Boston federal prosecutors charged 30 defendants on May 6 in an M&A insider-trading ring built around a single Yale Law-trained attorney who rotated through four AmLaw 50 firms over a decade. The audit committee question is not whether your deal leaked. It is how you would know.
On May 6, 2026, the United States Attorney's Office for the District of Massachusetts and the Securities and Exchange Commission filed parallel actions in Boston charging thirty defendants in what prosecutors describe as one of the largest M&A-driven insider-trading rings ever assembled around a single law firm insider. The central tipper is Nicolo Nourafchan, a Yale Law-trained M&A associate who, between 2013 and 2023, rotated through Sidley Austin, Latham & Watkins, Goodwin Procter, and Willkie Farr & Gallagher. The indictment identifies roughly thirty unannounced transactions whose terms moved from Nourafchan's deal teams into the trading accounts of friends, family, and an organized downstream of co-conspirators that included Robert Gershowitz and twenty-eight others.
The confirmed deals named in the public record include the Amazon-iRobot transaction. The full universe will surface as the SEC files its disgorgement schedule and the DOJ moves to forfeiture. Bloomberg's coverage of the indictment frames it as the "biggest insider-trading case in a generation by deal count." Above the Law's coverage is bluntly titled "The BigLaw Insider-Trading Scheme, Now With More BigLaw."
Willkie Farr & Gallagher issued a statement, quoted here verbatim: "a former employee is alleged to have engaged in conduct that would constitute a severe violation of our clear and well-defined compliance policies." The other three firms issued statements in the same register. Every statement is true. Every statement is also the wrong frame.
The story every outlet is running is a rogue-attorney story. The story the F500 general counsel has to brief the audit committee on is different. Four elite firms' information-barrier regimes failed simultaneously, over a decade, on a single rotating attorney. That is not a personnel problem. That is a doctrinal problem with the way information barriers actually work inside the firms F500 companies retain to handle the most material transactions of the year.
The doctrinal architecture is ABA Model Rule 1.10 (imputation of conflicts across the firm), Model Rule 1.18 (duties to prospective clients), and Model Rule 1.7 (current-client conflicts). When a firm represents Buyer in a transaction and an attorney with knowledge of that transaction moves to a firm that represents Seller, the receiving firm avoids imputed disqualification by erecting an "ethical wall" or "screen" around the lateral. The wall is supposed to do three things. Restrict the lateral's access to the conflicted matter. Prohibit any communication between the lateral and the deal team. Document the screen in writing and certify compliance to the affected client.
The doctrine is sound in the abstract. The Nourafchan facts demonstrate what it does not protect against.
A wall only restricts what the firm knows it needs to restrict. When the lateral is not on the deal team, when the deal post-dates the lateral's arrival, when the lateral has no formal access to the matter file, there is no wall because there is no triggering conflict to wall off. Nourafchan was not screened off the Amazon-iRobot transaction at any of his firms. He did not need to be. He was the deal lawyer or one node removed from the deal lawyer. He had legitimate access to the information he leaked.
The second failure is structural. The screening doctrine assumes the threat actor is the firm. It assumes the firm is the entity that might benefit from the leaked information and the entity that must therefore be walled off. The doctrine has no framework for the threat actor who is the attorney, acting against the firm, against the client, and against the public market simultaneously. Every confidentiality policy at every firm Nourafchan worked for prohibited exactly what he is alleged to have done. The prohibition did not stop the conduct. Detection would have. None of the four firms detected anything across a decade.
The Amazon-iRobot deal is the named, verifiable transaction. Amazon announced its $1.7 billion acquisition of iRobot on August 5, 2022. The deal was eventually abandoned in January 2024 after European Commission opposition, but the trading window the SEC focuses on is the run-up to the announcement.
In the days before August 5, options activity in iRobot showed the signature pattern federal prosecutors look for. Out-of-the-money call options purchased in unusual volume by accounts with no prior history of trading iRobot. Concentrated buying in short-dated expirations. Profitable closing of those positions immediately after the announcement. The SEC's complaint walks the trading log through this exact pattern and ties the accounts to the downstream of the Nourafchan ring. The Amazon-iRobot trade alone, by the SEC's pleading, generated several million dollars in illicit profit across the named accounts.
For the F500 general counsel sitting across the table from her audit committee, the Amazon-iRobot example matters for a specific reason. Amazon ran a clean process. iRobot ran a clean process. The deal teams at the relevant firms followed every protocol. The leak happened anyway. The trade is visible in the options data only in retrospect, only after federal prosecutors built a multi-year case from cooperating witnesses and trading records that no individual issuer would have had standing or capacity to assemble in real time.
The question is simple. How would you know if your deal leaked?
Walk through the honest answer. The general counsel does not see the options book. The investment banker does. The banker watches for unusual derivatives activity in the days before announcement and flags anomalies as part of standard rumor-and-leak protocol. That protocol is real. It is also blind to the kind of leak the Nourafchan ring ran. The downstream traders in the SEC complaint were not concentrated in one account or one venue. They were geographically dispersed, used multiple brokers, traded varying expirations, and laundered the signal through enough noise that no single banker's leak-monitoring desk would have caught the pattern.
The general counsel does not see the SEC's market-surveillance feeds. The exchanges do. The exchanges report unusual activity to FINRA and the SEC. The issuer learns about the surveillance only if and when prosecutors bring a case, which in the Nourafchan facts was years after the leak.
The honest answer to the audit committee question is: you would not know. Not at announcement. Not in the quarter after. Possibly not ever, unless a federal investigation eventually surfaces your deal in a charging document.
That answer is unacceptable as a governance posture. The next section is about what to do with it.
Every F500 legal department maintains outside-counsel guidelines. The Nourafchan ring is the prompt for the next refresh cycle. Four specific provisions belong in the rewrite.
First, a firm-level breach-notification clause. Current OCGs typically require the firm to notify the client of a security incident affecting client data. The clause needs to expand. Specifically: "Outside Counsel shall notify Client in writing within seventy-two hours of any internal investigation, governmental subpoena, or regulatory inquiry concerning the alleged misuse of material non-public information by any current or former attorney, paralegal, or staff member who had access to Client matters within the preceding ten years." That language is not in most OCGs today. The Nourafchan facts say it has to be.
Second, periodic conflicts and barrier audits. The OCG should require the firm to certify, annually, that its conflicts database and information-barrier protocols have been audited by an independent function within the firm, and to deliver a one-page summary of the audit findings to the client's general counsel. Annual frequency. Independent function. Written summary. None of those are standard today.
Third, panel rotation for sensitive matters. The largest M&A clients of the four named firms had multi-year roster relationships that made it possible for a rotating attorney to maintain ten years of access across the deal universe. Rotation of panel firms on a deal-by-deal basis for transactions above a defined materiality threshold breaks the cross-firm aggregation that the Nourafchan facts exploited. The materiality threshold is the client's call. The rotation principle should not be.
Fourth, explicit market-abuse cooperation rights with disclosure. The OCG should require the firm, upon receipt of a subpoena, civil investigative demand, or formal regulatory inquiry concerning trading activity in a Client transaction, to disclose the existence of that inquiry to Client within a defined window and to cooperate with any independent forensic review Client commissions. This provision will be negotiated. It should still be drafted into the first ask.
The closing argument is a question. What is the actual half-life of an information barrier when a single attorney has cross-firm access?
The Nourafchan facts answer it. The barrier holds within the four corners of a single matter at a single firm. It does not hold across firms. It does not hold across time. It does not hold against the threat actor the doctrine was never designed to address: the deal lawyer with legitimate access to the matter, acting against the firm and against the client in pursuit of personal trading profit.
The audit committee briefing on this story, the one the F500 general counsel will be asked to deliver in the next quarterly cycle, has to make one specific pivot. Cross-firm attorney rotation, which the doctrine treats as the cure for imputed conflicts, is now also a diligence trigger. When the firm pitching your next material transaction has lateraled in an M&A attorney from a competitor in the past twenty-four months, that fact belongs on the engagement-decision checklist alongside billing rate and bench depth. It is not disqualifying. It is diligence-relevant.
The four firms named in the indictment are not bad firms. They are the firms F500 clients hire precisely because the bench is deep and the cross-pollination is constant. The same feature that makes the bench valuable is the feature the Nourafchan ring exploited. There is no version of this story where you fix it by hiring less prestigious firms. The fix is in the contract terms, the audit rights, and the rotation protocols that bind the prestigious firms you are going to hire anyway.
The half-life of an information barrier is shorter than the ten-year cross-firm window the indictment describes. The audit committee is going to ask how short. The right answer is not a number. The right answer is the contract amendment that makes the number knowable.