Partners Peter Baldwin and Bob Mancuso published “Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks.” This article in the New York Law Journal discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness.
In the spirit of our previous holiday film blogs, we present the following Independence Day films for your (re)viewing pleasure (and background research). Both deserve renewed attention in light of:
- The SEC’s recent SolarWinds cybersecurity-related events, regarding disclosure of material weaknesses or material cybersecurity risks related to the SolarWinds compromise;
- The re-opening of offices and recent announcements of certain businesses explaining that employees should be back in the office or else.
We offer the following Independence Day Weekend themed film streaming recommendations that relate to each of the above and therefore count as background research.
Upcoming Changes to Rule 10b5-1:
The SEC is seeking to propose four key changes to executive stock trading plans under Rule 10b5-1 in October. On June 7, 2021, its Chairman, Gary Gensler, reported that the SEC is considering “freshen[ing] up Rule 10b5-1 after twenty years” to address insider trading concerns. Gensler’s comments come after a year of heightened insider trading reporting and the release of new research conducted by Stanford University and the Wharton School of the University of Pennsylvania finding that 10b5-1 plans have been used by executives to engage in “opportunistic, large-scale” sales of company stock. Gensler remarked that the current plans under Rule 10b5-1 have led to a “real crack in our insider trading regime,” which he seeks to address in the upcoming months.
As publicly reported late last week, the Securities and Exchange Commission’s (SEC) Division of Enforcement sent requests for information to a range of public companies and investment firms seeking voluntary disclosure of information related to last year’s SolarWinds cyberattack. Specifically, the SEC is seeking information related to whether the companies and firms were exposed to the SolarWinds cyberattack and any remedial measures the companies and firms implemented in response.
SolarWinds, an IT, network, and systems software developer, disclosed in a filing with the SEC in December 2020 that a cyberattack had infiltrated its Orion monitoring product, which could allow the attacker to compromise the server on which the Orion product runs. SolarWinds disclosed that it believed that nearly 18,000 Orion customers downloaded the product containing the vulnerability and that it had notified all 33,000 users of the product that a cyberattack had taken place. The SolarWinds cyberattack was unprecedented in its scope and sophistication—including compromising nine U.S. federal agencies—leading the United States and other governments to blame the attack on an outside nation-state actor.
On Friday June 4, 2021, Securities and Exchange Commission Chair Gary Gensler removed the head of the Public Company Accounting Oversight Board (PCAOB), an independent agency created by the Sarbanes-Oxley Act of 2002 that is charged with setting standards and overseeing audits of public companies and broker-dealers. The move is part of a broader overhaul of the PCAOB announced by the SEC that includes soliciting nominations for all five of the PCAOB’s board positions, including board positions currently filled by members whose terms have not yet expired.
The removed chair of the PCAOB, William Duhnke III, was appointed by former President Trump and had held the position since January 2018. In 2020, President Trump called for the PCAOB to be folded into the SEC by 2022, losing its independent watchdog status. In a recent lawsuit filed against Duhnke, the PCAOB’s former chief risk officer alleged that Duhnke shared President Trump’s sentiment and called the PCAOB a “frivolous organization” that should be combined with the SEC.
In Faegre Drinker’s third “Enforcement Highlights” podcast, Jim Lundy moderates a panel with Investment Management Group partner Jillian Bosmann and fellow SEC and Regulatory Enforcement partner David Porteous discussing what the plans may be for the SEC’s Divisions of Investment Management, Examinations, and Enforcement and the investment management industry under the leadership of new SEC Chair Gary Gensler. Topics also include the Division of Examinations’ 2021 Annual Report, the SEC’s ESG Risk Alert, and FINRA’s anticipated relationship with the SEC under Chair Gensler.
On May 3, 2021, the Securities and Exchange Commission (“SEC”) announced charges against Under Armour Inc. (“Under Armour”) for “misleading investors as to the bases of its revenue growth and failing to disclose known uncertainties concerning its future revenue prospects.” Under Armour agreed to settle the case, paying a $9 million fine. The settlement stems from allegations that Under Armour violated Sections 17(a)(2) and (3) of the Securities Act of 1933, which do not require proof of scienter, as well as reporting provisions of the federal securities laws, by failing to tell investors that it pulled forward orders to meet its quarterly targets in order to appear healthier.
Alex Oh, U.S. Securities and Exchange Commission (SEC) Chair Gary Gensler’s pick for the agency’s Director of the Division of Enforcement, unexpectedly resigned on Wednesday amid growing criticism for her decades-long work as a private corporate defense lawyer. Ms. Oh’s hiring was announced on April 22, 2021, less than a week before her resignation.
Ms. Oh’s resignation followed a ruling on Monday from Judge Royce C. Lamberth of the Federal District of Columbia reprimanding ExxonMobil’s legal team, which included Ms. Oh, for their conduct in a class action lawsuit brought by Indonesian villagers against Exxon alleging human rights abuses. According to the ruling, Exxon’s defense team characterized the lawyers for the villagers as “agitated, disrespectful and unhinged” during a deposition. Judge Lamberth ordered Exxon’s lawyers to show why penalties were not warranted for those comments.