
InfoBytes Blog

Financial Services Law Insights and Observations


  • 9th Circuit affirms dismissal of investors’ data breach disclosures suit

    Courts

    On March 2, the U.S. Court of Appeals for the Ninth Circuit affirmed the dismissal of a class action suit for failure to state a claim, concluding that investors had failed to adequately allege that statements about the defendant company’s cybersecurity practices in the company’s 2018 Form 10-K amounted to securities fraud. The plaintiffs asserted that certain statements, including statements that the company maintained “a comprehensive security program,” “were misleading because they created the impression that [the company] implemented the data security best practices described in those statements no later than 2016, when in fact, the company did not implement those practices until later.” The plaintiffs argued that based on these statements, “a reasonable investor could have concluded that any data security improvements [the company] described would have been put in place in response to the two public hacks [the company] had experienced in the past, one in 2013 and one in 2016.” The 9th Circuit determined that the plaintiffs had failed to show that the company had misled investors into believing that it had made data security improvements specifically in response to the 2013 and 2016 data breaches and had “plead no facts supporting a reasonable inference that either of those hacks was a prominent enough milestone in company history that the average investor would be led to believe every data security improvement directly followed them.”

    The plaintiffs further alleged that other statements in the 10-K were misleading because they “created the impression that it was unlikely [the company] had suffered an undetected data breach in the past, when in reality it was somewhat likely.” The appellate court rejected the plaintiffs’ argument and noted that “these statements would not give an ordinary investor reason to believe that [the company] was asserting that the risk that an undetected breach had occurred was particularly high or low, or that it had changed over time.” The 9th Circuit further agreed with the district court that the plaintiffs had failed to specifically allege that the company acted with the intent to deceive, manipulate, or defraud, or engage in “deliberate recklessness.”

    Courts Appellate Ninth Circuit Privacy/Cyber Risk & Data Security Data Breach Securities Fraud

  • CFTC orders unregistered respondents to pay $2.6 million for fraudulent solicitations

    Securities

    On February 23, the CFTC announced a $2.6 million settlement with a North Carolina-based company and its president for allegedly acting as unregistered commodity trading advisors and commodity pool operators, and for advertising without making required disclosures. Among other things, the respondents allegedly engaged in binary options solicitation and trading fraud through the operation of two webpages and related social media channels. According to the CFTC, the respondents made numerous false statements to solicit business, which claimed that traders could choose from the company owner’s winning strategies to earn significant profits. However, the CFTC stated that the owner was not actually a successful trader and had an overall losing trading record. Additionally, the respondents distributed client testimonials and training videos without providing disclosures required under CFTC regulations. As a result, ten participants lost roughly $410,000 in a managed account trading pool, while approximately 1,600 customers lost at least $945,000 through fraudulent solicitations for binary options signals, trainings, and strategy course offerings. While the respondents did not admit or deny any of the allegations, they agreed to pay $409,965 in restitution, $896,673 in disgorgement, and a $1,306,638 civil monetary penalty. Additionally, the respondents must cease and desist from any further violations of the Commodity Exchange Act or CFTC regulations. The order also permanently bans the respondents from trading on, or trading subject to, the rules of any CFTC-registered entity, and from engaging in any activities requiring CFTC registration. Respondents are also prohibited from, directly or indirectly, entering into any transactions involving commodity interests.

    Securities CFTC Enforcement Commodity Exchange Act Settlement

  • SEC, states reach $100 million settlement over crypto lending product

    Securities

    On February 14, the SEC and state regulators reached a $100 million settlement with a New Jersey-based financial services company in parallel actions to resolve allegations that the company failed to register the offers and sales of its retail credit lending product—marking the SEC’s “first-of-its-kind action” taken with respect to crypto lending platforms. According to the SEC, the company offered a product whereby retail investors lent crypto assets to the company “in exchange for the company’s promise to provide a variable monthly interest payment.” Among other things, the SEC found that because the company’s product is a security under applicable law, the company was required to register its offers and sales of the product or qualify for an exemption—both of which the company failed to do. The company also allegedly violated the Securities Act by making misleading statements on its website concerning its collateral practices and the level of risk in its loan portfolio and lending activity. Additionally, the company allegedly violated the Investment Company Act by engaging in interstate commerce while failing to register as an investment company with the SEC. While the company neither admitted nor denied the findings, it agreed to pay $50 million to the SEC and another $50 million to 32 states to settle similar charges. The company also agreed to cease engaging in unregistered offers and sales of its product, and will stop offering or selling its product in the U.S. Additionally, the company’s parent company stated its intention to register the offer and sale of a new lending product under the Securities Act.

    Securities Digital Assets Enforcement Cryptocurrency Settlement State Issues State Regulators Investment Company Act Securities Act Fintech SEC

  • SEC amends whistleblower program rules

    Securities

    On February 10, the SEC announced two amendments to the rules regarding its whistleblower program. According to the SEC, the first proposed amendment concerns award claims for related actions that would be otherwise covered by an alternative whistleblower program. The amendment would allow the Commission to pay whistleblower awards for certain actions brought by other entities, including designated federal agencies, in cases where those awards might otherwise be paid under the other entity's whistleblower program. The second amendment would affirm the Commission's authority under Rule 21F-6 to consider the dollar amount of a potential award for the limited purpose of increasing the award amount, and would eliminate the Commission’s authority to consider the dollar amount of a potential award for the purpose of decreasing an award. Comments are due 60 days after publication of the proposing release on the SEC’s website or 30 days after publication in the Federal Register.

    Securities Whistleblower Agency Rule-Making & Guidance SEC

  • SEC to update beneficial ownership reporting requirements

    Securities

    On February 10, the SEC proposed amendments to its rules governing beneficial ownership reporting under Exchange Act Sections 13(d) and 13(g) in order to “improve transparency and provide more timely information for shareholders and the market.” (See also SEC fact sheet here.) Among other things, the proposed rule would (i) accelerate the filing deadlines for Schedules 13D and 13G beneficial ownership reports from 10 days to five days (amendments would be required to be filed within one business day); (ii) expand the application of Regulations 13D and 13G to certain derivative securities; (iii) clarify the circumstances in which two or more persons have formed a “group” that would be subject to beneficial ownership reporting obligations; (iv) allow for new exemptions “to permit certain persons to communicate and consult with one another, jointly engage issuers, and execute certain transactions without being subject to regulation as a ‘group’”; and (v) require Schedules 13D and 13G filings to be done through a “structured, machine-readable data language.” Comments are due 30 days after publication in the Federal Register, or April 11, whichever is later. SEC Chair Gary Gensler issued a statement supporting the proposed amendments, which “would reduce information asymmetries and promote transparency, thereby lowering risk and illiquidity,” citing the “rapidity of current markets and technologies” as justification for updating the decades-old rules. However, SEC Commissioner Hester M. Peirce dissented, arguing that the proposed amendments fail to fully contend “with the realities of today’s markets or the balance embodied in Section 13(d) of the Exchange Act.” She further challenged the justification of technological advancements as a reason to shorten the 10-day reporting window to five days.

    Securities Agency Rule-Making & Guidance Beneficial Ownership SEC Securities Exchange Act

  • SEC proposes cybersecurity risk management rules and amendments

    Securities

    On February 9, a divided SEC voted to release proposed cybersecurity risk management rules and amendments to certain requirements for registered investment advisers and funds. (See SEC fact sheet here.) Commissioner Hester Peirce voted against the proposal, stressing that the fact that “an adviser’s or fund’s system has been successfully breached should not lead us to the immediate conclusion that that adviser or fund was lax in its efforts to protect client data and funds.” She added that “[a]bsent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach.”

    Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. Advisers would also be required to file a confidential report for a significant cybersecurity incident to the SEC on a new form. Additionally, advisers and funds must publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years “that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients in their brochures and registration statements.” Advisers and funds would be required to comply with new cybersecurity-related recordkeeping requirements to assist SEC inspection and enforcement capabilities. Comments on the proposal are due 60 days following publication on the SEC’s website or 30 days after publication in the Federal Register, whichever period is longer.

    Securities Privacy/Cyber Risk & Data Security SEC Agency Rule-Making & Guidance Risk Management Disclosures

  • Judgments reached in SEC’s first crowdfunding regulation enforcement action

    Securities

    On January 28, the U.S. District Court for the Eastern District of Michigan issued judgments (see here and here) against a real estate company and its CEO in the SEC’s first crowdfunding regulation enforcement action. As previously covered by InfoBytes, the SEC filed a complaint last September alleging that several entities and related individuals participated in a fraudulent scheme to sell nearly $2 million of unregistered securities through two crowdfunding offerings. The complaint alleged that two of the entities issued securities without registering with the SEC, while their principals diverted investor funds for personal use rather than using the funds for the disclosed purposes. Without admitting or denying the SEC’s allegations, the real estate company and the CEO consented to be permanently enjoined from violating certain securities laws. The CEO also agreed to a prohibition on “acting as an officer or director of any issuer that has a class of securities registered pursuant to Section 12 of the Exchange Act [15 U.S.C. § 78l] or that is required to file reports pursuant to Section 15(d) of the Exchange Act [15 U.S.C. § 78o(d)].” The judgments decreed that, upon motion of the SEC, the court will decide whether disgorgement and/or civil money penalties are appropriate.

    Securities Enforcement SEC Crowdfunding Courts Securities Act Securities Exchange Act

  • SEC: Taking remedial actions may help companies avoid penalties

    Securities

    On January 28, the SEC announced a settlement subject to court approval with a private technology company to resolve allegations that the company, through its former CEO, falsely inflated key financial metrics and doctored internal sales records. The complaint, which alleged violations of the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934, claimed that the CEO significantly inflated the value of numerous customer deals, and then masked the inflation by creating fake invoices and altering real invoices to make it seem as if customers had been billed higher amounts. The company’s board of directors conducted an internal investigation, which led to the removal of the CEO, a revised company valuation, and remedial efforts including repaying investors. The company also hired new senior management, expanded its board, and implemented processes and procedures to ensure transparency and accuracy of deal reporting and associated revenues. While the company neither admitted nor denied the allegations, it agreed to be permanently enjoined from violations of the antifraud provisions. The SEC highlighted that the lack of a penalty in the settlement is significant, and demonstrates the Commission’s position that a company may receive credit if it makes significant remedial efforts in the wake of an internal investigation. “For companies wondering what types of remedial actions and cooperation might be credited by the Commission after a company uncovers fraud, this case offers an excellent example,” stated Gurbir S. Grewal, Director of the SEC’s Division of Enforcement. “[The company’s] remediation and cooperation included not just its internal investigation and revised valuation, but also repaying harmed investors and improving its governance—all of which were factors that counseled against the imposition of a penalty in this case.” 

    Securities Enforcement SEC Settlement Fraud Securities Act Securities Exchange Act

  • FINRA fines securities firm $20,000 for AML violations

    Securities

    On January 20, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent (AWC), which requires a securities firm to pay a $20,000 fine for allegedly failing to: (i) establish and implement anti-money laundering (AML) policies and procedures reasonably expected to detect and cause the reporting of suspicious activity; (ii) conduct an independent AML test; and (iii) obtain the signature of a principal at the firm evidencing supervisory review and approval of the opening of customer accounts. According to the AWC, in 2018, “following a change in majority ownership, the firm’s business model shifted, and it began to service high-net worth international customers, many of whom were citizens or residents of jurisdictions that posed a heightened risk of money laundering or were considered bank secrecy havens.” The firm allegedly “failed to tailor its AML program to the firm’s new, higher-risk business model,” FINRA stated. The firm neither admitted nor denied the findings as part of the AWC but agreed to a censure, among other things.

    Securities FINRA Anti-Money Laundering Enforcement Financial Crimes

  • SEC chair considers updating cybersecurity rules

    Securities

    On January 24, SEC Chair Gary Gensler discussed the agency’s cybersecurity policy work before the Northwestern Pritzker School of Law’s Annual Securities Regulation Institute. Gensler commented that the SEC is working to improve the overall cybersecurity resiliency of the financial sector with a focus on four groups of entities, including broker-dealers and investment companies, public companies, service providers that are not necessarily registered with the agency but that work with SEC financial sector registrants, and the SEC itself. Areas that may benefit from being “freshen[ed] up” include SEC regulations related to systems compliance and integrity (which focus on reducing the occurrence of system issues and improving resiliency), as well as cyber “hygiene” and incident reporting requirements. With respect to data privacy, Gensler commented that there may be opportunities to modernize and expand Regulation S-P, which requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information. Noting that Regulation S-P was adopted more than two decades ago, Gensler has also asked SEC staff to provide “recommendations about how customers and clients receive notifications about cyber events when their data has been accessed,” including breaches of personally identifiable information. He stated that recommendations could also include changes to the timing and substance of notifications currently required under Regulation S-P. Gensler also asked for recommendations on whether and how to update public companies’ cybersecurity practices and cyber risk disclosures. He also noted that the SEC needs to explore and address cybersecurity risks arising from service providers, adding that measures “could include holding registrants accountable for service providers’ cybersecurity measures with respect to protecting against inappropriate access and investor information.”

    Securities Privacy/Cyber Risk & Data Security SEC Data Breach Agency Rule-Making & Guidance
