The Ethics of Short Selling Cyber Victims
“Everyone agrees bug bounties, whereby companies pay hackers to tip them off about vulnerabilities, are a good idea. But now professional investors want to get in on the action, which raises hard questions about whether this is a clever market strategy that promotes security — or just sort of sleazy.
The issue became big news after a short-seller firm, Muddy Waters, announced this month that St. Jude’s medical devices had cyber vulnerabilities. The firm is poised to make money after St. Jude’s stock dropped over 5% on the news. According to a Bloomberg report, this triggered off a frenzy of investor interest that could kick off a new strategy that goes like this: “Find a company or industry that is adopting Internet-connected devices, check whether the gadgets are hackable, place your trades and publish the research.”
St. Jude’s is not exactly happy about being the guinea pig for this investment strategy: It is suing Muddy Waters, saying its announcement was false and defamatory. Meanwhile, the U.S. Food and Drug Administration says it is looking into the vulnerability claims (Muddy Waters told the agency about the claims before going public with them).
While the hedge fund crowd is tantalized by the idea of a new high yield investment strategy, the cyber-security community may have second thoughts. If this strategy of short-selling cyber victims catches on, will this create perverse incentives that result in longer lag times before problems are patched? Or will the specter of short sellers just provide another incentive for companies to take their security more seriously? It’s too soon to say for now, but we can expect to hear more about this in the future.”