First the Cyberattack Hits. Then the Insider Trading.

Illustration by Nick Little

Illustration by Nick Little

Researchers share their striking evidence of pre-disclosure spikes in options trading.

When companies get hacked, do their own employees and informed outsiders use that information in trading before the breach is disclosed?

The answer is yes, according to our latest research.

The Equifax case — a breach that jeopardized the personal data of up to 143 million people but went unreported for more than a month after surfacing — is a good example of how things can go south quickly. The weeks-long disclosure gap provided abundant opportunity for those in the know to take advantage of the information, and insiders did.

Using firm-level historical options trading activity from OptionMetrics, we investigated informed trading activity in equity options prior to firms’ cybersecurity breach disclosures. We found pervasive directional options activity, consistent with strategies that yield abnormal returns to investors with private information.

This research follows on our previous work showing that many firms leverage discretion on when they reveal a breach. While some sectors, such as healthcare, have strict rules around disclosure, firms in less regulated industries often take advantage of variations in reporting requirements, sometimes not releasing information for an extraordinary length of time. However, a delay in disclosing the information is sometimes a result of the companies’ trying to get a handle on the situation so that when they do make an announcement, the impact may be less, as they can show what they have done about it.

Importantly, there is a cost of disclosure, and delayed reporting of breaches creates informed trading opportunities. Firms and management that choose to disclose a breach can face fines and costly litigation, potentially risking client relationships, reducing access to financing, and increasing insurance premiums. Conversely, choosing silence means they may be able to avoid these costs altogether. If the information does eventually come out, their added risks may include some extra fees or penalties that can be insignificant compared to the total cost of litigation.

Finally, unless the company voluntarily discloses it was the source of a breach, it may be difficult to trace where it happened. This uncertain traceability creates further disincentives to disclose. For instance, Target Corp. revealed that in December 2013, hundreds of millions of sets of personal information were compromised. However, for other companies that do not make a disclosure, it may be difficult to trace the source to them, as breaches can affect more than one organization at a time.

Trading Prior to Cybersecurity Disclosures

To arrive at our conclusions, we examined public sources of data breaches from 2005 through 2018 to analyze the impact of incidents on public companies. We considered numerous aspects of the firms, including history, data breach characteristics, and other variables, to determine whether breaches are more likely to happen with larger or smaller firms, and in which types of industries.

We leveraged OptionMetrics data to analyze behavioral approaches to trading, including looking at potential strategies informed investors might use to maximize profits or minimize risk.

We looked at specific cases where investors might try to avoid large losses associated with upcoming negative news about a cybersecurity incident at their firm, and we also looked at the behavior of investors who might be aware of a breach and want to maximize their profits. To ensure that the data was randomized, we controlled for earnings announcements and other timely news activity. We also compared these behaviors to how investors might otherwise react on a daily basis.

We found pervasive directional options trading activity consistent with strategies that yield abnormal returns to investors who possess pre-disclosure breach information, supporting our hypothesis that informed trading associated with data breach announcements does happen. We found two types of options trading activity: one commonly associated with less sophisticated investors using pre-breach disclosure information to gain profits or hedge losses and another often observed among more experienced investors using more sophisticated strategies involving puts and calls.

We observed bearish call and hedging put strategies increasing prior to the official breach announcements. These effects were most significant for out-of-the-money, at-the-money, and in-the-money put options, which typically have the highest liquidity. Additionally, we found a spike in investors buying insurance against a stock crashing right before that company told the world it had been hacked. An increase in deep out-of-the-money trades indicates that informed investors expect negative news in the future. We also saw that the options trading activity before a firm’s breach disclosure was related to the negative abnormal stock returns the firm experienced after the disclosure. Thus the pre-disclosure trading activity was consistent with informed investors profiting from or buying insurance against a stock crashing right before the company told the world it had been hacked.

More informed trading is also significantly associated with lower quality compliance controls in breached firms.

The Scrutiny Effect

An overall structural shift toward greater awareness about data breaches can be observed since October 2009. Since then, increased scrutiny of breaches and greater awareness of trading around them have resulted in a decrease in informed trading before official announcements.

While during the early years cybersecurity drew less attention, we observe interest changing over time, with a sharp rise in Google queries in October 2009 that has stayed relatively high since. We attribute the increased awareness to President Obama’s promoting awareness in many of his speeches and the promotion of National Cybersecurity Awareness Month, which since 2009 has held a theme during its celebration every October. Additionally, two big data breaches happened prior to October 2009 — at Heartland Payment Systems, impacting more than 130 million accounts, and at the National Archives and Records Administration, affecting millions of U.S. military veterans — prompting people to think about security more.

Exploitation + Enforcement

Ours is among the first studies to use options trading data to analyze breach-related informed trading prior to the public disclosure of a breach event.

Unlike with short-selling in the stock market, which might gain a lot of attention, the reasons for options trades are often harder to identify and trace, and therefore may be less risky for informed traders. One might also more inexpensively leverage options positions. As such, the options market might be a good place to look to reveal negative news on breaches sooner.

Findings on the level of internal controls for reporting breaches and how they impact the likelihood of informed trading activity are also revealing. Much like with using a camera in a store to discourage theft, it appears that if regulatory controls are high, they may reduce informed trading around breaches. Conversely, if reporting requirements are low, it may be easier for someone outside of the investigation team to obtain, and trade on, information on a breach.

We hope these insights will help the Securities and Exchange Commission and other regulatory entities as they assess the need for initiatives in data-breach information handling and disclosure to reduce the likelihood of nonpublic information-based trading before official breach announcements.

Our research findings confirm the importance of having a unified legal and regulatory framework in place — and the presence of profiteers who exploit its absence.



Andy Naranjo is the John B. Hall professor of finance and the chairman of the Eugene F. Brigham Finance, Insurance, and Real Estate Department at the Warrington College of Business at the University of Florida, where he has published extensively on a range of financial assets and markets.

Svetlana Petrova is an assistant professor of finance at the University of New Hampshire’s Peter T. Paul College of Business and Economics, where her research revolves around fintech, cybersecurity, empirical investments, and behavioral finance.

For more information, see “Trading Ahead of the Disclosure: Cybersecurity Breaches and Informed Trading.”

Related