Cybersecurity has become a significant concern in corporate and commercial settings, and for good reason: a threatened or realized cybersecurity breach can materially affect firm value for capital investors. This paper explores whether market arbitrageurs appear systematically to exploit advance knowledge of such vulnerabilities. We make use of a novel data set tracking cybersecurity breach announcements among public companies to study trading patterns in the derivatives market preceding the announcement of a breach. Using a matched sample of unaffected control firms, we find significant trading abnormalities for hacked targets, measured in terms of both open interest and volume. Our results are robust to several alternative matching techniques, as well as to both cross-sectional and longitudinal identification strategies. All told, our findings appear strongly consistent with the proposition that arbitrageurs can and do obtain early notice of impending breach disclosures, and that they are able to profit from such information. Normatively, we argue that the efficiency implications of cybersecurity trading are distinct — and generally more concerning — than those posed by garden-variety information trading within securities markets. Notwithstanding these idiosyncratic concerns, however, both securities fraud and computer fraud in their current form appear poorly adapted to address such concerns, and both would require nontrivial re-imagining to meet the challenge (even approximately).
Joshua Mitts & Eric L. Talley,
Informed Trading and Cybersecurity Breaches,
Harvard Business Law Review, Vol. 8, 2018; Columbia Law and Economics Working Paper No. 580
Available at: https://scholarship.law.columbia.edu/faculty_scholarship/2084