Chicago partner Jim Lundy, co-leader of the firm’s White Collar Defense and Investigations team and the firm’s SEC & Regulatory Enforcement Defense practice, provides an end-of-year update on Reg BI. In this blog post, Jim discusses the events that have taken place since SEC Chair Gary Gensler’s last statements on Reg BI early in 2021, including the recent speech from SEC Commissioner and former Acting Chair Allison Herren Lee and deficiency letters across the brokerage industry.
On October 26, 2021, the U.S. Securities and Exchange Commission’s Division of Examinations (Exams) issued a Risk Alert regarding mutual funds and exchange-traded funds intended to “highlight risk areas and assist funds and their advisers in developing and enhancing their compliance programs and practices” as they pertain to retail investors. This Risk Alert is the result of the registered investment companies (RIC) initiatives that were announced in a Risk Alert in November of 2018, and observations made by the staff of Exams in regard to the RIC Initiatives.
Cryptocurrencies are one of the fastest growing asset types worldwide. Cryptocurrencies, as an asset class, total over $1.5 trillion in market capitalization. With the rapid growth of this asset type, SEC Chair Gary Gensler shared his views for the SEC in this area. At a recent conference, Chair Gensler continued to broadly characterize most digital assets as “investment contracts,” placing cryptocurrencies within the scope of the SEC’s enforcement powers. During his remarks at the Aspen Security Forum on August 3, Chair Gensler stated, “many of these tokens are offered and sold as securities” because they meet the definition of an “investment contract.” As established by the U.S. Supreme Court under the “Howey Test”, investment contracts are defined as agreements in which a person invests money in a common enterprise, expecting profits based on the efforts of others. Investment vehicles that satisfy the “Howey Test” definition for investment contracts are securities that fall within the jurisdiction of the SEC.
Chair Gensler further stated that the cryptocurrency area currently “lacks the typical investor protection guardrails” and that he has asked Congress for additional authority to “prevent transactions, products and platforms from falling between regulatory cracks.” Chair Gensler’s views appear supported by the SEC’s Division of Enforcement having brought 75 enforcement actions over the last decade. However, others are not convinced that the SEC has clearly defined jurisdiction.
Robinhood, “an introducing broker-dealer that provides commission-free trading to retail customers through its website and mobile applications,” recently agreed to pay a record-setting amount of $70 million — consisting of a $57 million fine and more than $12.5 million in restitution to 2,832 customers — to resolve a myriad of FINRA rule violations dating back to 2016. While the lengthy Letter of Acceptance, Waiver, and Consent No. 2020066971201 (“AWC”) reads like a final exam in a corporate compliance and securities regulation course, there are two key takeaways that merit particular emphasis. First, an overreliance on technology without sufficient safeguards or personal verification can create substantial liability. Second, making claims about new, nontraditional products being offered directly to customers can be deceptive or misleading and in violation of FINRA Rules 3110 and 2010, if FINRA determines the communications lack sufficient disclosures.
Partners Peter Baldwin and Bob Mancuso published “Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks.” This article in the New York Law Journal discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness.
In the spirit of our previous Holiday film blogs, we present (as background research) the following Independence Day films for your (re)viewing pleasure. Both deserve renewed attention in light of:
- The SEC’s recent SolarWinds cybersecurity-related events, regarding disclosure of material weaknesses or material cybersecurity risks related to the SolarWinds compromise; and
- The re-opening of offices and recent announcements of certain businesses explaining employees should be back in the office or else.
We offer the following Independence Day Weekend themed film streaming recommendations that relate to each of the above and therefore count as background research.
Upcoming Changes to Rule 10b5-1:
The SEC is seeking to propose four key changes to executive stock trading plans under Rule 10b5-1 in October. On June 7, 2021, its Chairman, Gary Gensler, reported that the SEC is considering “freshen[ing] up Rule 10b5-1 after twenty years” to address insider trading concerns. Gensler’s comments come after a year of heightened insider trading reporting and the release of new research conducted by Stanford University and the Wharton School of the University of Pennsylvania finding that 10b5-1 plans have been used by executives to engage in “opportunistic, large-scale” sales of company stock. Gensler remarked that the current plans under Rule 10b5-1 have led to a “real crack in our insider trading regime,” which he seeks to address in the upcoming months.
As publicly reported late last week, the Securities and Exchange Commission’s Division of Enforcement (SEC) sent voluntary requests for information to a range of public companies and investment firms seeking voluntary disclosure of information related to last year’s SolarWinds cyberattack. Specifically, the SEC is seeking information related to whether the companies and firms were exposed to the SolarWinds cyberattack and any remedial measures the companies and firms implemented in response.
SolarWinds, an IT, network, and systems software developer, disclosed in a filing with the SEC in December 2020 that a cyberattack had infiltrated its Orion monitoring product, which could allow the attacker to compromise the server on which the Orion product runs. SolarWinds disclosed that it believed that nearly 18,000 Orion customers downloaded the product containing the vulnerability and that it had notified all 33,000 users of the product that a cyberattack had taken place. The SolarWinds cyberattack was unprecedented in its scope and sophistication—including compromising nine U.S. federal agencies—leading the United States and other governments to blame the attack on an outside nation state actor.