options may reflect that hackers or their “tippees”
may seek to exploit information, known only to them, about a successful data breach.
As noted above, we restrict our analysis to put options that are close to at the money
--- that is, they have a delta between 0.4 and 0.6.19 Within this range, the strike price
is likely to be relatively close to the current price of the firm's stock. We do so
because a put option that is out of the money is likely to be less responsive to
changes in the underlying price of the firm's stock.

17 For example, suppose the stock’s market price at maturity is $5 and one holds a put option with
strike price of $8. The holder can profit from this contract by (a) buying the stock at market price ($5)
and then exercising the option, delivering the stock to the option counterparty (for $8) and pocketing
the difference ($3).
18 The discussion in the text simplifies things a bit by presuming a “European” put option, which is
exercisable only on expiration. A similar (though slightly more complicated) analysis would attend
an “American” option, which is exercisable on any date up to (and including) the maturity date.
19 The delta of a put option refers to the sensitivity of the put’s value to changes in the underlying
stock price, or $|\partial p_t / \partial S_t|$.


We measure market demand for put options in two ways. The first is open
interest, which refers simply to the number of outstanding put-option contracts on the
stock of a particular underlying firm. The second is volume, which refers to the
quantity of put-option contracts that change hands between buyers and sellers over a
particular window of time. Both measure the extent to which traders in the market
are seeking to place downside bets on the prospects of victim firms.

In order to facilitate meaningful comparisons that are straightforward to
interpret, we aggregate our dataset to the firm-event level. That is, the unit of
analysis in our study is an average measure of trading in a given firm's put options
over a time window relative to a data breach event. For example, we refer below to
average open interest of put options for a particular firm over the two months prior to
disclosure of the data breach. If, hypothetically, there were two events and two firms
for each event, there would be four observations, each reflecting the average open
interest for each firm in the two months prior to each event. In the following
subsection, we describe how we design our empirical study to maximize the
reliability of inferences as to the link between corporate data breaches and the
demand for put options.

Empirical Design
We wish to evaluate empirically whether there is heightened trading in put
options prior to the announcement of corporate data breaches. To do so, we rely on
the well-developed literature on causal inference in empirical economics. To be sure,
our hypothesis is inherently descriptive in nature---we do not suppose that data
breaches causally increase put option trading, but rather that individuals who are
aware of data breaches prior to the rest of the market may be directly trading or
tipping others as to the presence of these vulnerabilities prior to disclosure. Formally
speaking, this thesis requires only a correlation between the execution of corporate
data breaches and market demand for put options.
Nonetheless, we are aware that an analysis of this sort is vulnerable to
spurious correlations. The problem of forming a valid counterfactual—what level of
put option trading would have emerged even in the absence of a data breach—is a
vexing challenge that applies to our study just as much as with a classical causal
inference project. For this reason, we employ methods to estimate the average
treatment effect of data breaches, keeping in mind the importance of forming a valid
counterfactual to evaluate whether observed put option demand can actually be
attributed to data breaches.
We thus estimate two basic kinds of empirical designs, each of which relies
on a different dataset. The first is a cross-sectional estimation, which simply asks: is
there a heightened level of open interest and trading volume in the put options of
data breach targets, prior to revelation of the data breach by the victim firm? To
minimize the likelihood that this simple comparison between firms for each event is
contaminated by other events that may give rise to put option trading, this estimation
focuses on the two months immediately preceding announcement of the data breach.
In this specification, we ask whether the average level of open interest and trading
volume during this two-month period is higher for firms that are the victims of data
breaches. As described below, we employ propensity-score matching20 to ensure that
treatment and control firms are as similar as possible.
This cross-sectional specification, however, is vulnerable to the critique that
firms may differ for unobserved reasons that can lead to greater overall demand for
put options. To address this concern, we consider an alternative difference-in-
differences design, which allows each firm-event in our dataset to have a baseline
level of open interest and trading volume of put options. In this difference-in-
differences specification, we compare the change in open interest and volume of put
options from a baseline period --- eight to sixteen months prior to announcement of
the data breach --- to the period of interest --- eight months prior to the day of
announcement.
In our difference-in-differences design, we use this eight-month cutoff for
two reasons. First, this corresponds roughly to the average period of time during
which a hacker is aware of a successful data breach.21 Moreover, a visual inspection
of the data shows that this is also approximately the time when time trends begin to
diverge between treatment and control firms---prior to this point, they are roughly
parallel, as we show below.
We aggregate pre-post differences to the firm-event level and compare these
differences between treatment and control firms. As with the cross-sectional design,
we employ propensity score matching on observable firm-level covariates, measured
as of the year prior to the attack, to ensure that similar firms are compared to each
other. This heightens the plausibility of the counterfactual inference that treatment
and control firms would have similar counterfactual outcomes. Along with showing
that the parallel trends assumption is satisfied, this evidence suggests that observed
differences in put option trading are likely to be linked to corporate data breaches
and not spuriously arising as a result of other differences between firms.
As noted previously, both of our specifications employ propensity-score
matching, 22 which matches each treatment observation to one or more control
observations which are similar along several covariates. We generate a propensity
score and thus matching observations by estimating a logistic regression on the
following covariates: (1) 4-digit SIC industry code (i.e., an indicator for each), (2)
log of market capitalization, (3) log of total assets, (4) log of net income, and (5) log
of total liabilities. In our view, it is essential to compare within industry because
firms in different industries are very different from each other.

20 See Abadie, A. and Imbens, G. W. (2006), Large sample properties of matching estimators for
average treatment effects. Econometrica, 74(1):235–267.
21 Research by Symantec has shown that hackers tend to exploit security vulnerabilities for an average
of ten months prior to discovery by the affected firm (Bilge and Dumitras, 2012).
22 See Abadie & Imbens, supra n. __

Table 1: Summary Statistics: Cross-Sectional Dataset

Table 2: Summary Statistics: Difference-in-Differences Dataset

For these reasons, we are forced to drop those firms in industries which are too small
to allow for obtaining a meaningful matched control group. Indeed, while many of
these smaller industries contain several firms, many small-cap firms are too illiquid
to have frequent options trading. Limiting the sample to those firms for which we
have sufficient information over the relevant time periods yields 46 treatment
firm-event pairs and 3,319 control firm-event pairs in the cross-sectional dataset
and 51 treatment firm-event pairs and 3,425 control firm-event pairs in the
difference-in-differences dataset. 23 Tables 1 and 2 present summary statistics on
these datasets.
The validity of our propensity-score matching method to estimate causal
effects turns on the extent to which the treatment and control groups are balanced,
that is, likely to exhibit the same counterfactual outcomes even in the absence of
treatment. Of course, there are a relatively small number of public companies with
liquid options in each 4-digit SIC code industry, so any matching procedure will fall
short of achieving perfect balance. Nonetheless, we perform a series of tests to verify
balance in the distribution of treatment and control firms.
We begin by visually comparing the distribution of the propensity score for
both the cross-sectional and difference-in-difference datasets when estimated using
the full set of covariates. Figure 3 shows this distribution before and after matching
for the cross-sectional and difference-in-difference datasets, respectively. 24 The
similarity in the density of the two propensity scores suggests that the two groups are
balanced on the propensity score.

Figure 3: Propensity Score Balance Tests for Cross Sectional (Left Panel) and Difference-in-
Differences Data Sets (Right Panel). In both left and right panels, the density of propensity scores is
plotted for treatment groups (solid lines) and control groups (dashed lines), comparing the raw
controls with the propensity-score matched observations.
Due to the relatively small number of public firms with liquid equity options
in each SIC code, achieving greater balance on one covariate inevitably involves a
loss of balance on another (to some extent). For this reason, in a later subsection, we
present results using propensity-score matching on individual covariates, as well as
all of the covariates together, to illustrate that the results do not depend on which
covariates are included.

23 The latter contains more firms than the former because it covers a longer time period.
24 In these figures, the propensity score is estimated on the subsample which contains nonzero open
interest, but the results are virtually identical when estimating on the subsample that contains nonzero
trading volume.


Table 3 compares covariate means in the cross-sectional and difference-in-
differences dataset between the raw and matched samples. While the matching is
unable to achieve perfect balance across all of the covariates simultaneously, this
table shows that each specification leads to near-perfect balance on a different
covariate. As shown below, the consistency of the coefficient estimates across these
different specifications in significance and magnitude strongly suggests that the
results are not driven by spurious variation in covariate balance.
Cross Sectional Matching

Difference in Differences Matching

Table 3: Balance Test on Individual Covariates for Cross Sectional (upper panel) and Difference-in-
Differences (lower panel) matched-sample specifications. The raw mean in the largest possible
subsample for each covariate is given in the first column. While the matching is unable to achieve
perfect balance across all of the covariates simultaneously, this table shows that each specification
leads to near-perfect balance on a different covariate.

Cross-Sectional Analysis
We begin by estimating the average treatment effect (“ATE”) for the targeted
firms by propensity score matching 25 them with non-targeted comparators over a
variety of economic indicia. Normalizing the disclosure date to 0 for all breached
firms, we compare (logged) open interest and (logged) volume of targeted firms to
their matched counterparts over the interval [-60,0], corresponding to approximately
the two-month period that precedes the first disclosure of the data breach.26 Here, our
identification strategy is based on the assumption that this interval is likely to be
unknown to anyone other than the hacker (and its tippees) and corporate officers who
may have become aware of the data breach. First, we estimate the difference in log
open interest on outstanding put options between treatment and control firms for a
variety of matching covariates. The results are shown in the following Table:

Table 4: Cross Sectional Estimation; Log Open Interest

25 See Abadie & Imbens, supra n. __
26 We show below that the results are not driven by the choice of this interval.

As the first row of Table 4 illustrates, there is an average increase of between .36 and
.75 log points in the open interest of the put options written on target firms, and the
result is consistent and statistically significant across specifications. To get an
intuition behind the economic significance of the coefficients reported above, recall
from Table 1 that the mean log open interest was around 4.60. Thus, an open-interest
coefficient estimate of 0.7 in the full model (see Column 4) corresponds to roughly
0.70/4.60 = 15% of the mean logged open interest.
Next, we estimate differences in log trading volume of outstanding put
options between treatment and control firms. The results are shown in Table 5. As
the Table shows, there is an average increase of between .53 and 1.28 log points in
trading volume of put options written on target firms. The result grows in both
magnitude and significance as additional covariates are included in the propensity
score matching, indicating that initial statistical insignificance may embody
estimation noise driven by over-weighting of firms that are dissimilar.


Table 5: Cross Sectional Estimation; Log Volume

As to the economic significance of these coefficients, recall from Table 1 that the
mean log volume was 1.62. Thus, the point estimate of 1.28 in the full model
corresponds to roughly 79% additional trading volume of put options in the targets of
corporate data breaches relative to the control group. All told, in addition to their
statistical significance, our cross-sectional estimates for both open interest and
volume appear to represent relatively large economic effects as well.
Although Tables 4 and 5 already perform some robustness analysis as to our
matching covariates, we also conducted a robustness check on our propensity score
method. Specifically, we re-estimated the treatment effect with all covariates across
three other matching schemes for identifying treatment effects: inverse-probability
weighting, 27 inverse-probability weighting with regression adjustment, 28 and
regression adjustment.29 The results are shown in the panels of the following Table,
which demonstrates significant consistency across scoring methodologies.

27 See Imbens, G. W. (2000). The role of the propensity score in estimating dose-response functions.
Biometrika, 87(3):706–710.
28 See Wooldridge, J. M. (2007). Inverse probability weighted estimation for general missing data
problems. Journal of Econometrics, 141(2):1281–1301.
29 See Lane, P. W. and Nelder, J. A. (1982). Analysis of covariance and standardization as instances
of prediction. Biometrics, pages 613–621.

Log Open Interest

Log Volume

Table 6: Alternative Matching Methods; Cross-Sectional Analysis; Log Open Interest (upper
panel) and Log Volume (lower panel)


We also explored whether our results are an artifact of the two-month interval
[-60,0], re-estimating the models matching on the full set of covariates using a
variety of time event windows. The results for open interest and volume are shown in
the following Table.
Log Open Interest

Log Volume

Table 7: Alternative Time Horizons; Cross-Sectional Analysis; Log Open Interest (upper panel)
and Log Volume (lower panel)


While it is clear from Table 7 that some subsamples yield higher t-statistics
than others, the point estimates are consistent in sign and magnitude regardless of the
time window.

Difference-in-Differences Analysis
One potential concern with the results in the prior Section is that no matter
how careful we are in matching treatment with control firms, our treatment firms
could still differ from our controls on some durable, unobserved dimension(s). To
address this concern, we estimate a difference-in-differences specification which
estimates a baseline level of open interest and volume on outstanding put options of
target firms over the interval [-480, -240], i.e., approximately sixteen months to eight
months prior to disclosure of the data breach. 30 Our D-in-D design compares
treatment-control differences during this baseline period to the analogous differences
over the interval [-240, 0], i.e., approximately eight months prior to disclosure up to the
date of announcement. As explained previously, we aggregate the change in the log
average open interest and log volume of put options between the two periods by
firm-event, so there is one observation per firm-event. We then employ propensity
score matching with robust standard errors to ensure that treatment and control firms
are as balanced as possible on observable covariates and proceed to estimate the
ATE on this outcome (i.e., the difference in log open interest and log volume).
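
The design described above can be traced end to end on a small sample. The following is an added example, not the authors' code: it aggregates each firm-event to one pre-post change in log average open interest, fits a propensity score by logistic regression, and compares each treated firm with its nearest same-industry control. The firm ids, covariate values, trends and the 0.30 injected effect are constructed, only two of the five covariates are used, and the SIC code is handled by exact matching rather than as an indicator in the logit.

```python
import math

BASELINE, RUN_UP = (-480, -240), (-240, 0)  # day offsets; disclosure day = 0

def log_avg(series, lo, hi, closed_right):
    """Log of mean daily put open interest over [lo, hi) or [lo, hi]."""
    vals = [oi for day, oi in series
            if lo <= day < hi or (closed_right and day == hi)]
    return math.log(sum(vals) / len(vals))

def pre_post_change(series):
    """Firm-event outcome: run-up log average minus baseline log average."""
    return log_avg(series, *RUN_UP, True) - log_avg(series, *BASELINE, False)

def standardize(rows):
    """Center and scale each covariate column so gradient ascent is stable."""
    cols = list(zip(*rows))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) for c, m in zip(cols, mu)]
    return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))  # clamp avoids overflow

def propensity_scores(X, treated, steps=500, lr=0.5):
    """Logistic regression of treatment on covariates; returns P(treated | x)."""
    Z = standardize(X)
    w = [0.0] * (len(Z[0]) + 1)  # intercept first
    for _ in range(steps):
        grad = [0.0] * len(w)
        for z, t in zip(Z, treated):
            err = t - sigmoid(w[0] + sum(a * b for a, b in zip(w[1:], z)))
            grad[0] += err
            for j, v in enumerate(z):
                grad[j + 1] += err * v
        w = [wj + lr * g / len(Z) for wj, g in zip(w, grad)]
    return [sigmoid(w[0] + sum(a * b for a, b in zip(w[1:], z))) for z in Z]

def estimate(firms):
    """Return (matched effect on the treated, naive difference, matches)."""
    scores = propensity_scores([f["x"] for f in firms], [f["treated"] for f in firms])
    for f, p in zip(firms, scores):
        f["ps"], f["dy"] = p, pre_post_change(f["series"])
    treated = [f for f in firms if f["treated"]]
    controls = [f for f in firms if not f["treated"]]
    pairs, gaps = {}, []
    for t in treated:
        pool = [c for c in controls if c["sic"] == t["sic"]]  # same industry only
        if not pool:
            continue  # no comparable control, so the firm-event is dropped
        match = min(pool, key=lambda c: abs(c["ps"] - t["ps"]))  # 1-NN, with replacement
        pairs[t["id"]] = match["id"]
        gaps.append(t["dy"] - match["dy"])
    naive = (sum(t["dy"] for t in treated) / len(treated)
             - sum(c["dy"] for c in controls) / len(controls))
    return sum(gaps) / len(gaps), naive, pairs

def make_series(base, growth):
    """Constructed series sampled every 10 days: flat, then scaled by `growth`."""
    return [(d, base * (growth if d >= -240 else 1.0)) for d in range(-480, 1, 10)]

EFFECT = 0.30  # constructed abnormal run-up (log points) injected into treated firms

def build_sample():
    """Constructed firm-events: (id, SIC, log mkt cap, log assets, trend, treated)."""
    spec = [
        ("T1", "7372", 10.0, 9.5, 1.10, 1), ("T2", "7372", 10.0, 9.5, 1.10, 1),
        ("T3", "6020", 10.5, 11.0, 0.95, 1),
        ("C1", "7372", 10.0, 9.5, 1.10, 0), ("C2", "7372", 7.0, 6.5, 0.90, 0),
        ("C3", "7372", 7.2, 6.8, 0.90, 0), ("C4", "7372", 6.8, 6.1, 0.90, 0),
        ("C5", "6020", 10.5, 11.0, 0.95, 0), ("C6", "6020", 7.5, 8.0, 0.80, 0),
        ("C7", "6020", 7.4, 8.3, 0.80, 0), ("C8", "6020", 7.7, 7.9, 0.80, 0),
    ]
    firms = []
    for fid, sic, mcap, assets, trend, tr in spec:
        growth = trend * (math.exp(EFFECT) if tr else 1.0)
        firms.append({"id": fid, "sic": sic, "x": [mcap, assets], "treated": tr,
                      "series": make_series(1000.0, growth)})
    return firms

if __name__ == "__main__":
    att, naive, pairs = estimate(build_sample())
    print(f"matched: {att:.3f}  naive: {naive:.3f}  pairs: {pairs}")
```

Because the constructed small controls trend downward, the unmatched comparison overstates the injected effect, while the matched comparison recovers it.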

The key identifying assumption of a difference-in-differences analysis is that
treatment and control firms follow parallel trends in the matched sample. We plot
these parallel trends on log open interest in the following Figure:

Figure 4: This figure plots time trends for log average open interest (left panel) and trading volume
(right panel) on put options between treatment and control firms in the matched sample. The
pre-treatment period (in days) is the interval [-480, -240), and the post-treatment period is the
interval [-240, 0].

30 We show below that the results are not driven by the choice of this specific interval.

An eyeballing assessment of these parallel trends figures suggests that,
indeed, the two groups appear to follow parallel trends prior to divergence during
this eight-month period preceding disclosure of the data breach. This strengthens the
causal interpretation of differences during this eight-month period. The parallel trend
graph for open interest clearly shows the increase in the number of outstanding put
options in the treatment group. Differences in volume, on the other hand, seem
driven by a decrease in the control group. (We note that both represent valid
identification approaches for inferring average treatment effects in a difference-in-
differences design.)
Proceeding to the statistical analysis, as before we first estimate the
difference in pre-post differences of log open interest / log volume between
treatment and control firms. The results of each estimation are shown in Table 8. As
can be seen from the upper panel of the table, for open interest we estimate an
average treatment effect of between .26 and .32 log points in the pre-post difference
in open interest of put options written on target firms, and the result is consistent and
statistically significant across nearly every specification. The only insignificant
specification has the fewest covariates included, but the point estimate is similar and
thus the insignificance is likely to be driven by noise in the data. Similar results
emerge from our volume estimations (bottom panel), where we find an average
positive treatment effect of between .23 and .36 log points. 31 As with the cross-
sectional estimation, the result is significant and increases in magnitude as additional
covariates are included in the propensity score matching, indicating that initial
statistical insignificance may simply reflect estimation noise driven by over-
weighting of firms that are more different from each other.
As with our cross-sectional estimations, we test how sensitive these results
are to the propensity-score matching method. Specifically, we re-estimate the
average treatment effects from Table 8 with all covariates, again using three distinct
alternative methods for matching. These sensitivity tests are illustrated in Table 9
below. As before, we continue to find that our results are largely robust, remaining
positive and significant for nearly every matching method, and similar in magnitude
to the propensity-score estimation.

31 Comparing to the summary statistics in Table 2, the economic significance of the estimated
coefficients is somewhat smaller than in the cross-sectional analysis; but it is still appreciable.

Log Open Interest

Log Volume

Table 8: Difference in Differences Estimation; Log Open Interest (upper panel); Log Volume (lower
panel)


Log Open Interest

Log Volume

Table 9: Alternative Matching Techniques; Diff-in-Diff; Log Open Interest (upper panel) and Log
Volume (lower panel)


Finally, as above, we consider whether the results are robust to our choice of
the interval in the Difference-in-Differences approach, altering the “pre” / “post”
treatment specifications. The re-estimated results using a variety of different time
horizons for open interest and volume are shown in the following Table:
Log Open Interest

Log Volume

Table 10: Alternative Time Horizons; Difference-in-Differences Analysis; Log Open Interest (upper
panel) and Log Volume (lower panel)


While some subsamples yield higher t-statistics than others, all point estimates are
consistent in sign and magnitude regardless of the time window.
All told, our empirical analysis uncovers relatively pronounced evidence of
market trading abnormalities in the options market prior to the public disclosure of a
cybersecurity threat. While the magnitude of the effect varies (as it invariably does)
with the precise estimation methodology, our results appear to be robust across the
conventional alternative candidates. Although we are tempted at this stage simply
to call it a day—relegating the practical details of policy responses to some unnamed
future commentator—our professional duty (or our authorial zeal) impels us further
to ask (a) whether the findings above pose a normative problem that securities law
should address; and (b) if so, whether the tools already exist and/or are being
developed for the task at hand. It is to these questions we now turn.

3. Normative Implications: Is Cyber-Trading Special?


Having detailed the empirical evidence that informed cyber-trading appears
to occur in practice, we now turn to the “so what?” question: That is, does informed
trading in advance of a cybersecurity breach disclosure raise important and
idiosyncratic policy concerns for the efficient operation of capital markets? If it
does, then there would be a prima facie efficiency case for tailoring legal rules in
order to account for cyber-trading concerns. If, in contrast, the concerns raised by
informed cyber-trading are largely identical to those of “garden variety” information
trading contexts, then there would be no reason to treat the activity with any special degree
of legal or regulatory scrutiny.
In the policy debate surrounding informed securities market trading—as well
as how/whether it should be regulated legally—finance-oriented commentators have
advanced at least four policy dimensions worthy of attention32: (1) price discovery,
(2) distributional fairness, (3) market liquidity, and (4) allocative efficiency. We
discuss each in turn below. Our analysis suggests that while informed cyber-trading
does not seem particularly special when viewed against any of the first three
dimensions on this list, it raises potentially unique efficiency concerns as to the
fourth, plausibly justifying sui-generis regulatory scrutiny.

32 See, e.g., Jonathan R. Macey, Insider Trading: Economics, Politics, and Policy 21-47 (AEI Press
1991). Another relevant policy dimension concerns strategic incentives of corporate insiders
themselves (such as whether to delay disclosure of information in order to permit informed trading).
Id. We exclude these considerations here, since the predominant set of issues concerns non-statutory
insiders.

Price Discovery
Consider first the desideratum of pricing efficiency: i.e., the proposition that
capital markets should be structured to facilitate the systematic adjustment of prices
to incorporate relevant information about the “fundamentals” underlying traded
securities. When satisfied (at least roughly), pricing efficiency assists market
participants in making sound portfolio choices, and it helps firms to finance value-
enhancing projects. Indeed, as has long been known (and celebrated) by economists,
market prices are often an excellent mechanism to summarize and convey
information about the underlying economic attributes of an asset (e.g., its scarcity,
riskiness, etc.), a benefit that frees many market participants (though perhaps not all)
from the costly task of having to investigate and verify such matters directly.33 A
closely related corollary to pricing efficiency follows immediately: that it is
preferable for securities prices to adjust rapidly as market and company
fundamentals change, rather than on a delayed or attenuated basis (where pricing
inaccuracies persist). Such rapid price “discovery” ensures that relevant information
about market fundamentals flows to individuals as quickly as possible, further
enabling them to make sound portfolio choices.
To the extent one views price discovery as important (and most economists
do), it typically counsels for a permissive stance on informed trading. Although most
securities markets are thought to reflect relevant publicly available information
(sometimes called “semi-strong” efficient), informed trading can sharpen that
accuracy by hastening the incorporation of new information into market price. If
informed traders are permitted to trade freely on the basis of their information, the
argument goes, their own trading activity will systematically drive up (or down) the
price of a financial asset whenever it is under- (or over-) priced based on the newly-
arrived information. 34 Indeed, not only will the prospect of arbitraging the
information be attractive to such traders, but it will also motivate at least some of
them to monitor new information in the first place. The ensuing price change
effectively transmits the import of that new information to other market participants,
providing a public good that enhances overall pricing efficiency.
Informed cyber-trading shares many of these traits. Given a known
vulnerability that will soon be disclosed, informed trading induces market prices to
approach fundamentals. Moreover, one might argue, the ability to profit from that
information helps induce aspiring arbitrageurs to discover information about
vulnerabilities. Thus, in our view, the relative merits of informed trading for price
discovery remain relatively consistent (at least on first approximation) when one
compares informed cyber-trading to garden variety information trading. There does
not seem to be much of a compelling argument—at least on the basis of this
desideratum—that counsels for more rigorous relative scrutiny.

33 See, e.g., F.A. Hayek, The Use of Knowledge in Society, 35 Am. Econ. Rev. 519, 528 (1945). It is
worth noting, of course, that when the set of underlying economic attributes at stake is sufficiently
varied and rich, price—a unidimensional piece of information—may become a less reliable
embodiment of such attributes. See, e.g., A. Chakraborty & Bilge Yılmaz, “Manipulation in Market
Order Models.” Journal of Financial Markets, 7(2): 187–206 (2004).
34 See, e.g., Manne, Henry, Insider Trading and the Stock Market (1966); Macey, supra note __.

Distributional Fairness
The desideratum of pricing efficiency just discussed consciously accepts the
reality that the price discovery process will—by definition—produce (informed)
winners and (uninformed) losers in individual trades, and that their interaction
through the market will provide a public good of price discovery. From a pure
Kaldor-Hicks efficiency perspective, this outcome seems eminently defensible, since
winners and losers in the trading market are largely engaged in making / receiving
transfer payments from one another—activities that play a neutral role in efficiency
calculus. At the same time, to the extent that one’s measure of economic welfare also
places weight on distributional equity, 35 the transfer payments that facilitate price
discovery may matter too—particularly if the identity of the winners and losers in
this process is highly correlated across trades and over time, permitting certain
traders to make systematic arbitrage rents at the expense of others. To the extent that
winning and losing is systematic in information trading, the prospect of a
consistently unlevel playing field in securities markets might well be a significant
welfare cost of price discovery—one that attenuates the case for pursuing perfect (or
near perfect) pricing efficiency.36
Although economic-minded commentators vary in the extent to which they
value distributive equity concerns in the context of informed trading, 37 resolving this
longstanding disagreement proves unnecessary here: for distributive fairness
concerns—while plausibly relevant—shed little additional light on the problem in
the context of informed cyber-trading. To be sure, given the scarcity of
programming/hacking talent and access to large trading platforms, it is plausible that

35
See, e.g., Hal R. Varian, “Distributive Justice, Welfare Economics, and a Theory of Fairness,” 4
Philosophy and Public Affairs 223-47 (1975) (advancing such a theory).
36
It should be noted that the “level playing field” rationale for securities law—a rough proxy for
distributive fairness—has largely been rejected as a formal statutory goal by courts. See, e.g.,
Chiarella v. United States, 445 U.S. 222 (1980) (rejecting the “level playing field” desideratum
advanced by the SEC). Remaining mindful of the difference between “is” and “ought,” however, it is
worthwhile pondering fairness anyway, since it remains a relevant normative criterion from a policy
perspective.
37
See generally Michael J. Fishman; Kathleen M. Hagerty, “Insider Trading and the Efficiency of
Stock Prices,” 23 RAND J. Econ. 106-122 (1992); Kim Krawiec, “Fairness, Efficiency, and Insider
Trading: Deconstructing the Coin of the Realm in the Information Age,” 94 N’Western L. Rev. 443
(2001). There is also a longstanding debate about whether distributional fairness concerns—even if
relevant from a welfare perspective—should enter into liability standards at all, or rather should be
capitalized into tax-and-transfer systems. See Louis Kaplow & Steven Shavell, Fairness Versus
Welfare (Harvard Press 2002). This argument is particularly unhelpful here, however, since securities
markets are global and many participants are beyond the taxing authority of any single governmental
actor.

Electronic copy available at: https://ssrn.com/abstract=3107123


MAR. 2018 INFORMED TRADING AND CYBERSECURITY BREACHES 26

informed cyber-traders may enjoy systematic rents across firms, across transactions
and over time. It is also plausible that their informed trades bring information of
tremendous value to the market through the pricing mechanism, tipping off not only
uninformed traders but also the firms themselves about the risk of a hack. That said,
a similar (if not identical) set of tradeoffs appears manifest in virtually any informed
trading context. Consequently, there does not appear to be a compelling reason to
accord greater (or lesser) scrutiny to informed cyber-trading than any other type of
informed trading activity.

Market Liquidity
A third consideration that often attends the insider trading debate—and one
that combines the two aforementioned concerns—concerns market liquidity. To the
extent that informed parties are allowed to participate in market trading, they will
typically transact their business alongside or with uninformed market participants,
who know that they stand a large chance of being taken advantage of through their
trades. In markets known to be populated with information traders, however,
uninformed market participants can become understandably reluctant to trade.
Indeed, the very fact that a (possibly) informed trader wishes to buy/sell a financial
asset may itself constitute a strong signal that one stands to lose by serving as
counterparty to the proposed transaction. In fact, in the extreme case where the
predominant driver of trade is private information, trading among uninformed
counterparties can shut down completely, leading to the near collapse of a market38 –
a consequence that is, ironically enough, deeply antithetical to price discovery.
Informed traders, therefore, play simultaneously heroic and parasitic roles in their
relationship with other traders: They heroically contribute to price discovery; but
they parasitically require liquidity-trader participation in order to make information
arbitrage profitable, since their very presence can systematically deter such
participation. 39 Consequently, even when pricing efficiency is of vital importance
and distributive equity concerns are assumed away, it may be efficiency enhancing
for market regulators to embrace a compromise where information trading is
permitted, yet limited in magnitude to a level that does not engender market
dysfunction or illiquidity.40
As above, however, the importance of depth and liquidity in capital markets
in the context of informed cyber-trading does not seem systematically distinct from
its importance in the general context of informed trading. In both cases, extreme
prevalence of private information can cause markets to seize up, thereby justifying
(at least potentially) some outer limits on the ability of participants to exploit
information advantages. Though the precise boundary that such limits should demark

38 Milgrom & Stokey, supra n. __
39 See Kyle, supra n. __
40 See Stoll, supra n. __; Glosten & Milgrom, supra n. __.


is far from clear, there is also little reason to think that its location is dramatically
different in the context of informed cyber-trading.

Allocative Efficiency
Finally, informed trading in securities markets can foment a host of different
issues related to allocative efficiency, in which market participants may incur costly
expenditures in order to facilitate and/or prevent the transfer payments that attend
information arbitrage. Aspiring informed traders, for example, may overinvest in
acquiring inside information about existing (but as-yet-undisclosed) risks, or in
keeping such information proprietary, hoping to exploit it maximally for personal
advantage. Potential market counterparties, in turn, may respond by overinvesting
themselves, suspicious that their counterparty is an informed trader attempting to
exploit their ignorance. The issuers, too, might get into the mix, attempting to avoid
the costs and embarrassment of having a third party expose a latent problem or risk.
In the end, prices would no doubt be exceedingly accurate, reflecting (and quickly
adjusting to) each new change in information. But such pricing efficiency provides
little if anything in the way of public goods, since market participants have little to
learn, having already incurred substantial costs to acquire that information directly.41
As with the analysis above, informed cyber-trading shares several of the
same allocative efficiency concerns as those that apply to the more general
information-trading scenario: Traders and firms may have similar sorts of incentives
to invest “too much” (from a social perspective) in divining latent facts. We submit,
however, that at least two additional considerations make informed cyber-trading
different—and in many respects more worrisome—than the general case. They are as
follows:
• First, unlike the garden-variety case of informed trading—where the underlying
new information happens independently—with informed cyber-trading the new
information is, in a meaningful respect, an endogenous harm that is substantially
“created” by the hacker to be visited on the firm. Where the hacker actively steals
proprietary data (such as employee social security numbers), this endogeneity is
obvious. But even when the hacker merely exposes an existing vulnerability, the
hacker’s actions are still akin to imposing a harm on the target. For example, the
underlying vulnerability exposed might have gone undetected for the foreseeable
future, had it not been for the prospect of extracting cyber-trading rents.
Moreover, the cybersecurity vulnerability—once exposed—can easily
compound, furnishing a digital roadmap for countless nefarious actors seeking to
exploit the target’s likely vulnerabilities. 42 (Even if the target is able to conjure

41 See Zohar Goshen & Gideon Parchomovsky, “On Insider Trading, Markets, and ‘Negative’
Property Rights in Information,” 87 U. Va. L. Rev. 1230 (2001).
42 Muddy Waters’ research report on St. Jude, for example, contained a detailed 34-page description
of how to exploit two different vulnerabilities in the St. Jude pace-makers, including step-by-step


up a quick fix for the specific hack disclosed, its software vulnerability may be
far more systematic, and in any event the exposed firm often becomes target
practice for other hackers in the wake of the initial disclosure, driving the cyber-
trader’s profits higher still.) In many respects, then, the hacker creates and then
imposes a unique harm on the targeted company—one that is qualitatively
different from garden-variety “exogenous” information shocks serendipitously
observed by an information trader. Allowing a coordinated hacker-trader team to
capture these arbitrage gains, then, would implicitly subsidize the very harm-
creating activity that is being “discovered” in the first instance.
• Second, and relatedly, when hackers have an enhanced incentive to create such
harms, targets also have an enhanced incentive to undertake costly precautionary
measures meant to deter (or divert) hacker activity. In many situations, such
undertakings can be considerable, such as investing in added internal cyber-
hacking squads, or offering attractive third-party “bounties” to those who detect
and bring forward unknown vulnerabilities. These incentives are perhaps
maximal in instances where a target’s risk of hacking increases when it is
identified as the “weakest link” among potential targets. For in such settings, a
type of “arms race” to self-protect can ensue among potential targets, whereby
each effectively “doubles down” on the equilibrium influence costs borne by
hackers and targets alike.43
Informed cyber-trading therefore raises unique allocative efficiency
considerations relative to garden-variety information trading. Consequently, policy-
minded legal actors might do well at least to consider whether—in the light of these
sui-generis costs—informed cyber-trading warrants heightened scrutiny by courts. In
the next section, we consider whether legal institutions under the status quo are up to
the task.

4. Prescriptive Challenges
The previous sections have established (a) that informed cyber-trading in the
securities markets occurs at a statistically and economically significant scale, and (b)
that the practice raises certain idiosyncratic policy concerns that are not generically
present in canonical cases of informed trading. In the light of these observations, we now
turn to the prescriptive question of how legal institutions might address informed
cyber-trading in those circumstances where policy concerns justify special scrutiny.
More concretely, our approach here is to inform the pragmatic discussion as to (a)
whether current law acts to deter informed cyber-trading, and (b) if not, how

instructions detailing even what type of equipment to purchase on internet shopping sites (such as e-
Bay) to consummate the hack. See Muddy Waters Research Report, supra note 1, at 2-9.
43 We consider these incentives in detail in a technical companion piece. See Mitts & Talley,
Informed Trading and Cybersecurity Breaches: Technical Companion (unpublished manuscript 2017)
(available from authors upon request).


one might adapt current legal institutions to address more effectively informed
cyber-trading activity. We will advance the thesis that—outside of certain special
contexts—under current law the prospect of trader liability is a surprisingly
tenuous fit with normative policy concerns, and is more frequently either ineffectual
or. The two most promising ways to adapt current law to address informed cyber-
trading—extending insider-trading liability to “outsiders,” or expanding the reach of
the Computer Fraud and Abuse Act (CFAA)—both fall short (in different ways) in
addressing the distinct normative quandaries raised by the practice.44
To frame and situate our prescriptive discussion, consider Table 11 below,
which subdivides the legal policy question by positing the possibility that the hacker
and the trader may be different persons with different individual interests:

Table 11: Representation of Hacker’s and Trader’s Interaction

The columns of the Table posit that the objectives of the “hacker” (a term we use
broadly, to include both “white hat” and “black hat” hackers) can be motivated either
by a desire (i) to exploit the target’s vulnerabilities in order to steal data; or (ii)
merely to detect and publicize the target’s vulnerabilities. The rows, in contrast,
denote the trader’s interaction with the hacker, distinguishing contexts where the
trading entity is either (i) independent from the hacker (e.g., it learns of the hack
through independent means) or (ii) directs, coordinates or transacts with the hacker
in pursuit of a common aim.45 (While intermediate interests / degrees of
coordination are no doubt possible, Table 11 represents an adequate first
approximation for our analytic task.)

44 The discussion below seems particularly timely in the light of the recent high-profile cybersecurity
breaches, including the attack on the SEC's EDGAR website, a database of draft corporate filings – a
natural goldmine for hackers seeking material nonpublic information ("MNPI") prior to public
disclosure. Hannah Kuchler, Hackers Target Weakest Links for Insider Trading Gain, FINANCIAL
TIMES (Oct. 3, 2017), https://www.ft.com/content/13a317ce-a561-11e7-9e4f-7f5e6a7c98a2;
Alexandra Stevenson & Carlos Tejada, S.E.C. Says It Was a Victim of Computer Hacking Last Year,
N.Y. TIMES (Sept. 20, 2017), https://www.nytimes.com/2017/09/20/business/sec-hacking-attack.html.
45 In cases where the hacker and trader are the same person, of course, the degree of coordination
between the two is complete, so that such situations would fit easily into the top row of Table 11.


Each resulting permutation from this two-by-two matrix (denoted Scenario I
through Scenario IV) entails slightly different normative and doctrinal
considerations, thereby warranting slightly different analysis. Scenario I, wherein the
trader works actively with the hacker to steal confidential data, corresponds to the
strongest normative policy concerns, since the breach involves the loss of
confidential information and the coordinated efforts of the trader and hacker (which
can in turn facilitate explicit or implicit incentive structures that exacerbate ex ante
hacking/protection incentives). Scenario II, while stopping short of outright data
theft, also tends to entail many of the policy concerns of Scenario I, since the
exposure of vulnerabilities can (as noted above) visit “harms” on the target that are
effectively subsidized through coordination with a trader. The remaining cells
correspond to situations where the trader independently learns of a hacker’s
outright theft (Scenario III) or mere detection of vulnerabilities (Scenario IV), but
without coordinating efforts with the hacker. As suggested above, these scenarios
present weaker cases for placing liability on the trader, since (a) trading incentives
are (by hypothesis) divorced from hacking incentives, and (b) the trader’s activity
might even expose (via the price) the existence of the hack to the public and the
target.46 As a rough approximation, then, an efficiency-minded legal decision maker
would tend to place the greatest amount of scrutiny on the upper row of the Table
(Scenarios I and II). As we show below, however, current law does not appear to
have the same reach. Even the “easiest” case for scrutiny—Scenario I—can prove to
be a stretch in establishing liability (particularly for traders), with perhaps the most
leverage coming through criminal sanctions; the levers for civil liability (brought
either by government regulators or private parties) appear even more limited and/or
untested under current law. And, while current law could be adapted to be a better
prescriptive “fit,” doing so would require either structural statutory reform, or that
courts be receptive to novel (and largely untested) innovations.
To help illustrate our claims, consider the seemingly “easy” case of Scenario
I, where a trader explicitly coordinates with and/or directs a hacker to purloin
confidential data from a target company. As noted above, this permutation presents
the strongest policy case for legal / regulatory scrutiny. And, as it happens, this
particular scenario has garnered disproportionate attention to date from courts and
regulators. Here, it appears that courts have been open to applying both federal
securities and data breach statutes to impose legal exposure on both hackers and
traders.47 Interestingly, however, the doctrinal divinations needed to impose liability

46 This is not to say that one would have no concerns in these permutations. For example, one could
argue that when an unaffiliated trader learns of an active theft of data (Scenario III), the trader should
be under a “Good Samaritan” – like duty to disclose the information. That said, such considerations
do not appear to raise sui-generis normative concerns in the case of data breach when compared to
other possible latent harms discovered by a trader.
47 See Vollmer, Andrew N., Computer Hacking and Securities Fraud (September 24, 2015). 47 Sec.
Reg. & L. Rep. 1985 (October 19, 2015); Virginia Law and Economics Research Paper No. 26.
Available at SSRN: https://ssrn.com/abstract=2679092


risk on such actors—while admirably creative—are still an awkward fit with the type
of legal oversight one might design from a blank slate to deal with informed cyber-
trading.
Our analysis of these considerations need not be confined to abstract
hypotheticals, however: For the legal dimensions of Scenario I are evolving even as
of this writing—in the form of governmental complaints in an interrelated cluster of
high-profile actions (the “Dubovoy case”).48 These cases constitute in many ways a
virtually perfect case study of Scenario I. In its civil complaints filed in 2015 and
2016, the SEC charged more than 40 defendants with securities fraud and related
charges stemming from an alleged international hacking-and-trading scheme
organized by Ukrainian nationals Ivan Turchynov and Aleksandr Ieremenko (the
“Dubovoy Hackers”).49 The U.S. Attorney’s Offices for the District of New Jersey
and the Eastern District of New York followed with criminal actions against a subset
of the named defendants in the SEC case, including the Dubovoy Hackers and traders
(including hedge fund managers and their investment firms 50) located both in the
U.S. and abroad (“Dubovoy Traders”).51
According to government documents, the Dubovoy Hackers repeatedly “used
deceptive means”52 over a five-year period to breach computer networks at several
U.S. business newswire services (e.g., Marketwired, PR Newswire, and Business
Wire) 53 extracting material non-public information (MNPI) in the form of
“confidential earnings information for numerous publicly-traded companies from
press releases that had not yet been released to the public.” The Hackers then sold
the purloined data to the Dubovoy Traders, 54 as part of an orchestrated and
coordinated plan. Indeed, the government asserts that the Dubovoy Traders even
provided the Hackers with “shopping lists” of desired press releases, accessed the

48 Complaint, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August 10,
2015). Indictment, U.S. v. Korchevsky et al., No. 15-cr-00381 (E.D.N.Y., filed Aug. 5, 2015).
Indictment, U.S. v. Turchynov et al., No. 15-cr-00390 (D.N.J., filed Aug. 6, 2015). A subsequent
complaint named additional defendants. See Complaint, SEC v. Zavodchiko et al, No. 2:16-cv-00845
(D.N.J., filed Feb. 17, 2016).
49 Jonathan Stempel, SEC Brings New Charges Over Global Press Release Hacking Scheme,
REUTERS (Feb. 18, 2016), https://www.reuters.com/article/us-trading-cyber-sec/sec-brings-new-
charges-over-global-press-release-hacking-scheme-idUSKCN0VR25N.
50 Cory Bennett, Hackers Cash in with Insider Trading, The Hill (Aug. 16, 2015),
http://thehill.com/policy/cybersecurity/251174-hackers-cash-in-with-insider-trading; Nate Raymond,
Russia Investor, Funds Pay $18 Million to Settle U.S. Press Release Hacking Case, Reuters (Mar. 25,
2016), https://www.reuters.com/article/us-insidertrading-cyber-sec/russia-investor-funds-pay-18-
million-to-settle-u-s-press-release-hacking-case-idUSKCN0WR1A4.
51 SEC, SEC Charges 32 Defendants in Scheme to Trade on Hacked News Releases, Press Release
2015-163 (Aug. 11, 2015), https://www.sec.gov/news/pressrelease/2015-163.html.
52 Complaint ¶ 71, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August 10,
2015).
53 Indictment ¶ 14, U.S. v. Turchynov et al., No. 15-cr-00390 (D.N.J., filed Aug. 6, 2015).
54 Complaint ¶¶ 1-3, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August
10, 2015).


stolen MNPI through secured overseas computer servers,55 and then “used that stolen
[MNPI] to trade securities and reap over $100 million in unlawful profits.”56 The
Dubovoy Traders are further alleged to have used “deceptive means,” including the
use of multiple fictitious accounts and entities, to conceal their trading activities.57
In its criminal indictment of the Traders, the government alleged a series of
transgressions under federal criminal law, including:58
• Securities Fraud under Rule 10b-5, in violation of 15 U.S.C. §§ 78j(b)
(Manipulative and Deceptive Devices) and 78ff (Penalties), 17 CFR 240.10b-5
(Employment of Manipulative and Deceptive Devices), and 18 U.S.C. § 2
(Principals).
• Fraud and Related Activity in Connection with Computers, in violation of 18
U.S.C. § 1830 (a.k.a., the Computer Fraud and Abuse Act, or “CFAA,”
discussed below).
• Wire Fraud, in violation of 18 U.S.C. §§ 1343 and 1349 (Attempt and
Conspiracy).
• Money Laundering Conspiracy, in violation of 18 U.S.C. § 1956(h)
(Laundering of Monetary Instruments).
The securities fraud and CFAA charges play prominent roles here, since (a) they
embody the most general-purpose charges in the informed cyber-trading context; and
(b) they constitute critical predicate offenses for criminal liability under wire fraud
and money laundering statutes. The majority of individuals indicted by the DOJ
reached plea agreements with federal prosecutors between December 2015 and
August 2016, pleading guilty to the wire fraud conspiracy counts, with the DOJ
dropping most of the predicate criminal charges.59 Such criminal settlements are not
uncommon, and—in a sense—they provide a measure of deterrence to others who
would attempt similar conduct in the future. And yet, the Dubovoy plea agreements

55 U.S. Dept. of Justice, Hacker Sentenced To 30 Months In Prison For Role In Largest Known
Computer Hacking And Securities Fraud Scheme, Press Release (May 22, 2017),
https://www.justice.gov/usao-nj/pr/hacker-sentenced-30-months-prison-role-largest-known-computer-
hacking-and-securities.
56 Complaint ¶ 1, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August 10,
2015).
57 Id. ¶ 7.
58 Indictment ¶¶ 112-145, U.S. v. Turchynov et al., No. 15-cr-00390 (D.N.J., filed Aug. 6, 2015). In
addition to the offenses listed in association with the Dubovoy Traders, it may be of interest that the
Dubovoy Hackers were also charged with crimes such as conspiracy to commit fraud and related
activity in connection with computers, fraud and related activity in connection with computers, and
aggravated identity theft. The Eastern District of New York charged the defendants with an
overlapping set of crimes: Conspiracy to Commit Wire Fraud, Conspiracy to Commit Securities
Fraud, Securities Fraud, and Money Laundering Conspiracy. Indictment ¶¶ 45-55, U.S. v.
Korchevsky et al., No. 15-cr-00381 (E.D.N.Y., filed Aug. 5, 2015).
59 U.S. Dept. of Justice, Hacker Sentenced To 30 Months In Prison For Role In Largest Known
Computer Hacking And Securities Fraud Scheme, Press Release (May 22, 2017),
https://www.justice.gov/usao-nj/pr/hacker-sentenced-30-months-prison-role-largest-known-computer-
hacking-and-securities.


also leave open the interesting question of whether the predicate securities fraud
and/or CFAA charges themselves would have had traction had they been pursued to
trial.60 We thus consider each below, in turn.

Securities Fraud Liability
Consider first the allegations of securities fraud. Here, in pursuing its
criminal claims, the government had the benefit of additional enforcement expertise:
As frequently happens in securities fraud contexts, 61 the Securities and Exchange
Commission (SEC) coordinated with federal prosecutors, and it also filed a series of
independent civil claims alleging securities fraud by the Dubovoy traders. These
allegations62 include:
• Section 10(b) of the Securities Act of 1934 (“‘34 Act”) and Rule 10b-5
thereunder63.
• Section 17(a) of the Securities Act of 1933 (“‘33 Act”)64.
• Sections 20(b)65 and (e)66 of the ‘34 Act.

60 It bears noting that the defendants were also charged with identity theft under federal law, which
might also have carried weight as a predicate offense for wire fraud / money laundering.
61 See Mary Jo White, “All-Encompassing Enforcement: The Robust Use of Civil and Criminal
Actions to Police the Markets,” (March 31, 2014).
62 Complaint ¶¶ 222-234, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed
August 10, 2015).
63 Complaint ¶¶ 225-227, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed
August 10, 2015) (“By engaging in the conduct described above, defendants knowingly or recklessly,
in connection with the purchase or sale of securities, directly or indirectly, by use the means or
instrumentalities of interstate commerce, or the mails, or the facilities of a national securities
exchange: (a) employed devices, schemes or artifices to defraud; (b) made untrue statements of
material facts or omitted to state material facts necessary in order to make the statements made, in
light of the circumstances under which they were made, not misleading; and/or (c) engaged in acts,
practices, or courses of business which operated or would operate as a fraud or deceit upon any person
in connection with the purchase or sale of any security…By engaging in the foregoing conduct
defendants violated, and unless enjoined will continue to violate, Section 10(b) of the Exchange
Act.”).
64 Complaint ¶¶ 222-224, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed
August 10, 2015) (“Defendants, by engaging in the conduct described above, knowingly or recklessly,
in connection with the offer or sale of securities, by the use of the means or instruments of
transportation, or communication in interstate commerce or by use of the mails, directly or indirectly:
(a) employed devices, schemes or artifices to defraud; (b) obtained money or property by means of
untrue statements of material facts, or omissions to state material facts necessary in order to make the
statements made, in light of the circumstances under which they were made, not misleading; and/or
(c) engaged in transactions, practices or courses of business which operated or would operate as a
fraud or deceit upon the purchaser…By engaging in the foregoing conduct, defendants violated, and
unless enjoined will continue to violate, Section 17(a) of the Securities Act.”).
65 Section 20(b) of the ’34 Act “broadly prohibits violating federal securities law through the means of
another person.” William D. Roth, The Role of Section 20(b) in Securities Litigation, Harvard Bus.
Law Rev. Online (Dec. 9, 2015), http://www.hblr.org/2015/12/the-role-of-section-20b-in-securities-
litigation/. Complaint ¶¶ 232-234, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J.,
filed August 10, 2015) (“By engaging in the foregoing conduct, the trader defendants violated Section
10(b) of the Exchange Act [15 U.S.C. § 78j(b)] and Rule 10b-5 [17 C.F.R. § 240.10b-5], thereunder
through or by means of the hacker defendants. By engaging in the foregoing conduct, pursuant to
Section 20(b) of the Exchange Act [15 U.S.C. § 78t(b)], defendants, except Ieremenko and


As with the criminal case, Rule 10b-5 plays a starring—and indeed central—role
here, as several of the other charges effectively “bootstrap” to the 10b-5 allegations.
Note, however, that CFAA claims are wholly absent in the SEC’s complaint (since
CFAA enforcement is not part of the Commission’s regulatory mandate).
Several of the SEC’s parallel cases remain pending as of this writing, and it
appears most have been stayed pending the resolution of remaining criminal
actions. 67 That said, at least two opinions have already emanated from the civil
actions, both relevant to our inquiry here. First, shortly after the SEC complaint was
filed, the District Court in New Jersey entered a temporary restraining order freezing
defendants’ assets and an order to show cause why a preliminary injunction should
not enter.68 A subset of the Dubovoy Traders (the “Amaryan Defendants”) appealed
this order. 69 On October 16, 2015, the court issued an opinion (the “Amaryan
Opinion”) granting the SEC’s motion for a preliminary injunction because it had
“raise[d] a strong inference that the Amaryan Defendants violated federal securities
laws . . . .” 70 On February 12, 2016, hedge fund Memelland Investments Ltd.
(“Memelland”), another of the Dubovoy Traders, filed a motion to dismiss under
FRCP 12(b)(6). On September 29, 2016, the court issued a second opinion (the
“Memelland Opinion”) denying Memelland’s motion because “the SEC particularly
pled its fraud and aiding and abetting claims,” giving rise to a strong inference that
Memelland acted with scienter to “deceive, manipulate or defraud.”71 As of February
2018, the Amaryan and Memelland Opinions appear to be the only two opinions
released in this matter, though the SEC has reached settlements with several of the
Dubovoy Traders.72

Turchynov, violated, an unless enjoined will continue to violate Section 10(b) of the Exchange Act
[15 U.S.C. § 78j(b)] and Rule 10b-5 [17 C.F.R. § 240.10b-5], thereunder.”).
66 Complaint ¶¶ 228-231, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed
August 10, 2015) (“Through their illicit trading, payments to the hacker defendants, instruction about
which releases to obtain, and other means alleged in this Complaint, the trader defendants knowingly
provided substantial assistance to, and thereby aided and abetted the hacker defendants in connection
with the hacker defendants' violations of the securities laws. By engaging in the foregoing conduct,
pursuant to Section 15(b) of the Securities Act and Section 20(e) of the Exchange Act, defendants,
except Ieremenko and Turchynov, violated, an unless enjoined will continue to violate Section 17(a)
of the Securities Act [15 U.S.C. § 77q(a)] and Section 10(b) of the Exchange Act [15 U.S.C. § 78j(b)]
and Rule 10b-5 [17 C.F.R. § 240.10b-5], thereunder.”)
67 John Reed Stark, Think the SEC EDGAR Data Breach Involved Insider Trading? Think Again.,
D&O DIARY (Oct. 2, 2017), https://www.dandodiary.com/2017/10/articles/cyber-liability/guest-post-
think-sec-edgar-data-breach-involved-insider-trading-think/.
68 SEC v. Dubovoy, No. CV 15-6076, 2016 WL 5745099, at *2 (D.N.J. Sept. 29, 2016).
69 Id.
70 SEC v. Dubovoy, No. CV 15-6076, 2015 WL 6122261, at *4 (D.N.J. Oct. 16, 2015).
71 SEC v. Dubovoy, No. CV 15-6076, 2016 WL 5745099, at *1, 5 (D.N.J. Sept. 29, 2016).
72 SEC, Trader Agrees to Settle Claims Relating to Hacked News Release Scheme; SEC's Recovery to
Date in Connection with the Scheme Exceeds $52 Million, Litigation Release No. 23530 (May 4,
2016), https://www.sec.gov/litigation/litreleases/2016/lr23530.htm (For example, “Without admitting
or denying the allegations in the SEC's complaint, Makarov agreed to be permanently enjoined from
violating Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5 thereunder and
Section 17(a) of the Securities Act of 1933 and pay disgorgement of $100,000.”).


But what about the underlying merit of the securities fraud allegation
(whether criminal or civil)? Here, things become surprisingly opaque. The familiar
10b-5 claim for securities fraud charges turns on the showing—in connection with
the purchase or sale of any security—of the use of a device, scheme, or artifice to
defraud; an act, practice, or course of business which operates or would operate as a
fraud or deceit; or, the making of any untrue statement (and in certain cases,
omission) of a material fact. 73 As noted above, Rule 10b-5 is extremely general,
covering both conventional fraud and “insider trading” claims; and both are at least
theoretically in play in the case of informed cyber-trading. At the same time, both
prove to be awkward fits in many plausible factual scenarios.
The offense of “insider trading” is not explicitly codified in Rule 10b-5, but
instead emerged as a judicial construction of the Rule that effectively equates an
informed trader’s silence (in appropriate circumstances) with an affirmative
misstatement of material fact. In this respect, the doctrine is a bit of a catch-all,
broadening the application of the Rule beyond a strict construction of its text. 74
Nevertheless, even when read in this broad fashion, insider trading has time-honored
boundaries that make it a difficult fit, even in Scenario I.
There are two predominant pathways to prove insider trading under Rule
10b-5, frequently referred to as the “classical” and “misappropriation” theories. The
classical theory—developed first—teaches that “a corporate insider 75 (with a
fiduciary duty to the corporation’s shareholders) may not trade in the securities of his
or her corporation on the basis of material information not generally known to the
investing public, and which, if made public, would substantially affect the judgment
of a reasonable investor.” 76 The classical theory was easily expanded to cover

73
The specific text of Rule 10b-5 reads as follows:
It shall be unlawful for any person, directly or indirectly, by the use of any means
or instrumentality of interstate commerce, or of the mails or of any facility of
any national securities exchange,
(a) To employ any device, scheme, or artifice to defraud,
(b) To make any untrue statement of a material fact or to omit to state
a material fact necessary in order to make the statements made, in the light
of the circumstances under which they were made, not misleading, or
(c) To engage in any act, practice, or course of business which operates or
would operate as a fraud or deceit upon any person, in connection with the
purchase or sale of any security.
17 C.F.R. § 240.10b–5.
74
Stark, supra note __. This judicial construction has a long pedigree: the U.S. Supreme Court held in
Superintendent v. Bankers Life that the antifraud provisions should be applied broadly, such that
“Rule 10b-5 prohibit[s] all fraudulent schemes in connection with the purchase or sale of securities,
whether the artifices employed involve a garden type variety of fraud, or present a unique form of
deception.” Superintendent of Ins. of State of N. Y. v. Bankers Life & Cas. Co., 404 U.S. 6, 10 n.7
(1971); Robert Steinbuch, Mere Thieves, 67 MD. L. REV. 570, 574 (2008).
75
These include statutory insiders under Section 16A, as well as certain “constructive” insiders who
are in a relationship of trust and confidence with the issuer. See Dirks, at note 14.
76
Hagar Cohen, Cracking Hacking: Expanding Insider Trading Liability in the Digital Age, 17 Sw. J.
Int'l L. 259, 265 (2011). See generally Chiarella v. United States, 445 U.S. 222 (1980).


“tippee” outsiders who receive MNPI from “tipper” insiders (who themselves
receive a personal benefit from tipping) and trade with knowledge (actual or
reasonable) that the insider(s) breached their duties by tipping for personal benefit.77
Misappropriation theory—developed later—further expanded insider trading
liability such that “a person violates Rule 10b-5 when he misappropriates
confidential information for the purpose of securities trading, in breach of a duty
owed to the source of the information, rather than to the shareholders of the [issuing]
corporation.”78 The misappropriation theory thus reached certain types of corporate
outsiders who nonetheless “deal in deception” against a third-party owner of
information by “pretend[ing] loyalty to the principal while secretly converting the
principal's information for personal gain.”79
Under either classical or misappropriation theory, then, the insider-trading
prohibition has come to be understood to mean that “individuals may not purchase or
sell securities based on knowledge of nonpublic information that they legally
obtained or possessed as a consequence of their employment or similar
circumstances.” 80 That is, the linchpin for deducing whether actionable insider
trading has occurred under the Rule is by “equating a breach of fiduciary or
fiduciary-like duty [toward the information’s rightful owner] with the fraud
requirement.”81
And therein lies the rub: As capacious as insider trading theories have
become, the accepted doctrinal framework squares poorly with the canonical case of
informed cyber-trading (as well as the facts of Dubovoy), where the hacker and
trader are neither fiduciaries of the target nor of a third party information “owner”.82
Indeed, it is hard to see how Scenario I would trigger any liability under the received
insider trading framework, since no fiduciary relationship is breached when a hacker
targets an unrelated company’s MNPI, and then passes such information in a
coordinated fashion to a trader. Simply (if ironically) put, “mere thieves” of
MNPI—even those who profit from it through market transactions—are not insiders
according to Rule 10b-5.83
That said, a series of recent cases have experimented with an alternative
application of Rule 10b-5 to informed cyber-trading—one that characterizes the

77
Cohen, supra note 76 at 266-67. See, e.g., Dirks v. SEC, 463 U.S. 646 (1983); Salman v. United
States, 137 S. Ct. 420 (2016). Even after Salman, it remains somewhat unclear what knowledge the
trading tippee(s) must have about the original tipper’s motives.
78
Cohen, supra note 76 at 267. See generally United States v. O'Hagan, 521 U.S. 642 (1997).
79
O'Hagan, 521 U.S. at 653.
80
Id. at 575 (emphasis added).
81
Id.
82
See Stark, supra n. __.
83
Steinbuch, supra note 74 at 589 (“Conventional wisdom had held that mere thieves cannot be liable
for trading on stolen confidential information because they lack a fiduciary relationship to the source
of the information and, therefore, do not deceive that source”).


conduct not strictly as a species of insider trading per se, but rather as a hybrid with
conventional securities fraud, in which the cyber-traders make use of a “deceptive
device” in relation to securities transactions. Because it leans on a conventional
fraud claim, this extension dispenses with the burden of demonstrating the breach (or
even the existence) of any fiduciary relationship. That said, it is a “[f]ar more
complex and challenging” theory of liability for government regulators to pursue.84
Under several accountings, the government’s theory represents a new paradigm of
unlawful “outsider trading” under Rule 10b-5 to reach “a third and new category of
securities miscreant — ‘outsiders’ — who do not work for (or with) the company,
and who do not owe a duty to anyone.”85 This new category aims to capture trading
on the basis of MNPI obtained via computer hacking in situations (like Scenario I),
lacking the fiduciary relationship required by insider trading law, but still reflecting
the requisite degree of deception. Should courts prove receptive to this theory, it
could certainly represent a bona fide threat of securities fraud exposure against a
trader in Scenario I who coordinates with a hacker to detect / trade on stolen data.
But what would a new theory of outsider trading look like? While still in
nascent stages of development, the SEC has advanced the idea that cyber-trading
“outsiders” can nonetheless be culpable under 10b-5 when, as part of the hack, they
“are masquerading as company insiders….”86 In other words, under this theory, the
deception element mandated by Rule 10b-5 relates “directly to the hacking or
unauthorized computer access and is a bit more attenuated from the securities
transaction.”87 Note that coordination between the hacker and trader envisaged by
Scenario I (in the form of a common plan, scheme, or transaction) appears to be
critical to this theory as well; for without such coordinated efforts (i.e., where the hacker
and trader act independently), it would be difficult to say that the deceptive hack
also satisfied the “in connection with the purchase or sale of any security” requirement, another
critical requirement of Rule 10b-5.
The emerging theory of outsider trading bears a strong resemblance to
Donald Langevoort’s development of the idea that “intentional deception” should
serve as a trigger of fraud liability. Langevoort argues that “[s]o long as an element of
intentional deception was present in the action, the resulting trading would seem to
satisfy the ‘in connection with’ requirement and lead to liability under Rule 10b-5.”88

84
Id.
85
Stark, supra note __.
86
Id.
87
Id.
88
Donald C. Langevoort, Insider Trading Regulation, Enforcement, and Prevention § 6:14. See also
United States v. Falcone, 257 F.3d 226, 233–34 (2d Cir. 2001) (“O'Hagan 's [sic] requirement that the
misappropriated information ‘ordinarily’ be valuable due to ‘its utility in securities trading,’…appears
to be a more generally applicable factor in determining whether section 10(b)'s ‘in connection with’
requirement is satisfied. That requirement is met in a case where, as here, the misappropriated
information is a magazine column that has a known effect on the prices of the securities of the
companies it discusses.”)


Propounding the normative desirability of this test, Langevoort concludes, “[T]here
is little reason to believe that gaining a trading advantage by deceptive theft is any
less deserving of proscription under Rule 10b-5 than gaining a trading advantage by
a secretive breach of fiduciary duty.”89
While the outsider trading model remains a relatively untested prototype, the
SEC has asserted facially similar charges against several outsider trading defendants
for years.90 A decade ago, in SEC v. Dorozhko,91 the SEC had its best (and sole)
opportunity thus far to establish a beachhead for outsider trading theory. In
Dorozhko, the Second Circuit confronted the question of “whether, in a civil
enforcement lawsuit brought by the [SEC] under Section 10(b) of the [’34 Act],
computer hacking may be ‘deceptive’ where the hacker did not breach a fiduciary
duty in fraudulently obtaining [MNPI] used in connection with the purchase or sale
of securities.” 92 In the case, the SEC alleged that Dorozhko hacked into the
computer network of an investor relations and web-hosting company to access
unreleased earnings reports for IMS Health, Inc., which indicated that the company
would miss its expected earnings, and subsequently traded on this MNPI through the
purchase of put options. 93 The Southern District of New York found that
Dorozhko’s behavior “might be fraudulent and might violate a number of federal and
state criminal statutes,” but that his behavior did not violate Section 10(b) because
Dorozhko did not owe a fiduciary duty to either the web-hosting company or to the
hacked company. 94 Accordingly, it denied the SEC’s request for a preliminary
injunction freezing Dorozhko’s trading account.
A unanimous three-judge panel on the Second Circuit reversed and granted
the injunction.95 Acknowledging that the SEC’s claim was “not based on either of
the two generally accepted theories of insider trading,” Judge Cabranes’ opinion
noted that the complaint was “nonetheless based on a claim of fraud” and accorded
attention to “whether this fraud is ‘deceptive’ within the meaning of Section
10(b).”96 Notably, the Second Circuit explained that “what is sufficient [to establish
a breach of Section 10(b)] is not always what is necessary.” 97 Because Dorozhko’s
actions—hacking to gain access to and trade on MNPI—allegedly constituted an
“affirmative misrepresentation” (as opposed to the nondisclosure in the insider-
trading context)98, and because violation of the “affirmative obligation in commercial

89
Id.
90
See e.g., SEC v. Lemus, Havel & Viiseman, et al. (2005), SEC v. Blue Bottle (2007), and SEC v.
Stummer (2008), which were never contested in court. Stark, supra note 82.
91
SEC v. Dorozhko, 574 F.3d 42, 43, 44 (2d Cir. 2009).
92
SEC v. Dorozhko, 574 F.3d 42, 43, 44 (2d Cir. 2009).
93
Id. at 44.
94
Id. at 45.
95
Id. at 43, 51.
96
Id. at 45.
97
Id. at 49.
98
Id. at 48, 49.


dealings not to mislead” is “a distinct species of fraud,” the Second Circuit held that
he could be liable under the antifraud rules despite the absence of a fiduciary
relationship.99
Having made the general point that a fiduciary relationship is not necessarily
required under Section 10(b), the Second Circuit remanded the case to decide the
fact-specific question of “whether the computer hacking in this case…as opposed to
computer hacking in general…involved a fraudulent misrepresentation that was
‘deceptive’ within the ordinary meaning of Section 10(b)”. 100 In doing so, the Court
gave guidance regarding the ordinary meaning of “deceptive,” which “covers a wide
spectrum of conduct involving cheating or trading in falsehoods” and “irreducibly
entails some act that gives the victim a false impression.” 101 The Court infused
ambiguity into its (otherwise clear) opinion by stating, “In our view, misrepresenting
one’s identity in order to gain access to information that is otherwise off limits, and
then stealing that information is plainly ‘deceptive’ within the ordinary meaning of
the word. It is unclear, however, that exploiting a weakness in an electronic code to
gain unauthorized access is ‘deceptive,’ rather than being mere theft.”102 Thus, the
Second Circuit asked the District Court to take a deeper dive into “how the hacker
gained access” in order to determine whether the actions constituted “a ‘deceptive
device or contrivance’ that is prohibited by Section 10(b) and Rule 10b–5.” 103
Unfortunately (at least for us), the Second Circuit panel’s invitation in Dorozhko was
never formally taken up by the District Court on remand: Dorozhko’s attorney lost
touch with his client and the trial court later granted summary judgment for the SEC.104
A fair reading of the opinion nevertheless suggests that trading on hacked
information might constitute actionable securities fraud, but only if accompanied by
some manifested deception. According to one prominent commentator, “hacking
might not be a securities fraud if, for instance, it was based on discovering
weaknesses in software rather than, a deception, such as a hacker using hijacked
employee credentials.” 105 Thus, while negligently weak computer systems that
“leav[e] a virtual door open for an online intruder” might not open the door to
“deception,” the use of malware and the tools/processes more generally associated
with the popular perception of hackers might suffice.106 Regulators and courts will
no doubt grapple with defendants about where to draw this line should outsider-
trading theory gain a greater jurisprudential following.

99
Id. at 49.
100
Id. at 51.
101
Id. at 50.
102
Id. at 51 (emphasis added).
103
Id.
104
Stark, supra note 82.
105
Id.
106
Id.


Dorozhko’s unrequited invitation for doctrinal development is just one reason
why Dubovoy represents a potentially watershed moment for informed
cyber-trading under federal securities law. The Dubovoy pleadings are instructive,
and they clearly evince the government’s deep familiarity with the language in
Dorozhko, attempting to squeeze the underlying allegations within its ambit. For
example, the SEC’s complaint alleges that the Dubovoy Hackers used deception as
follows:107
The hacker defendants used deceptive means to gain unauthorized access to
the Newswire Services’ computer systems, using tactics such as: (a)
employing stolen username/password information of authorized users to
pose as authorized users; (b) deploying malicious computer code designed
to delete evidence of the computer attacks; (c) concealing the identity and
location of the computers used to access the Newswire Services’ computers;
and (d) using back-door access-modules.
Moreover, the SEC’s initial complaint alleges that the Dubovoy Traders used
deception to conceal their activities through shell entities and misleading
payments,108 multiple trading accounts,109 and a secure server.110
Based on the preliminary opinions thus far produced in the case, it appears
courts have been sympathetic to such arguments.111 For example, in the Amaryan
Opinion, without specifically elaborating on the legal standard required by Section
10(b) or Rule 10b-5, the District Court suggests that “the evidence submitted by the
SEC raises a strong inference that the Amaryan Defendants violated federal

107
Complaint ¶ 71, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August 10,
2015). Stark, supra note 82.
108
Complaint ¶ 84, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August 10,
2015) (“The Dubovoy Group defendants attempted to conceal the illegal payments by sending them
from Tanigold Assets, one of Arkadiy Dubovoy's companies, and mislabeling them as payments for
‘technological equipment’ and ‘building equipment.’”).
109
Complaint ¶ 91, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August 10,
2015) (“The Dubovoy Group defendants tried to conceal their fraud by deceptively spreading their
illicit trading across numerous accounts at more than 10 brokerage firms in the names of various
individuals and entities. Through this strategy, they hoped to avoid detection by brokers, regulators,
and law enforcement.”).
110
Complaint ¶ 85, SEC v. Dubovoy, et al., No. 2:15-cv-06076-MCA-MAH (D.N.J., filed August 10,
2015) (“Pavel Dubovoy provided instructions, which informed the reader how to log in to the server
and download files and advised users to conceal the identity of the computer they used to access the
server.”).
111
See, e.g., SEC v. Dubovoy, No. CV 15-6076, 2016 WL 5745099, at *4, 5 (D.N.J. Sept. 29, 2016)
(suggesting that: (i) “The scheme alleged in the Amended Complaint is a complex one, involving a
number of individuals, entities, and straw owners who worked together to perpetrate a complex,
high-tech fraud.”; (ii) “These circumstances also support a strong inference that Memelland acted with
scienter,” where “’[s]cienter is a mental state embracing intent to deceive, manipulate or defraud, and
can be established by showing recklessness.”; and (iii) “Memelland's sophistication, the temporal
proximity of its trades to the publication of the press releases, the similarity of its trading pattern to
other Trader Defendants with conspicuous ties to the Hacker Defendants, its shared IP channels with
the Dubovoy Group, and the fact that the stolen press releases contained financial information that
had not yet been reported in the news all strongly support an inference that Memelland intended to
participate in the fraud.”).


securities laws.”112 And, even more recently, the SEC obtained a default judgment
against several trading defendants on highly similar facts. In SEC v. Iat Hong, et al.,
several traders were charged with hacking into a law firm (by installing malware and
compromising accounts that enabled access to law firm email accounts) and
fraudulently trading on MNPI. In the default judgment, the judge concluded that the
evidence “sufficiently demonstrates that Defendants directly, indirectly, or through
or by means of others, hacked into the nonpublic networks of two New York-
headquartered law firms and stole, through deception, confidential information
covering several publicly-traded companies” and then “reaped illegal profits by
trading on the stolen [MNPI]” in violation of Sections 10(b) and 20(b) of the ’34 Act
and Rule 10b-5 thereunder, among other securities laws.113 While this was a default
judgment rather than a litigated case, the SEC no doubt welcomes the judge’s
description of this hacking as deceptive.
Notwithstanding its evident traction in judicial opinions, outsider-trading
theory has attracted a chorus of critics decrying its many alleged infirmities. Many of
them have been wary of a significant expansion of insider trading based on an
amorphous concept of “deception,” and have instead argued that misappropriation
theory can capture many of the most concerning hacker-trader conspiracies. 114
Others have lodged even stronger opposition to the concept of liability for outsiders
under the antifraud provisions, arguing that the new theory opens an unwieldy and
unnecessary Pandora’s Box. 115 Andrew Vollmer, for example, has argued that
“[t]he government had the ability to charge one or more reasonable and appropriate
crimes against the hacker and trader defendants but reached out too far to include
securities fraud.” 116 And, even sympathetic judicial opinions (such as Dorozhko)
have held that computer hackers do not typically commit insider trading, and do so
only if they employ deception in their hack and such deception ultimately gives rise
to trading. When either is absent, a hacker’s actions are too far removed from the
trading to be considered “in connection with” the purchase or sale of securities. 117
Backing up to the broader perspective, the overall “fit” of securities fraud law
to informed cyber-trading appears far from perfect. It is all but obvious that
conventional insider trading models (classical and misappropriation) are ill-equipped
to deal with cyber-traders. By requiring a fiduciary-like relationship with either the
112
SEC v. Dubovoy, No. CV 15-6076, 2015 WL 6122261, at *4 (D.N.J. Oct. 16, 2015).
113
Default Judgment ¶ 11, SEC v. Hong et al., No. 16-cv-9947 (S.D.N.Y. filed May 5, 2017),
https://regmedia.co.uk/2017/05/10/china_sec.pdf.
114
Steinbuch, supra note 74 at 594-95 (“O'Hagan and its progeny should not be read as requiring a
fiduciary relationship under the misappropriation theory. Both the underlying purpose of the
misappropriation theory and courts' interpretation of it demonstrate that the theory encompasses the
acts of nonfiduciaries.”).
115
Vollmer, supra note 47 (“The recent computer hacking cases are important because they create
dangers from over-zealous pursuit of securities law violations…Some bad acts are not securities
fraud.”).
116
Id.
117
Id.


company or a third-party owner of MNPI, classical and misappropriation theory
simply fall flat by focusing on factors that have questionable normative relevance
here. The emerging theory of “outsider trading”—to the extent it gains traction—is a
somewhat better fit, but hardly a bespoke one. On the one hand, the theory would
seem to require some type of coordination between the hacker and the trader (i.e., the
top row of Table 11), consistent with our normative analysis. Yet, by hinging an
offence on an affirmative deception by the hacker, outsider-trading theory fails to
capture an important subset of problematic informed cyber-trading, where the hacker
/ trader team are “merely guileless thieves,” utilizing brazen (but not deceptive)
means to access unauthorized information. Hence, even if outsider-trading theory
gains jurisprudential traction (a long-shot proposition in its own right), securities law
would remain substantially under-inclusive relative to the normative challenge at
issue. 118
Liability Under the CFAA
If securities law stumbles in the task of addressing problematic normative
issues surrounding informed cyber-trading, what might? The criminal indictment of
the Dubovoy Traders provides a possible clue, in a charge that many would find
more esoteric: violation of the Computer Fraud and Abuse Act119 (CFAA). Although
not within the regulatory remit of the SEC, the CFAA has both criminal and civil
enforcement mechanisms that might, in theory, be better adapted tools for the
normative task at hand.
Originally promulgated in 1986 (and expanded through amendment several
times since), the CFAA prohibits essentially three categories of conduct: (1) using
unauthorized access to fraudulently acquire valuable information from a computer;
(2) causing damage through the unauthorized transmission of computer passwords;
and (3) causing unauthorized damage to computer data or causing damage to
a computer. 120 Although the liability provisions of the CFAA are quite general, they
tend to concentrate on actions whereby one accesses a “protected computer” either
“without authorization” or in a manner that “exceeds authorized access.”121
The term “protected computer” refers not to the level of security protocols
that protect the compromised data, but rather to the intended use of the compromised
computer. Under the Act, this definition includes any computer that is used (i)
118
It is certainly possible that the definition of deceptive may be expanded even further to entail not
only affirmative misrepresentations but also “digital trespassing”
(unauthorized access to data), or alternatively a violation of some other statutory fraud proscription
(such as the CFAA). Such a reform, however, would be an even more profound break from existing
jurisprudence.
119
18 U.S.C. § 1030.
120
Audra Dial & Daniel G. Schulof, “The Computer Fraud and Abuse Act: An Underutilized
Litigation Weapon” (available at ). The precise contours of the Act are slightly broader. See 18
U.S.C. § 1030(a).
121
Office of Legal Education Executive Office for United States Attorneys, “Prosecuting Computer
Crimes” (June 2013) (hereinafter OLE).


by/for the federal government, (ii) by/for a financial institution, or (iii) in or affecting
interstate commerce.122 These categories have been interpreted broadly: for example,
courts have read the “interstate commerce” flag to be triggered by the use of any
computer connected to the Internet—regardless of whether located inside or outside
the United States—as affecting interstate commerce.123
The elements of the CFAA that concern “authorization” tend to subdivide
defendants into two groups: “Outsiders”—third parties with no affiliation with the
target and enjoying no authorization to access the protected content; and
“Insiders”—parties (such as employees, customers, and contractors) who, pursuant
to some relationship with the target, have (or previously had) some limited
authorization to access data, but transgressed that authorization on the date of the
breach. Interestingly, the Act tends to treat insiders who exceed their authorization
with some degree of deference, requiring actual intent by the insider to damage the
computer for liability to follow. Outsiders are subject to less accommodation, and
may be found liable for intentional, reckless or other damage caused by their digital
trespass.124 In recent years, moreover, some courts have been willing to “convert”
insiders into outsiders—stripping them of their more protected status—when the
insider breaches its duty of loyalty to the target (such as when the insider pursues
interests antithetical to the interests of the target).125
The CFAA insider/outsider distinction—particularly as augmented by the
aforementioned fiduciary breach conversion—stands in stark contrast with insider
trading doctrine under Rule 10b-5 (as discussed above 126 ). There, the liability
standard aggressively envelops insiders who breach a fiduciary duty to access data,
while developing alligator arms vis-à-vis outsiders, even under the nascent “outsider
trading” theory (which still hinges awkwardly on deception by the hacker). Thus, at

122
18 U.S.C. § 1030(e)(2).
123
See, e.g., US v. Drew, 259 F.R.D. 449, 457 (C.D. Cal. 2009) (“[T]he latter two elements of the
section 1030(a)(2)(C) crime [obtaining information from a protected computer] will always be met
when an individual using a computer contacts or communicates with an Internet website.”); US v.
Trotter, 478 F.3d 918, 921 (8th Cir. 2007) (“No additional interstate nexus is required when
instrumentalities or channels of interstate commerce are regulated”); Paradigm Alliance, Inc. v.
Celeritas Technologies, LLC, 248 F.R.D. 598, 602 (D. Kan. 2008) (“As a practical matter, a computer
providing a ‘web-based’ application accessible through the internet would satisfy the ‘interstate
communication’ requirement.”); 18 U.S.C. § 1030(e)(2)(B) (2001) (amending the CFAA to include
Internet-connected computers outside the US).
124
US v. Phillips, 477 F.3d 215, 219 (5th Cir. 2007) (discussing legislative history).
125
See, e.g., Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006); Shurgard Storage
Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121, 1125 (W.D. Wash. 2000); Ervin &
Smith Advertising and Public Relations, Inc. v. Ervin, 2009 WL 249998 (D. Neb. 2009); ViChip
Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino,
638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino
breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s
computers.”).
126
See TAN __-__, supra.


least on this critical dimension, the CFAA seems to be a better “fit” for addressing
informed cyber-trading.
On the other hand, CFAA liability is far clunkier than securities law in
engaging other facets of the policy challenge, such as the degree of coordination
between the hacker and trader (the rows of Table 11). Recall that securities fraud
exposure tends to “scale down” when the hacker and trader are completely
independent from one another, since the deceptive hack is remote from and thus
arguably not “in connection with” the purchase and sale of securities. This
retrenchment seems normatively justified, since the lack of coordination
substantially reduces the danger that cyber-trading activity subsidizes hacking and
defensive activity. Under the CFAA, in contrast, the relevance of coordinated
activity fades. Although a trader who operates independent of the hacker can
probably avoid CFAA liability, the hacker’s exposure appears not to change.
A second area of misfit concerns the civil provisions of the CFAA, and in
particular the measure of damages available to private parties. Although the Act
provides civil remedies (both injunctive and in damages) for persons injured by
unauthorized access or computer fraud, the level of monetary damages available has
historically been quite limited. Under the Act, monetary relief is explicitly limited to
economic damages.127 Moreover, most courts interpreting the statute have measured
economic damages against the Act’s definition of a “loss,” which equates to “any
reasonable cost to any victim, including the cost of responding to an offense,
conducting a damage assessment, and restoring the data, program, system, or
information to its condition prior to the offense, and any revenue lost, cost incurred,
or other consequential damages incurred because of interruption of service.”128 An
obvious limitation to this provision is that the consequential damages (including
stock price fall) associated with the breach must be related to an interruption of
service. In cases where a data breach simply results in the unauthorized access or
downloading of data with no “service interruption,” such consequential losses may
well be unavailable. 129 In the absence of significant broadening of this
interpretation, it seems unlikely that private parties will tend to pursue civil CFAA

127
18 U.S.C. § 1030(g).
128
18 U.S.C. § 1030(e)(11).
129
John DiGiacomo, Civil Actions Under the Computer Fraud and Abuse Act, Revision Legal (Feb.
4, 2015), https://revisionlegal.com/internet-lawyer/civil-actions-computer-fraud-abuse-act/#_ftnref23.
See also Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App'x 559, 562–63 (2nd Cir. 2006) (holding
that plaintiff’s claim for lost revenue due to defendant’s misappropriation of its confidential data did
not constitute a cognizable loss under the CFAA “[b]ecause it is undisputed that no interruption of
service occurred in this case”). But cf. EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 585
(1st Cir. 2001) (observing that—in an “increasingly electronic world”—the CFAA covers more than
just the cost of physical damage and may also include “the value to the victim of what has been stolen
and the victim’s costs in shoring up its security features”). In contrast, private actions under securities
law generally give a plaintiff (here target stockholders who traded during the fraud) a full measure of
loss, which—given the nature of the transaction—tends to coincide with the informed trader’s gain
from the trade.


litigation vigorously against informed cyber-traders; most of the work will be left to
criminal enforcement.
This last observation raises a final shortcoming of CFAA liability: the
relative absence of regulatory expertise for the DOJ to draw upon in pursuing CFAA
claims against informed cyber-traders. As noted above,130 federal prosecutors have
long enjoyed a secret weapon in their securities fraud prosecutions (including insider
trading): a sophisticated and motivated regulator in the SEC, possessing an ample
budget, years of expertise, and well-trained staff and attorneys capable of unpacking
often dense and complicated transactions. Indeed, the SEC and DOJ actively tout
their cooperation and the latter’s reliance on the former’s expertise in many
complicated fraud prosecutions. CFAA claims, in contrast, are outside of the SEC’s
remit and do not come with a built-in regulator to assist with uncovering the key
facts.

Synopsis
Given the discussion above, the battle of the bands between Rule 10b-5 and
the CFAA as a legal theory for pursuing informed cyber-traders evidently yields no
clear-cut victor. On the one hand, the CFAA is far more flexible and less statutorily
ossified than Rule 10b-5—where fiduciary-duty/deception requirements severely
hamper and distort enforcement. That said, the CFAA appears less able to tailor itself
to coordinated hacker-trader schemes; it has stingy civil damages provisions; and it
has no built-in regulator to lend expertise to criminal prosecutors in investigating and
pursuing claims.
In short, both approaches fall short, and it appears that neither lends itself to
an obvious and simple fix. Certain forms of tinkering around the edges might be
possible, of course. Proponents of “outsider trading” theory, for example, may
attempt to push for an even more capacious definition of deceptive—one that
includes (say) willful and deliberate access to data that the hacker knows or has
reason to know is unauthorized (“digital trespassing”). Given the tenuous state of
flux that outsider-trading theory finds itself in, however, this strategy carries obvious
risks. Alternatively, proponents of CFAA enforcement might push courts to expand
their construction of consequential damages, granting private claimants greater
license to recover economic losses (including those capitalized through lower equity
prices). Here too, however, the statutory definitions in the CFAA (e.g., defining
“loss”) make such a construction a heavy lift in the absence of statutory amendment.
To the extent that one considers systematic statutory reform, it will also be
necessary to remain mindful of the fact that information trading is a complex
normative landscape. Simply because there are idiosyncratic dangers associated with
informed cyber-trading, it does not follow that all such trading is bad. As with any

130 See White, supra note ___.

other type of informed trading, cyber-trading can convey information through price,
not only to market participants but also to the targets of hacking themselves. Any
substantive reform to either securities law or the CFAA must remain mindful of this
tension. One intriguing possibility—which we develop in a technical companion to
this paper131—would broadly prohibit informed cyber-trading (along the CFAA
model), but would simultaneously exempt an initial arbitrage “allowance” (e.g., a
monetary cap or a fraction of the firm’s economic heft) shielded from both criminal
fines and civil recovery. This allowance would serve as a type of “bounty” for
bringing the information to light. Once the exemption level is met, however, the
trader would be required to adhere to a “disclose or abstain” duty, refraining from
trading on the information until it has disclosed the information to the targeted issuer
and the market. If the size of the exemption is calibrated reasonably, this alternative
approach would have the benefits of (a) preserving price discovery (at least within
the limits of the exemption); (b) preserving limited incentives to uncover information
about vulnerability; and (c) catalyzing communication to the issuer about the nature
of the vulnerability, so as to streamline both the hacker’s offensive efforts and the
issuer’s precautionary measures. Although we see much to commend this
prescriptive course from an economic policy perspective, we confess that it would be
a difficult change to effect under current law (in the absence of a statutory reform).132
Short of such systematic statutory reforms, however, perhaps the most
expedient strategy would be to continue some version of the status quo, where the
DOJ has nominal authority to bring enforcement actions under either 10b-5 or
CFAA, but can enlist the SEC’s investigatory assistance to help develop and focus
its claims. No doubt some investigations will prove to come up dry in uncovering
actionable securities fraud claims; but such cases will usually not announce
themselves ex ante, effectively rationalizing the SEC’s coordinated involvement (at
least early on). Where a securities fraud claim proves viable (such as in an “outsider
trading” case involving hacker deception), the SEC and DOJ can continue to pursue
a strategy much like today. Where it does not, the SEC will have to back away,
leaving the government to pursue a criminal CFAA claim should it choose, but with
the benefit in hindsight of the SEC’s factual investigation to assist them.

131 See Mitts & Talley, supra note __.
132 Difficult, but perhaps not impossible. The requirement of deception could be met by equating
cooperation between hackers and traders as deceptive; and, much of the damages jurisprudence in
insider-trading law is (and always has been) the product of precedential evolution. Our analysis
excludes the possibility of common law tort claims against an informed cyber-trader, since such
claims would have difficulty establishing a duty by either the hacker or trader, and may well be
preempted by federal securities law anyway.

5. Conclusion
In this paper, we have considered the phenomenon of informed cyber-
hacking, whereby market arbitrageurs learn of material, yet-to-be-disclosed
cybersecurity breaches, executing trades in advance of the public disclosure. We
have demonstrated empirically that such practices appear manifest in derivatives
market trading, where breach-disclosing firms appear to have significantly larger
open interest and trading volume in put options (relative to a variety of control
groups) in advance of the disclosure. Our results, moreover, are robust to a variety
of alternative specifications and identification strategies. We have also argued that
such market activity raises certain idiosyncratic normative concerns, potentially
justifying more capacious exposure to liability for hacker/traders in response to such
concerns. Under current law, however, it seems unlikely that such an expansion is
possible without a substantial legal and statutory reform. Recent endeavors to
expand insider trading to outsiders (including hacker-traders) who use deception to
breach a firm’s cybersecurity system may be warranted, though not a perfect fit for
the policy concerns in play. Similarly, liability under the CFAA—while not requiring
deception or fraud—still suffers from deficits in investigatory expertise, monetary
damages provisions, and appropriate tailoring for securities market harms. In the
short term, it will likely prove difficult to nudge doctrine in a way that does not run
the risk of being severely over- or under-inclusive. In the absence of a more
systematic reform (which could be years away at best), the current status quo
(including a more developed and mature doctrine of outsider trading) may be the
most expedient—even if flawed—response to informed cyber-trading.
