On September 17, 2020, the SEC announced the imposition of a cease-and-desist order against private equity firm Welsh, Carson, Anderson & Stowe (Welsh Carson), an SEC-registered investment manager, in connection with alleged violations of reporting obligations under Section 13(d) of the Securities Exchange Act of 1934 (Exchange Act). The SEC alleged that Welsh Carson had failed to timely amend a Schedule 13D report – commonly known as a beneficial ownership statement – after its investment position changed from an intent to acquire and restructure a company to an intent to liquidate its entire position in the company. In connection with the entry of the SEC’s cease-and-desist order, Welsh Carson agreed to pay a civil penalty of $100,000.
On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the recent uptick in “credential stuffing” cyber-attacks against SEC-registered investment advisers and broker-dealers.
Credential stuffing is an automated cyber-attack on Internet-based user accounts and firm networks. Attackers obtain lists of usernames and passwords leaked in earlier breaches, typically purchased on the dark web, and then employ automated scripts that replay the compromised credentials in login attempts against other customer accounts and firm networks, relying on password reuse to gain unauthorized access. Credential stuffing has proven to be a more effective way for attackers to gain access to accounts and firm systems than traditional brute force password attacks have been. If a credential stuffing attack is successful, attackers can gain access to and control over customer assets and confidential information.
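As an added example that is not part of the original alert or OCIE’s guidance, the following Python flags the login pattern that distinguishes credential stuffing from an ordinary user’s failed logins: one source trying many distinct usernames in a short window, mostly failing, occasionally succeeding. The log format, sample lines and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): "<ISO time> <source ip> <username> <SUCCESS|FAIL>"
# 203.0.113.7 cycles through many usernames in seconds; 198.51.100.9 is one user retrying a password.
SAMPLE_LOG = """\
2020-09-15T10:00:01 203.0.113.7 alice FAIL
2020-09-15T10:00:02 203.0.113.7 bob FAIL
2020-09-15T10:00:02 203.0.113.7 carol FAIL
2020-09-15T10:00:03 203.0.113.7 dave FAIL
2020-09-15T10:00:04 203.0.113.7 erin FAIL
2020-09-15T10:00:05 203.0.113.7 frank SUCCESS
2020-09-15T10:00:06 203.0.113.7 grace FAIL
2020-09-15T10:05:00 198.51.100.9 alice FAIL
2020-09-15T10:05:30 198.51.100.9 alice FAIL
2020-09-15T10:06:00 198.51.100.9 alice SUCCESS
"""

def parse(log_text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that, within one sliding window, attempted
    at least min_users distinct usernames with a failure ratio >= min_fail_ratio.
    'compromised' lists accounts that succeeded inside such a burst (takeover candidates)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = {  # later, larger windows overwrite earlier ones
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "compromised": sorted(e[2] for e in win if e[3] == "SUCCESS"),
                }
    return findings
```

Thresholds are tuned per firm; the single-user retries from 198.51.100.9 are deliberately not flagged, which is what separates this signal from a plain failed-login count.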
The SEC, through its Office of Compliance Inspections and Examinations (“OCIE”), recently issued its most detailed cyber guidance to date. OCIE had previously issued several cybersecurity risk alerts over the past few years. This most recent release, however, offers much more than a risk alert. OCIE’s “Cybersecurity and Resiliency Observations” goes into significantly more detail than OCIE’s prior risk alerts in this area and is fashioned in a vastly different and more user-friendly format. Thus, it is required reading for SEC regulated entities because, rest assured, it will be closely followed and applied by OCIE staff conducting cyber examinations, as well as by the Division of Enforcement’s “Cyber Unit.”
Last week, the Department of Justice (“DOJ”) and the Securities & Exchange Commission (“SEC”) announced charges connected to a large-scale, international conspiracy to hack into the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and profit by trading on stolen material, non-public information. The conduct underlying these cases was one of the principal reasons that the SEC created its Division of Enforcement “Cyber Unit” to target cyber-related securities fraud violations.
In a 16-count indictment unsealed in the United States District Court for the District of New Jersey, two Ukrainian citizens, Artem Radchenko and Oleksander Ieremenko, were charged with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud. The SEC’s complaint charged nine defendants – Ieremenko, six traders in California, Ukraine, and Russia, and two entities – with antifraud violations of the federal securities laws.
The charging documents allege that Ieremenko and Radchenko hacked into the EDGAR system and stole thousands of files, including annual and quarterly earnings reports containing non-public financial information. The defendants gained access to the SEC’s networks by using a series of targeted cyberattacks, including directory traversal attacks, phishing attacks, and infecting computers with malware. The defendants extracted thousands of filings from the EDGAR system to a server they controlled in Lithuania. The defendants then profited by selling access to the stolen, confidential information and by trading on the stolen information prior to its distribution to the public. In total, the defendants and their co-conspirators are alleged to have traded before at least 157 separate earnings releases, and they generated over $4 million in illegal proceeds.
Some of the individuals charged in these cases were previously charged in connection with a similar scheme to hack into the computer systems of multiple newswire organizations and steal press releases containing financial information that had not yet been released to the public. Several of the same methods used to hack the newswire organizations were also employed to hack the EDGAR system.
The criminal and civil charges in these cases are a reminder that both DOJ and the SEC have prioritized combatting cybercrime and, in particular, network intrusions. They also serve as a stark reminder that any organization, even a U.S. government agency, can be targeted and victimized by cybercriminals. Companies and firms would be wise to examine the techniques used by the defendants in these cases and ensure that their own cyber defenses are sufficient to protect against and thwart similar attacks. For additional guidance, companies and firms can look to SEC guidance and actions issued since the creation of the SEC’s Cyber Unit.
On December 19, 2018, the United States Attorney for the Southern District of New York announced criminal charges against Central States Capital Markets, LLC (“CSCM”), a Prairie Village, Kansas-based broker-dealer. CSCM was charged with a violation of the Bank Secrecy Act (“BSA”) based on its willful failure to file a suspicious activity report (“SAR”) in connection with the illegal activities of one of its customers. The charge against CSCM represents the first criminal BSA charge ever brought against a United States-based broker-dealer.
The U.S. Attorney’s Office also announced that CSCM had entered into a deferred prosecution agreement under which it agreed to accept responsibility for its conduct, forfeit $400,000, and enhance its BSA / Anti-Money Laundering (“AML”) compliance program. If CSCM complies with the terms of the agreement, the U.S. Attorney’s Office agreed to defer prosecution for a period of two years, after which time the government will seek to dismiss the charge.
According to documents filed by the U.S. Attorney’s office, one of CSCM’s clients (the “Client”) was convicted of racketeering, wire fraud, and money laundering for his role in perpetrating a multibillion dollar payday lending scheme. In furtherance of his criminal scheme, the Client opened investment accounts at CSCM for multiple companies that he controlled and used in connection with the scheme. In connection with opening the accounts, CSCM failed to follow its written customer identification procedures. CSCM also failed to verify various statements by the Client regarding his businesses and his reasons for opening accounts at CSCM. Moreover, after opening accounts for the Client, CSCM became aware of other red flags, including the Client’s prior criminal record and an action brought against the Client by the Federal Trade Commission. Nevertheless, CSCM failed to act on these red flags and instead relied on explanations proffered by the Client. Finally, CSCM failed to appropriately monitor transactions involving the Client’s accounts. Specifically, while CSCM’s AML monitoring tool generated alerts involving the Client’s accounts, CSCM never checked the alerts. In addition, numerous suspicious transactions went undetected and unreported by CSCM.
The announcement of criminal charges against CSCM should serve as a reminder that there can be significant consequences if broker-dealers are not mindful of their BSA / AML obligations. As U.S. Attorney Geoffrey Berman stated: “Today’s charge makes clear that all actors governed by the Bank Secrecy Act – not only banks – must uphold their obligations to protect our economy from exploitation by fraudsters and thieves.”
In addition, CSCM reached a separate settlement with the U.S. Securities & Exchange Commission, which included, among other things, a censure and a requirement to hire a compliance consultant.
Deputy Attorney General Rod Rosenstein recently announced significant changes to the Department of Justice’s corporate enforcement policy regarding individual accountability, previously announced in the 2015 Yates Memo. The revised policy no longer requires companies who are the target of DOJ investigations to identify all parties involved in potential misconduct before they can be eligible to receive any cooperation credit. This alert examines the updated policy, which should provide companies with greater flexibility in conducting investigations and negotiating dispositions with DOJ in both criminal and civil cases.
The Securities and Exchange Commission (SEC) recently released a report detailing whether or not certain companies that had fallen victim to cyber-related frauds had violated the Securities Exchange Act of 1934 by failing to have proper internal accounting controls. The nine companies investigated by the SEC fell prey to fraudulent “business email compromise” schemes, which are responsible for the highest estimated out-of-pocket losses of any cyber-related crimes in the last five years. The primary question for the SEC was whether or not the companies had failed to enact compliant internal accounting controls that may have prevented such fraud.
This alert details the SEC’s finding and advice for companies in an environment where cybersecurity is increasingly complicated and essential.
The Department of Justice has established a new policy that requires its attorneys to coordinate with one another and with other enforcement authorities when imposing multiple penalties for the same conduct. This policy is likely to protect companies from unfair outcomes resulting from a lack of coordination among the DOJ and other authorities.
I authored an alert that provides an overview of the new policy and discusses the potential impact on companies affected.