G. Jeffrey Boujoukos is partner and leader of the securities enforcement practice, Susan Resley is partner, and Laurie Cerveny is corporate partner at Morgan Lewis & Bockius LLP. This post is based on a Morgan Lewis memorandum by Mr. Boujoukos, Ms. Resley, Ms. Cerveny, and Justin Chairman.
Most media accounts suggest that the incoming Biden administration will usher in a more “aggressive” SEC enforcement posture, with renewed emphasis on investigating potential fraud and controls deficiencies at public companies. SEC Enforcement may face some short-term headwinds to this approach. A dramatic increase in tips, complaints, and referrals during the pandemic, as well as COVID- 19-related delays that may extend the 24-month average lifetime of SEC enforcement investigations, will likely require the SEC to selectively allocate stretched resources in 2021.
Where are the limited resources likely to go beyond the more standard accounting, revenue recognition, and disclosure cases that the SEC regularly investigates and prosecutes?1 Recent enforcement activity points to several areas of interest to the SEC, and provides a valuable window for public companies into the SEC’s methods and priorities, including:
- Coronavirus-Related Public Disclosures—Enforcement’s First Case
- Enforcement’s EPS Initiative—Harnessing the Data
- Executive Perquisites—Continued Enforcement Focus
- Insider Trading—A Zero Tolerance Policy
- Buybacks and Rule 10b5-1 Plans—A New Enforcement Theory and Likely Rulemaking in 2021
- Cyber Intrusions—The Current SEC Playbook
- Whistleblowers—2020 Was a Record Year
Background—Enforcement Personnel Changes, Data Analytics, and a Legislative Fix for Disgorgement
The lasting enforcement legacy of the SEC under former Chairman Jay Clayton may very well be data analytics. While the Commission certainly employed data analytics before Chairman Clayton arrived, his emphasis on collaboration among different divisions and offices, such as the Division of Enforcement (Enforcement) and the Division of Economic and Risk Analysis, led to a number of Enforcement cases during his tenure where data analytics played a heightened role. During her tenure, former Director of Enforcement Stephanie Avakian extolled the importance of data analytics, and we expect that these techniques will continue to develop.
During 2020, Enforcement signaled that it would more aggressively use data analytics to aid in its investigation of public company financial reporting, risk disclosures, and insider trading. A newly created Enforcement Coronavirus Steering Committee worked “with the Division’s Market Abuse Unit to monitor trading activity around announcements made by issuers in industries particularly impacted by COVID-19 and to identify other suspicious market movements for possible manipulation.”
Similarly, Enforcement warned that the Coronavirus Steering Committee would use a “systematic process to review public filings from issuers in highly-impacted industries, with a focus on identifying disclosures that appear to be significantly out of step with others in the same industry[,]” and indicated that Enforcement is “also looking for disclosures, impairments, or valuations that may attempt to disguise previously undisclosed problems or weaknesses as coronavirus-related.” Such peer-related review has been used to in the past by the Commission to detect securities violations by over-performing investment advisors and to expose Ponzi schemes.
In the past we have written on the Kokesh v. SEC5 decision, where the US Supreme Court held the five- year statute of limitations in 28 USC § 2462 applies to claims for disgorgement in SEC enforcement action. This was a significant limitation of the SEC’s ability to seek disgorgement for aged misconduct, and former Chairman Clayton pushed Congress for legislative relief. In a rare New Year’s Day session, the Senate overrode a presidential veto and passed into law the National Defense Authorization Act for Fiscal Year 2021 and within its over 1,400 pages was Section 6501, titled: “Investigations and Prosecution of Offenses for Violations of the Securities Laws.” This section addresses the issue of disgorgement in two primary ways: (1) by amending the Securities Exchange Act of 1934 to expressly recognize disgorgement as a statutory remedy; and (2) extending the statute of limitations for claims of disgorgement to 10 years where the underlying violation is pursuant to Section 10(b) of the Exchange Act, section 17(a)(1) of the Securities Act of 1933, the Investment Advisers Act of 1940 or “any other provision of the securities laws for which scienter must be established.”
While this section does extend the time to bring a claim for disgorgement it is important to note the limitation to instances where the violation involves “scienter” or the intent to defraud (as opposed to negligence). Often SEC actions against public companies are resolved without scienter-based charges. However, this dichotomy between levels of intent may have the apparent unintended consequence of causing Enforcement to pursue scienter-based charges where the statute would otherwise preclude disgorgement.
Coronavirus Related Public Disclosures—Enforcement’s First Case in this Area
Less than seven months after describing its approach for evaluating COVID-19-related disclosures, the SEC announced a settled action against a publicly traded company in the restaurant industry for allegedly “making misleading disclosures about the impact of the COVID-19 pandemic on its business operations and financial condition.” This was the first case brought by the SEC against a public company for allegedly misleading investors about the financial effects of the pandemic. We expect that there are more cases like this under investigation by Enforcement.
The SEC claimed that the company stated in its public that its restaurants were “operating sustainably” during the COVID-19 pandemic. The SEC alleged that those filings were materially false and misleading because the company’s internal documents at the time showed that the company was losing approximately $6 million in cash per week and that it projected that it had only 16 weeks of cash remaining. Further, the SEC found that, while not disclosed in its March and April 2020 public filings, the company shared that information with potential private equity investors and lenders in connection with an effort to seek additional liquidity. The SEC also alleged that a March 23 filing described actions the company had undertaken to preserve financial flexibility during the pandemic, but failed to disclose that the company had already informed landlords that it would not pay rent in April due to the impacts of COVID-19 on its business.
While neither admitting nor denying the allegations, the company agreed to an Order Instituting Cease and Desist Proceedings finding violations of Section 13(a) of the Exchange Act and Rules 13a-11 and 12b-20 thereunder, which collectively require every issuer of a security registered pursuant to Section 12 of the Exchange Act to file accurate reports on Form 8-K, and to a $125,000 penalty.
Lessons of note:
- This was a fast-paced investigation—lasting less than eight months—demonstrating Enforcement focus on the accuracy or adequacy of an issuer’s disclosures concerning actual or projected risks.
- The Commission will use unrelated discussions of business issues that are contemporaneous in time to public statements to assert that the public disclosures were insufficient or incorrect.
Enforcement’S EPS Initiative—Harnessing the Data
On September 28, 2020 the SEC filed settled actions against two public companies that originated from a self-described “EPS Initiative” that “utilize[d] risk-based data analytics to uncover potential accounting and disclosure violations caused by, among other things, earnings management practices.” In the press release, Enforcement credited the recently formed Division of Enforcement Office of Investigative and Market Analytics with providing valuable assistance.
In the first case, the SEC’s order found that in multiple quarters the subject company made “unsupported, manual accounting adjustments that were not compliant with GAAP,” and that “these adjustments were often made when the [the company’s] internal forecasts indicated that the company would likely fall short of analyst consensus EPS estimates.” The order further found that “the adjustments boosted the company’s income, making it possible for [the company] to consistently report earnings that met or exceeded consensus estimates.” The SEC also charged the company’s former controller and chief accounting officer with directing the unsupported adjustments, including those made to management bonus accruals and stock-based compensation accounts. The company’s former chief financial officer was charged with causing the controller and chief accounting officer to direct some of the unsupported entries.
The SEC found that the company and CFO violated antifraud provisions of the Securities Act of 1933 as well as internal controls and books and records provisions of the Securities Exchange Act of 1934. Without admitting or denying the SEC’s findings, the company, the CAO, and the former CFO agreed to cease and desist from future violations of the charged provisions and to pay civil penalties of $5 million, $70,000, and $45,000, respectively.
In the second case, the SEC alleged that the subject company inaccurately presented its financial performance in late 2016 and early 2017. The order found that during two quarters in which the company was on track to meet or beat analyst consensus EPS estimates, its public filings “included a valuation allowance for its mortgage servicing rights that was at odds with the valuation methodology described in the same filings.” In mid-2017 the company belatedly reversed the valuation allowance, increasing its EPS by $0.01 in a quarter when it otherwise would have fallen short of consensus estimates. The SEC concluded that the company’s disclosures “created the misleading appearance of consistent earnings across multiple reporting periods.”
The SEC’s order concluded that the company violated the reporting, books and records, and internal controls provisions of the federal securities laws. Without admitting or denying the SEC’s findings, the company agreed to cease and desist from future violations of the charged provisions and to pay a $1.5 million civil penalty.
Executive Perquisites—Continued Enforcement Focus
Executive compensation in the form of perquisites or “perks” has been and will remain an Enforcement focus area. The SEC proxy disclosure rules require that companies disclose in the Summary Compensation Table of the proxy statement the perquisites provided to a named executive officer if the officer’s total perquisites exceed $10,000. If the value of a single perquisite exceeds the greater of
$25,000 or 10% of the total value of all perquisites reported, then the type and amount of such perquisite must be identified in a footnote.
The SEC standard for analyzing whether a benefit is a perquisite considers the following:
- An item is not a perquisite or personal benefit if it is integrally and directly related to the performance of the executive’s duties.
- An item is a perquisite or personal benefit if it confers a direct or indirect benefit that has a personal aspect without regard to whether it may be provided for some business reason or for the convenience of the company, unless it is generally available on a nondiscriminatory basis to all employees.
In recent enforcement actions, the SEC has sanctioned companies that have omitted discussion of perks paid to executives from their Compensation Discussion & Analysis for violating the requirements of Item 402 of Regulation S-K as well as the companies’ obligations to file proxy statement and annual reports that do not contain materially false or misleading statements or materially misleading omissions. This included instances where public companies have paid for personal use of private airplanes, charitable donations, yacht and sports car expenses, cosmetic surgery, hotel stays, personal financial planning, transportation for family members, club memberships, and tickets to entertainment events. In some cases, executives used company credit cards or petty cash equivalents for personal expenses and submitted expense reports and invoices that the SEC found falsely indicated that certain expenses were for business purposes. Sanctions have included civil penalties and the retention of independent compliance consultants.
Recently, Enforcement disclosed that it identifies unreported perks, in part, through data analytics. In the press release for a September 2020 perquisite case, Enforcement announced the action “was generated by the Division of Enforcement’s use of risk-based data analytics to uncover potential violations related to corporate perquisites.” Former Director Avakian indicated: “We will continue to use risk-based analytics to identify companies that fail to comply with the Commission’s executive compensation disclosure rules.”
Lessons of note:
- Using the terms “risk-based analytics” suggests that the Division of Enforcement has identified factors it believes suggest a higher likelihood of unreported perquisites.
- Public companies should review procedures for evaluating whether an item is a perquisite, and for valuing and disclosing perquisites in the proxy.
- Compliance programs should include robust training and documentation components relating to, among other things, non-cash benefits to executives.
Insider Trading—A Zero Tolerance Policy
Detecting and prosecuting those engaged in insider trading remains an SEC priority. Enforcement indicated particular vigilance during the COVID-19 pandemic as companies have dealt with a steady stream of potentially market moving information. “Given these unique circumstances, a greater number of people may have access to material nonpublic information than in less challenging times. Those with such access—including, for example, directors, officers, employees, and consultants and other outside professionals—should be mindful of their obligations to keep this information confidential and to comply with the prohibitions on illegal securities trading.”
While the SEC has yet to bring an insider trading case based on material, nonpublic information arising from the pandemic, in 2020 it brought actions against a number of company insiders, including an administrative assistant in a corporate legal department, an accountant in a company’s revenue recognition department, a regional vice president, a senior manager in a corporate tax department, a retiring chief financial officer, an IT manager, and a vice president of an international group within a multinational corporation. Further, it is important to recognize that Enforcement no longer relies primarily on tips or questionnaires posed to companies to generate insider trading leads. Data analytics allow Enforcement to analyze trading patterns and activity shortly after a price moving event. Further, when it comes to corporate insiders, it appears no alleged illicit gain is too small to avoid Enforcement scrutiny. For example, in 2020 the SEC pursued cases against a corporate president for avoiding a $23,000 loss, a general manager of acquisitions for a $21,609 profit, and a director of capital sourcing for a $13,153 profit.
Lessons of note:
- Companies should revisit insider trading policies, including procedures surrounding trading windows.
- Robust periodic training is imperative, with a recognition that even lower level employees will be exposed to material nonpublic information.
Buybacks and Rule 10b5-1 Plans—A New Enforcement Theory and Likely Rulemaking in 2021
Company stock buybacks and executive 10b5-1 plans (which allow an executive to structure his or her trades in advance of stock sales) have drawn considerable recent focus from Congress. On October 15, 2020, the SEC waded into the fray, charging a company with violating the internal controls provisions of Exchange Act Section 13(b)(2)(B) by engaging in a $250 million stock buyback while in possession of material nonpublic information. This action is an aggressive departure from traditional insider trading cases, and the first time that the SEC has ever charged a non-registrant issuer with violating Section 13(b)(2) in connection with controls against insider trading.
In this matter, the company was in discussions to be acquired, but these discussions were suspended in October 2017. The CEOs of the respective companies agreed to recommence discussions on February 23, On February 21, 2018, the company’s CEO directed its CFO to initiate a $250 million share buyback. On February 22, 2018, its legal department concluded that the company was not in possession of material nonpublic information and approved a Rule 10b5-1 plan to repurchase $250 million of stock in accordance with 2015 and 2016 Board authorizations for share repurchases. The buyback was executed over a period of weeks while the company negotiated, and ultimately reached, an agreement to be acquired. A month after completing the buyback, the company publicly announced the acquisition in a deal valuing the company at over $150 per share. The SEC concluded that the company repurchased 2.6 million shares of its stock from investors at an average price of $97 per share.
Rather than charge the company with insider trading, which would have required demonstrating scienter—an intent to defraud—the SEC charged the company with a controls violation. The SEC alleged “insufficient internal account controls” including an “abbreviated and informal process to evaluate the materiality of the acquisition discussions that did not allow for a proper analysis of the probability that [the company] would be acquired.” Further, the “informal process did not require conferring with persons reasonably likely to have potentially material information regarding significant corporate developments prior to approval of share repurchases.” As a consequence, the SEC found that the company “violated Exchange Act Section 13(b)(2)(B), which requires all reporting companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that, among other things, transactions are executed in accordance with management’s general or specific authorizations, and access to assets is permitted only in accordance with management’s general or specific authorization.” Without admitting or denying the findings, the company agreed to cease and desist from further violations and to pay a $20 million fine. The SEC’s two Republican Commissioners, Hester Peirce and Elad Roisman, took the seldom-used step of issuing a Public Statement explaining their opposition to the action and rationale as an overreach for an internal controls case.
Future application of Section 13(b)(2)(B) to reach other stock transactions will turn on how broadly the SEC will apply this interpretation of “transactions” and “access to assets.” The authorization or exercise of stock options, for example, is a transaction that should be approached with the level of diligence described above.
In addition, we expect additional scrutiny and possible rulemaking regarding executive 10b5-1 plans in 2021. While 10b5-1 plans are designed to provide protections for prearranged trades, questions have arisen concerning the need to further clarify the requirement that an executive entering into the plan does not possess material, nonpublic information at the time that he or she enters into the plan. In an oversight hearing before the Senate Banking Committee on November 17, 2020, both Chairman Clayton and Democratic members of the Senate appeared to agree that additional rulemaking is necessary to prevent timing trades in a fortuitous manner for that executive, such as a “cooling-off period” between the date the plan is adopted and the first trade. In response to a question for Senator Sherrod Brown asking if “clear standards to follow and avoid abuses” were necessary, Chairman Clayton stated: “for executives, I am a proponent of a cooling-off period. When you put your plan in place, say you do it in June, there are no purchases or sales, in most cases it is sales, for a period of time. Whether that is three months or six months whatever that is, that gives everybody comfort that timing was not planned ahead. That fortuity was an intent. I think that is something we all should explore.”
Lessons of note:
- Consider revising internal policies and procedures surrounding approval of share buybacks to include a formal process that includes a requirement to confer with persons reasonably likely to have potential material information regarding significant corporate developments.
- Consider applying the same rigor to any approval of a Rule 10b5-1 plan and revisit required cooling-off periods.
- Consider establishing a Rule 10b5-1 plan for stock repurchases, and consider an appropriate cooling-off period.
- Ensure that all steps are fully documented in a uniform manner.
Cyber Intrusions—The Current SEC Playbook
In the past three years Enforcement created the Cyber Unit designed to “focus the Enforcement Division’s substantial cyber-related expertise on targeting cyber-related misconduct,” issued a report pursuant to Section 21(a) of the Exchange Act on nine public companies that were victims of cyber-related frauds, and considered whether these companies violated federal securities laws by failing to have a sufficient system of internal accounting controls. The SEC also adopted a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. These efforts, and two related enforcement actions discussed below, have set the stage for what has become standard investigative techniques for Enforcement when a cyberincident becomes public.
With regard to cyber-related disclosure, in April 2018, the SEC charged a publicly traded company that was a victim of a massive breach of its user database by hackers associated with the Russian Federation that resulted in the “theft, unauthorized access, and acquisition of hundreds of millions of its users’ data, including usernames, birthdates, and telephone numbers.” The SEC found that the company violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15 thereunder by failing to disclose the breach in its annual and quarterly reports. Without admitting the finding, the company settled the matter and paid a $35 million civil penalty.
At the heart of the SEC’s action was the allegation that “senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in [the company’s] public filings or whether the fact of the breach rendered, or would render, any statements made by [the company] in its public filings misleading.” Further, the SEC noted that senior management and legal teams did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations and “did not maintain disclosure controls and procedures designed to ensure that reports from [the company’s] information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed.”
With regard to cyber-related insider trading, in March 2018, the SEC charged a chief information officer and a product development manager of software engineering with insider trading in advance of the public announcement of a data breach at their employer that exposed Social Security numbers and other personal information of approximately 148 million US customers. Both individuals concluded that the public announcement of the breach would adversely affect the stock price and either traded to profit or avoid losses in advance of the announcement.
These two cases provide insight into Enforcement concerns in the wake of cyber events. A publicly traded company that is the victim of a data breach should prepare for SEC scrutiny when the breach becomes public in any manner. This scrutiny will not only focus on the process for responding to, and evaluating reporting arising from the breach but, in addition, those with knowledge will be investigated to determine whether they profited from the information before it became public.
Lessons of note:
- Ensure that cyber intrusion related information is not siloed and consider policies and procedures that reflect a process for the gathering and evaluation of such information in connection with public reporting.
- Be prepared before the attack, including preparing written action plans for response to cyber intrusions.
- Consider whether a company-wide blackout on trading is appropriate in light of a suspected data breach.
Whistleblowers—2020 Was a Record Year
Since its first whistleblower award in 2012, the SEC has awarded approximately $728 million to 118 individuals who provided information and assistance that led to successful enforcement actions. SEC enforcement actions from whistleblower tips have resulted in over $2.5 billion in ordered financial remedies, including more than $1.4 billion in disgorgements.
Further, the pace and size of SEC whistleblower awards have increased dramatically over the last three years as the program has matured. In FY 2020 alone, the SEC made a record 39 individual awards of approximately $175 million. This marked a 200% increase in the number of individuals awarded in a single year and, at the time, 31% of the total monies awarded in the program’s history. Former Director Avakian attributed the sharp increase to efforts within Enforcement to “streamline and substantially accelerate the evaluation of claims for whistleblower awards.” This included a series of amendments to the SEC Rule approved in September 2020 addressing issues such as a presumption of the statutory award amount for certain awards of $5 million or less, allowing awards where relief is a deferred prosecution agreement or non-prosecution agreement by the DOJ, and creating summary disposition procedures for award denials.
The increased pace and size of awards has continued into FY 2021, including an October 2020 award of $114 million, the largest award to date. The $114 million award consisted of an approximately $52 million award in connection with the SEC case and an approximately $62 million award arising out of the related actions by another agency. “After repeatedly reporting concerns internally, and despite personal and professional hardships, the whistleblower alerted the SEC and the other agency of the wrongdoing and provided substantial, ongoing assistance that proved critical to the success of the actions.”
Lessons of note:
- Continue to promote internal reporting through various compliance channels, as that is the best way to learn of issues and remediate them prior to SEC involvement.
- Review and update policies to make clear prohibitions on retaliation.
- Review and update agreements to ensure that confidentiality and other provisions do not improperly prohibit whistleblower activities.
Conclusion
The coronavirus crisis forced companies to adapt and the same was true for the SEC. Traditionally, public company cases arose through whistleblowers or after public announcements that resulted in stock price declines. These circumstances still generate the lion’s share of SEC cases. However, in recent years, significant criticism was levied upon the SEC for failing to identify alleged misconduct before it was publicly exposed. Data analytics is one way for the SEC to identify ongoing violations, and Enforcement spent 2020 honing these tools. Increased whistleblower awards are another way, and the SEC devoted significant resources and attention to streamlining and advertising its whistleblower program in 2020.
Expect more of the same in 2021.
The complete publication, including footnotes, is available here.