SEC Enforcement Division Co-Directors Stephanie Avakian and Steven Peikin, in an October 21, 2019, hour-long SEC Historical Society webinar moderated by Merri Jo Gillette (the deputy general counsel at Edward Jones), answered questions about the Division’s handling of cybersecurity and other enforcement matters.
Fiscal years 2019 and 2020. Gillette separated her questions into those pertaining to the Division’s handling of enforcement issues in the just-now-ending 2019 fiscal year, and those enforcement matters being addressed in the new fiscal year.
Avakian and Peikin emphasized that the Commission’s primary issue in any fiscal year is investor protection but that fiscal year 2019 saw an uptick in cybersecurity and initial coin offering cases, with the particular challenge being how to keep pace with the growing number of technologies used to perpetrate these cyber and virtual currency crimes. The co-directors added that until recently, limited resources prevented them from adding staff to help prosecute these frauds. Moreover, they said that the 35-day government shutdown earlier this year prevented them from even investigating these cases but that they learned during the shutdown how to expedite the handling of cases to more quickly resolve them when the shutdown ended.
When Gillette asked about fiscal year 2020, Peikin said he does not anticipate a big change because the landscape from 2019 was broad enough to extend into the new year. Peikin and Avakian both stated that the Division will always get the typical fraud cases but that 2020 will probably see escalating schemes involving cybersecurity, initial coin offerings and conflicts of interest. And they remarked that other than the challenge from having limited resources to go after these schemes, the additional challenge particularly nowadays is discovering and then educating themselves on these technologically advanced securities crimes, e.g., cybersecurity and virtual currencies, as the crimes so quickly develop electronically to victimize investors.
Cybersecurity. Regarding cybersecurity, Gillette relied on an SEC cybersecurity report to ask whether the Commission expects corporate boards to provide steps to prevent or mitigate a cyberattack. Avakian and Peikin answered that the Commission does not expect companies to have a specific approach in place but would hope that they have something to disclose to investors along with the risks of a data breach. The co-directors then went on to cite the Yahoo case as an example of a company whose lack of any cyber policy allowed wholesale data breaches to occur. They additionally pointed out that Yahoo was one of the only companies whose data breach warranted SEC prosecution.
When asked what factors would prompt an SEC investigation, Avakian and Peikin were quick to point out that because of limited resources, the Enforcement Division must look at a number of factors including the size of the entity and, depending on size, what, if any, cyber policy is in place, what type and how many disclosures the entity has failed to provide investors about potential data breaches, and whether other U.S. or foreign government agencies have gotten involved. If other agencies such as the Environmental Protection Agency have gotten involved because the company is, say, polluting the air, the SEC won’t join the case unless investors were involved and collectively lost a certain large amount of money from investing in the entity. Likewise, if a foreign government were prosecuting an entity domiciled in that country, even if U.S. investors were involved and lost money on U.S. bonds or stocks, the SEC would weigh a number of factors such as how many U.S. investors were involved and how much money they lost before deciding whether to enter the fray.
When Gillette asked about the Division’s prosecution of individuals such as a company’s CEO versus just the company itself, Avakian and Peikin stated that 70 percent of the Division’s cases name individuals while the other 30 percent name the company alone because the evidence does not show one or more individuals as being responsible for the crime. But they emphasized that prosecuting individuals has a deterrent effect, although sometimes it is a long process because the individual has a lot to lose, including reputation, and so spends a lot of money on litigation.
Digital coin offerings. The co-directors made a point of mentioning that they do not prosecute only fraud, but that especially in the emerging initial coin offering arena they will go after the issuers who fail to register an offering. They said that for whatever reason these issuers think that the coins are not securities and so are exempt from registration, and attempt to sell them without claiming an appropriate exemption or absent that, without registering them with the SEC. By simply selling them, they are not providing investors with the appropriate disclosures they need to make an informed decision about whether to invest and, thereby, open the investors up to experiencing significant financial losses if the investment is a bust, which it often is.
Self-reporting and tolling. Gillette spent some time asking about the issue of tolling and self-reporting. The co-directors said that this SEC self-reporting initiative incentivizes the entities and individuals alleged to have committed wrongdoing to sign tolling agreements for the possible receipt of a reduced crime and sentence down the line. They said, however, that signing a tolling agreement is not in theory supposed to equate with a defendant’s “being cooperative” to earn them reduced crime and sentencing status but that in reality a defendant’s signing the agreement can work to mitigate circumstances by, for example, permitting a settlement. Conversely, a defendant’s refusal to sign a tolling agreement often prompts Division staff to expedite the investigation to bring about a quick, harsh resolution for the defendant. And the reason for expedition is to avoid losing, from the tolling of a fraud statute, the disgorgement of the defendant’s ill-gotten gain to pay back the victimized investors.
Usefulness of white papers and Wells process. When Gillette asked about the usefulness of white papers and the Wells process for resolving cases, Peikin and Avakian answered in the affirmative. Peikin further stated that white papers have sometimes actually resulted in decisions and parts of an outcome going in a different direction from what was previously thought.