SEC Adopts FAST Act Disclosure Simplification and Modernization Amendments

On March 20, 2019, the U.S. Securities and Exchange Commission (SEC) adopted amendments to modernize and simplify Regulation S-K’s disclosure requirements and related rules and forms, as required by the Fixing America’s Surface Transportation (FAST) Act. The amendments were proposed by the SEC in October 2017. The SEC adopted most of the amendments as proposed and some of the amendments with modifications, and elected not to adopt certain proposed amendments at all.

The SEC intends for the amendments to improve the readability and navigability of company disclosures and to discourage repetition and disclosure of immaterial information. These amendments complement other recent amendments adopted by the SEC to simplify disclosure, such as in the Disclosure Update and Simplification Final Rule that became effective in November 2018.

Below are brief summaries of some of the more significant amendments:

Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A) (Regulation S-K, Item 303 and Form 20-F).

Registrants may omit discussion of the earliest of the three years covered by the MD&A if that year was already discussed in a prior EDGAR filing that required such discussion. Registrants that elect to omit the earliest year must include a statement identifying the location in the prior filing where the omitted discussion can be found.

Description of Property (Regulation S-K, Item 102)

Registrants must provide disclosure about physical property only to the extent that the property is material to the registrant’s business.

Risk Factors (Regulation S-K, Item 503(c) (moved to new Item 105))

The examples are deleted from the risk factors item to emphasize the principles-based nature of this disclosure requirement.

Material Contracts Two-Year Look Back (Regulation S-K, Item 601(b)(10))

Only “newly reporting registrants” are required to file fully performed material contracts that the registrant has entered into within two years of the applicable registration statement or report.

Redaction of Confidential Information in Material Contracts (Regulation S-K, Items 601(b)(10) and 601(b)(2) and investment company registration forms)

Registrants may omit or redact confidential information from their filed material contracts without submitting a confidential treatment request to the SEC if the confidential information (i) is not material and (ii) would likely cause competitive harm to the registrant if publicly disclosed. This amendment is effective upon the rule’s publication in the Federal Register.

New Form 10-K Exhibit (new Regulation S-K, Item 601(b)(4)(vi)).

Registrants are required to file an additional Exhibit to Form 10-K containing the description of the registrant’s securities required under Regulation S-K, Item 202(a)-(d) and (f).

Schedules and Attachments as Exhibits (Regulation S-K, Item 601(a)(5) and investment company forms).

Registrants are no longer required to file attachments to their material agreements if such attachments do not contain material information or were not otherwise disclosed.

Hyperlinks (Securities Act Rule 411(b)(4); Exchange Act Rules 12b-23(a)(3) and 12b-32; Investment Company Act Rule 0-4; and Regulation S-T Rules 102 and 105).

Registrants are no longer required to file as an exhibit any document that is incorporated by reference in the filing, but instead registrants must provide a hyperlink to such document.

Financial Statements: Incorporation by Reference and Cross-Reference (Forms 8-K, 10-Q, 10-K, 20-F, and 40-F).

Financial statements are prohibited from incorporating by reference, or cross-referencing to, information outside the financial statements (including in other parts of the same filing), unless otherwise specifically permitted by the SEC’s rules, U.S. Generally Accepted Accounting Principles, or International Financial Reporting Standards, as applicable.

Cover Page (Forms 8-K, 10-Q, 10-K, 20-F, and 40-F).

Registrants are required to disclose on the form cover page the national exchange or principal U.S. market for their securities, the trading symbol, and the title of each class of securities. Additionally, registrants are required to tag all cover page information using Inline XBRL. This cover page Inline XBRL requirement has a three-year phase-in compliance period identical to the phase-in compliance period for the SEC’s Inline XBRL rules adopted in 2018, with large accelerated filers required to comply beginning with fiscal periods ending on or after June 15, 2019.

Section 16 Disclosure (Regulation S-K, Item 405 and Form 10-K).

The caption under which delinquent filings under Section 16(a) of the Exchange Act are reported is changed from “Section 16(a) Beneficial Ownership Reporting Compliance” to “Delinquent Section 16(a) Reports,” and the checkbox on the cover page of Form 10-K related to such delinquencies is eliminated. Additionally, registrants are allowed to rely on Section 16 reports filed on EDGAR (as opposed to only paper copies of reports).

Investment Companies.

The adopted amendments include parallel amendments to several rules and forms applicable to investment companies and investment advisers, including amendments that require certain investment company filings to include a hyperlink to each exhibit listed in the filing’s exhibit index and that require registrants to submit such filings in HyperText Markup Language (HTML) format. The requirements that all investment company registration statements and Form N-CSR filings be made in HTML format and comply with the hyperlink rule and form amendments apply to all filings made on or after April 1, 2020.

Except as otherwise noted, the amendments will be effective 30 days from publication in the Federal Register.

The above summaries are not comprehensive and provide only highlights of certain amendments. They do not reflect all of the amendments nor all of the rules and forms that are affected by the amendments.


© 2019 Schiff Hardin LLP

The Effects Of The SEC Shutdown On The Capital Markets

Although EDGAR continues to accept filings, the government shutdown has now eclipsed its 28th day and the SEC continues to operate with limited staff, which is having a crippling effect on the ability of many companies to raise money in the public markets. This is largely because the SEC is unable to perform many of its critical functions during the lapse in appropriations, including the review of new or pending registration statements and the declaration of effectiveness of any registration statement.

Although Section 8(a) of the Securities Act of 1933, as amended, creates an avenue whereby a registration statement automatically becomes effective 20 calendar days after the filing of the latest pre-effective amendment that does not include “delaying amendment” language, many companies seeking to raise money in the public markets, including through an initial public offering, are reluctant to use this route for the following reasons. First, any pre-effective amendment that removes the “delaying amendment” language must include all information required by the form, including pricing information for the securities being sold, because Rule 430A is not available in the absence of a delaying amendment. This means that companies must commit to pricing terms at least 20 days in advance of the offering, which may be difficult given the volatility in the markets. If pricing terms change, the company must file another pre-effective amendment, which restarts the 20-day waiting period. Second, companies run the risk that the SEC may, among other things, issue a stop order. Finally, companies may run into issues with FINRA, Nasdaq or the NYSE, as these organizations may not agree to list securities without the SEC confirming that it has reviewed and cleared the filing and affirmatively declared the registration statement effective. These risks, among others, seem to outweigh the benefits of relying on Section 8(a) to make a registration statement effective after the 20-day waiting period. That is so even though many companies with a December 31 year end will soon be required to file audited financial statements for the year ended December 31, 2018 pursuant to Rule 3-12 of Regulation S-X, which will further delay the process and increase both the cost and the time of the offering.

Although companies seeking to raise money in the public markets, including through initial public offerings or shelf registration statements, may be reluctant to rely upon Section 8(a), some companies have already chosen to remove the “delaying amendment” language. For example, some companies that appear to have cleared all comments from the SEC prior to the partial government shutdown have elected to remove the “delaying amendment” and proceed with their offerings after the 20-day waiting period. In addition, other companies conducting rights offerings, such as Trans-Lux Corporation and Roadrunner Transportation Systems, Inc., are also relying on Section 8(a) as a means of raising money. Finally, some special purpose acquisition companies (“SPACs”), including Andina Acquisition Corp. III, Gores Metropoulous, Inc., Pivotal Acquisition Corp. and Wealthbridge Acquisition Limited, are among the issuers using Section 8(a) as a way to proceed with their offerings during this partial government shutdown, since SPACs in particular are not sensitive to price volatility in the markets because they have no operations.

Companies and underwriters that may be considering filing a pre-effective amendment to a registration statement to take advantage of Section 8(a) of the Securities Act should discuss the effects of removing the “delaying amendment” language with securities counsel before proceeding down such path.


Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

SEC’s Office of Compliance Inspections and Examinations Releases 2019 Examination Priorities

On Dec. 20, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued its annual Examination Priorities for 2019 (Exam Priorities), which is available for download here. The Exam Priorities focus around six thematic areas: (1) Retail Investors, including seniors and those saving for retirement; (2) Registrants responsible for critical market infrastructure; (3) FINRA and MSRB; (4) Digital Assets; (5) Cybersecurity; and (6) Anti-Money Laundering (AML) Programs.

As in the past, OCIE notes that its priorities are not exhaustive. The scope of any examination is determined through a risk-based approach that includes analysis of the registrant’s operations and products offered. For example, OCIE typically examines the disclosure of services, fees, expenses, and conflicts of interest for investment advisers, and trading and execution quality issues for broker-dealers. OCIE is continually evaluating changes in market conditions, industry practices, and investor preferences to assess risks to both investors and the markets.

In connection with OCIE’s priority to protect retail investors, OCIE reviews retail fees and expenses paid by investors, conflicts of interest of industry personnel, treatment of senior investors and the advertising and suitability of retirement products, portfolio management and trading, operations of and the selection of mutual funds and ETFs, procedures of municipal advisors, procedures for broker-dealers entrusted with customer assets, and microcap securities.

OCIE also continues to prioritize critical market registrants impacting the safety and operation of our financial markets, including clearing agencies, entities subject to Regulation SCI, transfer agents, and national securities exchanges.

Finally, OCIE will prioritize examinations of the effectiveness of FINRA and MSRB, which are assigned the responsibility for certain aspects of investor protection. OCIE also will conduct inspections to gather information and evaluate practices affecting digital assets, cybersecurity, and AML programs (especially broker-dealers subject to express obligations and SAR filing obligations).

Overall, OCIE noted that although changes to its priorities may be continual, OCIE’s analytic efforts and examinations remain firmly grounded in its four pillars: promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy.


©2019 Greenberg Traurig, LLP. All rights reserved.
This article was written by Arthur Don and Vincent Lewis of Greenberg Traurig, LLP.

Supreme Court Resolves Constitutionality of SEC’S ALJ Appointments — Now What?

Last week, the United States Supreme Court settled a circuit split regarding the constitutionality of the appointment of Administrative Law Judges (“ALJs”) by the Securities and Exchange Commission (“SEC” or the “Commission”).  In Lucia v. SEC, the Court held that the Commission’s five ALJs are “officers” subject to the Constitution’s Appointments Clause, which requires officers to be appointed by the President, “Courts of Law,” or “Heads of Departments.”  And because the SEC’s ALJs were hired by the agency’s staff, the Court reasoned, their appointments were unconstitutional.  The SEC reacted quickly, immediately issuing an order staying all pending administrative proceedings, the constitutionality of which is now unclear.

The Road to the Supreme Court

The Supreme Court’s decision arose from an SEC administrative proceeding against radio personality Raymond Lucia, charging him with violations of the Investment Advisers Act.  An ALJ, Cameron Elliot, heard the case and issued an initial decision finding against Lucia.  Lucia appealed to the SEC, arguing that because ALJ Elliot had not been constitutionally appointed, he lacked authority to issue such findings.  The SEC disagreed and affirmed the initial decision, prompting Lucia to appeal to the D.C. Circuit Court of Appeals.  Siding with the SEC, the D.C. Circuit held that SEC ALJs are not “inferior officers,” as Lucia argued, but rather “employees,” and therefore not subject to Appointments Clause requirements.  Meanwhile, in a similar case, Bandimere v. SEC, the Tenth Circuit reached the opposite conclusion, creating a circuit split requiring Supreme Court resolution.

The Ruling

In last week’s majority opinion, authored by Justice Kagan, the Court applied a test articulated in Freytag v. Commissioner, 501 U.S. 868 (1991) for distinguishing between officers and employees for Appointments Clause purposes.  In concluding that SEC ALJs are officers, the Court relied on the following facts: (1) they have career appointments and hold a continuing office established by law; (2) they exercise “significant discretion” when carrying out “important functions,” such as taking testimony, receiving evidence, examining witnesses, and enforcing discovery orders; and (3) when the SEC declines to review an ALJ’s initial decision, it becomes final and is deemed the action of the Commission.  In short, the Court held, the SEC’s ALJs are “near carbon copies” of the tax court judges found to be “officers” in Freytag.

Issues Left Unresolved

While the decision clearly settles the matter for Mr. Lucia, it leaves a number of issues unresolved, and its broader implications remain unclear.

Validity of SEC’s Prior Ratification

The biggest question left unanswered is whether the SEC’s attempt last year to cure any constitutional defect in its appointments scheme was sufficient.  While Lucia was pending before the Court, the Commission issued an order “ratifying” the prior appointments of its ALJs.  (See our prior blog post for additional discussion).  Lucia argued that the ratification was invalid and that the action did not in fact resolve the appointment defect.  The Court, however, declined to address this argument, noting in a footnote that the SEC had not indicated whether it intended to “assign Lucia’s case on remand to an ALJ whose claim to authority rests on the ratification order. The SEC may decide to conduct Lucia’s rehearing itself.  Or it may assign the hearing to an ALJ who has received a constitutional appointment independent of the ratification.”  The Court’s observation could be taken to suggest that the SEC’s ratification of the prior ALJ appointments did not in fact satisfy the Appointments Clause.  Perhaps in recognition of that possibility, the SEC promptly issued an order staying, for thirty days or until further order from the Commission, all of its pending administrative proceedings, including those in which an ALJ has already issued a decision.  The Commission presumably is now evaluating whether it needs to go beyond ratification to immunize its administrative proceedings from further constitutional attack.

Impact on Other Agencies

Another open question concerns the impact on other agencies’ administrative proceedings.  At oral argument, Justices Breyer and Sotomayor expressed concern that, if the Court were to rule in Lucia’s favor, proceedings in other federal agencies could be undermined as well.  While the majority opinion is silent on that question, Justice Breyer warned in his concurrence that the majority’s approach “risks . . . unraveling, step-by-step, the foundations of the Federal Government’s administrative adjudication system as it has existed for decades.”

ALJ Removal

Last, as noted in Justice Breyer’s concurrence, the Court’s decision raises questions about the constitutionality of limitations on ALJ removal under the Administrative Procedure Act (“APA”).  The APA provides that ALJs may be removed only “for cause.”  But if an SEC ALJ is a constitutional “officer,” that limitation may be invalid, as duly appointed officers are subject to removal at will.  Justice Breyer observed that, if ALJs are vulnerable to removal at any time, it could transform them “from independent adjudicators into dependent decisionmakers, serving at the pleasure of the Commission,” and therefore raise fundamental doubts about the legitimacy of their decisions.

Next Steps

As a result of the Court’s decision, Lucia himself will be entitled to a new hearing before a properly appointed ALJ or the Commission itself.  Given the questions that the Court declined to answer, and the SEC’s decision to temporarily stay its proceedings, however, we can expect further developments and continuing litigation in this area in the days and years to come.


© Copyright 2018 Squire Patton Boggs (US) LLP

SEC Issues Updated Disclosure Guidance on Cybersecurity

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued updated interpretative guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The updated guidance reinforces and expands upon the prior guidance on cybersecurity disclosures issued by the SEC’s Division of Corporation Finance in October 2011. In addition to highlighting the disclosure requirements under the federal securities laws that public companies must pay particular attention to when considering their disclosure obligations with respect to cybersecurity risks and incidents, the updated guidance (1) emphasizes the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents, and (2) discusses the application of insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cybersecurity context. The guidance specifically notes that the SEC continues to monitor cybersecurity disclosures carefully through its filing review process.

Cybersecurity-Related Disclosures

Timely Disclosure of Material Nonpublic Information

In determining disclosure obligations regarding cybersecurity risks and incidents, companies should analyze the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and the impact of the incident on the company’s operations. When assessing the materiality of cybersecurity risks or incidents, the SEC notes that the following factors, among others, should be considered:

  • Nature, extent, and potential magnitude (particularly as it relates to any compromised information or the business and scope of company operations), and
  • Range of possible harm, including harm to the company’s reputation, financial performance, customer and vendor relationships, and possible litigation or regulatory investigations (both foreign and domestic).

When companies become aware of a cybersecurity incident or risk that would be material to investors, the SEC expects companies to disclose such information in a timely manner and sufficiently prior to the offer and sale of securities. In addition, steps should be taken to prevent directors and officers (and other corporate insiders aware of such information) from trading in the company’s securities until investors have been appropriately informed about the incident or risk. Importantly, the SEC states that an ongoing internal or external investigation regarding a cybersecurity incident “would not on its own provide a basis for avoiding disclosure of a material cybersecurity incident.”

Risk Factors

In evaluating cybersecurity risk factor disclosure, the guidance encourages companies to consider the following:

  • the occurrence of prior cybersecurity incidents, including severity and frequency;
  • the probability of the occurrence and potential magnitude of cybersecurity incidents;
  • the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • the aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third party supplier and service provider risks;
  • the costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • the potential for reputational harm;
  • existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  • litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

The guidance also notes that effective communication of cybersecurity risks may require disclosure of previous or ongoing cybersecurity incidents, including incidents involving suppliers, customers, competitors and others.

MD&A of Financial Condition and Results of Operations

The guidance reminds companies that MD&A disclosure of cybersecurity matters may be necessary if the costs or other consequences associated with such matters represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future results. Among other matters, the cost of ongoing cybersecurity efforts (including enhancements to existing efforts), the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents could inform a company’s MD&A analysis. In addition to the immediate costs incurred in connection with a cybersecurity incident, companies should also consider costs associated with:

  • loss of intellectual property;
  • implementing preventative measures;
  • maintaining insurance;
  • responding to litigation and regulatory investigations;
  • preparing for and complying with proposed or current legislation;
  • remediation efforts; and
  • addressing harm to reputation and the loss of competitive advantage.

The guidance further notes that the impact of cybersecurity incidents on each reportable segment should also be considered.

Business and Legal Proceedings

Companies are reminded that disclosure may be called for in the (1) Business section of a company’s SEC filings if cybersecurity incidents or risks materially affect a company’s products, services, relationships with customers or suppliers, or competitive conditions, and (2) Legal Proceedings section if a cybersecurity incident results in material litigation against the company.

Financial Statement Disclosures

The SEC expects that a company’s financial reporting and control systems would be designed to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements on a timely basis as the information becomes available. The guidance provides the following examples of ways that cybersecurity incidents and risks may impact a company’s financial statements:

  • expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional services;
  • loss of revenue, providing customers with incentives or a loss of customer relationship assets value;
  • claims related to warranties, breach of contract, product recall/replacement, indemnification of counterparties, and insurance premium increases; and
  • diminished future cash flows, impairment of intellectual, intangible or other assets; recognition of liabilities; or increased financing costs.

Board Risk Oversight

The securities laws require a company to disclose the extent of its board of directors’ role in the risk oversight of the company, including how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, the disclosure should include the nature of the board’s role in overseeing management of that risk.

Cybersecurity-Related Policies and Procedures

Disclosure Controls and Procedures

The guidance encourages companies to adopt comprehensive policies and procedures related to cybersecurity and to regularly assess their compliance. Companies should evaluate whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

The certifications and disclosures regarding the design and effectiveness of a company’s disclosure controls and procedures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.

Insider Trading

Companies and their directors, officers, and other corporate insiders should be mindful of compliance with insider trading laws in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches. The guidance urges companies to consider how their code of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents. Specifically, the guidance suggests that as part of the overall investigation and assessment during significant cybersecurity incidents, companies should consider whether and when it may be appropriate to implement restrictions on insiders trading in their securities to avoid the appearance of improper trading during the period following a cybersecurity incident and prior to the dissemination of disclosure.

Regulation FD and Selective Disclosure

Companies are expected to have policies and procedures in place to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD required public disclosure is made simultaneously (in the case of an intentional disclosure) or promptly (in the case of a non-intentional disclosure) and is otherwise compliant with the requirements of Regulation FD.


© 2018 Jones Walker LLP
This post was written by Monique A. Cenac and Brett Beter of Jones Walker LLP.

Supreme Court Limits Scope of Dodd-Frank Whistleblower Protections

On February 21, the US Supreme Court decided Digital Realty Trust, Inc. v. Somers (583 U.S. ____ (2018)), which resolved a circuit split over whether the anti-retaliation provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, 124 Stat. 1376 (Dodd-Frank), extend to individuals who have not reported a securities law violation to the Securities and Exchange Commission and who therefore fall outside Dodd-Frank’s definition of a “whistleblower.”

Paul Somers alleged that Digital Realty Trust, Inc. (Digital Realty) terminated his employment shortly after he reported suspected securities-law violations to the company’s senior management. Somers filed a case in the US District Court for the Northern District of California (District Court) alleging that his termination amounted to whistleblower retaliation under Dodd-Frank. Digital Realty moved to dismiss the claim on the grounds that Somers did not qualify as a “whistleblower” for purposes of Dodd-Frank because (1) the statute defines a “whistleblower” as someone “who provides . . . information relating to a violation of the securities laws to the [SEC];” and (2) Somers failed to report the allegations to the SEC prior to his termination. The District Court denied Digital Realty’s motion and the Ninth Circuit affirmed, on the grounds that Dodd-Frank’s whistleblower protections should be read to protect employees regardless of whether they provide information to the SEC.

Reversing the District Court and the Ninth Circuit, Justice Ruth Bader Ginsburg, writing for the Court, explained that Dodd-Frank’s whistleblower retaliation provisions do not extend to an individual who has not reported alleged securities law violations to the SEC. Citing Dodd-Frank’s definition of a “whistleblower,” the Court determined that the statute explicitly required an individual to report such violations to the SEC in order to receive whistleblower protections. The Court found this interpretation of the whistleblower definition to be corroborated by Dodd-Frank’s intended purpose of motivating individuals to report securities law violations directly to the SEC.

The text of the decision is available here.

©2018 Katten Muchin Rosenman LLP

SEC Observations from Recent Cybersecurity Examinations Identify Best Practices

The SEC continues to focus on cybersecurity as an area of concern within the investment management industry.

On August 7, the US Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert summarizing its observations from a recent cybersecurity-related examination of 75 firms—including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC.

The SEC staff has made it clear that cybersecurity remains a high priority and is likely to be an area of continued scrutiny with the potential for enforcement actions. During a recent interview,[1] the SEC’s co-directors of Enforcement, Stephanie Avakian and Steven Peikin, stated their belief that “[t]he greatest threat to our markets right now is the cyber threat.” This pronouncement follows on the heels of OCIE’s identification of cybersecurity as one of its examination priorities for 2017,[2] OCIE’s release of a Risk Alert on the “WannaCry” ransomware virus,[3] and several significant Regulation S-P enforcement actions involving firms that failed to adequately protect customer information.[4]

This LawFlash details OCIE’s observations from its recent cybersecurity-related examination that were discussed in its Risk Alert.

OCIE’s Examination Identifies Common Issues

OCIE staff observed common issues in a majority of the firms and funds subject to examination. These common issues include the following:

  • Failure to reasonably tailor policies and procedures. Specifically, the examination found issues with policies and procedures that

    • incorporated only general guidance;

    • identified limited examples of safeguards for employees to consider; and

    • did not articulate specific procedures to implement policies.

  • Failure to adhere to or enforce policies and procedures. In some cases, policies and procedures were confusing or did not reflect a firm’s actual practices, including in the following areas:

    • Annual customer protection reviews not actually conducted on an annual basis

    • Policies providing for ongoing reviews to determine whether supplemental security protocols were appropriate, where those reviews were in fact performed only annually, or not at all

    • Policies and procedures creating contradictory or confusing instructions for employees[5]

    • Firms not appearing to adequately ensure that cybersecurity awareness training was provided and/or failing to take action where employees did not complete required cybersecurity training

  • Regulation S-P issues among firms that did not appear to adequately conduct system maintenance. Because Regulation S-P was enacted to safeguard the privacy of customer information, OCIE observed that issues arose where firms failed to install software patches to address security vulnerabilities, and failed to maintain other operational safeguards, to protect customer records and information.

  • Failure to fully remediate some of the high-risk observations that firms discovered when they conducted penetration tests and vulnerability scans.

Cyber Best Practices and Other Observations

OCIE identified elements of what it viewed as “robust” cybersecurity policies and procedures from its examinations. Such elements should be considered as best practices and instructive for broker-dealers, investment advisers, and funds in implementing, assessing, and/or enhancing existing cybersecurity-related policies and procedures. Such elements are as follows:

  • Maintenance of data, information, and vendor inventory, including risk classifications

  • Detailed cybersecurity-related instructions, including instructions related to penetration tests, access rights, and reporting guidelines for lost, stolen, or unintentionally disclosed sensitive information

  • Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including patch management policies

  • Access controls for data and systems

  • Mandatory employee training upon onboarding and periodically thereafter

  • Engaged senior management

OCIE staff noted an overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices since its previous Cybersecurity 1 Initiative.[6] Most notably, all broker-dealers, all funds, and nearly all investment advisers in the more recent examinations maintain written policies and procedures related to cybersecurity that address the protection of customer/shareholder records and information. This finding is in contrast to the Cybersecurity 1 Initiative, where OCIE found that comparatively fewer broker-dealers and investment advisers had adopted written policies and procedures of this type.

OCIE staff also noted the following:

  • Nearly all broker-dealers and many investment advisers and funds conducted periodic risk assessments, penetration tests, and vulnerability scans.

  • All broker-dealers and nearly all investment advisers and funds had a process in place for ensuring regular system maintenance.

  • All firms utilized some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.

  • All broker-dealers and a majority of investment advisers and funds maintained cybersecurity organizational charts and/or identified and described cybersecurity roles and responsibilities for the firms’ workforces.

  • Almost all firms either conducted vendor risk assessments or required that vendors provide the firms with risk management and performance reports (i.e., internal and/or external audit reports) and security reviews or certification reports.

  • Information protection programs at the firms typically included relevant cyber-related policies and procedures as well as incident response plans.

Key Takeaways

SEC-registered broker-dealers, investment advisers, and funds should evaluate their policies and procedures to determine whether there are gaps or areas that could be improved based on OCIE’s articulation of best practices. Firms and funds should further evaluate their policies and procedures to ensure that they reflect actual practices and are reasonably tailored to the particular firm’s business. As OCIE notes, effective cybersecurity requires a tailored and risk-based approach to safeguard information and systems.[7]

This post was written by Mark L. Krotoski, Merri Jo Gillette, Sarah V. Riddell, Martin Hirschprung and Jennifer L. Klass of Morgan, Lewis & Bockius LLP.

[1] Sarah Lynch, Exclusive: New SEC Enforcement Chiefs See Cyber Crime as Biggest Market Threat, Reuters.com (Jun. 8, 2017).

[2] OCIE, Examination Priorities for 2017 (Jan. 12, 2017).

[3] National Exam Program Risk Alert, Cybersecurity: Ransomware Alert (May 17, 2017).

[4] In re Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Advisers Act Release No. 4415 (Jun. 8, 2016); In re R.T. Jones Capital Equities Management Inc., Advisers Act Release No. 4204 (Sept. 22, 2015); and In re Craig Scott Capital LLC, Exchange Act Release No. 77595 (Apr. 12, 2016).

[5] OCIE provides an example of confusing policies regarding remote customer access that appeared to be inconsistent with those for investor fund transfers, making it unclear to employees whether certain activity was permissible based on the policies.

[6] See, e.g., OCIE Cybersecurity Initiative (Apr. 15, 2014); see also National Exam Program Risk Alert, Cybersecurity Examination Sweep Summary (Feb. 3, 2015).

[7] For example, the National Institute of Standards and Technology Cybersecurity Framework 1.0 (Feb. 12, 2014) provides a useful flexible approach to assess and manage cybersecurity risk.

Using “Finders” to Find Capital: Avoiding Problems for Your Company

Raising money for your startup can be hard. Not every entrepreneur can walk into Silicon Valley with a business idea and walk out with multiple VC term sheets in hand. Sometimes the only path to financing your startup is through the hard work of pitching and cobbling together a group of angels and other individual investors. But that path takes time and can be frustrating. Potential investors may hesitate to commit or, even worse, give you the dreaded “you’re-too-early-for-us” response. The offer from a “finder” to introduce you to investors with cash sounds attractive. Why not, right? What’s the downside?

You can use a finder if their role is limited and their compensation is structured properly. But you can cause major problems for yourself and the finder if they’re too involved and paid commissions on the money raised. These are activities that only registered broker-dealers (persons or firms engaged in the business of buying and selling securities for themselves or others) can engage in. If your company uses a finder acting as a broker-dealer, you might find your fundraising round unraveling, and your finder might find themselves in trouble with the Securities and Exchange Commission (SEC).

A “true” finder

A “true” finder can be OK if they limit their role to making introductions, receive a flat or hourly consulting fee that is not contingent on the success of the offering, and avoid any active role in negotiating and completing the investment. Finders acting in this very limited capacity are not considered broker-dealers. As a result, true finders are largely unregulated under the securities laws and need not be registered with the state or federal government as broker-dealers. This area is murky, however, because there are no clear regulations, and the rules of the road have been developed in court cases and case-by-case “no-action” letters from the SEC.

The real problem is that many finders do not limit their activities to mere introductions. These finders end up assisting in structuring and negotiating the offering, providing advice regarding the offering and investment, and even encouraging and inducing investors to invest. These activities make them a “broker” under the securities laws, and federal and state governments require that brokers be registered. Often the finder is not registered as a broker.

Finders also prefer success-based compensation, calculated as a percentage of the funds raised by the company, and companies prefer to pay finders only if and when they’re successful in helping to raise capital. Both courts and the SEC, however, take the position that such success-based compensation (also referred to as transaction-based compensation) is the telltale factor indicating whether a finder is acting as an unregistered broker-dealer.

So, what’s the risk?

For the company, using an unregistered broker-dealer to assist with an offering could create a rescission right in favor of the investors. If investors succeed in rescinding their investments, the company must return their money. A finder acting as an unregistered broker-dealer could be subject to severe SEC sanctions, and the company could void the finder’s engagement agreement, requiring return of the finder’s compensation. Moreover, even if a finder’s activities and compensation are perfectly legal, the relationship alone can still give rise to problems for the company. Any financial relationship with a finder must be disclosed to investors and listed on the company’s Form D filed with the SEC and state securities departments. Disclosure of such a relationship, again, even if perfectly legal, may nevertheless prompt some states to initiate an investigation.

The situation in Michigan, however, is even murkier. In the recent case Pransky v. Falcon Group, the Michigan Court of Appeals held that a “finder,” as defined in the Michigan Uniform Securities Act, was not required to be registered with and regulated by the State of Michigan, even where the company agreed to pay success-based compensation. Michigan companies and finders, however, should not take the opinion as a green light to engage in a finder relationship, structured with success-based compensation, without fear of regulatory oversight. The trial court initially dismissed the case on summary judgment, and as a result there was no evidence in the record of whether or not the finder’s activities went beyond mere introductions. In addition, some commentators have criticized the court’s decision. Perhaps sensing such impending criticism, the Court of Appeals, in a footnote, cautioned that the “better course of action would be for finders acting pursuant to similar contracts to protect themselves by registering, at the very least, as broker-dealers; the line between a finder’s activities and that of a broker-dealer…is a thin one and persons acting under such contracts without being registered are inviting litigation.”

The bottom line

Using finders for raising capital is not the easy solution it appears to be at first glance. Worse yet, it can lead to significant problems. As the saying goes, nothing worth having is easy. If you don’t have a VC-backable business, you may have an even harder time raising capital than most. Regardless, when it comes to raising money for your startup, be your own “finder”. Network, hustle, and tell your story. No one is more effective than you at explaining your business and the investment opportunity.

This post was written by Matthew W. Bower of Varnum LLP.

Chairman Clayton Outlines His “Guiding Principles” for SEC

In remarks to the Economic Club of New York on July 12, 2017, SEC Chairman Jay Clayton outlined eight guiding principles for his chairmanship and identified certain areas in which such principles could be put into practice. Chairman Clayton’s remarks – his first public speech as SEC Chairman – indicated his interest in, among other things, creating a Fixed Income Market Structure Advisory Committee to give advice to the SEC on regulatory issues impacting fixed income markets and coordinating with the U.S. Department of Labor (DoL) to bring “clarity and consistency” to the issue of standards of conduct for investment professionals, noting the DoL’s Fiduciary Rule is now partially in effect.

Guiding Principles

Clayton stated that the following principles will guide his SEC chairmanship:

• Principle 1: “The SEC’s mission is our touchstone.” Chairman Clayton stated that each tenet of the SEC’s three-part mission – (1) to protect investors, (2) to maintain fair, orderly, and efficient markets, and (3) to facilitate capital formation – is critical.

• Principle 2: “Our analysis starts and ends with the long-term interests of the Main Street investor.” According to the Chairman, an assessment of whether the SEC is abiding by its three-part mission must focus on the impact of its actions on “Mr. and Ms. 401(k)” and whether the SEC’s actions further the long-term interests of such investors.

• Principle 3: “The SEC’s historic approach to regulation is sound.” The SEC’s regulatory approach, focusing on disclosure and materiality, and using the SEC’s “extensive enforcement capabilities” as a “back-stop” to disclosure rules and oversight systems, is sound. In expressing his support for disclosure-based rules, Clayton asserted that informed decision-making by investors supports more accurate valuations of securities and more efficient allocation of capital.  As to the “back-stop,” the anti-fraud regime established by Congress and the SEC, Clayton noted the government’s “extensive enforcement capabilities on those who try to circumvent established investor protections or otherwise engage in deceptive or manipulative acts in the markets.”  Taking the foregoing into account, Chairman Clayton maintained that “wholesale changes” to the SEC’s fundamental regulatory approach would “not make sense.”

• Principle 4: “Regulatory actions drive change, and change can have lasting effects.” Although Chairman Clayton endorsed the disclosure-based regime of the SEC, he cautioned that the incremental impact of regulatory changes to this regime has included a significantly expanded scope of required disclosures “beyond the core concept of materiality.” He cited increased disclosure as among the factors that may make alternatives for raising capital increasingly attractive for small and medium-sized companies. Chairman Clayton added that fewer small and medium-sized public companies may mean less liquid trading markets for those that remain public and, to the extent companies are not raising capital in public markets, “the vast majority of Main Street investors will be unable to participate in their growth.”

• Principle 5: “As markets evolve, so must the SEC.”  Noting that technology and innovation are changing the way markets work and investors transact, Chairman Clayton stated that the SEC must take this “dynamic atmosphere” into account and “strive to ensure that our rules and operations reflect the realities of our capital markets.”   Further to this point, Clayton remarked that the evolution of capital markets presents opportunities for regulatory improvements and efficiencies and noted that the SEC is “adapting machine learning and artificial intelligence to new functions, such as analyzing regulatory filings.” Chairman Clayton cautioned, however, that implementing regulatory change has costs, including the “significant resources” spent by companies to build compliance systems.

• Principle 6: “Effective rulemaking does not end with rule adoption.”  Chairman Clayton stated that the SEC should review its rules “retrospectively,” and listen to investors and others as to areas in which rules are, or are not, functioning as intended.

• Principle 7: “The costs of a rule now often include the cost of demonstrating compliance.”  Chairman Clayton noted that the SEC must ensure that, at the time of adoption, the SEC has a “realistic version for how rules will be implemented,” as well as how the SEC will examine for compliance.  In this regard, according to Clayton, “[v]aguely worded rules can too easily lead to subpar compliance solutions or an overinvestment in control systems.”

• Principle 8: “Coordination is key.” According to Chairman Clayton, coordination with, between, and among all of the various U.S. federal regulatory bodies, state securities regulators, self-regulatory organizations and various other regulatory players “is essential to a well-functioning regulatory environment.” To illustrate his point, Clayton cited the dual regulatory structure for over-the-counter derivatives called for by the Dodd-Frank Act and working with the CFTC in this respect. Chairman Clayton noted that cybersecurity is also an area where coordination is critical, adding that the SEC is working with “fellow financial regulators to improve our ability to receive critical information and alerts and react to cyber threats.”

Fixed Income Markets

In a portion of his remarks titled, “Putting Principles into Practice,” Chairman Clayton observed that the “time is right for the SEC to broaden its review of market structure to include specifically the efficiency, transparency, and effectiveness of our fixed income markets.”  The SEC, according to Clayton, must explore whether fixed income markets “are as efficient and resilient as we expect them to be, scrutinize our regulatory approach, and identify opportunities for improvement.”  In this connection, Chairman Clayton stated that he has asked the SEC staff to develop a plan for creating a Fixed Income Market Structure Advisory Committee.

Fiduciary Rule

Chairman Clayton also touched upon the DoL’s Fiduciary Rule, noting that he recently issued a statement seeking public input on standards of conduct for investment advisers and broker-dealers.  Chairman Clayton expressed hope that the SEC can “act in concert with our colleagues at the [DoL] in a way that best serves the long-term interests of Mr. and Ms. 401(k).”  He also noted that “any action will need to be carefully constructed, so that it provides appropriate and meaningful protections but does not result in Main Street investors being deprived of affordable investment advice or products.”

The transcript of Chairman Clayton’s remarks is available at: https://www.sec.gov/news/speech/remarks-economic-club-new-york.

This post was written by the Investment Services Group of Vedder Price.

U.S. Supreme Court Rules That An SEC Enforcement Claim For Disgorgement Is Subject To A Five-Year Statute Of Limitations

Today, the U.S. Supreme Court unanimously held that any claim for disgorgement in an SEC enforcement action must be commenced within five years of the date the claim accrued. The decision in Kokesh v. SEC, No. 16-529, resolved a split among the Courts of Appeals as to whether the statute of limitations that applies to SEC enforcement actions seeking a penalty or forfeiture (28 U.S.C. § 2462) applies when disgorgement is sought. The Court had earlier applied that statute of limitations to claims by the SEC seeking a civil monetary penalty, and held that the limitations period begins to run when the violation occurs, not when it is discovered by the government. Gabelli v. SEC, 568 U.S. 442 (2013).

The five-year statute of limitations applies to “an action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture.” The Court held that the imposition of disgorgement in an SEC enforcement action is a “penalty,” and thus subject to the five-year limitations period. In reaching that conclusion, the Court noted that disgorgement is imposed as a consequence of a violation of a public law, not because some individual was aggrieved. Another element of the Court’s reasoning was that when disgorgement is ordered in an enforcement action the remedy is not compensatory. Instead, disgorged profits are paid to the court, and it is within the discretion of the court to determine how and to whom the money will be distributed.

Perhaps most important among the Court’s rationales, the primary purpose of disgorgement ordered in an enforcement action is deterrence, and sanctions imposed to deter infractions of public laws are “inherently punitive.” The Court noted that the amount paid is often greater than the defendant’s gain so that the defendant is not, in all cases, merely restored to the status it would have occupied had it not broken the law.

The oral argument in the case included considerable colloquy on the source of a court’s power to order disgorgement in an SEC enforcement action. In its decision the Court stated, “Nothing in this opinion should be interpreted as an opinion on whether courts possess authority to order disgorgement in SEC enforcement proceedings . . . .” (Slip Op., p. 5, n. 3)

The obvious effect of the decision will be to require the SEC to be expeditious in filing cases seeking not only civil monetary penalties but also, now, disgorgement. The Court did not address whether the remedy of an injunction, which often has collateral consequences for the defendant, or of declaratory relief is subject to this statute of limitations. The Court also did not discuss the effect a tolling agreement would have on the running of the statute.

This post was written by Allan Horwich of Schiff Hardin LLP.