02/26/2014 12:13 pm ET | Updated Apr 28, 2014

The Wire

On Friday the NYS attorney general's office announced that the news-release company Business Wire would stop selling direct access to corporate earnings reports. The idea is to prevent some market participants from having market moving information before others.

The issue is that some hedge funds had set up to machine-read company earnings news releases and send commensurate trade orders in as little as 50 milliseconds. And that for earnings releases that were scheduled for 4 p.m., and therefore meant to be public after the market closed, 50 milliseconds was enough time for these funds to get orders in faster than the exchange could close the stock. (This is a problem because if the market is open while the news is released unwitting investors would be picked off by those with fastest access to the information. This is why about 99 percent of companies announce their earnings while the market is closed. )

In eliminating direct access, which gave the funds an extra 200 milliseconds to execute this strategy, NYS attorney general Eric Schneiderman hopes to cut down on what he calls "insider trading 2.0." He went on to say that "traditional insider trading is small potatoes compared to these new high-speed race-rigging practices."

He is correct that direct access does bestow an advantage on those that can pay for it -- though in this case they have about half a second to capitalize on it . Enough time to take a fair amount of money out of someone else's pocket, but if the edge were to be gained for a longer period of time, the damage would be far worse.

Yet there is a situation were some could have inside information for hours and neither Schneiderman nor anyone else has addressed it publicly. In short, these earnings releases are exposed to hackers for several hours before the releases are made public -- and while the market is open. Obtaining earnings information in the middle of the trading day, hours before the rest of the market, would be worth an enormous amount of money (the average stock moves 6 percent the day of its earnings release... 6 percent a day is 1500 percent a year).

I called PR Newswire, part of the duopoly along with Business Wire that earns fees for distributing corporate news releases, and an executive there told me it was their practice to receive an earnings release from a reporting company up to several hours before the designated distribution time. Thus if the report were to be released between 4pm and 6pm (as roughly 40 percent of them are) then PRN would have it around 11 a.m.. And if that were to be snooped on in transit, or hacked while sitting in embargo at PRN, the perpetrator would have 5 hours to conduct illegal trades. If there can be significant damage done in half a second of information advantage, what could be done in 36,000 times that amount of time?

An obvious question is how safe is PRNs' holding pen? The PRN executive confirmed to me that the pen was online, but he bristled at the idea that anyone could breach their data. When I replied that Target stores probably felt the same way until someone stole 70 million credit card numbers from them he replied 'our data is perfectly secure... the SEC signs off on our security practices regularly.'

I referred him to a recent WSJ article about hacking that quoted a DOE official whose embargoed market-moving oil data has come under attack before its wider release. The official said they were no longer posting embargoed data, as there was no way to make sure someone couldn't access it early saying "As long as there is a wire connected to it, it's still at risk."

Seems sensible to me but the PRN exec scoffed that the government would know anything about security (though apparently he believes the SEC to be the exception). Never mind that I misquoted the WSJ article, and that the actual official was not with the DOE but from the Conference Board, who also has had their market-moving data come under attack. The point is no data on a connected computer is completely safe, and it would be risible if it weren't so worrisome that PRN, an entity that stands to lose virtually nothing if their data is hacked, thinks their security impenetrable. How would they even know if they were hacked?

But here's the thing -- the solution is simple and painless: Why not mandate that all earnings are to be released between 6 a.m. and 9 a.m.? Sixty percent of them already are, so it's a perfectly acceptable time frame to analysts and traders. And it means that PRN and Business Wire won't have to hold the data during market hours (it could all be transmitted to the duopoly after 4pm to be ready well before 6 a.m.). Not only does this eliminate the hacking issue, Schneiderman's milliseconds issue goes away too.

Who loses in this arrangement? Nobody. Why would above-board market participant care if the announcement were at 6 a.m. instead of 4 pm (or 5 pm or 6 pm) the day before? The announcement still happens after the close of one day and before the open of another. And why would the company announcing the earnings care? And why would the duopoly of PRN or Business Wire care? They will still get paid to distribute whether it be 4 pm or 9.00 a.m. or any time in between. The only ones that care are law abiding investors and those that seek to fleece them.