Making money – serious money – from a cyber breach is nothing new. Cyber-attacks are yielding record revenues for organised crime, and business is booming.
But what if you could profit with without the usual extortion, theft, cryptocurrencies – or even without hurting a real victim. Is it possible? And if so, does it happen?
The answer is yes, and it involves hackers, occasionally insiders, and the stock market.
Cyber attacks and the stock market
It’s fairly well known that a cyber attack can trigger a fall in stock price. The reputational damage, loss of revenue, fines and potential lawsuits can quickly spook investors. As such, studies of compromised companies find average stock losses of 2% within the first seven days of breach notification. While 2% may sound small, it can represent a loss (or an opportunity, dependent on your perspective) of millions – or even billions – in a short space of time. Other studies believe the losses are larger, averaging 7% – and in some individual companies it has been much more. However, the amount doesn’t actually matter that much… what does matter is that the losses are predictable.
How to make money
There are two main windows in which to profit:
- You’re a hacker and you take a financial bet against your victim, so that you profit from a fall in stock price. Your window to take this position runs from your initial compromise, right through to the breach being publicly announced.
- You work for the victim company and take a financial bet against your employer once the breach is discovered, but before any announcements are made to the market.
So, fun theory: we should add financial literacy to the list of hackers’ already enviable abilities. But if they – and insiders – are actually making money, then how does it work?
There’s two common approaches – short selling is one, and the other involves buying a financial instrument called a ‘put option’. If you’re already familiar, feel free to skip this section
‘Short selling’ explained: Adam borrows a stock from Ben, and sells it immediately to Charlotte for its market value (say $100). Adam still owes Ben the stock, and buys it at a later date when its market value has fallen to $90, gives it to Ben, and pockets $10 profit.
‘Put options’ explained: You buy the right to sell a stock in future at a pre-determined price. If the stock is $100, then you might decide to buy the right (for a small initial premium) to sell at a later date for say $97. The value of your option increases as the stock price decreases below the $97 mark – which can easily happen if your cyber-attack carries enough impact.
Unlike short-selling, put options limit your exposure if the stock price rises. However, the initial premium can negate much of your potential profit should the price fall as predicted.
So now we know what to do if we think a company stock is going to fall. But is it that simple, can a hacker or an insider start making these transactions?
Staying in the shadows
In recent years, stringent Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements have been put in place in an attempt to ensure transparency. If there’s the merest whiff of crime syndicate behind a transaction, the institution making the trade ought to walk away. However, there are well known bypasses around these checks. Strategies include using a broker, hidden networks, or simply using someone else to make the trade.
Furthermore, to avoid getting caught it can make sense to ‘hide’ your victim among several other stock transactions, or even gain exposure through highly correlated stocks that always rise and fall together. It’s counterintuitive, but betting against Pepsi if your victim is actually Coca-Cola could give you the exposure you need, such is the link between the two firms’ share price.
So does it really happen?
Let’s recap the scenario – you’re a hacker who has breached a publicly listed company and you have the potential to cause carnage. As well as stealing data or holding the business to ransom – you fancy yourself as a more of a white-collar cyber-criminal. So, you short-sell your victim and wait for the profits to roll in.
The big question – does it actually happen? The answer is yes – recent research from both Columbia Law School and Iowa State University found significant trading abnormalities for hacked companies before a breach announcement, with both short selling and put options being deployed to make a profit.
Indeed, there appear to be two windows of abnormality, one around nine months before a breach announcement – which is believed to be linked to the criminals carrying out the cyber attack, and another three months before the announcement, when insiders in the victim company look to profit by making their own trades.
In addition to selling short and and buying put options, insiders also have the ability to sell their existing stock. A 2019 study by Spears Business School found significant evidence of opportunistic insider trading, with insiders saving an average of $35k by selling prior to a cybersecurity breach announcement.
The US Security and Exchange Commission can take a dim view of this kind of activity – indeed, Jun Ying, the former CIO of Equifax’s US division was sentenced to prison in 2019 for selling $950,000 of Equifax stock ahead of its breach announcement – saving him from $117,000 in personal losses. Despite this result, most cases go undetected and many believe the SEC regulation continues to be light in this area.
Can we point to any specific examples where we can see this happening? It’s actually hard to point to individual companies because these kinds of trades get lost in the noise of day-to-day volatility. It’s only when extrapolated across several hacked companies that the trends start to emerge. But there are those that stand out – Capital One for example had a clear and significant spike in put option volumes in the window before its breach announcement – however in the absence of data on who made these trades, we can’t draw any specific conclusion.
If one thing is certain it’s that criminals are always looking for new opportunities to make money. Indeed, evidence already points to profit being made from the stock market’s reaction to cybersecurity events. From a hackers’ perspective it’s worth looking out for breach ‘announcements’ from criminal groups – the Maze cybercrime group have been doing this recently, often with no evidence of actual compromise, while the REvil group continue to spin the headlines to ensure their victims stay in the media spotlight. Could these techniques be deployed in future to influence the stock-market? From an insider perspective things are moving already – the SEC are widely expected to review ‘informed trading’ around cyber breaches – although whether detection or legislation will be workable remains unknown.
*other ways to make money from the stock market and cyber attacks include:
- Stealing market sensitive information (eg M&A data) to then inform an ‘outsider trading’ strategy (yes this happens)
- Being a hedge fund and engaging a pentest to find vulnerabilities in a med-tech company you are betting against (yes this happened too)
- Any others? Let me know in the comments
- Low cost maxalt
Links to studies
https://www.tandfonline.com/doi/full/10.1080/23322039.2019.1645584 Financial market reaction to cyber attacks
https://www.sciencedirect.com/science/article/abs/pii/S138641811930357X Insider trading ahead of cyber breach announcements
https://scholarship.law.columbia.edu/cgi/viewcontent.cgi?article=3085&context=faculty_scholarship Informed Trading and Cybersecurity Breaches
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3554487 Short Selling Surrounding Data Breach Announcements
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3478263 Informed Trading in Options Markets Surrounding Data Breaches