In a webinar titled Challenges in Compliance and Corporate Governance, a panel of Gibson Dunn attorneys explored regulatory developments that took hold in 2018 and significantly impact corporate compliance efforts. The presentation marked the 18th year Gibson Dunn has provided the community with an overview of these developments. Some of the hot topics covered included the impact of the Trump administration and the recent government shutdown, cybersecurity and data privacy, SEC-related disclosures, gatekeeper liability, as well as a review of key developments at the SEC and CFTC.
The panelists included Joseph Warren, Michael Mencher, Kendall Day, Sacha Harber-Kelly, Stuart Delery, Adam Smith, and Lori Zyskowski.
The Trump administration and impact of the government shutdown. The panelists generally agreed that in the first two years of the Trump administration, regulatory agencies have devoted resources and attention to many of the same priorities as in previous years. Especially at the SEC, things have stayed on track despite initial indications of vast overhauls at the agency. Cybersecurity and data privacy continue to be areas of focus for corporations and enforcement authorities alike in the wake of numerous announcements in 2018 of large-scale private and public sector data breaches. Criminal enforcement remains robust. Aggregate fines (from DOJ and civil enforcers) were down slightly, but remain significant—$10.91 billion in 2018 versus $11.75 billion in 2017.
As for the recent government shutdown, Michael Mencher noted that it will take many weeks for things to get back to normal. He observed that this was the case with the 2013 shutdown, which lasted only 16 days. Clients can expect long delays when dealing with government agencies, even on routine matters, he noted.
State enforcers remain active. State enforcement authorities were active in 2018, utilizing a broad complement of enforcement tools. New York’s Department of Financial Services (“DFS”) remains a major player, and regulators from a number of states have taken action, particularly with respect to data privacy and security. California, Illinois, Massachusetts, and New York are all filling gaps created by decreased federal government enforcement in certain areas.
SEC enforcement in 2018. The panel noted that the SEC’s DOE 2018 annual report referred to five key focus areas:
- protecting the Main Street investor;
- pursuing individual accountability;
- keeping pace with technological change;
- imposing sanctions that most effectively further enforcement goals; and
- constantly assessing its allocation of resources.
- In Somers v. Digital Realty Trust, the Supreme Court held 9-0 that the Dodd-Frank anti-retaliation provision applies only to whistleblowers who report their concerns to the SEC, not to those who only file internal reports.
- In Lucia v. SEC, the Supreme Court held in a 7-2 decision that the SEC’s administrative law judges (“ALJ”) are “officers of the United States,” and thereby subject to the Appointments Clause of the Constitution. As a result, the SEC agreed to rehear more than 128 cases previously litigated before ALJs found to have been improperly appointed; the full SEC reaffirmed the ALJ appointments in compliance with the ruling.
- In December, the Supreme Court heard oral argument in Lorenzo v. SEC, a case on appeal from the D.C. Circuit regarding the scope of scheme liability under Rule 10b-5. The petitioner claimed that he cannot be found liable under a theory of “scheme” liability for distributing a misstatement of which he was not the “maker” under the Janus standard.
To advance its priorities, the CFTC created specialized task forces in four substantive areas: spoofing and manipulative trading; virtual currency; insider trading and protection of confidential information; and the Bank Secrecy Act. Additionally, cooperation advisories issued by the CFTC’s DOE in 2017 resulted in a number of reduced penalties during the year. In several spoofing enforcement actions, the CFTC specifically noted that the companies received credit for substantial cooperation and self-reporting.
Data privacy concerns remain front and center. The panel noted that many data breaches started with mistakes. For instance, the New York Attorney General attributed a quarter of 2017 breaches to negligence, including inadvertent disclosure and lost devices. Meanwhile, an SEC investigation in October found that nine public companies lost almost $100 million from cyber frauds where employees wired money to individuals posing as executives or vendors. Additionally, ransomware incidents are ubiquitous, with ransomware accounting for almost half of all malicious software in 2017. It was noted that approximately 93% of malware, including ransomware, is spread via e-mail. According to the panel, this underscores the importance of anti-phishing training.
Major SEC disclosure practice trends and developments. The panel identified a number of emerging SEC-related disclosure practices. These include:
- Board Diversity. A growing number of companies are voluntarily enhancing their disclosures to highlight the diversity of their boards.
- Cybersecurity. Companies have been increasing their focus on cybersecurity disclosure in connection with both cybersecurity incidents and descriptions of board oversight and expertise.
- SEC disclosure update and simplification. In August, the SEC adopted several dozen amendments to existing disclosure requirements “to simplify compliance without significantly altering the total mix of information.”
- Proposed legislation to expand climate-related disclosures. In September, the Senate introduced the Climate Risk Disclosure Act of 2018, which would require public companies to disclose substantial new information about their exposure to climate-related risk. These disclosures would be intended to provide qualitative and quantitative information about financial risks from climate change and climate change mitigation.