Search
GBR: Children Get Online Gambling Habit
A woman looks at a casino website on July 27, 2004 in London.  Photograph by Graeme Robertson—Getty Images

The Ethics of Short Selling Cyber Victims

Sep 10, 2016

A version of this post originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.

Everyone agrees bug bounties, whereby companies pay hackers to tip them off about vulnerabilities, are a good idea. But now professional investors want to get in on the action, which raises hard questions about whether this is a clever market strategy that promotes security — or just sort of sleazy.

The issue became big news after a short-seller firm, Muddy Waters, announced this month that St. Jude's medical devices had cyber vulnerabilities. The firm is poised to make money after St. Jude's (stj) stock dropped over 5% on the news. According to a Bloomberg report, this triggered off a frenzy of investor interest that could kick off a new strategy that goes like this: "Find a company or industry that is adopting Internet-connected devices, check whether the gadgets are hackable, place your trades and publish the research."

St. Jude's is not exactly happy about being the guinea pig for this investment strategy: It is suing Muddy Waters, saying its announcement was false and defamatory. Meanwhile, the U.S. Food and Drug Administration says it is looking into the vulnerability claims (Muddy Waters told the agency about the claims before going public with them).

While the hedge fund crowd is tantalized by the idea of a new high yield investment strategy, the cyber-security community may have second thoughts. If this strategy of short-selling cyber victims catches on, will this create perverse incentives that result in longer lag times before problems are patched? Or will the specter of short sellers just provide another incentive for companies to take their security more seriously?

There is also an "ick" factor. Recall how the Pentagon, after 9/11, proposed creating a futures market to predict terrorist attacks. It was a sound idea from an economics perspective, but popular revulsion meant it was never implemented. It's likely some people will feel the same way about funds that seek to make money off cyber catastrophes.

It's too soon to say for now if the Muddy Waters model will catch on, but we can expect to hear more about this in the future.

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: http://www.djindexes.com/mdsidx/html/tandc/indexestandcs.html. S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions