Tag: SEC Division of Enforcement

Auditor problems are not just auditor problems

On Friday, SEC Enforcement charged audit firm BF Borgers CPA PC and its owner, Benjamin F. Borgers, with “massive fraud” involving “deliberate and systemic failures” to comply with PCAOB standards in auditing and reviewing financial statements incorporated into more than 1,500 SEC filings from January 2021 through June 2023. The charges also included “falsely representing to their clients that the firm’s work would comply with PCAOB standards; fabricating audit documentation to make it appear that the firm’s work did comply with PCAOB standards; and falsely stating in audit reports included in more than 500 public company SEC filings that the firm’s audits complied with PCAOB standards.” In settlement, the audit firm agreed to pay a $12 million civil penalty, and Benjamin Borgers agreed to pay a $2 million civil penalty, along with censures, cease-and-desists and permanent suspensions from appearing and practicing before the SEC as accountants. According to SEC Enforcement Director Gurbir S. Grewal,

“Ben Borgers and his audit firm, BF Borgers, were responsible for one of the largest wholesale failures by gatekeepers in our financial markets….As a result of their fraudulent conduct, they not only put investors and markets at risk by causing public companies to incorporate noncompliant audits and reviews into more than 1,500 filings with the Commission, but also undermined trust and confidence in our markets. Because investors rely on the audited financial statements of public companies when making their investment decisions, the accountants and accounting firms that audit those statements play a critical role in our financial markets. Borgers and his firm completely abandoned that role, but thanks to the painstaking work of the SEC staff, Borgers and his sham audit mill have been permanently shut down.”

This case has received an unusual amount of press—for an audit firm that many have never even heard of before—because Borgers was the auditor for the social media company of a certain former president. (See, e.g., the NYT, CNBC, CBS News) But, as we’ve often seen in other contexts, such as auditor independence (see, e.g., this PubCo post), this case also illustrates the importance for companies to keep in mind that these types of violations may have serious consequences not only for the audit firm, but also for the audit clients. In fact, in this case, the staff of Corp Fin and the Office of Chief Accountant issued this Staff Statement on Issuer Disclosure and Reporting Obligations in Light of Rule 102(e) Order against BF Borgers CPA PC.

Is the SEC’s case against SolarWinds counterproductive?

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history? As described by NPR in 2021, the hack was  “believed to be directed by the Russian intelligence service, the SVR,” which used a “routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.” It was estimated that 18,000 customers were affected, including some very well-known companies and about a dozen government agencies including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security.  The SEC filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging ‘fraud and  internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” The gist of the complaint, as alleged by the SEC, is that many red flags emerged and incidents occurred, well known among company employees, that should have spurred the company and its CISO to take action to address serious cyber vulnerabilities, including vulnerabilities related to the company’s “crown jewel” assets.  Instead, the SEC charged, the CISO “failed to resolve the issues or, at times, sufficiently raise them further within the company.” (See this PubCo post.) As discussed in this blogpost, Fatal Flaws in SEC’s Amended Complaint Against SolarWinds, from our White Collar Defense and Investigations group, this case has developed into a very high-stakes contest.  

Was it SPAC week? SEC charges SPAC with misleading statements

Perfectly calibrated to slap an exclamation point on last Wednesday’s 581-page SPAC release (see this PubCo post), this new SEC Order, posted the following day, reflects settled charges against Northern Star Investment Corp. II, a SPAC, for misleading statements in its SEC filings in connection with its SPAC IPO and failed de-SPAC transaction. In the SPAC release, the SEC noted concerns from commentators regarding the adequacy of the disclosures provided to investors in SPAC IPOs and de-SPAC transactions.  In this case, the SEC charged that Northern Star stated in its SEC filings that, prior to filing its S-1 for its IPO, it had had no substantive discussions with any potential target; in reality, however, Northern Star had had several discussions with the ultimate target regarding a potential SPAC business combination. According to the Director of the SEC’s Philadelphia Regional Office, “Northern Star’s failure to disclose discussions with its merger target kept investors in the dark about its future plans, information that would have been important in deciding whether to invest in this SPAC….Given that the purpose of a SPAC is to identify and acquire an operating business, SPACs should be transparent about any pre-IPO discussions with potential acquisition targets.”  Northern Star was ordered to pay a civil money penalty of $1.5 million for violation of the antifraud provisions of the Securities Act.

District Court views “shadow trading” to be within the “misappropriation” standard of §10(b)

In August 2021, the SEC filed a complaint in the U.S. District Court charging Matthew Panuwat, a former employee of Medivation Inc., an oncology-focused biopharma, with insider trading in advance of Medivation’s announcement that it would be acquired by a big pharma company, Pfizer.  As you know by now, this case has often been viewed as highly unusual:  Panuwat didn’t trade in shares of Medivation or shares of the acquiror, nor did he tip anyone about the transaction.  No, the SEC’s novel theory of the case was that Panuwat engaged in “shadow trading”; he allegedly used the information about the acquisition of his employer to purchase call options on Incyte Corporation, another biopharma that the SEC claimed was comparable to Medivation, based on an assumption that the acquisition of Medivation at a healthy premium would probably boost the share price of Incyte.  Panuwat made over $100,000 in profit.   The SEC charged that he violated Rule 10b-5 and sought an injunction and civil penalties.  (See this PubCo post.)  After losing a motion to dismiss, this past September, Panuwat moved for summary judgment, claiming that this was the wrong case to test out the novel shadow-trading theory: “Incyte and Medivation were fundamentally different companies with no economic or business connection, Medivation’s policies did not prohibit Mr. Panuwat’s investment, and Mr. Panuwat’s reasons for making the investment were entirely separate from the Medivation sale process and consistent with his prior investment  practices.”  The SEC responded that Panuwat’s “actions fit squarely within the misappropriation theory of insider trading” and that his “actions provide strong evidence of his scienter.”  The District Court for the Northern District of California has just rendered its decision.  Did the Court take issue with the SEC’s application of this novel theory of shadow trading?  Not so much. Indeed, the Court appears to treat the case as just another version of “misappropriation” of material nonpublic information.  According to the Court, the SEC showed that there were “genuine disputes of material fact concerning (i) whether Panuwat received nonpublic information, (ii) whether that information was material to Incyte, (iii) whether Panuwat breached his duty to Medivation by using its confidential information to personally benefit himself, and (iv) whether Panuwat acted with scienter.” Accordingly, the Court denied Panuwat’s motion for summary judgment.  In its Order, the Court reminded the parties to schedule a settlement conference. Will the parties settle? Or will this case go to trial?

SEC reports Enforcement stats for fiscal 2023 —with big contributions from whistleblowers

The SEC has announced its Enforcement stats for fiscal 2023, which revealed that the SEC filed 784 total enforcement actions, up 3% from the 760 filed in fiscal 2022.  However, the level of financial remedies declined in fiscal 2023 to $4.9 billion from a record $6.4 billion last year. Nevertheless, it was still the second highest amount in SEC history. (Of course, you might recall that Gurbir S. Grewal, Director of the Division of Enforcement, said last year that the SEC didn’t expect to break last year’s records and set new ones every year because they “expect behaviors to change. We expect compliance.”)  Of those financial recoveries, in fiscal 2023, the SEC distributed $930 million to harmed investors, representing the second consecutive year of distributions in excess of $900 million. But the standout statistics this year related to the SEC’s whistleblower program, where new records were set with whistleblower awards totaling almost $600 million, and 18,000 whistleblower tips in fiscal 2023, about 50% more tips than were received in fiscal 2022. A new record was also set with a $279 million award to one whistleblower. Overall, in fiscal 2023, the SEC received over “40,000 tips, complaints, and referrals in total,” a 13% increase over last year. According to SEC Chair Gary Gensler, the “investing public benefits from the Division of Enforcement’s work as a cop on the beat….Last fiscal year’s results demonstrate yet again the Division’s effectiveness—working alongside colleagues throughout the agency—in following the facts and the law wherever they lead to hold wrongdoers accountable.” Grewal added that “[i]nvestor protection and enhancing public trust in our markets requires that we work with a sense of urgency, using all the tools in our toolkit. As today’s results make clear, that’s precisely what the Enforcement Division did in fiscal year 2023….Whether it was by leveraging risk-based initiatives, seeking robust remedies, rewarding cooperation, protecting whistleblowers, or returning nearly a billion dollars to harmed investors, the Enforcement Division stood up for the investing public.”

SEC charges Charter Communications with controls violation related to 10b5-1 plans for company buybacks

Yesterday, the SEC announced a settled action against Charter Communications for “violating internal accounting controls requirements when it engaged in stock buybacks not authorized by its board of directors.” More specifically, the Board had authorized the company to conduct stock buybacks using Rule 10b5-1 plans, but the SEC contended that Charter’s plans contained a provision that permitted too much discretion—allowing Charter to “change the total dollar amounts available to buy back stock and to change the timing of buybacks after the plans took effect.”  As a result, the SEC concluded, the plans did not satisfy Rule 10b5-1. But this was not a case about insider trading. Rather, the SEC charged, because the plans did not satisfy Rule 10b5-1, the buybacks were effectively unauthorized. And that was a problem of ineffective internal accounting controls (which, the SEC maintained, aren’t necessarily just about accounting). According to Melissa Hodgman, Associate Director of Enforcement, “[c]ompanies whose boards authorize buybacks using Rule 10b5-1 plans must have controls that reasonably assure that their trading plans meet all of the rule’s conditions….This includes the fundamental requirement that, to benefit from the protection of Rule 10b5-1, traders have to relinquish their ability to influence the amount or timing of trades after their trading plans go into effect.” Charter agreed to pay a civil penalty of $25 million. Commissioners Hester Peirce and Mark Uyeda dissented.  

SEC charges SolarWinds and CISO with securities fraud and control failures

You remember the 2020 SolarWinds hack, perhaps one of the worst cyberattacks in history?  As NPR described it in 2021, we all regularly receive routine software updates like this one:

“‘This release includes bug fixes, increased stability and performance improvements’…. Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare—bug fixes, performance enhancements—to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers. The routine update, it turns out, is no longer so routine. Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America. ‘Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,’”

according to the Company’s CEO. And not just any customers—the Company determined that many very well-known companies and about a dozen government agencies were compromised, including the Treasury, Justice and Energy departments, the Pentagon and, ironically, the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security. On Monday, the SEC announced that it had filed a complaint against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, charging ‘fraud and  internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”  In the complaint, the SEC charges that “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.” According to Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, the SEC’s enforcement action “underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”

ICYMI: column from Matt Levine on SEC Enforcement’s “silly season”

After all the PubCo posts on the avalanche of SEC enforcement cases muscled into the last couple of days before the SEC’s fiscal year end, I thought this column in Bloomberg from Matt Levine might be of particular interest.  The relevant portion of the column, called the “SEC silly season,” discusses the apparent scramble by the SEC at the end of its fiscal year to bring as many enforcement actions as possible in response to “performance-reporting pressures,” that is, the pressures to make its stats to achieve optimal Congressional funding.  According to academic research cited in the column, that scramble is not just “apparent,” it’s real, and it has practical implications for enforcement behavior.  The research showed that the average number of cases filed in September “is almost double the average in other months,” and that the “spike is larger when case totals are behind pace to meet last year’s case total, which likely serves as a de facto performance benchmark.” The SEC achieves this fiscal-year-end increase, according to the research, “by changing its enforcement behavior related to substantive cases,” that is, through prioritization of less complex cases and imposition of more lenient penalties, including financial discounts, relative to other periods.  For example, the September cases are “significantly more likely to reference defendant cooperation and to only name companies as defendants, and are less likely to include a fraud allegation and to reference parallel criminal proceedings.” Accordingly, the authors found that the  “evidence is consistent with the SEC agreeing to more lenient settlement terms to increase case volume at fiscal year-end—an unintended consequence of performance reporting that undermines the SEC’s core values.” As the authors of the research suggest, might defendants familiar with this “regulatory inconsistency” be able to use it to their advantage?

In an enforcement sweep, SEC charges multiple companies and insiders with untimely reporting under Sections 16 and 13(d)

Yesterday, the SEC announced a sweep enforcement action against several insiders and companies for failing to file Forms 4 (Section 16(a) short-swing trading reports) and Schedules 13D and G (reports by beneficial owners of more than 5%) on a timely basis. Using data analytics, the SEC staff identified the insiders charged as “repeatedly filing these reports late,” some delayed “by weeks, months, or even years.”  In some cases, the companies failed to make filings on behalf of insiders after having volunteered to do so, and then failed to report the delinquencies in their own filings, as required by Reg S-K Item 405. Those charged were assessed penalties ranging from $66,000 to $200,000. In commenting on these cases, SEC Director of Enforcement Gurbir Grewal said that “[t]imely disclosure of insider transactions is critically important to both investors and the fair, orderly and efficient operation of our securities markets. According to today’s orders, the insiders and companies charged in these matters in the aggregate deprived investors of timely information about over $90 million in transactions….These enforcement actions also make clear that we will not hesitate to charge companies for causing their insiders’ disclosure violations where the companies took on the responsibility for making relevant filings for their insiders, and then acted negligently.” According to the Deputy Enforcement Director, “[s]everal years ago, we undertook a similar initiative to root out repeated late filers….Today’s enforcement action should serve to remind SEC filers that reporting obligations under the securities laws are not optional, and there are consequences for failing to file required forms in a timely manner.” Apparently, the SEC wants to send a message that late filings are not ok…and really late filing are really not ok. It’s also clear that the SEC views companies that do volunteer to make filings on behalf of their insiders—a common practice—as potentially contributing to their filing failures and will hold the companies responsible if the insiders fail to timely file. Message sent, message received?

SEC charges CBRE for violation of whistleblower protections

One area where SEC Enforcement appears to have focused its attention recently is whistleblower protections. In this Order against CBRE, Inc., the SEC brought settled charges against the commercial real estate services and investment firm for using an employee release form that the SEC alleged violated Exchange Act Rule 21F-17, the SEC’s whistleblower protection rule. The purpose of the whistleblower provisions in the Exchange Act, added in 2010 as part of Dodd-Frank, was to “encourage whistleblowers to report possible securities law violations by providing, among other things, financial incentives and confidentiality protections.” To prevent obstruction of that reporting, the SEC adopted Rule 21F-17, which provides that “[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement…with respect to such communications.”  The SEC’s order found that, “by conditioning separation pay on employees’ signing the release, CBRE took action to impede potential whistleblowers from reporting complaints to the Commission.”  According to an SEC Regional Director, it “is critical that employees are able to communicate with SEC staff about potential violations of the federal securities laws without compromising their financial interests or the confidentiality protections of the SEC’s whistleblower program….We commend CBRE for its swift and far-reaching remediation and for its high level of cooperation with our staff, which is reflected in the terms of the resolution.” Is it time to take another look at your employee separation agreements and release forms?