Category: Investment Advisers and Broker Dealers

SEC and CFTC FY2018 Results: Looking Back . . . and Looking Forward

Earlier this month, the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission issued their annual reports about their Divisions of Enforcement results for fiscal year 2018. Analyzing these reports is a helpful way for us to learn from the recent historical enforcement efforts by both financial regulatory agencies. Also, both reports provide guidance about the divisions’ objectives and initiatives for the upcoming fiscal year and beyond. Below we explore and summarize the important topics covered in both reports.

The SEC issued its FY2018 Annual Report earlier this month. The last several pages categorize and list every action filed by SEC Enforcement during FY2018; this provides a useful reference tool. In addition, this report continues to evolve and provide more information than in years past. Not surprisingly, the report highlights SEC Chairman Jay Clayton’s direction to SEC Enforcement to focus on “Main Street” investors. Thus, it was no surprise to see SEC Enforcement’s Share Class Selection Disclosure Initiative touted as a success.

If focusing on Main Street is Chairman Clayton’s top priority for SEC Enforcement, then policing cyber-related misconduct is the Chairman’s priority “1B.” In its Annual Report, SEC Enforcement specifically advised:

Since the formation of the Cyber Unit at the end of FY 2017, the Division’s focus on cyber- related misconduct has steadily increased. In FY 2018, the Commission brought 20 standalone cases, including those cases involving ICOs and digital assets. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing. Thanks to the work of the Unit and other staff focusing on these issues, in FY 2018 the SEC’s enforcement efforts impacted a number of areas where the federal securities laws intersect with cyber issues (emphasis added).

Regarding SEC Enforcement’s results, while the SEC seemingly tried to temper the increased results from last year and asked readers to avoid focusing on quantitative results, one thing that has become clear during Chairman Clayton’s tenure is that he has apparently not slowed down SEC Enforcement. Regarding the quantitative results, the SEC brought a diverse mix of 821 enforcement actions, including 490 standalone actions, and returned $794 million to harmed investors. A significant number of the SEC’s standalone cases concerned investment advisory issues, securities offerings, and issuer reporting/accounting and auditing, collectively comprising approximately 63 percent of the overall number of standalone actions. The SEC also continued to bring actions relating to market manipulation, insider trading, and broker-dealer misconduct, with each comprising approximately 10 percent of the overall number of standalone actions, as well as other areas. The agency also obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.

The report also outlined the five core principles that serve to guide SEC Enforcement’s work. From here, we garner a glimpse into their focus and efforts going forward. These principles are:

  • Focus on the Main Street investor;
  • Focus on individual accountability;
  • Keep pace with technological change;
  • Impose remedies that most effectively further enforcement goals; and
  • Constantly assess the allocation of resources.

In concluding our discussion of the SEC Enforcement’s efforts and looking forward, with the continuing focus on the advisory and brokerage industries, we should expect SEC Enforcement to continue to focus its efforts and resources on the investment advisers and broker-dealers who serve Main Street.

Before turning to the CFTC, it is worth noting that both the SEC and the CFTC highlight the increased use of specialized proprietary tools they have developed to review data and bring enforcement actions. The SEC specifically stated that it “has continued to leverage its own technology to accomplish its enforcement goals.” These goals include using proprietary tools to conduct data analysis to identify and pursue a wide variety of misconduct, including insider trading, “cherry-picking” schemes, and the sale of unsuitable investment products or programs to retail investors. The CFTC highlighted its realignment of the Market Surveillance Unit, moving it from the Division of Market Oversight to the Division of Enforcement. Building and utilizing sophisticated analytical tools, the Market Surveillance Unit reviews data for instances of fraud, manipulation, and disruption. Moving the unit to the Division of Enforcement “reflects the data-centric approach the Division pursued during the last Fiscal Year, and expects to continue going forward.” Thus, the SEC and the CFTC will continue to increasingly employ sophisticated data analytics to pursue their enforcement objectives.

Turning to CFTC Enforcement, much like the SEC, CFTC Enforcement now provides much greater detail in its FY2018 Annual Report than in previous editions. Similar to the SEC’s results, quantitatively, CFTC Enforcement’s efforts in FY 2018 reflect significant increases. The number of enforcement actions filed increased year over year from 49 to 83 and monetary sanctions also increased from $413 million to $950 million. CFTC Enforcement  explained in the report a number of key initiatives started or continued during FY 2018, including cooperation and self-reporting, the use of data analytics, and the development of a set of specialized task forces focused on four  substantive areas — spoofing and manipulative trading, virtual currency, insider trading and protection of confidential information, and the Bank Secrecy Act.

Regarding the “Spoofing and Manipulative Trading” task force, the CFTC Enforcement Director provided additional information on this task force in a speech the day before the release of the FY2018 Annual Report:

Spoofing and Manipulative Trading: A little more than a decade ago, our markets moved from in-person trading in the pit, to computer-based trading in an electronic order book. The advent of the electronic order book brought with it significant benefits to our markets—it increased information available, reduced friction in trading, and significantly enhanced the price discovery process. But at the same time, this technological development has presented new opportunities for bad actors. Just as the electronic order book increases information available to traders, it creates the possibility that false information injected into the order book could trick them into trading to benefit a bad actor.

Efforts to manipulate the electronic order book—which can include spoofing—are particularly pernicious examples of bad actors seeking to gain an unlawful advantage through the abuse of technology. These efforts to manipulate the order book, if left unchecked, drive traders away from our markets, reducing the liquidity needed for these markets to flourish. And this misconduct harms businesses, large and small, that use our markets to hedge their risks in order to provide the stable prices that all Americans enjoy. The Spoofing Task Force works to preserve the integrity of these markets.

The CFTC’s efforts to detect market manipulation generally and spoofing in particular, however, were not limited to the creation of a task force. The FY2018 report identified 83 total actions filed, 26 (approximately 31 percent) of which were manipulation-based. This was a number second only to retail fraud (30 actions filed). While supervision is not discussed specifically as an initiative or a particular priority, CFTC Enforcement’s FY2018 Annual Report also identified 6 “Supervision” cases. Here is the breakdown by category:

From this table, it is a little unclear how the CFTC’s spoofing supervision cases were categorized and quantified in its FY2018 Annual Report. Regardless, based on the increased focus on supervision in this area— as previously reported—we can expect CFTC Enforcement to continue to investigate and bring charges for spoofing and related supervisory violations well into the future.

Finally, the CFTC Enforcement’s FY2018 Annual Report emphasizes its efforts to significantly ramp up its “coordination with our law enforcement and regulatory partners—in particular the criminal authorities.” These efforts included the announcement of the parallel actions involving spoofing and manipulative conduct filed together with the Department of Justice in January 2018. In those filings, the Commission charged three financial institutions and six individuals with manipulative conduct and spoofing. While the early 2018 joint filing was significant, the Commission’s coordination with criminal authorities was not limited to this filing. Joint filings with criminal counterparts were up significantly and may signal more to come:

OCIE Issues Risk Alert on Issues Related to Best Execution by Investment Advisers

Pursuant to their fiduciary duties, investment advisers have certain obligations to seek out “best execution” for client transactions. The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert identifying deficiencies found during examinations of investment advisers’ compliance with their best execution obligations.

In this alert, partner Jim Lundy and associate Kellilyn Greco outline OCIE’s findings, including background on best execution, notable deficiencies, and recommended best practices.

Read the full alert.

SEC Cyber Unit Brings Groundbreaking Data Breach Case

On April 24, 2018, the Securities and Exchange Commission (SEC) announced its most significant case ever filed against a respondent for one of the world’s largest data breaches. Albata, Inc., f/d/b/a Yahoo! Inc., (“Yahoo”) settled with the SEC to charges of violating Section 17(a)(2) and 17 (a)(3) of the Securities Act of 1933 (“Securities Act”), amongst other charges, and agreed to various remedies, including a $35 million penalty.

In summary, the SEC alleged that in December of 2014 Yahoo’s information security team learned that Russian hackers stole what was referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for more than 500 million users. Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. In addition, the SEC found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.

The breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by another company. This disclosure caused a $1.3 billion fall in Yahoo’s market capitalization and a reduction in the acquisition price by $350 million.

As a result, the SEC’s order found that in Yahoo’s quarterly and annual report filings during the two-year period following the breach, the company failed to disclose the breach or its potential business impact, legal implications, and other potential ramifications. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.

In conclusion this SEC action provides several takeaways:

– This may be one of the first, but it will not be the last data breach case by the Division of Enforcement’s Cyber Unit created in September of 2017.

– The SEC charged Yahoo with fraud, but not with Rule 30(a) of Regulation S-P of the Securities Act. Historically, the SEC used the latter statute as the primary charge for data breaches. While these fraud charges against Yahoo are more aggressive, Section 17(a)(2) and (a)(3) are non-scienter based charges.

– Notably, the SEC did not charge any individuals.

– A study of the findings in the SEC’s order coupled with the Commission Statement and Guidance on Public Company Cybersecurity Disclosures announced on February 21, 2018, provides guidance for public companies and registrant firms to consider when assessing their cybersecurity programs, controls, policies and procedures, and disclosure obligations.

SEC Freezes $27 Million Related to a Blockchain/Cryptocurrency Acquisition

On April 6, 2018, the Securities and Exchange Commission (SEC) obtained a court order freezing more than $27 million in proceeds from alleged illegal distributions and sales of restricted shares of a public company, and charged the company, its CEO, and three other affiliated individuals. That same day, the Nasdaq Stock Market said it halted trading in the company’s stock. The SEC’s complaint alleges that shortly after the company began trading on the Nasdaq Stock Market and announced the acquisition of a purported blockchain-empowered cryptocurrency business that its stock price rose dramatically until its market capitalization exceeded $3 billion. The SEC further alleges that the CEO and the three other individual defendants then illegally sold large blocks of their restricted shares to the public while the stock price was excessively elevated and that they collectively reaped more than $27 million in profits.

By way of background, and as alleged by the SEC, the company went public under a scaled-down version of a traditional initial public offering known as Reg A+ late last year. In December 2017, the company’s Class A shares began trading on the Nasdaq Stock Market. Two days later, the company announced that it had acquired the purported blockchain-empowered cryptocurrency business from another entity. The SEC alleges that one of the individual defendants held at least a 92% stake in this entity. The SEC further alleges that — notwithstanding that this acquired business had no ascertainable value — the company’s stock price rose excessively and quickly after said acquisition. Specifically, by December 18, 2017, the company’s stock price rose to a high of $142.82 per share; an increase of nearly 550% from the prior day’s closing price and about 2,670% above the company’s closing price on its first day of trading just several days earlier.

This action serves as yet another example of the SEC’s heightened and aggressive focus in this area. As we discussed previously on this blog, one of the focus areas for the SEC’s Cyber Unit that was created just last September is “Violations involving distributed ledger technology and initial coin offerings.” More recently, the financial press reported that the SEC had launched a “sweep” in this area by serving subpoenas and information requests on technology companies and investment management firms and brokers doing business in the virtual currency markets.

Returning to the SEC’s $27 million freeze action here, the SEC alleged only registration offering violations against the defendants. This may not be the last of the charges, however, as the SEC described this as a “continuing investigation” in its press release.

SEC Share Class Selection Disclosure Initiative to Encourage Self-Reporting

On February 12, 2018, the U.S. Securities and Exchange Commission (SEC) announced a “Share Class Selection Disclosure Initiative” (“SCSD Initiative”), led by the Asset Management Unit of the Division of Enforcement (“Enforcement”). To encourage self-reporting and participation in the SCSD Initiative, Enforcement advises in the release that it “will agree not to recommend financial penalties against investment advisers who self-report violations of the federal securities laws relating to certain mutual fund share class selection issues and promptly return money to harmed clients.” Enforcement also warns that it “expects to recommend stronger sanctions in any future actions against investment advisers that engaged in the misconduct but failed to take advantage of this initiative.”

The deadline for self-reporting is June 12, 2018. Firms contacted by Enforcement before the announcement regarding possible violations related to their failures to disclose the conflicts of interest associated with mutual fund share class selection are not eligible for the program. Firms that are subject to pending SEC examinations, but that have not been contacted by Enforcement, will be eligible. Importantly, Enforcement specifically offers no assurances with respect to the potential liability of involved individuals.

Below we summarize the SCSD Initiative, explore the direct and indirect messages being sent by the SEC, and provide practical strategic guidance for affected firms to consider.

Initial Strategies – What to Do

By way of background, the SEC has long been focused on Rule 12b-1 fees paid by a mutual fund on an ongoing basis for shareholder services, distribution, and marketing expenses. As with any fee, 12b-1 fees have the potential to reduce a client’s returns. In recent years, the SEC has brought several enforcement actions against investment advisers, finding that they failed to disclose conflicts associated with the receipt of 12b-1 fees for investing client funds in a 12b-1 fee-paying share class when a lower-cost share class was available for the same fund.

What firms should consider the SCSD Initiative? Investment advisers that did not explicitly disclose in applicable Forms ADV (i.e., brochure(s) and brochure supplements) the conflict of interest associated with the 12b-1 fees the firm, its affiliates, or its supervised persons received for investing advisory clients in a fund’s 12b-1 fee share class when a lower-cost share class was available for the same fund. Enforcement provides more specific guidance as follows:

A “Self-Reporting Adviser” is an adviser that received 12b-1 fees in connection with recommending, purchasing, or holding 12b-1 fee paying share classes for its advisory clients when a lower-cost share class of the same fund was available to those clients, and failed to disclose explicitly in its Form ADV the conflicts of interest associated with the receipt of such fees. The investment adviser “received” 12b-1 fees if (1) it directly received the fees, (2) its supervised persons received the fees, or (3) its affiliated broker-dealer (or its registered representatives) received the fees. To have been sufficient, the disclosures must have clearly described the conflicts of interest associated with (1) making investment decisions in light of the receipt of the 12b-1 fees, and (2) selecting the more expensive 12b-1 fee paying share class when a lower-cost share class was available for the same fund.

Evaluating and assessing these factors for purposes of determining whether to self-report pursuant to the SCSD Initiative will be resource-intensive and will likely involve analyzing complex legal, factual and reputational issues. Thus, firms should first consult with in-house or outside counsel. One of the benefits of involving counsel at the start – and throughout – is that it allows for the application of the attorney work product doctrine and attorney-client privilege. As a reminder, the majority of the cases interpreting these privileges have not extended them to compliance officers performing their duties as part of a firm’s compliance operations. Thus, involving in-house or outside counsel is necessary to claim privilege. The firm can ultimately decide to waive privilege if it elects to self-report. However, for the firms that conduct this evaluation and assessment and then elect not to self-report, preserving the attorney-client and attorney work product privileges will allow firms to protect their work from discovery by regulators or third parties.

With the oversight of counsel, the firm should consider developing and implementing a project plan, due to the anticipated resource-intensive nature of what will be required. The project plan should involve analyzing whether the firm failed to disclose conflicts of interest associated with the receipt of 12b-1 fees by the adviser, its affiliates, or its supervised persons for investing advisory clients in a 12b-1 fee-paying share class when a lower-cost share class of the same mutual fund was available for the advisory clients. More specifically, this involves conducting detailed analyses of each fund, fund class, the 12b-1 fees associated with the share classes, and all of the related disclosures.

Settlement Terms – What You Need to Know

Enforcement uses the description “favorable settlement terms” in its announcement, in order to entice participation. Firms, however, need to understand that self-reporting under the SCSD Initiative will undoubtedly result in a settled enforcement action, and that the terms will include the SEC’s typical terms, with the exception of a civil penalty. Firms should also consider the nature of the charges and their potential impacts, as discussed below.

Terms may include a cease-and-desist order and a censure, likely along with an SEC release touting the settlement as a successful result of the SCSD Initiative. Settlement terms will include full disgorgement by the investment adviser of its ill-gotten gains and prejudgment interest thereon. It is not clear from the announcement how Enforcement will calculate disgorgement, but it will likely be based on the 12b-1 fees received. The firm will also need to agree to a self-administered distribution to its affected clients, thereby assuming all of the internal or external costs associated with such a distribution. Lastly, the settlement will either include an acknowledgment that the adviser has voluntarily taken the following steps (if completed before the order is instituted), or order that within 30 days of instituting the order, the eligible adviser:

  • Review and correct as necessary the relevant disclosure documents.
  • Evaluate whether existing clients should be moved to a lower-cost share class and move clients as necessary.
  • Evaluate, update (if necessary), and review for the effectiveness of its implementation policies and procedures to ensure that they are reasonably designed to prevent violations in connection with the adviser’s disclosures regarding mutual fund share class selection.
  • Notify clients of the settlement terms in a clear and conspicuous fashion (this notification requirement applies to all affected clients).
  • Provide the Commission staff, no later than 10 days after completion, with a compliance certification regarding the applicable undertakings by the investment adviser.

The charges in the settlement order would be considered non-scienter and negligence-based, but the plain statutory language reads much harsher. The statutes under which a Self-Reporting Adviser will be settling for the violative conduct are Section 206(2) and Section 207 of the Investment Advisers Act of 1940 (“Advisers Act”). Section 206(2) prohibits an investment adviser, directly or indirectly, from engaging “in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client,” and imposes a fiduciary duty on investment advisers to act for their clients’ benefit, including an affirmative duty of utmost good faith and full disclosure of all material facts. Section 207 of the Advisers Act makes it “unlawful for any person willfully to make any untrue statement of a material fact in any registration application or report filed with the Commission . . . or willfully to omit to state in any such application or report any material fact which is required to be stated therein.” Thus, based on the plain language of these statutes, these are by no means technical-type violations. Firms need to consider their exposure to reputational harm and other collateral damage. Moreover, a Self-Reporting Adviser will have to disclose the institution and resolution of the charges in its Form ADV, as well as in response to requests for proposals and certain other information requests.

Finally, for those Self-Reporting Advisers participating in the SCSD Initiative, Enforcement will likely expect them to disclose information and produce evidence with respect to employees who were involved with the sale of 12b-1 class shares to clients, as well as those involved in the Self-Reporting Adviser’s disclosure of conflicts of interest. Accordingly, as advisers navigate their way through the process of determining whether it is in their best interest to participate in the SCSD Initiative, they should also be sensitive to the possibility that certain employees may need separate representation due to potential conflicts of interest that may arise.

Conclusion

The decision to self-report and participate in the SCSD Initiative deserves serious consideration, but there is no one-size-fits-all approach. As discussed, the decision-making process will be resource-intensive and involve complex and high-stakes legal, factual and reputational decisions, so firms should work closely with counsel. That said, here are five key takeaways for firms to consider:

  • Engage with in-house or outside counsel at the start for the attorney-work product doctrine and attorney-client privilege to apply, subject to waiver by the firm if the determination is made to self-report.
  • A project plan should be developed and implemented under the oversight of in-house or outside counsel to evaluate and assess whether the firm’s practices and disclosures warrant consideration of self-reporting pursuant to the SCSD Initiative.
  • Firms need to understand that, while avoiding a civil penalty, the settlement terms will include a cease-and-desist order and a censure; disgorgement, prejudgment interest, and the accompanying internal or external distribution costs; and the detailed undertakings discussed above.
  • Firms also should recognize that settling to charges under Section 206(2) and Section 207 of the Advisers Act present reputational risks that need to be weighed, and collateral consequences that need to be considered.
  • Lastly, firms that determine that they qualify as Self-Reporting Advisers should heed the SEC’s warnings and self-report, or they will potentially expose themselves to the SEC pursuing significant monetary penalties and possible additional charges and remedies.

Supreme Court Unanimously Holds that Whistleblowers Must First Report to the SEC Before Being Afforded Dodd-Frank Anti-Retaliation Protections

In a 9-0 opinion issued on Wednesday, February 21, in Digital Realty Trust v. Somers (2018), the Supreme Court resolved a circuit split by holding that Dodd-Frank’s anti-retaliation provision does not apply to an individual, like Somers, who reported a violation of the securities law internally at his company but did not report the violation to the SEC.

As we have previously written, this case came to the Supreme Court from the Ninth Circuit, affirming the District Court’s holding that Section 78u-6(h), Dodd-Frank’s anti-retaliation provision, did not necessitate reporting a potential violation to the SEC before gaining “whistleblower” status. Somers v. Digital Realty Trust Inc., 850 F.3d 1045 (9th Cir. 2016). The Fifth Circuit had previously come to the opposite holding. Asadi v. G.E. Energy (USA), L.L.C., 720 F.3d 620 (5th Cir. 2013). The Supreme Court decided this circuit split and reversed the Ninth Circuit’s holding—taking a narrow view of the “whistleblower” definition and statutory construction.

Dodd-Frank defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission, in a manner established, by rule or regulation, by the Commission.” 15 U.S.C. § 78u-6(a)(6) (emphasis added). Somers and the Solicitor General argued that the “whistleblower” definition applies only to Dodd-Frank’s monetary reward program for whistleblowers and does not apply to its anti-retaliation provision. Further, the SEC itself advanced this view in its Rules. See 17 C.F.R. § 240.21F-2. The rule, as well as interpretative guidance released in 2015, explained that there were two definitions of “whistleblower”: one for the reward program, which required reporting to the SEC, and one only for the anti-retaliation provision, as long as the information is provided “in a manner described in Section 21F(h)(1)(A) of the Exchange Act,” which includes internal reporting. See id.; SEC Rel. No. 34-75592. The Rule further qualified that “[t]he anti-retaliation protections apply whether or not you satisfy the requirements, procedures and conditions to qualify for an award.” 17 C.F.R. § 240.21F-2(b)(1)(iii).

The Supreme Court, however, found this argument to be at odds with the “plain” language of the statute and the purpose of this portion of Dodd-Frank—to encourage individuals to report violations to the SEC. The Supreme Court reasoned that the SEC Rule should not be accorded deference because “Congress has directly spoken” on this issue in its unambiguous language in Dodd-Frank, and concluded that the language in Dodd-Frank was explicit in its exclusive inclusion of only those individuals who report securities complaints to the SEC.

While the Supreme Court’s decision limits the scope of potential “whistleblowers” who could seek the protection of the Dodd-Frank anti-retaliation provision, the decision may have another, less positive, collateral consequence. When the SEC promulgated the whistleblower rules, it received dozens of comments suggesting that the SEC require employees to report internally before reporting potential violations to the SEC. The SEC rejected that approach, but attempted to encourage internal reporting by including as a factor in deciding the amount of an award whether the whistleblower first reported the potential violation internally. In light of the Supreme Court’s decision, it is more likely that employees will forego reporting any potential violations internally and instead go straight to the SEC so as to not only qualify for an award, but also to seek the protection of the anti-retaliation provision.

SEC Announces Enforcement Division Cyber Specialty Unit

On September 25, 2017, the Securities and Exchange Commission announced the creation of an Enforcement Division “Cyber Unit” that will focus on cyber-related violative conduct. The timing of this is much more than coincidental; indeed it’s obvious. Just last week, SEC Chairman Jay Clayton disclosed: 1) a 2016 intrusion of the SEC’s EDGAR system due to a software vulnerability in the test filing component of the system, resulting in access to nonpublic information; and 2) the creation of a senior-level cybersecurity working group. Since the disclosure of the EDGAR breach, the financial press has reported that SEC Enforcement, the Secret Service, and the FBI have been investigating, and that Chairman Clayton asked the SEC’s Office of Inspector General to investigate. On September 26, 2017, Chairman Clayton appears before the Senate Committee on Banking, Housing, and Urban Affairs where he will provide testimony and likely be subject to intense questioning.

Returning to the SEC’s Cyber Unit, while not specifically described as such, it appears to be created in the mold of the other Enforcement Division Specialty Units. This new unit’s mandate includes targeting cyber-related violative conduct, such as: market manipulation schemes involving false information spread through electronic and social media; hacking to obtain material nonpublic information; misuse of distributed ledger technology; misconduct perpetrated via the dark web; intrusions into retail brokerage accounts; and cyber-related threats to trading platforms and other critical market infrastructure. Consistent with this being a new specialty unit, the “Chief” is a former Co-Chief of the SEC’s Market Abuse Specialty Unit. Thus, registrants can expect the Cyber Unit to evolve much as the SEC’s other specialty units have previously. Specifically, this unit will likely: develop and expand SEC internal cyber knowledge; seek to hire external cyber experts; and dedicate its efforts and resources to this specialty area. Consistent with the evolutions of the other specialty units, the Cyber Unit will likely pursue cases that the Enforcement Division generally and historically might not have pursued, such as non-fraud violations considered more technical in nature.

While it’s ironic that the SEC announced the Cyber Unit on the heels of its recent breach, issuers and registrants should take this opportunity to self-assess and implement plans to avoid the SEC’s Cyber Unit in the future. Among various strategies, actively monitoring and assessing the SEC’s cybersecurity guidance and, in particular, the Office of Compliance Inspections and Examinations Risk Alerts, and documenting this work will support arguments of reasonable and diligent efforts. For further and more detailed guidance, look to FINRA’s February 2015 Report on Cybersecurity Practices. While FINRA’s oversight is limited to its member broker-dealer firms, this 46-page report provides plain-language guidance that any company or firm may want to consider reviewing and implementing as appropriate.

D.C. Circuit Split on Constitutionality of SEC’s Administrative Judges

We previously blogged about the D.C. Circuit’s decision in Raymond J. Lucia Cos v. SEC, which rejected the petitioner’s constitutional challenges to the SEC’s use of administrative law judges that are not appointed by the President. Yesterday, the D.C. Circuit issued a two sentence per curiam order denying an en banc review by an equally divided court.

We noted that the panel’s original opinion was the first appellate ruling of its kind. Although the panel’s decision remains in effect because the full court did not rehear the case, the strength of that ruling is now severely undermined. As we previously reported, the Tenth Circuit has already disagreed with the D.C. Circuit’s panel and held that the SEC’s administrative law judges are subject to the Constitution’s Appointments Clause. Yesterday’s order likely sets the stage for a Supreme Court challenge.

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy