Call buying in FireEye spikes on August 22, 2017– the day the former Chairman of Equifax told the Lead Director about the data breach; lack of review of this trading by the Board’s Special Committee was dubious at best.

Introduction

On Monday, FTC Chairman Joseph Simons announced a settlement with Equifax that “includes at least $575 million – and up to $700 million – in monetary relief, as well as important conduct provisions” due to the company’s 2017 data breach and its lack of a quick response.

According to Commissioner Rebecca Kelly Slaughter, the majority of the payments will be compensatory, “up to $425 million in direct relief to consumers in the form of compensation for breach-related harms and extensive free credit monitoring, plus rigorous data security requirements.” This seems to be very low, less than $3 per affected person.

On Wednesday, the FTC announced a settlement with Facebook ($FB) that included an “unprecedented penalty” (italics added) of $5 billion, “the largest civil penalty by anyone anywhere ever in a privacy case.” To me, the most important aspect of the Facebook settlement was that:

“The settlement requires fundamental changes at Facebook and removes CEO Mark Zuckerberg as the company’s consumer privacy decision maker… It creates an independent committee of Facebook’s board of directors to oversee privacy decisions and requires an independent third-party assessor to evaluate the effectiveness of Facebook’s privacy program. Mark Zuckerberg also must certify every quarter that Facebook is in compliance with the new privacy program. Any false certification will be subject to civil – and criminal – penalties.”

On the other hand, in the FTC press release, Equifax is only required to undertake more standard measures such as “Designating an employee to oversee the information security program” and “Obtaining annual certifications from the Equifax board of directors or relevant subcommittee attesting that the company has complied with the order, including its information security requirements”.

I believe that future oversight at Equifax should be strengthened and go beyond the existing board at Equifax, especially given this Board’s past issues and failures! The most notable failure was the Board not being aware of the data breach and then not having a press release issued regarding the data breach until two weeks later on September 7, 2017 announcing the data breach to the public.

Recent history of the Equifax board

Prior to the May 3, 2018 Equifax annual meeting, two proxy advisory firms (CtW and ISS) called for “no” votes on reelecting certain directors. (Soon after that meeting, I released my report, “The Continuing Need for Governance Changes at Equifax – Possible Insider Trading but Not Subject to Review by Equifax Board” on Seeking Alpha. Portions of my initial report with some updates are used below.)

On April 11, 2018, CtW urged shareholders to vote against the re-election of directors John A. McKinley, Mark B. Templeton and Mark L. Feidler (currently Chairman and Lead Director at the time of the data breach last summer) at the annual meeting. Three days later, ISS recommended that shareholders vote against these three directors plus two (G. Thomas Hough and Elane B. Stock) of the three members assigned to the Special Committee that reviewed the insider trading issues. Robert D. Daleo, the third member of that Special Committee, did not run for reelection.

The primary focus behind CtW’s “no” votes was the data breach, although CtW wrote “Director McKinley, as a member of the Audit Committee, failed to provide adequate risk oversight of the company’s legal and compliance obligations, particularly with regards to its insider trading policies.”

Equifax has its insider trading policy for its employees as part of its Code of Ethics and Business Policy posted on its website (see pages 26-27), stating that employees are not allowed to trade while they have material non-public information (MNPI); this applies to trading in both Equifax securities and securities of other public companies. One has to wonder why the Board, and notably the Special Committee, took a narrower view of insider trading during the fall 2017 investigation, where they only looked at trading in Equifax securities.

Unusual options activity preceded stock price movement

As a trader who has focused on the options markets for over thirty years, I noticed unusual options trading prior to the announcement of the Equifax data breach, only this trading wasn’t in $EFX options but in the options of FireEye ($FEYE), a cybersecurity firm hired by Equifax, instead! Due to the heavy press coverage of the Equifax breach and the hearings in Congress, I had the rare opportunity to cross-reference trading data with what typically would have been internal and private Equifax matters.

Around 3:05 PM on August 22, 2017, I noticed heavy buying in the call options of FireEye. By the end of the day, 39,350 call options traded in FEYE; this was the sixth-largest daily amount of trading in FEYE calls in all of 2017. The buyers of these calls focused primarily on the $15 exercise price out to the monthly expiration of options on September 15, but also shorter-term calls expiring on August 25 (just three days later) and September 1. This options activity by the buyers amid seemingly minor news about a new product caused FEYE to increase by 3.63% from $13.77 to $14.27 that day. This option activity caused me to consider FEYE stock a “buy” at that time (August 22, 3:05 PM).

The volume of 39,350 calls was unusually heavy. It constituted the sixth-largest daily volume in FireEye calls during 2017. Two of the five larger call volume days were on the day following an earnings announcement, one was on the day of the big WannaCry ransomware story, one was on the day with news about Russian cyberattack hearings and the related cyberattack on Senator Marco Rubio’s presidential campaign, and the last was on a day when a story broke about how Symantec had once pursued FireEye as an acquisition target.

The reported news on August 22, 2017 was not significant for this day to be the day with the sixth-largest daily volume of the year in FireEye calls given the explanation above for the five days with larger activity.

In addition to the increased call volume, the 30-day implied volatility on the options increased significantly on August 22 from 32.386% to 36.921% as measured by Bloomberg, indicating aggressively bullish positioning. Implied volatility is a measure of the expected move in the underlying stock, as reflected in the price of the options. Typically, options with short expirations will not have a high implied volatility, unless a material announcement is expected before expiration. Yet the volatility of the shortest-term FireEye calls was the highest. According to Fidelity, on August 22, the closing volatility of the $15 calls for August 25 calls was 61.16%, September 1 calls was 47.97% and September 15 calls was 38.39%. This strengthens the inference that someone was expecting a large move in an extremely short period of time.

What do all of these numbers mean? In laymen's terms, it means that there was aggressive call buying, the kind where somebody knows or thinks he/she knows something special that others do not and expects the story to come out very soon.

The story behind all of these numbers became evident to me just a few weeks later on September 7, 2017, when Equifax publicly announced the data breach.

What happened to the calls that were purchased? FEYE stock did not rise to the $15 level by August 25, 2017 and the first set of calls expired worthless. The stock did not cross $15 until September 1, 2017 when the shares traded at $15.05 before closing that day at $14.89 with these calls also expiring worthless. On Friday, September 15, 2017, the stock closed at $17.34 causing these calls to have intrinsic value of $2.34 (= $17.34 - $15.00). Thus, these calls that closed at $0.31 on August 22, 2017 saw their value increase by over 650% by that September 15 expiration date! It is due to this tremendous leverage of options that information often enters the market via options rather than stock (and short-term options, in particular).

What triggered this upward movement in FEYE stock? I believe that most of the price increase was related to the announcement by Equifax of the data breach, in that September 7, 2017 press release. Although the press release did not mention Mandiant or FireEye by name, several hours later, ZD Net reported that Mandiant was hired by Equifax. A WSJ article in the October 2, 2017 edition later confirmed with detail, “On Aug. 2, Equifax contacted Mandiant, the cyber-investigative division of FireEye, Inc. to probe the breach. Mandiant was hired by Equifax’s outside counsel, and Mr. Kelley likely would have approved that decision, according to another person familiar with the matter.”

Even not counting FireEye’s 3.63% stock daily price increase on August 22, 2017, FEYE stock’s price increased by 21.51% from that August 22 close through the September 15 close. Using Bloomberg’s RV (Relative Value) screen to select a list of companies similar to FireEye for comparison purposes, the return in FEYE far exceeded the average return of 2.80% for the 16 comparable US-traded companies as selected by Bloomberg. The highest return from this group after FireEye during this period was 15.58% by Symantec.

I selected the August 22 – September 15, 2017 time range for these calculations because it started with the day of heavy FEYE call buying and ended on the September 15 expiration date.

I also selected August 22, 2017 as the start date since when former Equifax Chairman and CEO Richard Smith testified in Congressional hearings on October 2, 2017, as reported by The Wall Street Journal online that evening, Mr. Smith stated that he informed then-Lead Director Mark L. Feidler about the Data Breach and he also informed his own “direct reports” on August 22. This was the day of the suspicious trading in FireEye call options. (The reader should draw his or her own conclusions.)

While I do not know who bought the calls and there is no concrete evidence of insider trading by any Equifax (or FireEye) directors or employees in FEYE, the length of time between discovery of the breach and the reporting of the breach may have led to opportunities for insider trading. Of course, this is only secondary to the harm caused to up to 147 million individuals by the hackers who knew about the breach while the public did not.

The fact that the August 25 and September 1, 2017 calls expired worthless does not negate my thesis. One of the complaints about Equifax through the entire breach process was that the company took too long to disclose the breach. The buyers of these shorter-term calls would likely agree: they could well have believed that the information would have been disclosed earlier when they could have profited from owning these shorter-dated calls instead of seeing them expire worthless. Due to the cheaper price of these shorter-term calls, the percentage returns could have been higher than the 650% mentioned above for the September 15 calls had the breach and Mandiant’s involvement in working on it for Equifax been reported sooner.

Just because a trader loses money on a trade does not mean that he/she did not trade on inside information, obviously.

Trading issues previously reported by Equifax and the Government

When Equifax first announced the breach on September 7, 2017, the company also reported that three senior officials had sold EFX shares while the company, but not the public, was aware of the data breach. In the press release, the company stated that these three individuals had not been made aware of the data breach and that Chief Legal Officer John Kelley approved these trades that were made during Equifax’ selling window, beginning on July 28 after earnings had been released on July 26 and each of the three officers sold shares on August 1 or 2.

After the tumult, Equifax then hired WilmerHale to do a review of the trading by the senior officials for the Special Committee. When a summary report was released in early November by the company, WilmerHale had found that a fourth employee, who was also not informed of the data breach, sold Equifax shares during this period (his sale was also on August 2, 2017).

However, on March 14, 2018, the SEC and DOJ sued another Equifax employee during the time of the breach, Jun Ying, who until shortly before that date was the Chief Information Officer for the U.S. Information Solutions division, for insider trading. This cast doubt on the thoroughness of the Report of the Special Committee. The next day, Senator Elizabeth Warren sent an 11-question letter to Paulino do Rego Barros Jr., the former interim CEO, demanding answers by no later than March 29, 2018. While Senator Warren posted her letter online, I never saw the Company’s responses. (Another Equifax manager, Sudhakar Reddy Bonthu, was charged with insider trading on June 28, 2018 and plead guilty on October 16, 2018.)

The Report of the Special Committee states, “Equifax has an Insider Trading Policy applicable to all employees. Under that policy, no employee may trade in Equifax securities if he or she possesses material non-public information regarding Equifax.” (italics added)

Trading issues that should have been addressed by the Equifax Board and the Special Committee

The official Insider Trading Policy covers trading in any securities related to the MNPI held by Equifax and not just Equifax securities. While the data breach itself was material to Equifax, some examples of materiality for an outside company includes a takeover bid by Equifax for another company and, in this case, a large outside contract given to a cybersecurity company working on a project related to what CtW wrote “experts have suggested that it could be the largest and most costly data breach in corporate history.” While not all revenues went to FireEye, Equifax has disclosed that it expects to incur $275 million in breach-related costs in 2018 for a total of $439 million by year-end 2018. (This was prior to the settlement.) A thorough review of trading by the Special Committee should have included looking at issues such as trading in FireEye securities, if not initially, then after I raised this issue.

In the Methodology section of the Report, it is written, “The Special Committee reviewed over 55,000 documents, comprising emails, text messages, phone logs and other records.” While this section goes on to refer to “a targeted review of their Equifax communications, using search terms designed to identify documents concerning the incident or trading”, there was no mention of reviewing external brokerage records of senior officers and directors. That sounds an alarm bell that such reviews were either not done or produced unfavorable results that were then omitted intentionally.

This report could have been a whitewash by WilmerHale or the Equifax Special Committee could have deliberately narrowed the focus of the investigation; neither of these alternatives is acceptable. The Board should have asked for a broad investigation since, except for Former Chairman and CEO Richard Smith, no board members were made aware of the breach until August 22, 2017, the date of the unusual trading in FireEye options.

As stated above, then-Lead Director Mark L. Feidler was made aware of the data breach that very day. Other directors may also have been made aware on August 22, 2017 since Mr. Smith told Congress that by the end of that week the entire Board was aware of the Data Breach. Mr. Feidler, other board members, and direct reports of Mr. Smith may have traded in FireEye calls that day or shared that information with others that day. I don't know if this occurred, but given the happenstance of the sharing of that material non-public information on the day of unusual trading, I believe strongly that the Special Committee and WilmerHale should have looked into this. The fact that the Special Committee did not either look into this or report that it had leads to more alarm bells going off.

With all of the time-consuming (and likely expensive) work done by WilmerHale, the Board of Directors should have specifically requested all trading records of senior officers and directors from brokers and submitted them to WilmerHale for a thorough review. This is not an invasion of privacy as Registered Representatives and other staff at broker-dealers and employees at investment funds have an obligation to send copies of all outside trading account records to their firms. Under the extreme scrutiny that Equifax found itself (and still finds itself), the Special Committee should have insisted upon receiving all relevant trading information here. They could have found trading in FireEye securities or perhaps other useful data by reviewing these records. Might they have found trading in FireEye securities around August 22, 2017?

The answer to the above question about whether there was insider trading in FEYE securities does not matter as much as the fact that these questions were not raised, at least to my knowledge. The Special Committee and the Board should have investigated all trading by the Equifax staff that knew about the breach before it was made public. WilmerHale should have asked more and deeper questions than appear in the Report of the Special Committee, but apparently did not, or at least the report did not state that they did.

May 3, 2018 Voting for Board of Directors

As published in The Wall Street Journal, all board members on the ballot were re-elected. However, the three board members that received “no” recommendations from both CTW and ISS each received only 60+% positive votes despite no alternative directors being proposed and the two that only ISS objected to received roughly 80% positive votes. These numbers are significantly below the usual voting percentages for directors. Now, the FTC (and the public) is relying on this board for oversight and public protection.

Specific “yes” voting percentages are listed below:

Mark Fiedler (Chairman) 64%

John McKinley 64.6%

Mark Templeton 68.2%

G. Thomas Hough 78.8%

Elaine Stock “nearly 80%”

Conclusion

Just last month (June 2019), Jun Ying, the former Chief Information Officer of Equifax U.S. Information Solutions mentioned above “was sentenced to four months in prison to be followed by one year of supervised release, ordered to pay restitution in the amount of $117,117.61, and fined $55,000” for insider trading. The Department of Justice press release also said that “On Friday, August 25, 2017, Ying texted a co-worker that the breach they were working on ‘sounds bad. We may be the one breached.’” While not given the name of the company he was reviewing, Ying claimed that he was able to deduce that it was his own company that he was reviewing before making his trades in EFX stock.

Ironically, I am more impressed with Ying’s powers of deduction than those of the members of the Equifax board!

The Special Committee did not think to ask for trading records in all securities from those employees reviewed, did not review themselves and other directors, and did not see the connection between the date that former Chairman Smith told current Chairman Fiedler and maybe other directors about the data breach and the date of the unusual trading in FEYE calls. Additionally, either no messages were relayed from senior officers or Investor Relations [i] to the board and the board, which two proxy advisors did not have faith in during 2018, or the Special Committee did not ask. That may be the reason why the FTC, in its press release, includes a line that “the FTC encourages Equifax employees who believe the company is failing to adhere to its data security promises to email the FTC” at a special Equifax-related email address.

If that is the reason, then the FTC should be ashamed for accepting a deal with Equifax where the FTC (and the public) has to rely on this Equifax board.

Now, the public that never directly opted-in to Equifax having their private information and EFX investors have to rely on this board, of which the Special Committee did not find anyone to be involved in illegal insider trading, for oversight instead of getting a third-party independent assessor like Facebook? I wish the FTC fought for a harder deal with Equifax, one with a significantly higher cash penalty and much stronger safeguards for the future.

I hope that Judge Thrash of the U.S. District Court for the Northern District of Georgia does not approve this proposed settlement and instead seeks higher penalties, especially if he finds evidence of insider trading. It is possible that some of the people who delayed the public announcement of the data breach might have used some of that time to call their options brokers.

Since this article is being written after the news of the proposed settlement, if Judge Thrash were to not approve this settlement, the stock price might fall for this reason. Similarly, the stock could fall if news were to come about board changes at Equifax and the possible reasons behind those changes.

[i] The below is a disclosure related to my May 14, 2018 report on Seeking Alpha. I have not contacted Equifax since that report was issued.

DISCLOSURE: I attempted to contact Equifax officials in late March [2018] to work with the company to answer Senator Warren’s questions by sending an email to Mr. Paulino do Rego Barros Jr. (then-Interim Chief Executive Officer) and forwarding separate copies of this email to John J. Kelley, Chief Legal Officer and Jamil Farschi, the [then-] new Chief Information Security Officer, hired in February [2018]. I received no response to these emails.

Upon the naming of Mike Begor as the incoming CEO, I sent an email to him at his prior company and had a follow-up call and email exchange with his assistant. The response I received was “Mr. Begor is not interested in setting up a meeting at this time.”

On May 10, I sent the company a number of questions. The company responded by informing me of its insider trading policy for employees but did not respond to specific questions such as:

Has Equifax looked into whether employees and/or directors traded in FireEye (NASDAQ:FEYE) options and whether the company knows of any trading in FEYE options or other securities?

Why were no external brokerage records reviewed (or at least not mentioned in the Report)?

Did the board specifically require that the investigation exclude the trading records of senior officers?

I received the following reply:

“Equifax has an Insider Trading Policy applicable to all employees. Under that policy, no employee may trade in Equifax securities, or advise others to do so, if he or she possesses material non-public information (“MNPI”) regarding Equifax. In addition, the policy states that no employee may trade in the securities of another public company, or advise others to do so, on the basis of MNPI that such employee may have obtained as a result of his or her employment with Equifax. This policy is set forth on pages 26-27 of the Equifax Code of Ethics and Business Conduct, which is publicly-available on Equifax.com under “About Us – Corporate Governance.”

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.