At a recent panel discussion hosted by the Practising Law Institute, government enforcement officials discussed their agencies’ priorities, including cyber issues, cooperation strategies, and recent court setbacks.
Cyber issues. Marc P. Berger, director of the SEC’s New York Regional Office, said that the Enforcement Division’s activity relating to cyber concerns generally falls into three buckets. The first bucket involves enforcement actions relating to cryptocurrency and digital assets. This area has been very active because the ICO market has been so active, Berger advised. Even within the ICO space, cases fall into two categories. One category is fraud that looks like traditional offering fraud, just with a word like “crypto,” “digital,” or “bit” in the name. The other category involves the failure to register digital tokens as securities, or the sale of tokens by unregistered broker-dealers, Berger explained.
The second bucket consists of enforcement actions in which hackers gain access to systems to obtain material nonpublic information. As an example, Berger pointed to charges brought by the SEC and the DOJ against individuals in Ukraine who hacked into newswire services to gain information about corporate earnings releases and then traded on that information, reaping $100 million in illegal profits.
The third cyber bucket involves cybersecurity controls, Berger said. Enforcement actions in this bucket include charges relating to policies and procedures that are necessary to protect customer records and information (Regulation S-P) and for identity theft (Regulation S-ID). Last September, the SEC for the first time brought charges for violations of Regulation S-ID, also known as the Identity Theft Red Flags Rule, Berger explained. Voya Financial Advisors agreed to pay $1 million to settle the SEC’s charges relating to weaknesses in its cybersecurity policies that resulted in the failure to detect and protect against a cyber intrusion that allowed access to the personal information of thousands of customers. Also included in this third bucket are matters relating to inadequate disclosure, such as the SEC’s $35 million enforcement action against Yahoo for failure to disclose a massive data breach.
Regarding the self-reporting of cyberattacks, Berger said that, in general, the SEC will want to know how the information was accessed, whether there were sufficient walls in place, when the company knew about the intrusion, what the company did in response to the intrusion, and when the company came forward. Berger emphasized that the SEC does not want to second-guess reasonable judgment calls. He added that the mere fact of a hack does not necessarily mean that the company’s policies and procedures were not robust or rigorous.
Cooperation and remedies. When asked how the Commission determines whether to give credit for cooperating with the staff, Berger said the SEC still looks at the Seaboard factors first articulated in 2001. More recently, however, the Commission has been trying to better communicate what factors were considered in awarding cooperation credit, he said. Some of the SEC’s more recent orders have more detailed language on how cooperation credit was determined, including prompt self-reporting, document production, and fast remedial efforts, he advised. While the standards are still the same, the SEC is trying to be transparent about what actions will be useful to the staff.
Berger also stressed that the SEC will tailor remedies to meet the Commission’s goals, citing specifically the Elon Musk/Tesla and Elizabeth Holmes/Theranos cases. In the Tesla case, one of the targeted remedies involved controls over Musk’s use of social media to communicate company matters (although Berger noted that the SEC recently found itself back in court on this matter). In the Theranos case, founder and CEO Holmes’s settlement with the SEC involved not only a penalty, but also being stripped of control of the company. Creative targeted remedies, such as specific undertakings, conduct-based injunctions, and the use of cooperation credit to enhance or reduce penalty amounts, are tailored to the harm the SEC is trying to address, Berger explained. He added that the SEC’s actions can have a more deterrent impact when they are brought closer in time to the alleged misconduct.
FCPA. Christopher Cestaro of the DOJ’s FCPA Unit also weighed in on receiving cooperation credit. The DOJ’s pilot program on cooperation in FCPA cases, launched in 2016, is now a formal corporate enforcement policy, he advised. The policy outlines how the DOJ intends to resolve FCPA matters with companies and gives significant credit to companies who voluntarily and promptly self-disclose misconduct, offer full cooperation, and engage in remediation of FCPA matters. A company can also receive a declination as long as it agrees to disgorge illicit proceeds. The DOJ is very transparent about what it expects regarding cooperation, he stated.
CFTC issues. Neel Chopra, special counsel to the CFTC’s Director of Enforcement, was asked about the government’s recent setbacks in court, such as the Flotron spoofing case and the DRW manipulation case. Regarding the Flotron case, Chopra pointed out that while the former precious metals trader was acquitted on criminal charges, the CFTC did obtain a $100,000 penalty against him. Chopra also noted that the charge of which Flotron was acquitted was conspiracy, so the courts did not disagree with the spoofing theory specifically. Chopra added that the CFTC has reached settlements and the DOJ has obtained guilty pleas in spoofing cases.
In the DRW case, the Southern District of New York ruled against the CFTC in a bench trial involving charges of commodities manipulation, a ruling the CFTC decided not to appeal. Chopra said that he does not think that the DRW case set a new standard for CFTC manipulation cases. He noted that the judge had dismissed some of the CFTC’s evidence, such as expert testimony that the traders had intended to create an artificial price. He also believes that the opinion was particularly fact-bound and the case itself was factually anomalous due to a highly illiquid market where settlement was based on unconsummated bids, which is different from the CFTC’s traditional cases on market power. In addition, he observed that because the conduct in the DRW case ended prior to Dodd-Frank, it was not charged using the CFTC’s 180.1(c) authority, and under that regime, the case could potentially look different.