Securities Regulation Daily
Thursday, October 4, 2018

Enforcement directors tout cyber unit, urge observers to be chary on finding trends in upcoming annual report

By Mark S. Nelson, J.D.

SEC Division of Enforcement Co-Directors Stephanie Avakian and Steven Peikin said the Division’s Cyber Unit seeks to bring carefully selected cases that send broad messages in remarks they delivered at the 10th Annual SEC Historical Society event co-hosted this year by law firm Morgan Lewis. The event was billed as a conversation with Avakian and Peikin about a range of issues, including initial coin offerings (ICOs), cybersecurity, the Supreme Court, and the SEC’s enforcement priorities. Morgan Lewis partners Susan Resley and Ben Indek moderated the discussion with Avakian and Peikin.

ICOs and cybersecurity. Indek opened the discussion with a question about ICOs and the types of cases brought thus far by the SEC with the help of the Division’s Cyber Unit. The Cyber Unit was created just over a year ago to focus on: (1) market manipulation; (2) hacking of material, nonpublic information; (3) violations that involve distributed ledger technology and ICOs; (4) violations that occur on the dark web; (5) retail brokerage account intrusions; and (6) cybersecurity threats to trading platforms and critical infrastructure.

Avakian said the Cyber Unit has about 30 employees and that it has a presence in five of the SEC’s regional offices, although the SEC’s other offices each have a liaison to the Cyber Unit. She explained that the purpose of the Cyber Unit is to provide centralized expertise. She said the Cyber Unit’s cases generally fall into two categories—fraud and regulatory matters (e.g., failure to register). Because the Cyber Unit has so many things to look at, Avakian said it is critical for the unit to pursue "thoughtful" cases; Avakian later elaborated that the intent is to choose cases "that send the broadest message."

As an example, Peikin noted the SEC’s enforcement efforts regarding celebrity-endorsed ICOs. Peikin said the targeted behavior stopped almost immediately after the agency brought a case. Previously, the Division and the Office of Compliance Inspections and Examinations jointly issued a public statement about celebrity endorsements of ICOs that warned investors that celebrities may not be disclosing their financial ties to ICOs and warned celebrities and other promoters of the potential for liability under the SEC’s anti-touting and anti-fraud rules.

A follow-up question from Indek about subpoenas issued by the SEC in the ICO space drew mostly a no comment from Avakian, although Avakian acknowledged there are many open investigations and that the agency seeks to cover a broad landscape, including registration, unregistered broker-dealers, and unregistered investment companies.

Avakian also noted that the Division, sometimes in conjunction with other SEC divisions or offices and other regulators, had issued a number of statements in the ICO space. With respect to ICOs, the Division has commented on The DAO report, platforms, virtual currency enforcement, and celebrity-endorsed ICOs. The Division also has commented on matters outside the ICO context, including in enforcement cases against Leon Cooperman, Howard Present, and Christopher Hall. Chairman Clayton has since reminded users of SEC guidance that such documents are not legally binding.

Resley asked if there had been developments on another of the Cyber Unit’s focal points—cybersecurity. Peikin observed that cybersecurity requires the agency to tread carefully because it does not want to enforce against someone just because they were the victim of a breach and because cybersecurity is a national security and economic security issue, not just a securities issue. As for its cases, Peikin said the SEC has focused on companies that had inadequate controls or failed to make timely disclosures. Peikin cited the Altaba (Yahoo!) case alleging that Yahoo! failed to disclose a breach, and the Voya case, the first enforcement action involving violations of Regulation S-ID’s identity theft red flags requirements. Avakian added that the SEC tries to put enough information into its orders to show that it was addressing "real failures" and not just second-guessing companies.

In February 2018, the Commission issued more detailed guidance on cybersecurity disclosures in the form of an interpretive release. The Division of Corporation Finance had issued guidance in 2011 that addressed a number of disclosure issues while urging companies to disclose enough information about breaches to inform investors but not so much information as to give would-be hackers a roadmap to any vulnerabilities.

Tesla. Peikin gave a speech ahead of the SEC Historical Society event at which he touted the efficacy of non-monetary, equitable relief the SEC has obtained in significant matters. For example, he cited the recent proposed settlement (a court must still approve it) with Tesla and its CEO Elon Musk, who had tweeted that he could take Tesla private at a specified price, that funding was secured, and that the only uncertainty was a shareholder vote. As part of that settlement, Musk is barred from being chairman of Tesla for three years and the company must adopt numerous governance reforms. Chairman Jay Clayton also issued a statement of support for the settlement, characterizing the result as being in the "best interests of our markets and our investors, including the shareholders of Tesla." The settlement would also require Tesla and Musk to each pay $20 million in penalties.

In reply to a question from Resley, Peikin said there were several takeaways for company boards and executives, although neither he nor Avakian could comment more broadly about the Tesla case. First, Peikin said the Tesla case suggested an unusual fact pattern. Second, he said the case involved a situation where the company lacked controls over the CEO’s communications. Third, Peikin noted that the relief sought by the SEC was tailored to address specific issues, much like the relief sought by the SEC in the earlier Theranos case. Avakian said that in cases like Tesla the SEC is thinking about what relief is the most important.

Retail investors and the five principles. In joint testimony in May 2018 before the House Financial Services Subcommittee on Capital Markets, Securities, and Investment, Avakian and Peikin said the Division was focused on five goals that broadly support principles announced by Chairman Clayton. Specifically, the Division seeks to: (1) address Main Street investors’ concerns; (2) hold individuals accountable; (3) deal with evolving technologies; (4) impose sanctions to further the Division’s goals; and (5) engage in an ongoing reassessment of how best to deploy the Division’s limited resources.

Here, Avakian said the SEC’s Retail Strategy Task Force, created at the same time as the Cyber Unit, houses centralized expertise. Indek then asked about how big data impacts the retail space, especially in cherry-picking cases. Peikin replied that the SEC uses tools developed in house and that the quality of these tools is good.

Supreme Court decisions and enforcement. Resley inquired of Avakian and Peikin whether it was business as usual for SEC in-house proceedings now that the Supreme Court in Lucia has concluded that the agency’s administrative law judges (ALJs) are officers of the U.S. and not merely employees. Avakian replied "Yes and no." According to Avakian, the SEC will pursue an in-house proceeding in matters where that is the only possible enforcement avenue and when the in-house proceeding allows the SEC to seek certain types of relief. More specifically, financial fraud cases are now less likely to be taken in-house. Avakian also noted that the agency’s in-house proceedings as a forum are "overloaded" because of the many re-assigned matters under Lucia and she observed that the in-house process would need time to return to normal, which she said may look more like the past year.

Peikin agreed that the SEC would be more "judicious" in its use of in-house proceedings. But Peikin also cautioned that there could be additional legal challenges to the in-house process. Although not mentioned by Peikin or Avakian, those legal challenges may include whether the SEC’s ALJs enjoy too many layers of tenure protection in violation of the Supreme Court’s holding in the Free Enterprise case that dual for-cause removal protections for members of the Public Company Accounting Oversight Board were unconstitutional. The justices, however, resolved that case by severing provisions of the Sarbanes-Oxley Act that made members of the PCAOB removable only for cause.

In a speech late in 2017, Peikin observed that the SEC’s Foreign Corrupt Practices Act cases have lately tended to focus on international cooperation and individual culpability. He also noted that the Supreme Court’s Kokesh decision that disgorgement is a penalty for purposes of the applicable federal limitations period had cast a shadow over FCPA cases because the SEC must now try to bring cases earlier if the agency wants to maximize its prospects to obtain disgorgement. The faster pace of enforcement may not always be ideal because of the typically long lead time needed to investigate FCPA violations.

Peikin reiterated before the SEC Historical Society audience that Kokesh had a "very significant impact" on the SEC’s enforcement cases. He observed that in many instances funds are now beyond the SEC’s reach. Peikin also noted that the SEC is keeping tabs internally on the amount of funds it can no longer reach via disgorgement; the figure as of earlier this year, he said, was $800 million, although he acknowledged that figure is likely higher now. When asked by Resley about the use of tolling agreements in cases involving long-running frauds, Peikin said cases have the most impact when they are brought near in time to the alleged violation. Peikin also noted that the longer it takes to bring a case, the more likely witnesses may forget key details.

With respect to whistle blowers, the Supreme Court held in Somers that an employee may take advantage of the Dodd-Frank Act’s anti-retaliation protections only if they report information relating to a securities violation to the Commission, as required by the Dodd-Frank Act’s definition of "whistle blower." Avakian told Indek that the SEC has approximately 700 open cases with a whistle blower component. She also suggested that the SEC’s Dodd-Frank Act whistle blower program is both a blessing and a curse; Avakian said the downside is the volume of claims to review, but she said the program’s results are positive. Peikin said it was too soon to judge the impact of Somers, but that the SEC could get more claims.

Enforcement trends. Resley nudged Avakian and Peikin to give a preview of the SEC’s annual enforcement statistics, which are due to be released soon. Avakian cautioned against inferring trends from a certain time period of data, especially from just one year’s worth of data. Avakian instead urged listeners to look at the substance and quality of the SEC’s enforcement actions. She also noted that individual responsibility was a big theme in 2018 and cited the Tesla matter and others as examples. Overall, however, Avakian said there likely would be no change in current SEC enforcement trends.

Avakian’s comments largely reiterated remarks she delivered this past September as she and Peikin approached the one-year anniversary of their co-directorship in which she said enforcement statistics fail to explain the depth of the Division’s work. "Steve and I fundamentally reject the premise these analyses embrace—that numbers—standing alone—can adequately measure the success or impact of an enforcement program." Instead, Avakian urged observers to focus on the "nature and quality" of the matters pursued. Avakian cited a number of high-profile matters, including those the SEC brought against Rep. Christopher Collins (insider trading; parallel criminal indictment) and Elizabeth Holmes of Theranos, Inc. (false statements about company’s business). But with respect to ICOs, Avakian said the Division, despite bringing numerous enforcement matters, did not want to quash a nascent technology, although she emphasized that all securities markets participants must abide by the federal securities laws.

Peikin told the SEC Historical Society audience that 85 percent of the Division’s work is constant and that priorities tend to be shaped around the margins. He cited the SEC’s share class initiative as one of several examples. The share class initiative encourages firms to self-report potential violations regarding Rule 12b-1 fees. Earlier in the discussion, Peikin said the initiative allows for non-enforcement, but that the SEC could pursue charges if it finds violations after the initiative ends; Avakian said the initiative, so far, has been successful.

But in later questioning about the forthcoming enforcement report, Peikin said that the SEC has no control over major events in markets. He observed that markets are stable now and that enforcement typically follows market events, so the SEC’s enforcement priorities could change as events happen.

Attorneys: Susan Resley and Ben Indek (Morgan, Lewis & Bockius LLP).
