WASHINGTON—Wall Street traders and cyber hackers are working hand-in-glove to exploit and profit from companies’ cyber vulnerabilities, posing new challenges for regulators, according to a new research paper out of Columbia Law School.
In effect, traders and companies specializing in cyber security have coordinated options trading to profit handsomely by betting against companies’ stocks and then publicizing the technological vulnerabilities of those companies, according to a paper released in January by researchers Joshua Mitts and Eric Talley.
In 2016, investment research firm Muddy Waters Capital teamed up with hackers from MedSec, a medical device cybersecurity company, to discover and then expose vulnerabilities in the pacemakers created by St. Jude Medical and implanted in heart patients.
Muddy Waters bet against St. Jude’s stock, then profited when the firm’s announcement of the vulnerabilities caused St. Jude’s stock to tank on fear that resolving the vulnerabilities would cost St. Jude huge sums of money.
In the paper released in January—entitled “Informed Trading and Cybersecurity Breaches”—the authors said that the St. Jude hacking was just one of multiple cases of controversial investment strategies based on corporate cyber breaches.
“Not only are these guys discovering a weakness, they’re also publicizing the weakness to prove they’ve found it,” Talley said in a phone interview on Wednesday. “If you look at Muddy Waters’ initial announcement, it’s a 34-page step-by-step manual of how to hack these pacemakers. They uncover the flaw then leave out a trail of breadcrumbs which could be used by any number of people who actually do want to cause harm.”
St. Jude’s stock fell by 5 percent following Muddy Waters’ announcement, despite St. Jude claiming that the report was “false and misleading” and full of unsubstantiated statements.
“The report claimed that the battery could be depleted at a 50-foot range. This is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report,” St. Jude said in a statement.
Muddy Waters, however, defended its claims and said St. Jude was being negligent by ignoring problems with its pacemakers.
“Their agenda is to manage the perception of the market in the short term from pessimism to optimism, erode the credibility of the MWC report and present confidence in the face of specific allegations while simultaneously failing (or choosing not) to insert inarguable facts to the contrary,” Muddy Waters said in a written response at the time.
At the heart of this debate and dubious stock trading strategy is the use of put options. The authors’ analysis found that large amounts of put options were often traded just ahead of cybersecurity breach announcements.
Put options provide investors with the right, but not the obligation, to sell an underlying security at a specified price and date. Investors who own put options are betting that the underlying security’s price will drop. In this case, the investors were nearly guaranteeing the stock price would drop by disclosing damaging information about St. Jude’s pacemakers.
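As an added illustration (not from the article or from the Mitts and Talley paper), the following Python sketch shows the two pieces of the pattern described above: the payoff of a put position when the underlying stock falls, and a simple screen that flags trading days whose put volume is far above a trailing baseline. The daily volumes, strike, premium and prices are constructed for the example, and the z-score screen is an assumption chosen for illustration, not the method the researchers used.

```python
"""Illustration of put-option payoff and an unusual-put-volume screen.

Added example; the numbers below are constructed and do not describe any
real ticker, trade or announcement.
"""
from statistics import mean, pstdev

# Constructed daily put volumes (contracts) for a hypothetical stock.
# Days 0-24 are ordinary; days 25 and 26 are the two sessions before a
# hypothetical disclosure and carry a made-up spike in put buying.
DAILY_PUT_VOLUME = [
    1000, 1040, 980, 1010, 1050, 970, 1020, 990, 1030, 1000,
    1060, 950, 1010, 1040, 980, 1000, 1020, 990, 1030, 1010,
    1000, 1050, 970, 1020, 990,
    7800, 9200,
]

CONTRACT_SIZE = 100  # one listed equity option covers 100 shares


def put_payoff_per_share(strike, premium, spot):
    """Profit per share on a long put held to expiry.

    The holder may sell at `strike`; the put is worth max(strike - spot, 0),
    and the premium paid up front is a sunk cost either way.
    """
    return max(strike - spot, 0.0) - premium


def put_position_pnl(strike, premium, contracts, spot):
    """Total profit or loss on `contracts` long puts at the given spot price."""
    return contracts * CONTRACT_SIZE * put_payoff_per_share(strike, premium, spot)


def abnormal_put_days(volumes, baseline_days=20, z_threshold=3.0):
    """Flag days whose put volume is unusually high versus the trailing window.

    For each day after the first `baseline_days`, compute the mean and
    population standard deviation of the preceding `baseline_days` volumes
    and report (day_index, z_score) when the day's volume is at least
    `z_threshold` standard deviations above that mean. A zero-variance
    window cannot produce a z-score and is skipped.
    """
    flagged = []
    for i in range(baseline_days, len(volumes)):
        window = volumes[i - baseline_days:i]
        mu, sigma = mean(window), pstdev(window)
        if sigma == 0:
            continue
        z = (volumes[i] - mu) / sigma
        if z >= z_threshold:
            flagged.append((i, round(z, 2)))
    return flagged


if __name__ == "__main__":
    # Hypothetical position: 10 puts struck at 80 bought for 1.50 each,
    # closed with the stock at 76 (a 5 percent drop from 80) and at 85.
    print("P&L if stock falls to 76:", put_position_pnl(80, 1.50, 10, 76))
    print("P&L if stock rises to 85:", put_position_pnl(80, 1.50, 10, 85))
    for day, z in abnormal_put_days(DAILY_PUT_VOLUME):
        print(f"day {day}: put volume {DAILY_PUT_VOLUME[day]} (z = {z})")
```

The screen is deliberately simple: a trailing baseline makes the second spike day less extreme than the first because the first spike has already entered the window, which is why the threshold is applied to each day independently rather than to the pair.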
The legality of financial transactions like this is in question, according to some experts. The research paper called for “advanced regulatory oversight” and said that current laws were limited in the degree to which hackers and traders could be prosecuted for insider or outsider trading, even when they explicitly coordinated for the sake of stealing a company’s data.
“When MedSec hacked St. Jude, they didn’t lie about their identity or impersonate employees,” said Talley. “They weren’t insiders. They weren’t even outsiders stealing someone’s information.”
“They basically just got in through a backdoor left open unwittingly by the company, so this kind of case won’t get nabbed by securities fraud,” he added.
Short of “systematic statutory reforms”, the best way to bring charges that stick could be for the Department of Justice to rely on the investigative powers of the Securities and Exchange Commission to better develop its claims against the hackers and traders.
“The SEC is really good at uncovering difficult, technical, elaborate schemes and fraud since they have well-trained computer staff for this kind of activity,” said Talley. “Whereas the DOJ is also focused on things like drug crime and civil rights issues, so they’re more all over the place.”
Overall, Talley said that companies which fail to close their “cyber backdoors” will always bear some of the responsibility for the risk of hacking.
“If you leave your backdoor open, and someone finds it and gets in, can you really argue that’s unauthorized?” Talley asked. “The fact is that you had a lapse in protecting it.”
MedSec declined to comment.