Compliance Conversations — Episode 11

The Invisible Insider: When Vendor Access Triggers Securities Fraud

For CCOs, Procurement Teams, Vendor Management, IT Leadership, and Third-Party Service Providers

An NDA buried in an 18-page vendor agreement is not a polite confidentiality promise. It is a federal securities law tripwire. The moment a vendor employee logs into a public company’s system with credentials governed by that NDA, they become a de facto insider — carrying the same federal obligations as the company’s own executives.

Alex Reyes is a senior technical support specialist at a 32-person clinical trial software vendor. On a Tuesday morning, he logs into a client’s system to fix a routine database synchronization error — the kind of task he performs several times a week.

While testing the sync, an automated FDA gateway notification inadvertently populates on his screen: FDA NDA Approved — Submission BNX-4471 — Effective Today.

The client is BioNovex Therapeutics, a publicly traded biotech company whose primary pipeline asset — a novel oncology drug — has been in Phase III trials for three years. Their stock is trading at $24 a share. Alex knows this single drug is essentially their entire pipeline. Once this news goes public, the stock will rocket 40 to 80 percent.

Alex did not break into anyone’s system. He did not seek out the information. He was fixing a database sync error and the information found him. What happens next turns a routine Tuesday morning into a federal case involving four people across two organizations.

It’s like calling a plumber to fix a leak under your kitchen sink. While they’re down there with a wrench, they accidentally knock over a loose brick and stumble upon the blueprints to your company’s vault. The plumber didn’t come looking for the blueprints. But suddenly they have the keys to the castle.

Four People. Four Decision Points. One Chain Reaction.

This episode is unique in the Compliance Conversations series because the compliance failure cascades across four distinct individuals, each facing a different decision moment with different pressures and different correct actions.

Alex Reyes — Vendor IT Support Specialist

Fixing a routine database sync error when he accidentally sees an FDA approval notification on a client’s system. He calls his sister and tells her to buy the stock.

Susan Reyes — Nurse Practitioner / Alex’s Sister

A retail investor with a dormant brokerage account who receives an urgent call from her brother to buy a biotech stock immediately — with explicit instructions not to ask questions.

Rachel Chen — Chief Compliance Officer, BioNovex

The CCO at the publicly traded client company who discovers the 43-minute gap between Alex’s data access and Susan’s trade — and must decide whether to disclose proactively or wait.

Marcus Webb — CEO, Clinical Trial Software Vendor

The CEO of Alex’s employer — a 32-person software company whose MSA created federal securities obligations for every employee touching public company data. He never trained them on it.

The Legal Mechanism: How an NDA Creates a Federal Insider

Alex does not work for BioNovex. He has no employment contract with them. He does not own their stock. He is not an executive, a board member, or a registered insider. So how can the SEC treat him the same way they would treat a corrupt CEO?

The answer is the misappropriation theory, established by the Supreme Court in United States v. O’Hagan (1997). Trading on material nonpublic information is securities fraud if the information was misappropriated in breach of a duty of trust — regardless of whether you work for the company whose stock you traded.

The duty of trust does not come from an employment relationship. It comes from the paperwork.

Twelve months before this Tuesday morning, Alex’s software company and BioNovex signed an 18-page master service agreement. Buried inside those pages is a standard three-paragraph nondisclosure agreement. That NDA is the legal bridge. It creates the duty of trust. The second Alex logs in with his vendor credentials, the NDA makes him a de facto insider.

Under the EU Market Abuse Regulation Article 8, the framework is even broader. The prohibition applies to anyone who possesses inside information and knows or ought to know that it is inside information — regardless of whether an NDA created a specific fiduciary duty. In a globalized data environment, Alex’s accidental discovery is a legal landmine across multiple jurisdictions.

Marcus Webb signed that MSA twelve months ago. He read the scope of work. He negotiated the payment terms. He viewed the NDA as a shield for trade secrets — not a securities compliance instrument. Neither Marcus nor anyone on his legal team flagged it as an SEC trigger. The moment he signed it, he bound every employee touching that account to a federal duty of trust. He never trained them on it.

The 43-Minute Gap: From Accidental Access to Federal Conspiracy

Alex does not report the accidental access. Instead, he steps into the parking lot and calls his sister Susan. He tells her to buy BioNovex stock immediately. He explicitly says: “Don’t ask questions.”

Susan logs into her dormant brokerage account and buys 800 shares at $24.20.

Alex believes he has built an impenetrable firewall — a different city, a different last name, a nurse’s dormant retail account. No connection to his IT job. The single most commonly detected insider trading pattern in SEC enforcement is a dormant or third-party family account suddenly activating to purchase stock immediately before a material announcement. Alex did not build a firewall. He built a conspiracy case.

Susan becomes liable through willful blindness. Deliberately avoiding facts to shield yourself from wrongdoing is legally treated as actual knowledge. Susan was presented with a highly unusual request — drop $20,000 into a random biotech stock and don’t ask why. She sensed the red flags. She chose not to investigate because she wanted the financial benefit without the burden of the truth. That active choice to avoid the facts establishes her liability.

By involving his sister, Alex did not just commit misappropriation. He added a federal conspiracy charge and dragged Susan in as a co-defendant.

The Digital Trail That Connects Everything

On Thursday, the FDA approval is made public. BioNovex stock rockets 73%. At BioNovex headquarters, Rachel Chen receives an automated alert from the equity monitoring service: a small retail account with no prior history in BioNovex stock purchased 800 shares on Tuesday morning.

Rachel pulls the data loss prevention system report. The DLP log shows that Alex’s vendor support session triggered a read receipt on the FDA gateway notification at 9:47 AM. The system did not simply record that he logged in. It tracked active window time, confirming the FDA notification was the foreground window. It logged keystrokes, mouse movements, and dwell time. It captured a cryptographic hash of the exact file access.

It’s not like dropping a physical ID badge at a crime scene. It’s like breaking into a house but leaving your smartphone automatically connected to the homeowner’s Bluetooth speaker. You might be physically gone, but the network remembers exactly when you were there and what you interacted with.

The DLP logged Alex’s access at 9:47 AM. Susan’s brokerage trade was timestamped exactly 43 minutes later. That gap is the digital footprint that connects the entire case.

The SEC’s Consolidated Audit Trail and advanced relational analytics do not just search for matching last names. They ingest massive metadata — geographic proximity, shared IP addresses, overlapping bank records, Venmo histories, shared cell phone towers. If Alex ever logged into his own bank account from Susan’s WiFi during a family dinner, the system knows.
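The timestamp correlation this section describes, as an added example that is not part of the original episode: it joins constructed DLP access events to constructed trade records and flags purchases in accounts with no prior history in the ticker that follow a foreground MNPI view and precede the public announcement. The record layout, the ticker symbol BNX, the account ids, the dates and the 72-hour lookahead window are assumptions.

```python
"""Correlate DLP access to MNPI with trades placed before the announcement."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DlpEvent:
    user: str
    ts: datetime
    resource: str
    mnpi: bool          # classification flag set by the DLP policy
    foreground: bool    # resource was the active window, not a background tab


@dataclass
class Trade:
    account: str
    ts: datetime
    ticker: str
    shares: int
    prior_positions: int   # earlier trades by this account in the same ticker


def correlate(events, trades, ticker, announced, window=timedelta(hours=72)):
    """Return (user, account, gap_minutes) triples an analyst should review.

    Hypothetical logic, not any vendor's product: an MNPI access in the
    foreground, followed within `window` and before the public announcement
    by a trade in an account with no prior history in the ticker.
    """
    hits = []
    for ev in events:
        if not (ev.mnpi and ev.foreground):
            continue
        for tr in trades:
            if tr.ticker != ticker or tr.prior_positions:
                continue
            if ev.ts <= tr.ts < announced and tr.ts - ev.ts <= window:
                gap = int((tr.ts - ev.ts).total_seconds() // 60)
                hits.append((ev.user, tr.account, gap))
    return hits


# Constructed sample data mirroring the episode: access at 9:47, trade 43 minutes later.
EVENTS = [
    DlpEvent("alex.reyes@vendor", datetime(2025, 1, 7, 9, 47), "fda-gateway/BNX-4471", True, True),
    DlpEvent("alex.reyes@vendor", datetime(2025, 1, 7, 9, 30), "db/sync-status", False, True),
]
TRADES = [
    Trade("acct-7781", datetime(2025, 1, 7, 10, 30), "BNX", 800, 0),   # dormant retail account
    Trade("acct-1023", datetime(2025, 1, 7, 11, 0), "BNX", 50, 12),    # long-time holder
    Trade("acct-5560", datetime(2025, 1, 10, 9, 0), "BNX", 300, 0),    # after the announcement
]
ANNOUNCED = datetime(2025, 1, 9, 8, 0)   # constructed Thursday release time

if __name__ == "__main__":
    for user, acct, gap in correlate(EVENTS, TRADES, "BNX", ANNOUNCED):
        print(f"{user} -> {acct}: trade {gap} minutes after MNPI access")
```

The `prior_positions` filter is what separates the dormant account from the long-time holder who happened to buy the same week; in practice it would be computed from the broker's position history rather than supplied by hand.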

Four Decision Points: The Right Call for Each Person

Note: for Rachel and Marcus, the correct call is Choice B — the wrong choices are A and C.

Alex — The IT Specialist

✖ Choice A — Tip his sister

Calls Susan and tells her to buy the stock, believing a family member’s dormant account in another city creates a firewall. It creates a federal conspiracy charge instead. The SEC’s algorithms are specifically designed to detect this exact pattern.

✖ Choice B — Log off and say nothing

Closes the session and pretends it didn’t happen. Silence in the face of logged DLP access looks like deliberate concealment. If discovered later, regulators assume he was looking for a way to use the information.

✔ Choice C — Document and report immediately

Closes the session, documents in writing the same day exactly what he saw and when, and reports to his company’s compliance team immediately. The written record proves he recognized the MNPI and actively chose to quarantine it.

Susan — The Tippee

✖ Choice A — Buy the stock

Executes the trade. The willful blindness doctrine applies — she was presented with an obviously suspicious request, chose not to investigate, and accepted the financial benefit. Legally equivalent to actual knowledge.

✖ Choice B — Hang up the phone

Refuses the trade and hangs up. Protects her from this specific trade but leaves Alex spiraling — likely to try the scheme with someone else, which eventually brings the investigation back to her doorstep.

✔ Choice C — Refuse, name the crime, redirect Alex

Refuses and says the exact words: “This sounds like insider trading.” Tells Alex to hang up and call his company’s compliance team immediately. Naming the crime forces the reality into the open before the damage is done.

Rachel — The CCO

✖ Choice A — Wait and monitor

Hopes it flies under the radar. Playing defense is the fastest way to turn the company into a regulatory target. If BioNovex monitors a breach and waits, it reads as a lack of good faith.

✔ Choice B — Proactive disclosure

Briefs general counsel immediately, begins formal internal investigation preserving all logs, and contacts the vendor’s legal team with the DLP evidence before the SEC initiates contact. Documented good faith response is the organization’s strongest shield.

✖ Choice C — Fire Alex quietly

Pressures the vendor to terminate Alex and hopes the problem disappears. Firing the individual without disclosure to regulators is a cover-up. It makes the organization’s legal position catastrophically worse.

Marcus — The Vendor CEO

✖ Choice A — Fire Alex and bury it

Terminates Alex, limits disclosure, claims it was one rogue employee. Every instinct to protect the company by limiting disclosure makes his legal position worse. Regulators punish the cover-up harder than the crime.

✔ Choice B — Full transparency and audit

Retains outside counsel, cooperates fully, preserves every digital record, and immediately audits every other publicly traded client account. Identifies which employees have similar access under similar NDA frameworks and deploys insider trading training to all 32 employees before another support ticket is opened.

✖ Choice C — Blame the client’s system

Argues the data exposure was BioNovex’s fault for not restricting the FDA notification from vendor view. While data segmentation may be a legitimate issue, deflecting blame does not eliminate the vendor’s NDA obligations or the fact that Marcus never trained his team.

The Supply Chain Shift: Insider Trading Training as a Contractual Requirement

This scenario reveals a systemic gap that exists in millions of non-public companies today — IT firms, consulting groups, accounting practices, clinical research organizations, and any vendor whose employees access public company data. The CEO signs the MSA, views the NDA as standard boilerplate, and never recognizes it as a securities compliance instrument.

Enterprise compliance teams are responding by making insider trading training certification mandatory for MSA renewals. If a vendor needs access to sensitive data in the production system, their employees must be certified in insider trading compliance before they access the system.

Insider trading is no longer just an internal issue for public companies. It has become a supply chain issue.

For vendor companies, this is both a compliance obligation and a competitive advantage. The vendor that can demonstrate certified insider trading training across its workforce wins the enterprise contract over the vendor that cannot. For public companies, the legal perimeter no longer ends at the physical walls — it extends to wherever the data goes.

Key Takeaways

An NDA in a vendor master service agreement is a federal securities law trigger — not a polite confidentiality agreement. It creates a duty of trust under the misappropriation theory for every employee who logs into the client’s systems under that agreement.

Under the misappropriation theory (US v. O’Hagan, 1997), you do not need to work for a public company to face insider trading liability. You only need to have misappropriated information in breach of a duty of trust.

Under EU MAR Article 8, the prohibition applies to anyone who possesses inside information and knows or ought to know it is inside information — regardless of whether a specific NDA exists.

Willful blindness — deliberately avoiding facts to shield yourself from wrongdoing — is legally treated as actual knowledge. A family member told “don’t ask questions” who executes the trade anyway has established their own liability.

Using a family member’s dormant account in another city does not create a firewall. It creates a federal conspiracy charge. The SEC specifically detects dormant third-party accounts activating before material announcements.

Modern DLP systems track active window time, keystrokes, mouse movements, and dwell time. Logging off and saying nothing is not a defense when the system has already recorded exactly what you accessed, when, and for how long.

The only protection for accidental access is immediate documented disclosure — exactly what was seen, when, reported to compliance the same day. The paper trail proves you recognized the MNPI and chose to quarantine it.

Insider trading training is becoming a supply chain requirement. Enterprise clients are making training certification a mandatory MSA condition for vendors who access production systems with potentially market-moving data.


Frequently Asked Questions

Can a vendor employee be charged with insider trading?

Yes. Under the misappropriation theory established in United States v. O’Hagan (1997), trading on material nonpublic information is securities fraud if the information was misappropriated in breach of a duty of trust. The NDA in a vendor’s master service agreement creates that duty. The vendor employee faces full insider trading liability without any employment relationship with the public company.

What is the misappropriation theory of insider trading?

The misappropriation theory holds that using MNPI for trading in breach of a duty of trust owed to the source of the information constitutes securities fraud. Unlike the classical theory requiring a fiduciary relationship with the company whose stock is traded, the misappropriation theory covers outsiders — vendors, consultants, accountants, IT providers — who gain access to MNPI through a contractual relationship like an NDA or MSA.

What is willful blindness in securities law?

Willful blindness is a doctrine under which deliberately avoiding knowledge of facts in order to maintain the appearance of innocence is treated as legally equivalent to actual knowledge. A person who receives an obviously suspicious stock tip with explicit instructions not to ask questions and proceeds to trade has established their own liability by actively choosing not to know the source of the information.

How does DLP software create an insider trading evidence trail?

Modern data loss prevention systems go far beyond simple login logs. They track which files and screens were accessed, whether the window was active or in the background, how long the user engaged with specific content, and they capture cryptographic hashes of exact file access. This creates a forensic-grade evidence trail that can prove not just that a user was logged in, but that they actively viewed specific material nonpublic information for a specific duration — making the defense of “I didn’t see it” essentially impossible.

What should a vendor employee do if they accidentally see confidential client information?

Close the session immediately. Document in writing the same day exactly what you saw, when you saw it, and that the access was accidental. Report the documentation to your company’s compliance team immediately. Do not log off and say nothing — silence in the face of logged access looks like deliberate concealment. The written record is the only thing that proves you recognized the MNPI and actively chose to quarantine it.

Why are companies requiring insider trading training from vendors?

Enterprise compliance teams are making insider trading training certification a mandatory part of vendor MSA renewals. If a vendor’s employees access production systems containing potentially market-moving data, the client company’s legal perimeter extends to that vendor. Requiring certified training is both a regulatory risk mitigation strategy and a competitive advantage for vendors seeking enterprise contracts.

How to Use This Episode in Compliance Training

This episode is designed for two audiences simultaneously: the public company that manages vendor relationships, and the vendor company whose employees access public company data. The four-character decision structure makes it effective for training at every level — the frontline employee, the family member tippee, the compliance officer who discovers the breach, and the CEO who must choose between cover-up and transparency.

The supply chain compliance argument — that insider trading training is no longer just an internal obligation but a contractual requirement for vendor relationships — makes this episode directly relevant for procurement teams, vendor management offices, and any organization evaluating third-party risk.

Ready to Train Your Team — and Your Vendors — on the Decisions That Actually Matter?

Contact Xcelus to discuss a scenario-based compliance program built around your highest-risk situations — including vendor access and insider trading training for the supply chain.


© 2005–2026 Xcelus LLC. All rights reserved.