17 cases across 16 companies showed both insider stock dispositions and short interest data within days of a recorded breach date

We cross-referenced 14,959 SEC Form 4 insider transactions and 8,505 FINRA short interest records against 12,350 public breach signals covering 2020 to March 2026. The question: does anything unusual happen in the stock market around cybersecurity breaches?

Individually, each dataset produced mostly noise. Insider transactions near breach dates were overwhelmingly routine: scheduled vestings, tax-withholding sales, 10b5-1 plan executions. Short interest fluctuations near breach dates were common enough to be expected at scale. But when both signals appeared near the same breach for the same company, we found 17 cases worth examining. A few have already drawn formal regulatory attention.

This analysis identifies temporal coincidences. It does not establish causation, intent, or misconduct.

What we measured

Three data sources, 78 publicly traded companies with both breach signals and stock market data:

We flagged insider dispositions within seven days before a breach date, and short interest changes of 20% or more within 14 days before a breach date. We then separately identified cases where both an insider disposition and any short interest record appeared near the same breach date for the same company.

| Signal | Window | Matches | Companies |
|---|---|---|---|
| Insider dispositions before breach | 7 days | 72 transactions | 18 |
| Short interest spike (≥20%) before breach | 14 days | 14 records | 9 |
| Both insider disposition + short interest data near same breach | 7d + 14d | 17 cases | 16 |

Note: The dual-signal row identifies cases where both an insider disposition (within 7 days) and any FINRA short interest record (within 14 days) appeared near the same breach date. It does not require the 20% change threshold applied in row two. The two rows answer different questions: row two isolates significant short interest spikes; the dual-signal row identifies companies where both data types were present near a breach, regardless of the direction or magnitude of short interest change.

What "breach date" means in this analysis

Depending on the source, a breach date may represent a regulatory filing date, a ransomware group's public claim, an estimated attack date from a third-party tracker, or the date a breach appeared in a government database. None of these necessarily reflects when the company first became aware internally. An executive cannot trade on information they do not yet have, and a short seller cannot act on a breach that hasn't happened yet. Where known, we distinguish date types in the case studies below.

Dual-signal cases

Caesars Entertainment: 8 insider transactions + 6.6M shares short

On 17 August 2023, four Caesars C-suite officers recorded Form 4 dispositions on the same day - CEO Thomas Reeg ($1.03M), President Anthony Carano ($513K), CFO Bret Yunker ($513K), and Chief Legal Officer Edmund Quatmann ($257K). Four additional transactions followed on 18 August.

FINRA data shows 6,595,313 CZR shares short as of 15 August, down 5.25% from the prior period. The breach date in our dataset is 19 August 2023, sourced from Caesars' Washington AG breach notification filing. Caesars' SEC 8-K filed 14 September 2023 describes a social-engineering attack on an outsourced IT support vendor and states the company determined on 7 September that the attacker had acquired certain data.

Four C-suite officers transacting on the same day is consistent with a scheduled vesting event. The transactions preceded the breach date in our dataset. Short interest was declining, not rising. Caesars later paid a reported $15 million ransom.

UnitedHealth Group: insider disposition + rising short interest near the Change Healthcare breach

UnitedHealth Group EVP Erin McSweeney disposed of $597,582 in stock on 8 March 2024. That same day, UnitedHealth filed an SEC 8-K disclosing developments related to the Change Healthcare ransomware attack, which began on 21 February. FINRA data from the 29 February settlement shows 6,738,651 UNH shares short, up 6.33%.

This company has drawn formal scrutiny. Senator Elizabeth Warren and 13 House members wrote to the SEC requesting an investigation into insider trading concerns involving UnitedHealth executives. Separately, Crain's reported that the chairman and three executives sold $101.5 million in stock before a DOJ antitrust investigation became public. The breach ultimately affected an estimated 190 million Americans.

Microsoft: CEO disposition + 13.6% short interest increase before Midnight Blizzard disclosure

CEO Satya Nadella recorded a $524,359 disposition on 1 March 2024. The disposition was disclosed as pursuant to a Rule 10b5-1 trading plan adopted on 7 September 2023. Seven days later, Microsoft disclosed via SEC 8-K that Midnight Blizzard had used information from a January 2024 email breach to access source code repositories. FINRA shows 48,235,867 MSFT shares short as of 29 February, up 13.63% from the prior period.

Nadella's compensation was later reduced in connection with security incidents. The pre-planned nature of the sale under a 10b5-1 plan adopted months earlier makes this a case of temporal coincidence rather than anything suggestive of foreknowledge.

Benchmark Electronics: 2 insider transactions, 1 day before ransomware claim

On 5 December 2025, SVP/Chief HR Officer Rhonda Turner ($469K) and SVP/General Counsel Stephen Beaver ($411K) recorded dispositions. Both were disclosed as made pursuant to previously adopted Rule 10b5-1(c) plans. FINRA shows 1,475,457 BHE shares short as of 28 November, down 4.72%. The next day, the Everest ransomware group publicly claimed a breach, alleging theft of over 100,000 engineering files.

The pre-planned nature of both transactions under 10b5-1(c) plans, combined with declining short interest, makes this another case of temporal coincidence. CEO Jeff Benck's subsequent February 2026 sales were also pursuant to a pre-adopted Rule 10b5-1 plan.

CarMax: 13 insider transactions + 11M shares short

On 2 May 2025, ten CarMax executives - CEO, CFO, COO, General Counsel, and six others - recorded dispositions totalling $1,015,726. FINRA shows 11,065,164 KMX shares short as of 30 April, up 2.1%. The estimated attack date from ransomware.live was the same day. The breach was not publicly claimed until October 2025.

Ten executives transacting on the same day is consistent with a scheduled vesting event. The short interest increase was modest. This case demonstrates temporal coincidence, not suspicious activity.

Short interest spikes before breach dates

The following cases showed significant short interest changes in FINRA data within 14 days before a breach-related date in our dataset.

Prudential Financial: +286% in preferred shares

Six days before the breach date in our dataset (21 February 2024), the 15 February FINRA settlement shows unusual activity across multiple ticker classes:

| Ticker | Type | Short Interest | Change | Days to Cover |
|---|---|---|---|---|
| PRS | Preferred | 74,372 | +286.2% | 2.5 |
| PFH | Preferred | 118,745 | +52.4% | 5.6 |
| PRU | Common | 5,765,993 | -5.7% | 2.6 |

A +286% spike in preferred shares - instruments that typically see minimal short-selling activity - is unusual. The common stock showed only a modest decline. Activity concentrated in less liquid instruments near a breach date warrants attention, though it may reflect unrelated market dynamics in the preferred equity space.

HCA Healthcare: +37.7% before an 11-million-record breach

FINRA's 15 June 2023 settlement shows 3,168,589 HCA shares short, up 37.7%. The breach date in our dataset, sourced from the HHS OCR breach portal, is 29 June 2023 - 14 days after the short interest settlement. HCA's public breach notification was dated 10 July 2023. The breach affected approximately 11 million individuals.

CarGurus: +28.8% near a breach-related date

The 13 February 2026 settlement shows 5,618,771 CARG shares short, up 28.8% from 4,361,348. A breach-related date appears in our dataset on 14 February 2026. At 4.3 days to cover, this was a significant concentrated position. Public reporting on the CarGurus incident clusters around late February 2026; the date in our dataset may reflect an attacker-claimed date rather than a confirmed disclosure date.

MGM Resorts: +21.7% in the month before the Scattered Spider attack

FINRA's 15 August 2023 settlement shows 14,332,769 MGM shares short, up 21.7%. Twenty-four days later, the Scattered Spider attack shut down MGM's casino operations for over a week. MGM is a heavily shorted stock in normal conditions, and the 24-day gap is wide. The timing is included for completeness.

UK perspective: FCA names the short sellers

The UK Financial Conduct Authority publishes daily net short position data that identifies position holders - something FINRA data does not provide. Any entity holding a net short position of 0.5% or more of a company's issued share capital must be reported.

We matched 580 FCA position records against our UK entity database. Of 201 companies being shorted, 11 matched entities with breach signals in our data. Position holders shorting breached UK companies include Citadel Advisors, BlackRock, Marshall Wace, AQR Capital Management, and Two Sigma Investments.

The FCA dataset is a daily snapshot. Future analysis with archived FCA data would allow the same temporal cross-referencing we applied to FINRA.

What this means for third-party risk and compliance teams

For teams monitoring vendor risk or breach exposure across a portfolio, combining breach timelines with market signals adds context that breach filings alone do not provide:

Limitations

Method note

Breach signals: Sourced from HHS OCR breach filings, CISA KEV, SEC EDGAR 8-K filings (Item 1.05), US state AG notifications (Washington, California), and ransomware.live claim data. Total: 12,350 signals with both an entity match and a recorded date. Date range: 2020 to March 2026.

Insider transactions: SEC Form 4 filings retrieved via data.sec.gov/submissions API for 78 entities resolved to CIK identifiers via SEC company_tickers.json. Total: 14,959 transactions. Only dispositions were analysed. Dispositions include all Form 4-reported dispositions: discretionary sales, 10b5-1 plan executions, RSU vestings, and tax-withholding transactions. Where a filing disclosed a pre-existing 10b5-1 plan, this is noted in the relevant case study.

Short interest: FINRA biweekly CSV files from cdn.finra.org covering all exchange-listed securities. Each file contains approximately 21,500 rows at roughly 2MB. We filtered to 78 matched entities across 115 settlement dates (March 2021 to February 2026). Total: 8,505 entity-period records. We also downloaded 580 UK position records from the FCA's daily net short positions Excel file, matching 24 to 11 UK entities by normalised company name.

Windows: 7-day lookback for insider dispositions, 14-day for short interest (reflecting biweekly reporting cadence). Short interest spikes were defined as a 20% or greater change from the prior settlement period. The dual-signal analysis flagged companies where both an insider disposition (within 7 days) and any short interest record (within 14 days) appeared near the same breach date, without requiring the 20% change threshold.
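The windowing rules above, as an added example that is not CipherCue's own code. All tickers and records are constructed; treating the windows as inclusive of the breach day and counting only increases as spikes are assumptions.

```python
from datetime import date, timedelta

INSIDER_WINDOW = timedelta(days=7)   # lookback for Form 4 dispositions
SHORT_WINDOW = timedelta(days=14)    # lookback for FINRA settlement records
SPIKE_THRESHOLD = 20.0               # percent rise from the prior settlement

# Constructed sample data (hypothetical tickers, not from the dataset).
BREACHES = [("AAA", date(2024, 3, 15)), ("BBB", date(2024, 6, 1)),
            ("CCC", date(2024, 9, 10))]
DISPOSITIONS = [("AAA", date(2024, 3, 10)), ("AAA", date(2024, 3, 20)),
                ("BBB", date(2024, 5, 20))]
SHORT_INTEREST = [  # (ticker, settlement date, shares short, prior shares short)
    ("AAA", date(2024, 3, 5), 1_050_000, 1_000_000),   # +5%
    ("BBB", date(2024, 5, 25), 650_000, 500_000),      # +30%
    ("CCC", date(2024, 8, 30), 300_000, 400_000),      # -25%
]

def in_lookback(event_day, breach_day, window):
    """True when event_day is on or before breach_day and inside the window."""
    return timedelta(0) <= breach_day - event_day <= window

def pct_change(current, prior):
    """Percent change from the prior period; None when no prior position exists."""
    return None if prior <= 0 else (current - prior) / prior * 100.0

def analyse(breaches, dispositions, short_interest):
    """Apply the three flags from the signal table to each breach record."""
    results = []
    for ticker, breach_day in breaches:
        insiders = [d for t, d in dispositions
                    if t == ticker and in_lookback(d, breach_day, INSIDER_WINDOW)]
        changes = [pct_change(cur, prior) for t, s, cur, prior in short_interest
                   if t == ticker and in_lookback(s, breach_day, SHORT_WINDOW)]
        results.append({
            "ticker": ticker,
            "insider_signal": bool(insiders),
            "short_spike": any(c is not None and c >= SPIKE_THRESHOLD
                               for c in changes),
            # Dual signal needs any short interest record, not a spike.
            "dual_signal": bool(insiders) and bool(changes),
        })
    return results

if __name__ == "__main__":
    for row in analyse(BREACHES, DISPOSITIONS, SHORT_INTEREST):
        print(row)
```

In the constructed data, AAA is a dual-signal case with no spike, and BBB shows a spike with no dual signal, which is why the two rows of the signal table count different things.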

Dataset snapshot: March 2026.

CipherCue cross-references breach disclosures, insider filings, short interest data, and entity intelligence to surface signals for security and compliance teams.

Disclaimer: This article is provided for informational and research purposes only. It does not constitute financial advice, investment advice, legal advice, or an accusation of wrongdoing against any individual or company named herein. All data was sourced from publicly available records including SEC EDGAR filings, FINRA short interest reports, and government breach notification databases. Every reasonable effort has been made to ensure accuracy, but CipherCue makes no warranty as to the completeness or correctness of the data presented. Temporal proximity between stock market activity and breach events does not imply causation, foreknowledge, or misconduct. Readers should not make investment decisions or legal judgements based on this analysis. If you believe any information in this article is inaccurate, please contact us and we will review and correct it promptly.