The SEC in 2019: Doing More With Less

Facing a 35-day government shutdown and new restrictions on the ability to recover disgorgement, it would be perfectly understandable if the SEC’s Division of Enforcement suffered a lackluster year. Nevertheless, according to their recently released Annual Report, the Division of Enforcement defied the odds and turned in an impressive year by most metrics. The full report is available here, but we address several key aspects of the report below.

In fiscal year 2019 (which runs from October to September), the SEC reported a total of 862 enforcement actions, including 526 “standalone” actions filed in either federal court or as administrative proceedings, which was its highest number of standalone actions since 2016. The SEC also filed 210 “follow-on” proceedings seeking the barring of individuals based on actions by other authorities or regulators. This number of “follow-on” proceedings matched the prior year’s total, and was about 10% higher than the number of such actions filed in 2016 or 2017. Though the Report laments the handcuffs placed on the Enforcement Division by the Supreme Court’s ruling in Kokesh v. SEC, which tied recoverable disgorgement to the five-year statute of limitations, the SEC nevertheless secured $3.248 billion in disgorgement – a five-year high. In addition, while 2019’s $1.101 billion in penalties was more than $300 million lower than what was ordered in 2018, it nonetheless surpassed the 2017 numbers, and contributed to a total amount of money ordered paid in 2019 (between disgorgement and penalties) that represented another five-year high for the SEC. Despite these metrics revealing a very solid year for the Enforcement Division, the Report made it a point to highlight that the SEC estimates that it has had to forgo more than $1.1 billion in disgorgement in filed cases as a result of Kokesh.

The strong financial results for 2019 were buoyed by several major actions settled in 2019. Indeed, in separate actions initiated against Mylan, Fiat Chrysler, Hertz, and two other major corporations, the SEC secured more than $200 million in penalties alone. In addition, in actions over the past two years against a variety of financial institutions relating to the early release of American Depositary Receipts, the SEC actions resulted in orders for more than $425 million in disgorgement and penalties. While these large actions contributed to the substantial financial achievements of the SEC in 2019, the report noted that, in actions in which money was ordered to be paid, the median amount of such total payments rose from $362,858 last year to $554,003 this year.

The SEC’s overall numbers were undoubtedly bolstered by successful implementation and conclusion of its Share Class Selection Disclosure Initiative. The Initiative, which permitted investment advisory firms to self-report failures to disclose conflicts of interest associated with the selection of fee-paying share classes as opposed to low-fee or no-fee share classes, allowed self-reporters to obtain standardized (and relatively favorable) settlement terms. The Initiative generated settlements against 79 advisers in March 2019, and another 16 advisers settled in September 2019. In total, the 95 advisory firms agreed to return more than $135 million to affected investors.

In addition to emphasizing all of these key metrics, the Report reiterated several themes that have been hallmarks of the SEC under Chairman Clayton. At the top of the list is “protecting main street investors,” as evidenced by the Share Class Initiative mentioned above, as well as the continued operation of the SEC’s Retail Strategy Task Force as a source for both providing education and generating new investigations. The Report also highlighted the continuing emphasis that the SEC would be placing on holding individuals accountable for wrongdoing, and highlighted several cases from the past year in which C-level executives were charged in both settled and litigated fraud actions. Digital assets, cryptocurrency, and other distributed ledger technology cases also played a prominent role in the report, as the SEC acknowledged that its enforcement actions in this space “matured and expanded” over the past year. Finally, the Enforcement Division also explained that it was working diligently to accelerate the pace of its investigations. Not only would this faster pace decrease the chance of encountering Kokesh problems when seeking disgorgement, but it also helps speed the pace at which harmed individuals and investors can recover their losses.

In a year in which it lost more than a month due to the government shutdown and just recently regained the ability to hire new staff, the Enforcement Division appeared to work both harder and smarter to generate results that met or exceeded its recent historical benchmarks. Going forward, it will be interesting to see whether the SEC can replicate or improve on these results with the benefit of additional time and a more complete complement of attorneys and other professionals.

Federal Prosecutor Faces Accusations that it Used the SEC to Collect Evidence for its Criminal Investigation

In a ruling handed down on Tuesday, a Southern District of New York judge ordered the U.S. Attorney’s Office for the Southern District of New York (“USAO”) to submit a full account of their communications with the SEC after defendant Jason Rhodes accused the USAO of using the SEC to develop its criminal case against him.

Rhodes was charged with four counts, including conspiracy to commit securities fraud and wire fraud, securities fraud, wire fraud, and investment advisor fraud, in what the government alleges was an elaborate $19.6 million scheme to defraud investors. Notably, the charges against Rhodes were brought almost two years after the government charged all other co-conspirators. During that time, the SEC initiated an investigation involving Rhodes.

In a motion filed back in March of this year, Rhodes argued that the USAO may have violated his due process rights by using the SEC civil process to further its criminal investigation against him. During the SEC’s investigation, it used its investigatory authority to obtain documents from Rhodes, including communications and data from his cellphone. These documents were then turned over to the USAO and the substance of certain of those documents was subsequently included in the criminal complaint against him. Rhodes asserted in his motion that, as soon as he was arrested, the SEC stopped investigating him.

Given that timeline, the court insisted the USAO submit an affidavit outlining its relationship with the SEC regarding its civil investigation and its criminal charges against Rhodes. After one AUSA submitted an affidavit, the court held that as of now, Rhodes had not shown the government acted in bad faith. The court went on to say, however, that the submitted affidavit “d[id] nothing to advance the ball.” While the AUSA insisted that he did not request the issuance of the SEC subpoena, the affidavit was silent regarding the involvement of others in the USAO. As a result, the court ordered that the USAO submit a new affidavit “detailing, with specificity, the nature and extent of any and all communications between the SEC and those involved in the criminal investigation of Rhodes.” Only then will the court determine whether the materials should be turned over to Rhodes.

The SEC and U.S. Attorney’s Offices across the country often conduct parallel investigations, and the SEC regularly shares the information it gathers with those offices. While there is nothing to prevent the government from conducting parallel investigations, the government must act “in good faith and with the proper procedures.” See United States v. Kordel, 397 U.S. 1, 6 (1970). Indeed, the SEC warns in its “Form 1662” that it may share the information and documents produced pursuant to a subpoena (or voluntarily) with a host of other agencies, including, but not limited to, state and federal criminal authorities. It is, however, well-settled law at this point that the criminal authorities cannot direct the SEC’s investigation and that any action taken by the SEC, including subpoenas for documents, testimony and other evidence, must be supported by the SEC’s independent decision making and must be in furtherance of its investigation, not the criminal authority’s investigation. See, e.g., United States of America v. Stringer, 408 F. Supp. 2d 1083 (D. Or. 2006); United States of America v. Scrushy, 366 F. Supp. 2d 1134, 1140 (N.D. Ala. 2005).

SEC Issues Risk Alert Regarding Reg S-P, Privacy, Safeguarding, and Registrant Compliance

The SEC’s OCIE recently issued a Risk Alert focusing on compliance issues related to Regulation S-P, the primary SEC rule governing compliance practices for privacy notices and safeguard policies for investment advisers and broker-dealers. The Risk Alert summarizes the OCIE’s findings from two years’ worth of issues identified in deficiency letters to assist investment advisers and broker-dealers in adopting and implementing effective policies and procedures for safeguarding customer records and information pursuant to Regulation S-P.


The SEC Speaks . . . and Cooperation is Key

SEC Speaks, the SEC’s annual conference in Washington, D.C., often provides valuable insight into developments at the agency, as well as pronouncements about policy evolution and enforcement priorities. At this year’s conference, “cooperation” emerged as one of the themes that the SEC has been prioritizing over the past year – and is committed to prioritizing in the future. Indeed, the co-directors of the SEC’s Division of Enforcement remarked that, “cooperation is as important now as it has ever been,” and that the “full range” of remedies are available to entities that provide meaningful cooperation to the SEC. Interestingly, the staff emphasized that the SEC is making a concerted effort to use its press releases and orders to highlight the importance, components, and benefits of cooperation – all in an effort to promote earlier, more meaningful, and more widespread cooperation.


DOJ and SEC Announce Charges Connected to Hack of SEC’s EDGAR System

Last week, the Department of Justice (“DOJ”) and the Securities & Exchange Commission (“SEC”) announced charges connected to a large-scale, international conspiracy to hack into the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and profit by trading on stolen material, non-public information. The conduct underlying these cases was one of the principal reasons that the SEC created its Division of Enforcement “Cyber Unit” to target cyber-related securities fraud violations.

In a 16-count indictment unsealed in the United States District Court for the District of New Jersey, two Ukrainian citizens, Artem Radchenko and Oleksander Ieremenko, were charged with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud. The SEC’s complaint charged nine defendants – Ieremenko, six traders in California, Ukraine, and Russia, and two entities – with antifraud violations of the federal securities laws.

The charging documents allege that Ieremenko and Radchenko hacked into the EDGAR system and stole thousands of files, including annual and quarterly earnings reports containing non-public financial information. The defendants gained access to the SEC’s networks by using a series of targeted cyberattacks, including directory traversal attacks, phishing attacks, and infecting computers with malware. The defendants extracted thousands of filings from the EDGAR system to a server they controlled in Lithuania. The defendants then profited by selling access to the stolen, confidential information and by trading on the stolen information prior to its distribution to the public. In total, the defendants and their co-conspirators are alleged to have traded before at least 157 separate earnings releases, and they generated over $4 million in illegal proceeds.

Some of the individuals charged in these cases were previously charged in connection with a similar scheme to hack into the computer systems of multiple newswire organizations and steal press releases containing financial information that had not yet been released to the public. Several of the same methods used to hack the newswire organizations were also employed to hack the EDGAR system.

The criminal and civil charges in these cases are a reminder that both DOJ and the SEC have prioritized combatting cybercrime and, in particular, network intrusions. They also serve as a stark reminder that any organization, even a U.S. government agency, can be targeted and victimized by cybercriminals. Companies and firms would be wise to examine the techniques used by the defendants in these cases and ensure that their own cyber defenses are sufficient to protect against and thwart similar attacks. For additional guidance, companies and firms can look to SEC guidance and actions issued since the creation of the SEC’s Cyber Unit.

SEC and CFTC FY2018 Results: Looking Back . . . and Looking Forward

Earlier this month, the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission issued their annual reports about their Divisions of Enforcement results for fiscal year 2018. Analyzing these reports is a helpful way for us to learn from the recent historical enforcement efforts by both financial regulatory agencies. Also, both reports provide guidance about the divisions’ objectives and initiatives for the upcoming fiscal year and beyond. Below we explore and summarize the important topics covered in both reports.

The SEC issued its FY2018 Annual Report earlier this month. The last several pages categorize and list every action filed by SEC Enforcement during FY2018; this provides a useful reference tool. In addition, this report continues to evolve and provide more information than in years past. Not surprisingly, the report highlights SEC Chairman Jay Clayton’s direction to SEC Enforcement to focus on “Main Street” investors. Thus, it was no surprise to see SEC Enforcement’s Share Class Selection Disclosure Initiative touted as a success.

If focusing on Main Street is Chairman Clayton’s top priority for SEC Enforcement, then policing cyber-related misconduct is the Chairman’s priority “1B.” In its Annual Report, SEC Enforcement specifically advised:

Since the formation of the Cyber Unit at the end of FY 2017, the Division’s focus on cyber-related misconduct has steadily increased. In FY 2018, the Commission brought 20 standalone cases, including those cases involving ICOs and digital assets. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing. Thanks to the work of the Unit and other staff focusing on these issues, in FY 2018 the SEC’s enforcement efforts impacted a number of areas where the federal securities laws intersect with cyber issues (emphasis added).

Regarding SEC Enforcement’s results, while the SEC seemingly tried to temper the increased results from last year and asked readers to avoid focusing on quantitative results, one thing that has become clear during Chairman Clayton’s tenure is that he has apparently not slowed down SEC Enforcement. Regarding the quantitative results, the SEC brought a diverse mix of 821 enforcement actions, including 490 standalone actions, and returned $794 million to harmed investors. A significant number of the SEC’s standalone cases concerned investment advisory issues, securities offerings, and issuer reporting/accounting and auditing, collectively comprising approximately 63 percent of the overall number of standalone actions. The SEC also continued to bring actions relating to market manipulation, insider trading, and broker-dealer misconduct, with each comprising approximately 10 percent of the overall number of standalone actions, as well as other areas. The agency also obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.

The report also outlined the five core principles that serve to guide SEC Enforcement’s work. From here, we garner a glimpse into their focus and efforts going forward. These principles are:

  • Focus on the Main Street investor;
  • Focus on individual accountability;
  • Keep pace with technological change;
  • Impose remedies that most effectively further enforcement goals; and
  • Constantly assess the allocation of resources.

In concluding our discussion of the SEC Enforcement’s efforts and looking forward, with the continuing focus on the advisory and brokerage industries, we should expect SEC Enforcement to continue to focus its efforts and resources on the investment advisers and broker-dealers who serve Main Street.

Before turning to the CFTC, it is worth noting that both the SEC and the CFTC highlight the increased use of specialized proprietary tools they have developed to review data and bring enforcement actions. The SEC specifically stated that it “has continued to leverage its own technology to accomplish its enforcement goals.” These goals include using proprietary tools to conduct data analysis to identify and pursue a wide variety of misconduct, including insider trading, “cherry-picking” schemes, and the sale of unsuitable investment products or programs to retail investors. The CFTC highlighted its realignment of the Market Surveillance Unit, moving it from the Division of Market Oversight to the Division of Enforcement. Building and utilizing sophisticated analytical tools, the Market Surveillance Unit reviews data for instances of fraud, manipulation, and disruption. Moving the unit to the Division of Enforcement “reflects the data-centric approach the Division pursued during the last Fiscal Year, and expects to continue going forward.” Thus, the SEC and the CFTC will continue to increasingly employ sophisticated data analytics to pursue their enforcement objectives.

Turning to CFTC Enforcement, much like the SEC, CFTC Enforcement now provides much greater detail in its FY2018 Annual Report than in previous editions. Similar to the SEC’s results, quantitatively, CFTC Enforcement’s efforts in FY 2018 reflect significant increases. The number of enforcement actions filed increased year over year from 49 to 83 and monetary sanctions also increased from $413 million to $950 million. CFTC Enforcement explained in the report a number of key initiatives started or continued during FY 2018, including cooperation and self-reporting, the use of data analytics, and the development of a set of specialized task forces focused on four substantive areas — spoofing and manipulative trading, virtual currency, insider trading and protection of confidential information, and the Bank Secrecy Act.

Regarding the “Spoofing and Manipulative Trading” task force, the CFTC Enforcement Director provided additional information on this task force in a speech the day before the release of the FY2018 Annual Report:

Spoofing and Manipulative Trading: A little more than a decade ago, our markets moved from in-person trading in the pit, to computer-based trading in an electronic order book. The advent of the electronic order book brought with it significant benefits to our markets—it increased information available, reduced friction in trading, and significantly enhanced the price discovery process. But at the same time, this technological development has presented new opportunities for bad actors. Just as the electronic order book increases information available to traders, it creates the possibility that false information injected into the order book could trick them into trading to benefit a bad actor.

Efforts to manipulate the electronic order book—which can include spoofing—are particularly pernicious examples of bad actors seeking to gain an unlawful advantage through the abuse of technology. These efforts to manipulate the order book, if left unchecked, drive traders away from our markets, reducing the liquidity needed for these markets to flourish. And this misconduct harms businesses, large and small, that use our markets to hedge their risks in order to provide the stable prices that all Americans enjoy. The Spoofing Task Force works to preserve the integrity of these markets.

The CFTC’s efforts to detect market manipulation generally and spoofing in particular, however, were not limited to the creation of a task force. The FY2018 report identified 83 total actions filed, 26 (approximately 31 percent) of which were manipulation-based. This was a number second only to retail fraud (30 actions filed). While supervision is not discussed specifically as an initiative or a particular priority, CFTC Enforcement’s FY2018 Annual Report also identified 6 “Supervision” cases. Here is the breakdown by category:

From this table, it is a little unclear how the CFTC’s spoofing supervision cases were categorized and quantified in its FY2018 Annual Report. Regardless, based on the increased focus on supervision in this area— as previously reported—we can expect CFTC Enforcement to continue to investigate and bring charges for spoofing and related supervisory violations well into the future.

Finally, the CFTC Enforcement’s FY2018 Annual Report emphasizes its efforts to significantly ramp up its “coordination with our law enforcement and regulatory partners—in particular the criminal authorities.” These efforts included the announcement of the parallel actions involving spoofing and manipulative conduct filed together with the Department of Justice in January 2018. In those filings, the Commission charged three financial institutions and six individuals with manipulative conduct and spoofing. While the early 2018 joint filing was significant, the Commission’s coordination with criminal authorities was not limited to this filing. Joint filings with criminal counterparts were up significantly and may signal more to come:

ALJ Deals Blow to SEC’s Fraud Case Against Hedge Fund Manager

An SEC administrative law judge recently rejected some of the SEC’s fraud charges against hedge fund manager RD Legal Capital, LLC and its owner Roni Dersovitz (“Respondents”) by finding that the SEC did not prove that Respondents made certain material misrepresentations and failed to establish that other alleged material misrepresentations were made with scienter. In the Matter of RD Legal Capital, LLC, and Roni Dersovitz, File No. 3-17342, Initial Decision (Oct. 15, 2018). While ALJ Jason S. Patil did conclude that Respondents were liable for negligence-based fraud violations, his rulings with respect to the scienter-based charges and the drastically-reduced penalties he ordered were largely a defeat for the SEC.

Background

In July 2016, the SEC instituted proceedings alleging, among other things, that Respondents defrauded investors by misrepresenting the types of legal receivables in which two funds managed by RD Legal Capital invested. Id. at 2. In particular, the SEC alleged that Respondents violated the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934 by representing that the legal receivables invested in by two of their hedge funds all arose out of binding settlement agreements or judgments and therefore posed no litigation risk, when in fact four categories of legal receivable investments “involved matters that had not settled or reached final judgment at the time of the investments, or . . . were purchased from entities other than law firms.” Id. at 9. Those four categories were: (1) “purchases of attorneys’ and plaintiffs’ receivables arising from the 1983 Beirut barracks bombing” (the “Peterson receivables”); (2) “receivables of attorney Daniel Osborn” (the “ONJ receivables”); (3) “receivables of Barry Cohen” (the “Cohen receivables”); and (4) “receivables arising out of the 2010 oil spill in the Gulf of Mexico” (the “Deepwater Horizon receivables”).

In challenging Respondents’ representations to investors, the SEC specifically focused on the statements made in Respondents’ offering memoranda, marketing materials, investor-directed materials (such as Respondents’ website), and Form ADVs, as well as their conversations with investors. However, Respondents argued “that they were permitted under the offering memoranda,” which contained “flexibility provisions,” “to make the investments challenged by the Division and, to the extent that other written or oral statements to investors were contradicted by the clear language in the offering memoranda, the terms of the offering memoranda control.” Id. at 59.

Respondents’ Representations

In deciding whether Respondents made material misrepresentations, Judge Patil found that he “should begin with consideration of the terms of the offering memoranda.” Id. He agreed with the SEC that those documents “gave investors the distinct impression that the Funds were invested exclusively in legal receivables from cases that were resolved by settlement, an agreement between parties, or, in some instances a judgment against a debtor—with little to no litigation risk,” and that “no offering memorandum ever advised a reader that the Funds had ever purchased a legal fee arising out of anything other than a settlement or judgment.” Id. at 59-60. Judge Patil also found that these impressions were reinforced by some of Respondents’ marketing materials and “[o]ther oral and written representations.” Id. at 62. Nevertheless, he determined that these statements were materially inaccurate only as a result of the ONJ and Cohen receivables, which presented a “different class of risks associated with contingent litigation-based receivables,” id. at 78, and found “that the Division failed to establish by a preponderance of the evidence that the statements were materially false or misleading with respect to the Peterson and Deepwater Horizon” receivables. Id. at 63.

Regarding the Deepwater Horizon receivables, Judge Patil held that “the opportunity was consistent with one of the emerging opportunities the Fund manager could reasonably take advantage of under the terms of the offering memoranda’s flexibility provision,” because, while the monies associated with these receivables were not advanced to attorneys, the settlement in that matter authorized “non-attorney representatives . . . to file claims against a settlement fund,” thus making them “something of a surrogate for law firms for purposes of the settlement process,” and otherwise, “the investments were . . . substantially similar to the core investments of the Funds.” Id. at 65-66. With respect to the Peterson receivables, which were “[t]he focus of the Division’s case,” id. at 70, Judge Patil concluded that “[n]either the Division nor Respondents have convinced me,” and because the Division “bears the burden of proof or persuasion . . . the Division has not proved by a preponderance of the evidence that Respondents’ misrepresentations were material with respect to Peterson.” Id. at 78.

Respondents’ Intent

Next, Judge Patil found that, while Respondents made material misstatements concerning the ONJ and Cohen receivables, those misstatements were not made with scienter. Specifically, he reasoned that the following factors “rebut[] the allegation of scienter”: (1) Respondents’ provision of “quarterly ‘Independent Accountant’s Report[s] On Applying Agreed-Upon Procedures,’ which included detailed information concerning troubled assets . . . including the ONJ and Cohen investments;” (2) Respondents’ provision of “annual audited financial statements that identified the Funds’ top concentration of investments by payor;” (3) the hosting on Respondents’ website of documents “pertinent to the Funds, including the offering memoranda, subscription documents, financial statements, AUPs, and investor communications;” (4) the availability of “a detailed collection of information with respect to the legal receivables agreements;” and (5) the absence of a “policy or practice of denying or providing false information.” Id. at 80-82. In short, Judge Patil found that there was no “intent to deceive because Respondents did not attempt to hide the investments.” Id. at 81. Furthermore, he determined that Respondents’ conduct “did not rise to the level of extreme recklessness,” because, while “the most troubling misstatements were the express disclaimers of litigation risk in the” due diligence questionnaires, those questionnaires are “marketing materials, which investors should treat skeptically,” and “the misstatements were in answer to a question about the Funds’ strategy,” which Respondents testified did not include the ONJ and Cohen receivables, as they were “one-off workouts of other, strategy-compliant positions that had gone wrong.” Id. at 87. As a result of these findings, the SEC’s most serious claims—those under Section 10(b) and Rule 10b-5 of the Exchange Act and Section 17(a)(1) of the Securities Act—were dismissed.

However, while Judge Patil recognized that “the Division focused most of its efforts on supporting its claims requiring scienter,” he determined that the Division “did not thereby forfeit or waive its claims based on negligence.” Id. at 84. He further found that there was “sufficient evidence in the record regarding the standard of care to conclude that Respondents did not meet that standard,” and were therefore negligent in making material misrepresentations with regard to the ONJ and Cohen receivables. Id. Specifically, he concluded “that the offering memoranda language with respect to all legal receivables arising from settlements and judgments represented an inaccuracy that is inconsistent with the reasonable care a hedge fund should take when it in fact had substantial positions in receivables based on pending litigation.” Id. at 86-87. As a result, Respondents were found liable under Sections 17(a)(2) and 17(a)(3) of the Securities Act.

Penalties

Because he determined that Respondents did not act with scienter and it was shown that Respondents were not unjustly enriched and that most investors actually profited from their investments, Judge Patil found that only half of the maximum per-violation civil penalties were warranted. He based the penalties assigned to Respondents on the number of documents containing “actionable misrepresentations” and concluded that RD Legal Capital and Dersovitz should be fined $575,000 and $56,250 respectively. Id. at 96-97. In doing so, he rejected the SEC’s argument that Respondents should be penalized “for each defrauded investor who testified . . . as it could be based on tactical decisions by the Division about how many witnesses to call and who was available to testify.” Id. at 96. Furthermore, Judge Patil determined that disgorgement was not warranted, finding that to award the disgorgement of over $56 million sought by the SEC “may trigger constitutional scrutiny.” Id. at 98. Finally, while he also entered a cease and desist order and suspended Dersovitz from the securities industry for six months and prohibited him from working for an investment company for the same time period, Judge Patil declined to enter the permanent industry bar sought by the SEC.

Conclusion

While the SEC suffered several defeats in this case, it is important to note that despite being unable to prove that the Respondents acted with scienter, the SEC was able to hold Respondents liable for negligence-based charges. Because of the SEC’s ability to bring negligence-based charges, investment advisers must be extra vigilant about their disclosures and in ensuring that their trading practices are consistent with those disclosures.

Nevertheless, ALJ Patil’s decision signals that the SEC staff cannot rely on its “home court advantage” in every case. It also demonstrates that the SEC has a significant burden in proving “scienter” under Section 10(b) and Section 17(a)(1). It is also important that ALJ Patil recognized that the lack of scienter drastically affected the financial and non-financial remedies imposed against the Respondents.

SEC Cyber Unit Brings Groundbreaking Data Breach Case

On April 24, 2018, the Securities and Exchange Commission (SEC) announced its most significant case ever filed against a respondent for one of the world’s largest data breaches. Altaba, Inc., f/d/b/a Yahoo! Inc., (“Yahoo”) settled SEC charges of violating Section 17(a)(2) and 17(a)(3) of the Securities Act of 1933 (“Securities Act”), amongst other charges, and agreed to various remedies, including a $35 million penalty.

In summary, the SEC alleged that in December of 2014 Yahoo’s information security team learned that Russian hackers stole what was referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for more than 500 million users. Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. In addition, the SEC found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.

The breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by another company. This disclosure caused a $1.3 billion fall in Yahoo’s market capitalization and a reduction in the acquisition price by $350 million.

As a result, the SEC’s order found that in Yahoo’s quarterly and annual report filings during the two-year period following the breach, the company failed to disclose the breach or its potential business impact, legal implications, and other potential ramifications. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.

In conclusion, this SEC action provides several takeaways:

– This may be one of the first, but it will not be the last data breach case by the Division of Enforcement’s Cyber Unit created in September of 2017.

– The SEC charged Yahoo with fraud, but not with Rule 30(a) of Regulation S-P of the Securities Act. Historically, the SEC used the latter statute as the primary charge for data breaches. While these fraud charges against Yahoo are more aggressive, Section 17(a)(2) and (a)(3) are non-scienter based charges.

– Notably, the SEC did not charge any individuals.

– A study of the findings in the SEC’s order coupled with the Commission Statement and Guidance on Public Company Cybersecurity Disclosures announced on February 21, 2018, provides guidance for public companies and registrant firms to consider when assessing their cybersecurity programs, controls, policies and procedures, and disclosure obligations.

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.