Top 5 SEC Enforcement Developments

As a fitting cap to a busy month, on March 30, the SEC Division of Examinations announced its 2022 Examination Priorities. These priorities are consistent with the recent activities of the SEC more generally, as exemplified by the Top 5 Enforcement Developments below. The Examinations program will focus on private funds, environmental, social, and governance (ESG) investing, retail investor protections, information security and operational resiliency, emerging technologies, and crypto-assets.

These priorities, in addition to the key developments below, provide high-level guidance to in-house counsel and compliance professionals keeping abreast of the recent SEC developments.

1) Proposed Rules Changes on Cybersecurity

On March 9, 2022, the SEC proposed rules that appear to formalize the Enforcement Division’s recent scrutiny of public company cybersecurity disclosures by requiring specific disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. If adopted, the rules would require that issuers report material cybersecurity incidents within four business days of a materiality determination. The proposed rules would also require public companies to provide periodic updates about previously reported material cybersecurity incidents and to disclose immaterial cybersecurity incidents, which, in the aggregate, are deemed to be material. The amended rules also would require periodic reporting about (i) a public company’s policies and procedures to identify and manage cybersecurity risks; (ii) the company’s board of directors’ cybersecurity expertise and oversight of cybersecurity risks; and (iii) management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.

Although the SEC has stated that the goal of these proposed rules is to enhance cybersecurity disclosures to investors, the practical operation of these requirements in an environment that often requires forensic investigation and flexibility has caused some cybersecurity professionals alarm. Critics of the proposed rules have expressed concerns that requiring specific disclosure about an incident’s impact on such things as business operations may not be possible within four days of a materiality determination, and have questioned the lack of a law enforcement exception to the four-business-day deadline.

Whether the rules are adopted as proposed or are modified following the 60-day comment period, the SEC’s proposal serves as a good reminder for public companies to revisit cybersecurity policies and procedures, including to ensure companies have the requisite expertise to respond to a significant cyberattack, and to confirm that incident response policies provide a clear path to escalate incidents to senior leadership and/or a disclosure committee as appropriate.

2) Proposed Rules Changes on Climate-Related Disclosures

On March 22, 2022, the SEC proposed new rules aimed at standardizing climate-related disclosures for investors. This proposal appears to reflect a paradigm shift to a more prescriptive approach to disclosures—including requiring certain disclosures without regard to materiality—leaving some observers to question whether this change will be limited to climate-related disclosures or signals a broader change at the Commission.

If adopted, the new rules would require public companies to include certain climate-related disclosures in their registration statements and periodic reports, as well as plans to address such risks. The required disclosures would also include information about an issuer’s greenhouse gas emissions, including from upstream and downstream value-chain activities, although smaller entities could be granted a safe harbor. As with the proposed cybersecurity rules discussed above, the proposed climate-related rules require disclosures regarding corporate governance and risk management practices and the expertise of board members, potentially impacting the people chosen to serve on such boards.

These proposed rules serve as yet another reminder of the SEC’s focus on climate-related disclosures—coming on the heels of the SEC’s Division of Corporation Finance’s publication of a sample letter in September 2021 illustrating the kinds of comments that may be issued to companies regarding their climate-related disclosures—such that companies would be well served to ensure they have sufficient expertise to address climate-related risks no matter what specific language is ultimately adopted.

3) Proposed Rule Changes for SPACs

On March 30, 2022, the SEC took aim at special purpose acquisition companies (SPACs) with proposed rules focused on IPOs and “de-SPACs” involving those SPACs. The primary goal of the proposed rules is to ensure regulatory tools traditionally used to protect investors during IPOs are applied to SPACs, including disclosure requirements, standards for marketing practices, and gatekeeper and issuer obligations.

Among the most important provisions of the proposed rules are (i) the treatment of targets as “co-registrants” for de-SPAC transactions, exposing such private operating companies and signatories to liability under Section 11 of the Securities Act; (ii) a change in the definition of blank-check companies so that the PSLRA’s safe harbor provisions for forward-looking statements would not apply to target companies’ projections; and (iii) an expansion of who qualifies as an underwriter in the de-SPAC transactions by “deem[ing] anyone who has acted as an underwriter of the securities of a SPAC and takes steps to facilitate a de-SPAC transaction, or any related financing transaction or otherwise participates (directly or indirectly) in the de-SPAC transaction to be engaged in a distribution and to be an underwriter in the de-SPAC transaction.”

The proposal also includes a new rule addressing the status of SPACs under the Investment Company Act of 1940, which would exempt SPACs that satisfy certain conditions that limit their duration, asset composition, business purpose, and activities from registering under the Investment Company Act.

While in many instances the proposed rules require diligence and disclosures many SPACs are already undertaking, the rules as proposed threaten to add considerable cost and potential liability to SPAC participants. In statements offered at the Commission’s March 30, 2022 Open Meeting leading to these proposed rules, the SEC’s Commissioners invited a robust comment process to help clarify the costs and benefits of the proposed rules, and early public reactions suggest these proposed rules will be vigorously debated before any language is finalized and adopted.

4) Guidance for Lawyers and CCOs Acting as Gatekeepers

March has presented additional glimpses into the SEC’s and FINRA’s views of the role of lawyers as regulatory gatekeepers. On March 4, 2022, Commissioner Allison Herren Lee (who has since announced she does not intend to seek a second term after a successor for her is found) proposed new requirements intended for corporate lawyers to live up to the goals of Section 307 of Sarbanes-Oxley, during her remarks at PLI’s Corporate Governance Master Class. Section 307 was supposed to create new structures of accountability for lawyers, by mandating the adoption of minimum standards of professional conduct for attorneys appearing before the SEC. However, the only standard that has been adopted is the “up the ladder” rule, which requires lawyers to report certain potential violations up the chain of management. Commissioner Lee suggests solutions to the problem of “can-do,” or “goal-directed,” lawyering, which Lee described as legal advice tailored to what management wants to hear. Lee’s statements were aimed at the securities bar at large, and reflected her thoughts on steps the SEC could take to fulfill the mandate of Section 307, such as offering greater detail regarding a lawyer’s obligation to a corporate client, clearer standards on “materiality,” minimum standards of competence and expertise, and some degree of oversight at the firm level.

Soon afterwards, on March 17, 2022, FINRA issued new guidance on the role of chief compliance officers (CCOs) with respect to supervisory liability. The guidance may come as a relief to CCOs unsure about their obligations, as it specifies that FINRA will bring actions against a CCO for failure to supervise under the Supervision Rule (3110) only when the firm confers supervisory responsibility on the CCO and the CCO fails to discharge those responsibilities in a reasonable manner. Factors indicating that a CCO was not reasonable in the discharge of responsibilities would include whether he or she was aware of and failed to address multiple red flags or actual misconduct, or if he or she failed to establish, maintain, or enforce a firm’s written procedures. The CCO could be spared if he or she had been given insufficient support in terms of staffing, budget, training, or otherwise.

5) Ripple Executives Must Face Charges, but Key Defense Still in Play

On March 11, 2022, Southern District of New York Judge Analisa Torres denied Ripple executives’ motions to dismiss the SEC’s claims that they aided and abetted Ripple’s unregistered sale of $1.4 billion worth of the company’s signature digital asset, XRP. Judge Torres held that the agency had sufficiently alleged that the two executives knew or recklessly disregarded facts that made Ripple’s sale of XRP amount to the unregistered sale of securities.

Notably, however, Judge Torres also denied the agency’s request to strike Ripple’s “fair notice” affirmative defense, i.e., Ripple’s claim that it was never given fair notice by the agency that its actions relating to the token violated securities laws. This affirmative defense is integral to Ripple’s defense strategy, as it has maintained since the action was filed in 2020 that the SEC did not inform the company, or the crypto market generally, that the SEC viewed XRP as a security.

SEC critics who have long argued that the Commission has been “regulating through enforcement” rather than by adopting clear cryptocurrency rules have hailed Judge Torres’s decision to permit Ripple to pursue its affirmative defense as confirming their views. At the very least, the decision supports the industry’s need for clarity from the SEC and other regulators as to the rules of the cryptocurrency road.