SEC Speaks, the SEC’s annual conference in Washington, D.C., often provides valuable insight into developments at the agency, as well as pronouncements about policy evolution and enforcement priorities. At this year’s conference, “cooperation” emerged as one of the themes that the SEC has been prioritizing over the past year – and is committed to prioritizing in the future. Indeed, the co-directors of the SEC’s Division of Enforcement remarked that, “cooperation is as important now as it has ever been,” and that the “full range” of remedies are available to entities that provide meaningful cooperation to the SEC. Interestingly, the staff emphasized that the SEC is making a concerted effort to use its press releases and orders to highlight the importance, components, and benefits of cooperation – all in an effort to promote earlier, more meaningful, and more widespread cooperation.
Recently, the Northern District of Illinois denied the SEC summary judgment on its claims against a company charged with fraudulently offering and failing to register securities. United States Securities and Exchange Commission v. Webb et al. In doing so, it rejected the SEC’s argument that, pursuant to the doctrines of collateral estoppel and respondeat superior, the company’s liability for the alleged securities violations was established through the criminal conviction of the company’s founder, CEO, and chairman for wire and mail fraud. The Court’s decision emphasizes the legal necessity of establishing and giving each defendant the opportunity to defend against the claims brought against them, even if claims against companies and their officers for purported securities violations seem inextricably related.
In SEC v. Webb., No. 11 C 7152 (N.D. Ill.), the SEC alleged that InfrAegis, Inc. and its founder, CEO, and chairman, Gregory Webb, violated the Securities Act of 1933 and the Securities Exchange Act of 1934 by (1) fraudulently raising funds from investors through a false portrayal of InfrAegis’s success; and (2) failing to register its securities. A separate, criminal case was brought against Webb “based on the same underlying facts in this case,” and this civil action was stayed pending the outcome of that matter. Order and Op. at 1 (Apr. 2, 2019). After a jury returned a verdict finding Webb guilty of both wire and mail fraud, however, the SEC, having separately settled with Webb, moved for summary judgment against InfrAegis in this case.
Specifically, despite the fact that “[t]he criminal case . . . did not include a finding that InfrAegis was vicariously liable for Webb’s actions, and neither Webb nor InfrAegis were tried or found guilty of any violations of the Securities Act or the Exchange Act,” id. at 4, the SEC argued that InfrAegis was precluded “from contesting its liability on the SEC’s securities fraud claims in light of Webb’s convictions for mail and wire fraud based on the same conduct at issue in this case and Webb’s role as InfrAegis’[s] chairman, CEO, and majority owner,” id. at 5. But the Court rejected this argument. While it found that “Webb’s criminal conviction establishe[d] all the elements necessary to support his civil liability,” id. at 6 (emphasis added), the Court held that InfrAegis was not “fully represented during Webb’s [criminal] trial,” as is required to establish issue preclusion. Id. at 1. In doing so, the Court further rejected the SEC’s contention that because Webb was represented at his criminal trial and was in privity with InfrAegis, InfrAegis had a full and fair opportunity to litigate the issues presented there. The Court found that no exception “to the rule against nonparty preclusion” applied here because (1) “[a] principal-agent or fiduciary relationship at the time the alleged acts occurred” is not a recognized exception; and (2) there was no evidence that InfrAegis controlled Webb’s criminal defense “or that Webb remained an agent or fiduciary of InfrAegis at the time of his trial.” Id. at 7-8.
Moreover, while neither party disputed that the doctrine of respondeat superior could apply to securities fraud claims “where the employee acted in the scope of his employment in furtherance of the corporation’s goals,” the Court also held that the SEC could not “use respondeat superior to circumvent the . . . requirement of issue preclusion that InfrAegis have had a full and fair opportunity to litigate the issues.” Id. at 9. Thus, the Court denied the SEC’s motion for summary judgment concerning the securities fraud claims against InfrAegis.
Last week, the Department of Justice (“DOJ”) and the Securities & Exchange Commission (“SEC”) announced charges connected to a large-scale, international conspiracy to hack into the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and profit by trading on stolen material, non-public information. The conduct underlying these cases was one of the principal reasons that the SEC created its Division of Enforcement “Cyber Unit” to target cyber-related securities fraud violations.
In a 16-count indictment unsealed in the United States District Court for the District of New Jersey, two Ukrainian citizens, Artem Radchenko and Oleksander Ieremenko, were charged with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud. The SEC’s complaint charged nine defendants – Ieremenko, six traders in California, Ukraine, and Russian, and two entities – with antifraud violations of the federal securities laws.
The charging documents allege that Ieremenko and Radchenko hacked into the EDGAR system and stole thousands of files, including annual and quarterly earnings reports containing non-public financial information. The defendants gained access to the SEC’s networks by using a series of targeted cyberattacks, including directory traversal attacks, phishing attacks, and infecting computers with malware. The defendants extracted thousands of filings from the EDGAR system to a server they controlled in Lithuania. The defendants then profited by selling access to the stolen, confidential information and by trading on the stolen information prior to its distribution to the public. In total, the defendants and their co-conspirators are alleged to have traded before at least 157 separate earnings releases, and they generated over $4 million in illegal proceeds.
Some of the individuals charged in these cases were previously charged in connection with a similar scheme to hack into the computer systems of multiple newswire organizations and steal press releases containing financial information that had not yet been released to the public. Several of the same methods used to hack the newswire organizations were also employed to hack the EDGAR system.
The criminal and civil charges in these cases are a reminder that both DOJ and the SEC have prioritized combatting cybercrime and, in particular, network intrusions. They also serve as a stark reminder that any organization, even a U.S. government agency, can be targeted and victimized by cybercriminals. Companies and firms would be wise to examine the techniques used by the defendants in these cases and ensure that their own cyber defenses are sufficient to protect against and thwart similar attacks. For additional guidance, companies and firms can look to SEC guidance and actions issued since the creation of the SEC’s Cyber Unit.
Deputy Attorney General Rod Rosenstein recently announced significant changes to the Department of Justice’s corporate enforcement policy regarding individual accountability, previously announced in the 2015 Yates Memo. The revised policy no longer requires companies who are the target of DOJ investigations to identify all parties involved in potential misconduct before they can be eligible to receive any cooperation credit. This alert examines the updated policy, which should provide companies with greater flexibility in conducting investigations and negotiating dispositions with DOJ in both criminal and civil cases.
Earlier this month, the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission issued their annual reports about their Divisions of Enforcement results for fiscal year 2018. Analyzing these reports is a helpful way for us to learn from the recent historical enforcement efforts by both financial regulatory agencies. Also, both reports provide guidance about the divisions’ objectives and initiatives for the upcoming fiscal year and beyond. Below we explore and summarize the important topics covered in both reports.
The SEC issued its FY2018 Annual Report earlier this month. The last several pages categorize and list every action filed by SEC Enforcement during FY2018; this provides a useful reference tool. In addition, this report continues to evolve and provide more information than in years past. Not surprisingly, the report highlights SEC Chairman Jay Clayton’s direction to SEC Enforcement to focus on “Main Street” investors. Thus, it was no surprise to see SEC Enforcement’s Share Class Selection Disclosure Initiative touted as a success.
If focusing on Main Street is Chairman Clayton’s top priority for SEC Enforcement, then policing cyber-related misconduct is the Chairman’s priority “1B.” In its Annual Report, SEC Enforcement specifically advised:
Since the formation of the Cyber Unit at the end of FY 2017, the Division’s focus on cyber- related misconduct has steadily increased. In FY 2018, the Commission brought 20 standalone cases, including those cases involving ICOs and digital assets. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing. Thanks to the work of the Unit and other staff focusing on these issues, in FY 2018 the SEC’s enforcement efforts impacted a number of areas where the federal securities laws intersect with cyber issues (emphasis added).
Regarding SEC Enforcement’s results, while the SEC seemingly tried to temper the increased results from last year and asked readers to avoid focusing on quantitative results, one thing that has become clear during Chairman Clayton’s tenure is that he has apparently not slowed down SEC Enforcement. Regarding the quantitative results, the SEC brought a diverse mix of 821 enforcement actions, including 490 standalone actions, and returned $794 million to harmed investors. A significant number of the SEC’s standalone cases concerned investment advisory issues, securities offerings, and issuer reporting/accounting and auditing, collectively comprising approximately 63 percent of the overall number of standalone actions. The SEC also continued to bring actions relating to market manipulation, insider trading, and broker-dealer misconduct, with each comprising approximately 10 percent of the overall number of standalone actions, as well as other areas. The agency also obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.
The report also outlined the five core principles that serve to guide SEC Enforcement’s work. From here, we garner a glimpse into their focus and efforts going forward. These principles are:
- Focus on the Main Street investor;
- Focus on individual accountability;
- Keep pace with technological change;
- Impose remedies that most effectively further enforcement goals; and
- Constantly assess the allocation of resources.
In concluding our discussion of the SEC Enforcement’s efforts and looking forward, with the continuing focus on the advisory and brokerage industries, we should expect SEC Enforcement to continue to focus its efforts and resources on the investment advisers and broker-dealers who serve Main Street.
Before turning to the CFTC, it is worth noting that both the SEC and the CFTC highlight the increased use of specialized proprietary tools they have developed to review data and bring enforcement actions. The SEC specifically stated that it “has continued to leverage its own technology to accomplish its enforcement goals.” These goals include using proprietary tools to conduct data analysis to identify and pursue a wide variety of misconduct, including insider trading, “cherry-picking” schemes, and the sale of unsuitable investment products or programs to retail investors. The CFTC highlighted its realignment of the Market Surveillance Unit, moving it from the Division of Market Oversight to the Division of Enforcement. Building and utilizing sophisticated analytical tools, the Market Surveillance Unit reviews data for instances of fraud, manipulation, and disruption. Moving the unit to the Division of Enforcement “reflects the data-centric approach the Division pursued during the last Fiscal Year, and expects to continue going forward.” Thus, the SEC and the CFTC will continue to increasingly employ sophisticated data analytics to pursue their enforcement objectives.
Turning to CFTC Enforcement, much like the SEC, CFTC Enforcement now provides much greater detail in its FY2018 Annual Report than in previous editions. Similar to the SEC’s results, quantitatively, CFTC Enforcement’s efforts in FY 2018 reflect significant increases. The number of enforcement actions filed increased year over year from 49 to 83 and monetary sanctions also increased from $413 million to $950 million. CFTC Enforcement explained in the report a number of key initiatives started or continued during FY 2018, including cooperation and self-reporting, the use of data analytics, and the development of a set of specialized task forces focused on four substantive areas — spoofing and manipulative trading, virtual currency, insider trading and protection of confidential information, and the Bank Secrecy Act.
Regarding the “Spoofing and Manipulative Trading” task force, the CFTC Enforcement Director provided additional information on this task force in a speech the day before the release of the FY2018 Annual Report:
Spoofing and Manipulative Trading: A little more than a decade ago, our markets moved from in-person trading in the pit, to computer-based trading in an electronic order book. The advent of the electronic order book brought with it significant benefits to our markets—it increased information available, reduced friction in trading, and significantly enhanced the price discovery process. But at the same time, this technological development has presented new opportunities for bad actors. Just as the electronic order book increases information available to traders, it creates the possibility that false information injected into the order book could trick them into trading to benefit a bad actor.
Efforts to manipulate the electronic order book—which can include spoofing—are particularly pernicious examples of bad actors seeking to gain an unlawful advantage through the abuse of technology. These efforts to manipulate the order book, if left unchecked, drive traders away from our markets, reducing the liquidity needed for these markets to flourish. And this misconduct harms businesses, large and small, that use our markets to hedge their risks in order to provide the stable prices that all Americans enjoy. The Spoofing Task Force works to preserve the integrity of these markets.
The CFTC’s efforts to detect market manipulation generally and spoofing in particular, however, were not limited to the creation of a task force. The FY2018 report identified 83 total actions filed, 26 (approximately 31 percent) of which were manipulation-based. This was a number second only to retail fraud (30 actions filed). While supervision is not discussed specifically as an initiative or a particular priority, CFTC Enforcement’s FY2018 Annual Report also identified 6 “Supervision” cases. Here is the breakdown by category:
From this table, it is a little unclear how the CFTC’s spoofing supervision cases were categorized and quantified in its FY2018 Annual Report. Regardless, based on the increased focus on supervision in this area— as previously reported—we can expect CFTC Enforcement to continue to investigate and bring charges for spoofing and related supervisory violations well into the future.
Finally, the CFTC Enforcement’s FY2018 Annual Report emphasizes its efforts to significantly ramp up its “coordination with our law enforcement and regulatory partners—in particular the criminal authorities.” These efforts included the announcement of the parallel actions involving spoofing and manipulative conduct filed together with the Department of Justice in January 2018. In those filings, the Commission charged three financial institutions and six individuals with manipulative conduct and spoofing. While the early 2018 joint filing was significant, the Commission’s coordination with criminal authorities was not limited to this filing. Joint filings with criminal counterparts were up significantly and may signal more to come:
The Second Circuit ruled on August 24 in United States v. Hoskins that the Foreign Corrupt Practices Act (FCPA) does not apply to foreign nationals who do not have ties to United States entities for bribery crimes that take place outside of U.S. borders. In doing so, the court rejected the government’s broadened theory of prosecution against Lawrence Hoskins, a U.K. citizen and former executive of the U.K.-based subsidiary of Alstom S.A., a global company headquartered in France that provides power and transportation services. United States v. Hoskins, No. 16-1010-CR, 2018 WL 4038192, at *1 (2d Cir. Aug. 24, 2018).
The alleged bribery scheme centers on Alstom S.A.’s American subsidiary, Alstom Power, Inc. (Alstom U.S.), headquartered in Connecticut. Hoskins was one of four Alstom executives charged with facilitating bribes to Indonesian officials in order to help the company win a $118 million power plant contract in Indonesia between 2002 and 2009. In 2014, Alstom S.A. pled guilty to the charge and paid a then record-setting $772 million fine.
The FCPA prohibits American companies and American persons, as well as their agents, from using interstate commerce in connection with the certain payments, or bribes, of foreign officials. 15 U.S.C. § 78dd-2. The FCPA likewise prohibits foreign persons or businesses from taking acts to further certain corrupt schemes, including ones causing the payment of bribes, while present in the United States. 15 U.S.C. § 78dd-3. Hoskins never worked directly for Alstom U.S. or traveled to the U.S. while the alleged scheme was ongoing. However, he was a former executive of the U.K subsidiary of the Alstom S.A., the parent company of Alstom U.S. that allegedly paid bribes to Indonesian officials. Based on his position, the government indicted Hoskins as an agent of Alstom U.S. under multiple theories of liability including conspiring to violate the FCPA.
The Second Circuit was faced with deciding the issue of whether a foreign person who does not reside in the United States can be liable for conspiring or aiding and abetting a U.S. company to violate the FCPA if that individual is not in the categories of principal persons covered in the statute. As the court phrased it, “[i]n other words, can a person be guilty as an accomplice or a co-conspirator for an FCPA crime that he or she is incapable of committing as a principal?” The Second Circuit held that such a person could not be liable.
In their analysis, the court noted that the FCPA defined precisely the categories of persons who may be charged and the statute clearly states the extent of its extraterritorial application. “The statute includes specific provisions covering every other possible combination of nationality, location, and agency relation, leaving excluded only nonresident foreign nationals outside American territory without an agency relationship with a U.S. person, and who are not officers, directors, employees, or stockholders of American companies.”
While the government argued that U.S. law has historically allowed for individual liability of a crime even if that person was incapable of committing the substantive offense, the Second Circuit noted that FCPA legislation clearly did not intend that accomplice liability extend to persons known as the “affirmative-legislative-policy exception.” The court explained that there is no specific provision in the FCPA which assigns liability to persons who are “nonresident foreign nationals, acting outside American territory, who lack an agency relationship with a U.S. person, and who are not officers, directors, employees, or stockholders of American companies.” The court also noted that the legislative intent behind the language of the FCPA was to protect foreign nationals who may not know American law.
The impact of the Second Circuit’s decision not to extend FCPA liability to Hoskins will have ongoing consequences, as recognized in the case’s concurring opinion by Judge Gerard E. Lynch. “It is for Congress to decide whether there are sound policy reasons for limiting the punishment of foreign nationals abroad to those who are agents of American companies, rather than to those who make American companies their agents. Our only task is to enforce the laws as Congress has written them.” But the impact of the decision in light of the current FCPA statute, as Judge Lynch notes, creates a pervasive result: “It makes little sense permit the prosecution of foreign affiliates of United States entities who are minor cogs in the crime, while immunizing foreign affiliates who control or induce such violations from a high perch in a foreign parent company. That is the equivalent of punishing the get-away driver who is paid a small sum to facilitate the bank robber’s escape, but exempting the mastermind who plans the heist.”
While the Second Circuit’s decision in Hoskins may have limited the scope of foreign individuals in FCPA cases for now, it is likely that the DOJ will continue to prosecute similar cases that test the jurisdictional reach of the FCPA.
The Department of Justice has established a new policy that requires its attorneys to coordinate with one another and with other enforcement authorities when imposing multiple penalties for the same conduct. This policy is likely to protect companies from unfair outcomes resulting from a lack of coordination among the DOJ and other authorities.
I authored an alert that provides an overview of the new policy and discusses the potential impact on companies affected.
On April 24, 2018, the Securities and Exchange Commission (SEC) announced its most significant case ever filed against a respondent for one of the world’s largest data breaches. Albata, Inc., f/d/b/a Yahoo! Inc., (“Yahoo”) settled with the SEC to charges of violating Section 17(a)(2) and 17 (a)(3) of the Securities Act of 1933 (“Securities Act”), amongst other charges, and agreed to various remedies, including a $35 million penalty.
In summary, the SEC alleged that in December of 2014 Yahoo’s information security team learned that Russian hackers stole what was referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for more than 500 million users. Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. In addition, the SEC found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.
The breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by another company. This disclosure caused a $1.3 billion fall in Yahoo’s market capitalization and a reduction in the acquisition price by $350 million.
As a result, the SEC’s order found that in Yahoo’s quarterly and annual report filings during the two-year period following the breach, the company failed to disclose the breach or its potential business impact, legal implications, and other potential ramifications. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
In conclusion this SEC action provides several takeaways:
– This may be one of the first, but it will not be the last data breach case by the Division of Enforcement’s Cyber Unit created in September of 2017.
– The SEC charged Yahoo with fraud, but not with Rule 30(a) of Regulation S-P of the Securities Act. Historically, the SEC used the latter statute as the primary charge for data breaches. While these fraud charges against Yahoo are more aggressive, Section 17(a)(2) and (a)(3) are non-scienter based charges.
– Notably, the SEC did not charge any individuals.
– A study of the findings in the SEC’s order coupled with the Commission Statement and Guidance on Public Company Cybersecurity Disclosures announced on February 21, 2018, provides guidance for public companies and registrant firms to consider when assessing their cybersecurity programs, controls, policies and procedures, and disclosure obligations.