Stock short-sellers may seek to profit from accusations they float about a company’s cyber security vulnerability.
RISK REPORT: TECHNOLOGY
Be Wary of ‘Bear Raiders’
Allegations of short-
selling based on cyber
security rumors create
a new vulnerability for
By Gregory DL Morris
Allegations of lax cyber security were responsible for driving down the stock price of a major medical device-maker last summer, even though data was not accessed. It is yet another cyber risk that companies need to be wary of. And even though the device-maker’s vulnerability may have been
merely rumor-mongering in an attempt to drive down the stock price, it is a
reminder that insureds must work closely with their brokers to ensure there are
no gaps between where traditional cyber cover ends, and where policies covering
directors and officers (D&O), or errors and omissions (E&O) begin.
The case involved St. Jude Medical. It isn’t the only example of possibly short-selling a stock for profit, but it became a bellwether that got everyone’s attention.
The incident occurred when a cyber security operation called MedSec, in
collaboration with a hedge fund called Muddy Waters, went public in August 2016
with allegations that pacemakers made by St. Jude Medical were vulnerable to
hacking. The company’s stock declined, to the delight of short sellers.
Within weeks of the bear raid, St. Jude Medical sued MedSec and Muddy
Waters for defamation.
“The complaint alleged that Muddy Waters sought financial gain ‘by publicly
disseminating false and unsubstantiated information’ that frightened and misled
patients,” according to the “National Law Review.”
St Jude also “took additional measures to assure patients that cyber security
was a priority. In October, St. Jude Medical announced that it had formed a
Cybersecurity Medical Advisory Board,” according to the “National Law Review.”
By the end of 2016, the Food and Drug Administration issued “final guidance
on the post-market management of medical device cybersecurity,” according
to a blog by Suzanne B. Schwartz, associate director for science and strategic
partnerships at the FDA’s Center for Devices and Radiological Health.
“The best way to combat these threats is for manufacturers to consider cyber
security throughout the total product lifecycle of a device,” Schwartz wrote.
“In other words, manufacturers should build in cyber security controls when they
design and develop the device to assure proper device performance in the face
of cyber threats, and then they should continuously monitor and address cyber
security concerns once the device is on the market and being used by patients.”
With doctors and lawyers expressing consternation about the incident,
underwriters are urging their insureds to be rigorous in the assessments of their
own cyber security, and to take advantage of the capabilities that carriers have
assembled for dealing with breaches.
“We have been talking to our clients a lot lately about the new reality of the
economy having moved mostly online and relying on networks,” said Steve
Bridges, senior vice president of cyber risk and E&O at JLT US Specialty.
“Where business goes, the bad guys follow. The instance of short-sellers
profiting from accusations they have floated about a company’s vulnerability is
just the online version of the rumors
and allegations that have gone on in
financial markets from the earliest days.”
There may be more of it now, or
it may just be the same level of bear-raiding that just moves faster and wider
over electronic media.
One pernicious new angle is a data
breach where confidential information
about business transactions are accessed,
although data is not stolen or damaged.
“We know there have been instances
where law firms have been hacked and
“Where business goes, the
bad guys follow.”
—Steve Bridges, senior vice president of cyber
risk and E&O, JLT US Specialty
• Allegations of cyber vulnerability
can hurt a company’s stock price.
• Some accusations are seen as
attempts to profit by short-selling
• Losses may fall in a gap between
cyber and conventional D&O