Tag: internal accounting controls

Cooley Alert: Federal Court Dismisses Bulk of SEC’s Complaint Against SolarWinds in Cyberattack Case

The 2020 SolarWinds hack was perhaps one of the worst cyberattacks in history, reportedly directed by the Russian intelligence service and affecting 18,000 customers, including some very well-known companies and about a dozen government agencies including the Treasury, Justice and Energy departments. Following the cyberattack, the SEC filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging securities “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” (See this PubCo post.) SolarWinds and Brown then moved to dismiss the complaint for failure to state a claim. On July 18, 2024, a federal district court issued a 107-page opinion, dismissing most of the SEC’s case against SolarWinds and its CISO.

SEC charges RR Donnelley with control failures related to cybersecurity incident

In this June Order, SEC Enforcement brought settled charges against R.R. Donnelley & Sons, a “global provider of business communications services and marketing solutions,” for two control failures: a failure to maintain adequate disclosure controls and procedures related to cybersecurity incidents and alerts, and a failure to devise and maintain adequate internal accounting controls—more specifically, “a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets—its information technology systems and networks, which contained sensitive business and client data—was permitted only with management’s authorization.” RRD agreed to pay over $2.1 million to settle the charges. Interestingly, in a Statement, SEC Commissioners Hester Peirce and Mark Uyeda decried the SEC’s use of “Section 13(b)(2)(B)’s internal accounting controls provision as a Swiss Army Statute to compel issuers to adopt policies and procedures the Commission believes prudent,” not to mention its “decision to stretch the law to punish a company that was the victim of a cyberattack.”

SEC charges Charter Communications with controls violation related to 10b5-1 plans for company buybacks

Yesterday, the SEC announced a settled action against Charter Communications for “violating internal accounting controls requirements when it engaged in stock buybacks not authorized by its board of directors.” More specifically, the Board had authorized the company to conduct stock buybacks using Rule 10b5-1 plans, but the SEC contended that Charter’s plans contained a provision that permitted too much discretion—allowing Charter to “change the total dollar amounts available to buy back stock and to change the timing of buybacks after the plans took effect.”  As a result, the SEC concluded, the plans did not satisfy Rule 10b5-1. But this was not a case about insider trading. Rather, the SEC charged, because the plans did not satisfy Rule 10b5-1, the buybacks were effectively unauthorized. And that was a problem of ineffective internal accounting controls (which, the SEC maintained, aren’t necessarily just about accounting). According to Melissa Hodgman, Associate Director of Enforcement, “[c]ompanies whose boards authorize buybacks using Rule 10b5-1 plans must have controls that reasonably assure that their trading plans meet all of the rule’s conditions….This includes the fundamental requirement that, to benefit from the protection of Rule 10b5-1, traders have to relinquish their ability to influence the amount or timing of trades after their trading plans go into effect.” Charter agreed to pay a civil penalty of $25 million. Commissioners Hester Peirce and Mark Uyeda dissented.  

SEC charges SolarWinds and CISO with securities fraud and control failures

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history?  As NPR described it in 2021, we all regularly receive routine software updates like this one:

“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”

according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

Is political corruption securities fraud?

You remember Matt Levine’s mantra in his “Money Stuff” column on Bloomberg: “everything is securities fraud”? “You know the basic idea,” he says, a

“company does something bad, or something bad happens to it. Its stock price goes down, because of the bad thing. Shareholders sue: Doing the bad thing and not immediately telling shareholders about it, the shareholders say, is securities fraud. Even if the company does immediately tell shareholders about the bad thing, which is not particularly common, the shareholders might sue, claiming that the company failed to disclose the conditions and vulnerabilities that allowed the bad thing to happen. And so contributing to global warming is securities fraud, and sexual harassment by executives is securities fraud, and customer data breaches are securities fraud, and mistreating killer whales is securities fraud, and whatever else you’ve got. Securities fraud is a universal regulatory regime; anything bad that is done by or happens to a public company is also securities fraud, and it is often easier to punish the bad thing as securities fraud than it is to regulate it directly.” (Money Stuff, 6/26/19)  

(See this PubCo post.) But here’s a new one—bribery and political corruption as securities fraud. As described in this press release, in the fiscal-year-end enforcement crush, the SEC brought settled charges against Exelon Corporation, a utility services holding company, and its subsidiary, electric utility company Commonwealth Edison Company (ComEd), and filed a complaint against ComEd’s former CEO alleging “fraud in connection with a multi-year scheme to corruptly influence and reward the then-Speaker of the Illinois House of Representatives.” Exelon and ComEd agreed to settle the charges, with Exelon paying a civil penalty of $46.2 million.  The charges against the CEO are headed for trial.  So how is this securities fraud? According to the Chief of the SEC Enforcement Division’s Public Finance Abuse Unit, the CEO’s “remarks to investors about ComEd’s lobbying efforts hid the reality of the long-running political corruption scheme in which they were engaged….When corporate executives speak to investors, they must not mislead by omission.”

SEC charges executives with fraudulent revenue recognition practices

As part of its fiscal-year-end enforcement surge, the SEC filed charges against three former executives of Pareteum Corporation, a telecommunications and cloud software company, for fraudulent revenue recognition practices—a settled action against the former controller and a complaint against the former CFO and former Chief Commercial Officer (also, formerly CEO).  As described in the complaint, the SEC charged the former executives with orchestrating a fraudulent scheme to overstate revenue by recording revenue from non-binding purchase orders and concealing the practice from the company’s auditors. From 2018 through mid-2019, the SEC alleged, the defendants’ improper revenue recognition practices resulted in the company’s overstating revenue by “approximately $12 million for fiscal year 2018 (60% of the ultimately restated revenue), and by approximately $30 million for the first and second quarters of 2019 (91% of the ultimately restated revenue).” In addition, the former CFO, the SEC charged, did not establish sufficient internal accounting controls to assess whether revenue should be recognized under GAAP. According to the press release, Pareteum previously settled with the SEC on accounting and disclosure fraud charges in 2021 and filed for bankruptcy in 2022. Notably, the U.S. Attorney’s Office for the SDNY has announced parallel criminal charges against the former CFO and CCO. According to the Associate Director of Enforcement for the SEC’s Philadelphia Regional Office, as the SEC alleged in its complaint, “Pareteum’s executives artificially inflated Pareteum’s revenue numbers to create the illusion of robust revenue growth….Investors should be able to trust public companies to issue truthful and accurate financial statements, and we will hold accountable any executives who abuse that trust and defraud investors.”

SEC charges GTT with disclosure failures and control violations

This press release announces settled charges brought by the SEC against GTT Communications, Inc., a multinational telecommunications and internet service provider, for failure to disclose material information about “unsupported adjustments of more than $35 million” that had the effect of reducing COR, i.e., cost of revenue, and increasing reported operating income by at least 15% in three quarters from 2019 through 2020. According to the Order, in 2017 and 2018, GTT rapidly expanded its business through multiple acquisitions, but had difficulty absorbing and integrating the operations of the acquired, sometimes distressed, companies, especially with regard to accounting and controls.  As a result, GTT was never able to reconcile data from two critical operating systems used to determine COR, ultimately leading to data integrity issues in its financial statements. In an attempt to achieve some consistency between the two systems, the SEC alleged, the company began to make accounting adjustments that, in the absence of effective controls, were “highly uncertain” and devoid of proper support. Moreover, the SEC alleged, GTT failed to provide adequate disclosure about the adjustments. In addition to antifraud violations, the SEC charged GTT with control violations: although GTT knew that its systems were inadequate to accurately report COR, “GTT failed to implement and maintain policies and procedures designed to provide reasonable assurance that the COR reflected in GTT’s financial statements was based on reasonable support.”  However, because of GTT’s prompt self-reporting, remedial measures and substantial cooperation, the SEC did not impose a civil penalty.  But perhaps the real penalty can be found here: in 2021, GTT was delisted from the NYSE, terminated its Exchange Act registration and filed for bankruptcy. GTT emerged in 2022 as a private company owned by certain of its former creditors—but eligible to use “Fresh-Start Reporting.”

SEC charges Fluor with improper accounting and inadequate internal accounting controls

In this Order, the SEC brought settled charges against Fluor Corporation, a global engineering, procurement and construction company listed on the NYSE, in connection with alleged improper accounting on two large-scale, fixed-price construction projects. Five current and former Fluor officers and employees were also charged. (The press release includes links to the orders for the five individuals.) Fixed-price contracts mean that cost overruns are the contractor’s problem, not the customer’s, and Fluor’s bids on the two projects were based on “overly optimistic cost and timing estimates.”  When Fluor experienced cost overruns, the SEC alleged, Fluor’s internal accounting controls failed, with the result that Fluor used improper accounting for these projects that did not comply with the percentage-of-completion accounting method under GAAP, leading Fluor to materially overstate its net earnings for several annual and quarterly periods. A restatement ultimately followed. Fluor agreed to pay a civil penalty of $14.5 million and the officers to pay civil penalties between $15,000 and $25,000.  According to the Associate Director in the Division of Enforcement, “[d]ependable estimates and the internal accounting controls that facilitate them are the backbone of percentage of completion accounting and are critical to the accuracy of the financial statements that investors rely on….We will continue to hold companies and individuals accountable for serious controls failures and resulting recordkeeping and reporting violations.”

SEC Enforcement’s “EPS Initiative” chalks up another one

Last week, the SEC announced settled charges against Gentex Corporation, a manufacturer of digital vision, connected car, dimmable glass and fire protection products, and its former Chief Accounting Officer and current CFO, Kevin Nash, related to financial reporting, books-and-records and internal accounting controls violations.  Allegedly, these violations were the consequence of deficiencies in the company’s accounting practices for its bonus programs, which practices allowed the company to manage its earnings by adjusting its accruals for bonuses to ensure that publicly reported EPS was in line with consensus EPS estimates—without the required accounting analysis or adequate supporting documentation.  According to the SEC, had the company not reduced the accrual for bonuses, it “would have missed consensus EPS estimates by one penny.” Gentex was ordered to pay a civil money penalty of $4 million and Nash to pay $75,000.  These charges represent yet another case resulting from SEC Enforcement’s “Earnings-Per-Share Initiative,” which applies risk-based data analytics to detect potential violations from earnings management, among other things.   

SEC charges Sequential Brands with failure to take goodwill impairment charges

The SEC has just filed a complaint against Sequential Brands Group, Inc., a brand management company, for failing to take timely and appropriate goodwill impairment charges as required by GAAP and the federal securities laws, despite “clear evidence of goodwill impairment” (according to the press release). As a result, the SEC alleges, the company “materially understated its operating expenses and net loss and materially overstated its income from operations, goodwill, and total assets” in its SEC filings, turning “a net loss into income” for financial statement purposes.