SHORT SELLING Shorting, reporting and profiting in the era of cyber security Recent short seller collaborations with security researchers demonstrate a new trend in the evolving short seller strategy of publishing harmful information about a company and profiting from the drop in stock price. This new trend involves a public disclosure of information about a material cyber security vulnerability in a target company’s products or IT systems. This disclosure of information often results in an immediate drop in the target company’s stock price. Short sellers stand to gain millions from these e f orts in a matter of minutes with potentially lasting financial impact on targeted companies. Todd S. McClelland and Frances P. Forte of Jones Day explore the implications of this trend, and discuss mitigation approaches for those businesses that could be a f ected by such strategies. The trend described in the introduction, reached between the security researcher the company, using both public and non- however, is only a slight evolution and a short seller. The short seller public information collected from various of similar short seller strategies we or security researcher publishes the sources, alleging, among other things, have been observing for some time. researcher’s findings, and the short seller that Quindell’s CEO spent £12 million More recently, short sellers have been and security researcher share in the to build a country club and further that engaging in ‘doxing’ by exploiting profits as the company’s stock price falls. Quindell’s shares were uninvestable until the wealth of information that is Perhaps the most public example of this the identified concerns in the Gotham readily available about companies model reported to date involves St. Jude Report were fully addressed ⁵ . The and individuals over the internet, Medical, Inc. (‘St. Jude Medical’) and an information cited in the Gotham Report including social media. Normally, doxing investment report released by Muddy was alleged to have been sourced involves researching and compiling Waters Capital LLC (‘Muddy Waters’), from a vast array of sources such as the personally identifiable or sensitive discussed at greater length below. company’s corporate filings and other information about a specific person public documents, and also social media or company and then using it with The purpose of this article is to explore sources such as LinkedIn and Twitter. malicious intent. For example, during this emerging short seller model and the Ferguson protests, the hacker- provide practical considerations for Immediately following release of the activist group Anonymous began companies potentially in the cross- Gotham Report, Quindell’s share price releasing the identities and personal hairs of these short seller and security dropped almost 50% ⁶ . Given this information of Ku Klux Klan members ¹ . researcher collaborations. This significant financial impact, nothing article begins with a discussion of the suggests that short sellers will soon Methods for doxing companies Quindell example to provide further abandon the strategy employed by are becoming more sophisticated. background on the origins of this trend. Gotham. With the increasingly large Professional researchers have started We then discuss the events involving amount of open source, personal and using open source and other internet- St. Jude Medical, and the impact an embarrassing information available based data to e fg ectively manipulate a investment report on cyber security on the internet, we should expect target company’s overall stock price. If vulnerabilities had on the company. that doxing-like strategies will be researchers and short sellers collaborate We conclude with a discussion of around for the foreseeable future. to short a target company’s stock by e fg orts providers of IoT products and publishing a report with potentially others can proactively pursue to St. Jude Medical, Inc. damaging information about the mitigate these and related risks ² . On 25 August 2016, the investment company, they stand to realise significant research firm Muddy Waters announced profits if the company’s stock drops. Quindell PLC it would be heavily shorting St. Jude Quindell, a London-based publicly Medical, a global medical device The advancement of this doxing traded company, saw its value plummet manufacturer ⁷ . Muddy Water’s investment trend into the cyber security space from about £2.4 billion to £1.5 billion in report (the ‘MW Report’) stated is capturing the attention of internet- a single day after a research company, that St. Jude Medical’s implantable based technology providers, especially Gotham City Research LLC (‘Gotham’), cardioverter defibrillators (‘ICDs’), cardiac providers of so called ‘Internet of Things’ tweeted and released a report (the resynchronisation therapy implantable (‘IoT’) products. In this emerging model, ‘Gotham Report’) regarding Quindell’s cardioverter defibrillators (‘CRT-Ds’), a security researcher finds a vulnerability financial status and other financial and pacemakers should be recalled a fg ecting an IoT product. Rather than concerns ³ . The Gotham Report began by and remediated because they have share the discovery with the product’s calling Quindell “[a] country club built on significant security vulnerabilities that provider, a financial arrangement is quicksand ⁴ .” It dove into the financials of could be easily exploited by hackers ⁸ . CYBER SECURITY PRACTITIONER 4
Recommend
More recommend
