SEC Cyber Unit Brings Groundbreaking Data Breach Case

On April 24, 2018, the Securities and Exchange Commission (SEC) announced its most significant case ever filed against a respondent for one of the world’s largest data breaches. Albata, Inc., f/d/b/a Yahoo! Inc. (“Yahoo”), settled charges with the SEC that it violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 (“Securities Act”), amongst other charges, and agreed to various remedies, including a $35 million penalty.

In summary, the SEC alleged that in December of 2014 Yahoo’s information security team learned that Russian hackers stole what was referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for more than 500 million users. Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. In addition, the SEC found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.

The breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by another company. This disclosure caused a $1.3 billion fall in Yahoo’s market capitalization and a reduction in the acquisition price by $350 million.

The SEC’s order found that in Yahoo’s quarterly and annual report filings during the two-year period following the breach, the company failed to disclose the breach or its potential business impact, legal implications, and other potential ramifications. Finally, the SEC’s order found that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.

In conclusion, this SEC action provides several takeaways:

– This may be one of the first, but it will not be the last data breach case by the Division of Enforcement’s Cyber Unit created in September of 2017.

– The SEC charged Yahoo with fraud, but not with Rule 30(a) of Regulation S-P of the Securities Act. Historically, the SEC used the latter as the primary charge for data breaches. While these fraud charges against Yahoo are more aggressive, Sections 17(a)(2) and (a)(3) are non-scienter-based charges.

– Notably, the SEC did not charge any individuals.

– A study of the findings in the SEC’s order coupled with the Commission Statement and Guidance on Public Company Cybersecurity Disclosures announced on February 21, 2018, provides guidance for public companies and registrant firms to consider when assessing their cybersecurity programs, controls, policies and procedures, and disclosure obligations.

SEC Freezes $27 Million Related to a Blockchain/Cryptocurrency Acquisition

On April 6, 2018, the Securities and Exchange Commission (SEC) obtained a court order freezing more than $27 million in proceeds from alleged illegal distributions and sales of restricted shares of a public company, and charged the company, its CEO, and three other affiliated individuals. That same day, the Nasdaq Stock Market said it halted trading in the company’s stock. The SEC’s complaint alleges that shortly after the company began trading on the Nasdaq Stock Market and announced the acquisition of a purported blockchain-empowered cryptocurrency business, its stock price rose dramatically until its market capitalization exceeded $3 billion. The SEC further alleges that the CEO and the three other individual defendants then illegally sold large blocks of their restricted shares to the public while the stock price was excessively elevated and that they collectively reaped more than $27 million in profits.

By way of background, and as alleged by the SEC, the company went public late last year under a scaled-down version of a traditional initial public offering known as Reg A+. In December 2017, the company’s Class A shares began trading on the Nasdaq Stock Market. Two days later, the company announced that it had acquired the purported blockchain-empowered cryptocurrency business from another entity. The SEC alleges that one of the individual defendants held at least a 92% stake in this entity. The SEC further alleges that, notwithstanding that this acquired business had no ascertainable value, the company’s stock price rose excessively and quickly after said acquisition. Specifically, by December 18, 2017, the company’s stock price rose to a high of $142.82 per share, an increase of nearly 550% from the prior day’s closing price and about 2,670% above the company’s closing price on its first day of trading just several days earlier.

This action serves as yet another example of the SEC’s heightened and aggressive focus in this area. As we discussed previously on this blog, one of the focus areas for the SEC’s Cyber Unit that was created just last September is “Violations involving distributed ledger technology and initial coin offerings.” More recently, the financial press reported that the SEC had launched a “sweep” in this area by serving subpoenas and information requests on technology companies and investment management firms and brokers doing business in the virtual currency markets.

Returning to the SEC’s $27 million freeze action here, the SEC alleged only registration offering violations against the defendants. This may not be the last of the charges, however, as the SEC described this as a “continuing investigation” in its press release.

SEC Share Class Selection Disclosure Initiative to Encourage Self-Reporting

On February 12, 2018, the U.S. Securities and Exchange Commission (SEC) announced a “Share Class Selection Disclosure Initiative” (“SCSD Initiative”), led by the Asset Management Unit of the Division of Enforcement (“Enforcement”). To encourage self-reporting and participation in the SCSD Initiative, Enforcement advises in the release that it “will agree not to recommend financial penalties against investment advisers who self-report violations of the federal securities laws relating to certain mutual fund share class selection issues and promptly return money to harmed clients.” Enforcement also warns that it “expects to recommend stronger sanctions in any future actions against investment advisers that engaged in the misconduct but failed to take advantage of this initiative.”

The deadline for self-reporting is June 12, 2018. Firms contacted by Enforcement before the announcement regarding possible violations related to their failures to disclose the conflicts of interest associated with mutual fund share class selection are not eligible for the program. Firms that are subject to pending SEC examinations, but that have not been contacted by Enforcement, will be eligible. Importantly, Enforcement specifically offers no assurances with respect to the potential liability of involved individuals.

Below we summarize the SCSD Initiative, explore the direct and indirect messages being sent by the SEC, and provide practical strategic guidance for affected firms to consider.

Initial Strategies – What to Do

By way of background, the SEC has long been focused on Rule 12b-1 fees paid by a mutual fund on an ongoing basis for shareholder services, distribution, and marketing expenses. As with any fee, 12b-1 fees have the potential to reduce a client’s returns. In recent years, the SEC has brought several enforcement actions against investment advisers, finding that they failed to disclose conflicts associated with the receipt of 12b-1 fees for investing client funds in a 12b-1 fee-paying share class when a lower-cost share class was available for the same fund.

Which firms should consider the SCSD Initiative? Investment advisers that did not explicitly disclose in applicable Forms ADV (i.e., brochure(s) and brochure supplements) the conflict of interest associated with the 12b-1 fees the firm, its affiliates, or its supervised persons received for investing advisory clients in a fund’s 12b-1 fee share class when a lower-cost share class was available for the same fund. Enforcement provides more specific guidance as follows:

A “Self-Reporting Adviser” is an adviser that received 12b-1 fees in connection with recommending, purchasing, or holding 12b-1 fee paying share classes for its advisory clients when a lower-cost share class of the same fund was available to those clients, and failed to disclose explicitly in its Form ADV the conflicts of interest associated with the receipt of such fees. The investment adviser “received” 12b-1 fees if (1) it directly received the fees, (2) its supervised persons received the fees, or (3) its affiliated broker-dealer (or its registered representatives) received the fees. To have been sufficient, the disclosures must have clearly described the conflicts of interest associated with (1) making investment decisions in light of the receipt of the 12b-1 fees, and (2) selecting the more expensive 12b-1 fee paying share class when a lower-cost share class was available for the same fund.

Evaluating and assessing these factors for purposes of determining whether to self-report pursuant to the SCSD Initiative will be resource-intensive and will likely involve analyzing complex legal, factual and reputational issues. Thus, firms should first consult with in-house or outside counsel. One of the benefits of involving counsel at the start – and throughout – is that it allows for the application of the attorney work product doctrine and attorney-client privilege. As a reminder, the majority of the cases interpreting these privileges have not extended them to compliance officers performing their duties as part of a firm’s compliance operations. Thus, involving in-house or outside counsel is necessary to claim privilege. The firm can ultimately decide to waive privilege if it elects to self-report. However, for the firms that conduct this evaluation and assessment and then elect not to self-report, preserving the attorney-client and attorney work product privileges will allow firms to protect their work from discovery by regulators or third parties.

With the oversight of counsel, the firm should consider developing and implementing a project plan, due to the anticipated resource-intensive nature of what will be required. The project plan should involve analyzing whether the firm failed to disclose conflicts of interest associated with the receipt of 12b-1 fees by the adviser, its affiliates, or its supervised persons for investing advisory clients in a 12b-1 fee-paying share class when a lower-cost share class of the same mutual fund was available for the advisory clients. More specifically, this involves conducting detailed analyses of each fund, fund class, the 12b-1 fees associated with the share classes, and all of the related disclosures.

Settlement Terms – What You Need to Know

Enforcement uses the description “favorable settlement terms” in its announcement, in order to entice participation. Firms, however, need to understand that self-reporting under the SCSD Initiative will undoubtedly result in a settled enforcement action, and that the terms will include the SEC’s typical terms, with the exception of a civil penalty. Firms should also consider the nature of the charges and their potential impacts, as discussed below.

Terms may include a cease-and-desist order and a censure, likely along with an SEC release touting the settlement as a successful result of the SCSD Initiative. Settlement terms will include full disgorgement by the investment adviser of its ill-gotten gains and prejudgment interest thereon. It is not clear from the announcement how Enforcement will calculate disgorgement, but it will likely be based on the 12b-1 fees received. The firm will also need to agree to a self-administered distribution to its affected clients, thereby assuming all of the internal or external costs associated with such a distribution. Lastly, the settlement will either include an acknowledgment that the adviser has voluntarily taken the following steps (if completed before the order is instituted), or order that within 30 days of instituting the order, the eligible adviser:

  • Review and correct as necessary the relevant disclosure documents.
  • Evaluate whether existing clients should be moved to a lower-cost share class and move clients as necessary.
  • Evaluate, update (if necessary), and review for the effectiveness of its implementation policies and procedures to ensure that they are reasonably designed to prevent violations in connection with the adviser’s disclosures regarding mutual fund share class selection.
  • Notify clients of the settlement terms in a clear and conspicuous fashion (this notification requirement applies to all affected clients).
  • Provide the Commission staff, no later than 10 days after completion, with a compliance certification regarding the applicable undertakings by the investment adviser.

The charges in the settlement order would be considered non-scienter and negligence-based, but the plain statutory language reads much harsher. The statutes under which a Self-Reporting Adviser will be settling for the violative conduct are Section 206(2) and Section 207 of the Investment Advisers Act of 1940 (“Advisers Act”). Section 206(2) prohibits an investment adviser, directly or indirectly, from engaging “in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client,” and imposes a fiduciary duty on investment advisers to act for their clients’ benefit, including an affirmative duty of utmost good faith and full disclosure of all material facts. Section 207 of the Advisers Act makes it “unlawful for any person willfully to make any untrue statement of a material fact in any registration application or report filed with the Commission . . . or willfully to omit to state in any such application or report any material fact which is required to be stated therein.” Thus, based on the plain language of these statutes, these are by no means technical-type violations. Firms need to consider their exposure to reputational harm and other collateral damage. Moreover, a Self-Reporting Adviser will have to disclose the institution and resolution of the charges in its Form ADV, as well as in response to requests for proposals and certain other information requests.

Finally, for those Self-Reporting Advisers participating in the SCSD Initiative, Enforcement will likely expect them to disclose information and produce evidence with respect to employees who were involved with the sale of 12b-1 class shares to clients, as well as those involved in the Self-Reporting Adviser’s disclosure of conflicts of interest. Accordingly, as advisers navigate their way through the process of determining whether it is in their best interest to participate in the SCSD Initiative, they should also be sensitive to the possibility that certain employees may need separate representation due to potential conflicts of interest that may arise.

Conclusion

The decision to self-report and participate in the SCSD Initiative deserves serious consideration, but there is no one-size-fits-all approach. As discussed, the decision-making process will be resource-intensive and involve complex and high-stakes legal, factual and reputational decisions, so firms should work closely with counsel. That said, here are five key takeaways for firms to consider:

  • Engage with in-house or outside counsel at the start for the attorney-work product doctrine and attorney-client privilege to apply, subject to waiver by the firm if the determination is made to self-report.
  • A project plan should be developed and implemented under the oversight of in-house or outside counsel to evaluate and assess whether the firm’s practices and disclosures warrant consideration of self-reporting pursuant to the SCSD Initiative.
  • Firms need to understand that, while avoiding a civil penalty, the settlement terms will include a cease-and-desist order and a censure; disgorgement, prejudgment interest, and the accompanying internal or external distribution costs; and the detailed undertakings discussed above.
  • Firms also should recognize that settling to charges under Section 206(2) and Section 207 of the Advisers Act presents reputational risks that need to be weighed, and collateral consequences that need to be considered.
  • Lastly, firms that determine that they qualify as Self-Reporting Advisers should heed the SEC’s warnings and self-report, or they will potentially expose themselves to the SEC pursuing significant monetary penalties and possible additional charges and remedies.

Supreme Court Unanimously Holds that Whistleblowers Must First Report to the SEC Before Being Afforded Dodd-Frank Anti-Retaliation Protections

In a 9-0 opinion issued on Wednesday, February 21, in Digital Realty Trust v. Somers (2018), the Supreme Court resolved a circuit split by holding that Dodd-Frank’s anti-retaliation provision does not apply to an individual, like Somers, who reported a violation of the securities law internally at his company but did not report the violation to the SEC.

As we have previously written, this case came to the Supreme Court from the Ninth Circuit, which had affirmed the District Court’s holding that Section 78u-6(h), Dodd-Frank’s anti-retaliation provision, did not necessitate reporting a potential violation to the SEC before gaining “whistleblower” status. Somers v. Digital Realty Trust Inc., 850 F.3d 1045 (9th Cir. 2016). The Fifth Circuit had previously come to the opposite holding. Asadi v. G.E. Energy (USA), L.L.C., 720 F.3d 620 (5th Cir. 2013). The Supreme Court resolved this circuit split and reversed the Ninth Circuit’s holding, taking a narrow view of the “whistleblower” definition and statutory construction.

Dodd-Frank defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission, in a manner established, by rule or regulation, by the Commission.” 15 U.S.C. § 78u-6(a)(6) (emphasis added). Somers and the Solicitor General argued that the “whistleblower” definition applies only to Dodd-Frank’s monetary reward program for whistleblowers and does not apply to its anti-retaliation provision. Further, the SEC itself advanced this view in its Rules. See 17 C.F.R. § 240.21F-2. The rule, as well as interpretative guidance released in 2015, explained that there were two definitions of “whistleblower”: one for the reward program, which required reporting to the SEC, and one only for the anti-retaliation provision, as long as the information is provided “in a manner described in Section 21F(h)(1)(A) of the Exchange Act,” which includes internal reporting. See id.; SEC Rel. No. 34-75592. The Rule further qualified that “[t]he anti-retaliation protections apply whether or not you satisfy the requirements, procedures and conditions to qualify for an award.” 17 C.F.R. § 240.21F-2(b)(1)(iii).

The Supreme Court, however, found this argument to be at odds with the “plain” language of the statute and the purpose of this portion of Dodd-Frank—to encourage individuals to report violations to the SEC. The Supreme Court reasoned that the SEC Rule should not be accorded deference because “Congress has directly spoken” on this issue in its unambiguous language in Dodd-Frank, and concluded that the language in Dodd-Frank was explicit in its exclusive inclusion of only those individuals who report securities complaints to the SEC.

While the Supreme Court’s decision limits the scope of potential “whistleblowers” who could seek the protection of the Dodd-Frank anti-retaliation provision, the decision may have another, less positive, collateral consequence. When the SEC promulgated the whistleblower rules, it received dozens of comments suggesting that the SEC require employees to report internally before reporting potential violations to the SEC. The SEC rejected that approach, but attempted to encourage internal reporting by including, as a factor in deciding the amount of an award, whether the whistleblower first reported the potential violation internally. In light of the Supreme Court’s decision, it is more likely that employees will forgo reporting any potential violations internally and instead go straight to the SEC, so as not only to qualify for an award but also to seek the protection of the anti-retaliation provision.

SEC Announces Enforcement Division Cyber Specialty Unit

On September 25, 2017, the Securities and Exchange Commission announced the creation of an Enforcement Division “Cyber Unit” that will focus on cyber-related violative conduct. The timing of this announcement is plainly no coincidence. Just last week, SEC Chairman Jay Clayton disclosed: 1) a 2016 intrusion of the SEC’s EDGAR system due to a software vulnerability in the test filing component of the system, resulting in access to nonpublic information; and 2) the creation of a senior-level cybersecurity working group. Since the disclosure of the EDGAR breach, the financial press has reported that SEC Enforcement, the Secret Service, and the FBI have been investigating, and that Chairman Clayton asked the SEC’s Office of Inspector General to investigate. On September 26, 2017, Chairman Clayton appears before the Senate Committee on Banking, Housing, and Urban Affairs, where he will provide testimony and likely be subject to intense questioning.

Returning to the SEC’s Cyber Unit, while not specifically described as such, it appears to be created in the mold of the other Enforcement Division Specialty Units. This new unit’s mandate includes targeting cyber-related violative conduct, such as: market manipulation schemes involving false information spread through electronic and social media; hacking to obtain material nonpublic information; misuse of distributed ledger technology; misconduct perpetrated via the dark web; intrusions into retail brokerage accounts; and cyber-related threats to trading platforms and other critical market infrastructure. Consistent with this being a new specialty unit, the “Chief” is a former Co-Chief of the SEC’s Market Abuse Specialty Unit. Thus, registrants can expect the Cyber Unit to evolve much as the SEC’s other specialty units have previously. Specifically, this unit will likely: develop and expand SEC internal cyber knowledge; seek to hire external cyber experts; and dedicate its efforts and resources to this specialty area. Consistent with the evolutions of the other specialty units, the Cyber Unit will likely pursue cases that the Enforcement Division generally and historically might not have pursued, such as non-fraud violations considered more technical in nature.

While it’s ironic that the SEC announced the Cyber Unit on the heels of its recent breach, issuers and registrants should take this opportunity to self-assess and implement plans to avoid the SEC’s Cyber Unit in the future. Among various strategies, actively monitoring and assessing the SEC’s cybersecurity guidance and, in particular, the Office of Compliance Inspections and Examinations Risk Alerts, and documenting this work will support arguments of reasonable and diligent efforts. For further and more detailed guidance, look to FINRA’s February 2015 Report on Cybersecurity Practices. While FINRA’s oversight is limited to its member broker-dealer firms, this 46-page report provides plain-language guidance that any company or firm may want to consider reviewing and implementing as appropriate.

D.C. Circuit Split on Constitutionality of SEC’s Administrative Judges

We previously blogged about the D.C. Circuit’s decision in Raymond J. Lucia Cos. v. SEC, which rejected the petitioner’s constitutional challenges to the SEC’s use of administrative law judges that are not appointed by the President. Yesterday, the D.C. Circuit issued a two-sentence per curiam order denying en banc review by an equally divided court.

We noted that the panel’s original opinion was the first appellate ruling of its kind. Although the panel’s decision remains in effect because the full court did not rehear the case, the strength of that ruling is now severely undermined. As we previously reported, the Tenth Circuit has already disagreed with the D.C. Circuit’s panel and held that the SEC’s administrative law judges are subject to the Constitution’s Appointments Clause. Yesterday’s order likely sets the stage for a Supreme Court challenge.

SEC Names Co-Directors of Enforcement

Last week, the Securities and Exchange Commission (SEC) announced that Acting Enforcement Director Stephanie Avakian and former federal prosecutor Steven Peikin had been named Co-Directors of the Division of Enforcement. In making the announcement, SEC Chairman Jay Clayton advised:

There is no place for bad actors in our capital markets, particularly those that prey on investors and undermine confidence in our economy. Stephanie and Steve will aggressively police our capital markets and enforce our nation’s securities laws as Co-Directors of the Division of Enforcement. They have each demonstrated market knowledge, impeccable character, and commitment to public service, and I am confident their combined talents and experience will enable them to effectively lead the Division going forward.

Prior to being named Acting Director in December 2016, Ms. Avakian served as Enforcement’s Deputy Director since June 2014. Mr. Peikin joins the SEC for the first time from private practice. Prior to that, from 1996 to 2004, Mr. Peikin served as an Assistant U.S. Attorney in the Southern District of New York. He was Chief of the Office’s Securities and Commodities Fraud Task Force, where he supervised some of the nation’s highest profile prosecutions of accounting fraud, insider trading, market manipulation, and abuses in the foreign exchange market. As a prosecutor, Mr. Peikin also personally investigated and prosecuted a wide variety of securities, commodities, and other investment fraud schemes, as well as other crimes.

As Chairman Clayton continues to appoint the Division leadership at the SEC and establish his own agenda for the Commission as its new Chairman, these Co-Director appointments bear a strong resemblance to those of his predecessors, Chair Mary Jo White and Chair Mary Schapiro. First, in 2009, Chair Schapiro appointed a former federal prosecutor for the first time to lead the SEC’s Division of Enforcement. Second, in 2013, Chair White appointed another former federal prosecutor, Andrew Ceresney. In furtherance of the striking similarities, Chair White appointed Mr. Ceresney as a Co-Director with the then Acting Director. Mr. Ceresney eventually took over the Directorship on his own. Thus, while many forecasted that the new Commission may perhaps be friendlier to the industry, with these Co-Director appointments Chairman Clayton looks to be following the lead of his recent predecessors rather than breaking from them. Lastly, if the precedent of the only prior Co-Directorship is any indication, then at some point in the foreseeable future Mr. Peikin will be occupying the Director’s chair on his own, as Mr. Ceresney ultimately did.

Compliance and Legal Officer Guidelines to Prevent Non-Line Supervisory Liability

Chicago partner Jim Lundy and associate Carrie DeLange, members of Drinker Biddle’s SEC & Regulatory Enforcement Team, authored “Compliance and Legal Officer Guidelines to Prevent Non-Line Supervisory Liability” for the National Society of Compliance Professionals’ (NSCP) professional journal, Currents, March 2017 edition.

The article provides guidance and recommendations to compliance officers and in-house attorneys with investment management and broker-dealer firms regarding the legal background and recommended practices to avoid supervisory liability with respect to the violative conduct of business personnel. Specifically, the article examines the applicable statutes and rules, the controversial “Gutfreund Standard,” and the SEC’s more recent guidance from a Division of Trading and Markets “FAQ” and speeches. Jim and Carrie build on this information to provide recommendations for investment management and broker-dealer compliance and in-house personnel to manage satisfying their compliance obligations while dealing with the potentially problematic conduct of business personnel.

Read “Compliance and Legal Officer Guidelines to Prevent Non-Line Supervisory Liability.”