The United States Securities and Exchange Commission (SEC) said it has charged Jun Ying, former chief information officer (CIO) of a business unit of Equifax, with insider trading in connection with the massive data breach disclosed in late 2017 that put millions of customers at risk.
The SEC alleges that before Equifax’s public disclosure of the breach in September 2017, Ying exercised all of his vested Equifax stock options and then sold the shares, taking proceeds of roughly $1 million.
By selling his shares before public disclosure of the data breach, Ying avoided more than $117,000 in losses, the SEC says.
According to the SEC’s complaint, Jun Ying, who reportedly was next in line to be the company’s global CIO, allegedly used confidential information provided to him by the company to conclude that Equifax had suffered a serious breach that exposed sensitive personal information of more than 148 million U.S. customers.
The Atlanta-based company has been under fire for not explaining why it waited more than a month to warn affected customers about a risk of identity theft and fraud. Questions were also raised after four Equifax executives sold stock worth $1.8 million just prior to public disclosure of the hack. Equifax claimed that the execs had been unaware of the breach when they sold shares.
“As alleged in our complaint, Ying used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public,” said Richard R. Best, Director of the SEC’s Atlanta Regional Office. “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”
Ying has been charged with violating the antifraud provisions of the federal securities laws and seeks repayment of ill-gotten gains plus interest, penalties, and injunctive relief.
“Upon learning about Mr. Ying’s August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company’s trading policies, separated him from the company and reported our findings to government authorities,” Interim Chief Executive Officer, Paulino Do Rego Barros, Jr., said in a statement in response to the charges announced against Ying. “We are fully cooperating with the DOJ and the SEC, and will continue to do so.”
Late last month, the SEC announced updated guidance on how public companies should handle the investigation and disclosure of data breaches and other cybersecurity incidents, suggesting that executives should refrain from trading securities while in possession of non-public information regarding a significant cybersecurity incident.
The SEC itself admitted last year that it was the victim of a cyberattack in 2016 that may have allowed hackers to profit through trading on non-public information obtained from its EDGAR filing system.