Monday, November 08, 2021

Former SEC Enforcement chiefs share insights on defending against SEC enforcement actions

By Lene Powell, J.D.

Sharing insights honed by past leadership in the SEC Enforcement Division, prominent members of the SEC defense bar discussed the agency’s assertive enforcement under SEC Chair Gary Gensler and Enforcement Director Gurbir Grewal. The panel at the Practising Law Institute (PLI) 53rd Annual Institute on Securities Regulation gave tips on defending against enforcement actions and updates in the areas of ESG disclosures, SPACs, cybersecurity, accounting and revenue, insider trading, and cryptoassets, among other topics.

The panel “Rebuttal: The Defense Perspective” was hosted by Colleen Mahoney, head of Securities Enforcement at Skadden, Arps, Slate, Meagher & Flom. Panelists included Stephanie Avakian, head of the Securities and Financial Services Department at Wilmer Cutler Pickering Hale and Dorr and former SEC Enforcement co-director; Andrew Ceresney, co-chair of the Litigation Department at Debevoise & Plimpton and former SEC Enforcement co-director; Linda Chatman Thomsen, senior counsel in the Litigation Department at Davis Polk and former SEC Enforcement director; Joan McKown, a partner in the Securities Litigation & SEC Enforcement Practice at Jones Day and former SEC Enforcement chief counsel; and Dani James, co-chair of the White Collar Defense and Investigations practice at Kramer Levin Naftalis & Frankel and former assistant U.S. attorney in the Southern District of New York.

ESG disclosures. The SEC is taking a “whole of agency” approach to ESG, said Avakian. On the policy side, she expects to see the agency issue proposed rules by early next year that will be fairly prescriptive in requiring specific disclosures about human capital, diversity, and other topics. On the enforcement side, the SEC created a Climate and ESG Task Force within the Enforcement Division in March. The SEC has so far not identified any cases that arose as a result of the task force, but Avakian expects there will be cases in the future, and that they could involve investment advisers as well as public companies. At least until new rules on ESG disclosures are adopted, cases in this area are more likely to involve misrepresentations rather than omissions, Avakian believes.

Enforcement staff will likely use a certain process to identify possible violations, said Avakian. The first step would be to scrape filings for terms like “green,” “climate,” “energy,” and “human capital,” to capture disclosures relating to ESG. Next, staff would use data analytics to filter down to items that make a fair amount of disclosure, or an interesting disclosure. Then, staff would use human review to further filter the candidates. Finally, staff would look at whether reality lines up with the disclosures, including by sending out requests to companies. For advisers, Avakian expects that staff would look at exam results and ask what firms mean by, for example, a “green” investment strategy. This would include looking at what specific funds they have and what standards, policies and procedures, and controls they are using.

SPACs. Ceresney likened the current SPAC craze to the ICO surge of several years ago, noting that before this year many people might not have heard of SPACs. He noted that the SEC has taken both a formal enforcement approach and informal actions.

Ceresney identified the main SPAC case the SEC has brought as the Momentus case. The case involved misrepresentations by a space propulsion technology company that overstated the capabilities of the company’s product. The SEC charged the de-SPAC merged company, the SPAC, the sponsor of the SPAC, and the CEO of the SPAC merge company.

The entire case was investigated and brought in just seven months, noted Mahoney. Ceresney agreed that was very fast and said it might have been because the SEC wanted to bring it before the de-SPAC merger closed. What was interesting, said Ceresney, was that even though the public investors could have withdrawn and not participated in the SPAC, knowing it was the subject of an SEC securities fraud action, they nevertheless went ahead and participated. He noted that all the respondents have settled except the CEO.

The other big SPAC case the SEC has brought is against Nikola, an electric vehicle manufacturer. In this case also, said Ceresney, the misrepresentations involved overstating the company’s technological capabilities. For example, the company filmed a truck that appeared to be moving under its own power, but in fact it was simply rolling down an incline.

In terms of informal actions the SEC has taken, the Office of the Chief Accountant and Division of Corporation Finance issued guidance in April regarding accounting for warrants. The guidance provided that in most cases, this required accounting for warrants as a liability rather than equity, which was a complete departure from past practice. As a result, 85 percent of SPACs ended up restating and this cooled the SPAC market, said Ceresney.

Cybersecurity. Turning to cybersecurity, Thomsen pointed to the SEC’s case against Pearson, a London-based data company that had a cyberbreach. Pearson disclosed the risk of cyberbreach as a hypothetical even though it had actually happened, which the SEC always dislikes, said Thomsen. They were also late in notifying the public. Although the stock price drop after disclosure was only 3.3 percent, arguably indicating the public did not view the disclosure as very material, materiality is in the eye of the beholder, said Thomsen. What’s more, you almost never win on the materiality argument, she said.

Another significant cybersecurity matter, still ongoing, is SolarWinds, a software development company. Thomsen explained that in that matter, Russians hacked into the company’s products and installed malicious code that would give hackers a backdoor into customers’ computers. The hack was discovered in December of 2020. In June 2021, the SEC sent letters to public issuers and investment firms that the SEC thought had been affected by the breach. The SEC sought information on when the breach was discovered, the impact of the breach, remedial actions taken, and what disclosures were made. Responses are supposed to be voluntary, and an amnesty was offered to companies that acknowledged they should have made disclosures about the impact of the incident and made corrective disclosures before replying to the SEC. A lot of data has been sent to the SEC and they are sorting through it, said Thomsen.

On the topic of whether the SEC views companies as victims of hack attacks, Avakian thinks the SEC is taking a more aggressive stance than in the past, particularly since Chair Gensler has put cybersecurity on the Regulatory Flexibility Agenda. Thomsen added that the instinct of senior management of companies is to say this is a tech issue and to push it down, but the SEC has consistently sought to push it up. Communication with both technical staff and senior management is key, said Thomsen. Mahoney agreed and added that it is important to keep an eye on the trading window because it is important that people who are in the loop are prohibited from trading.

Accounting and revenue. A current initiative in the area of accounting and revenue involves earnings per share. SEC staff is running quarterly reports through data analytics systems to look for indications that earnings may be improperly managed to mask volatility. For example, according to the Wall Street Journal, the number 4, which should come up one-tenth of the time, sometimes does not come up often enough in earnings that have been tinkered with.

Staff has also found instances of unsupported manual entries to adjustments that were not supported by GAAP. Another pattern is internal forecasts that indicated that the company was going to fall short of analysts’ consensus estimates for the company combined with external statements that analyst expectations were met.

Mahoney observed that there has been more explicit focus on gatekeepers. Specifically, auditors are finding themselves more of a focus in these investigations than they had been in prior years. Mahoney expects there will be more enforcement activity involving the audit firms.

Insider trading. James drew attention to two unusual insider trading cases. In the Andeavor case, the SEC charged the energy company with having inadequate controls around its authorization of a stock buyback plan. At the CEO’s direction, while the company had paused merger discussions with another company, the company approved a 10b5-1 repurchase plan to buy $250 million of shares back. Within a matter of weeks, the merger negotiations resumed and there was an announcement of a deal, with the stock price significantly higher than the price at which the company had repurchased.

This case was troubling, said James. For one thing, it seemed like materiality was determined in hindsight. Merger discussions do not always progress. Another issue, as noted by a commissioner in a dissent, was that this might not be an appropriate use of controls provisions.

The other unusual case was a so-called “shadow insider trading” case, said James. In that matter, an employee at a pharmaceutical company called Medivation traded on inside information that the company would be acquired by Pfizer. The twist was that he didn’t trade in Medivation or Pfizer stock, but rather Incyte Corporation, another mid-cap oncology-focused biopharmaceutical company. The SEC alleged that the employee knew that investment bankers had cited Incyte as a comparable company in discussions with Medivation. Accordingly, he bet, correctly, that the acquisition of Medivation would likely lead to an increase in Incyte's stock price. James noted that the case is still being litigated, so it remains to be seen how it will turn out.

Crypto. On the topic of cryptoassets, Ceresney observed that Chair Gensler’s position appears to be that almost every crypto token is a security. Further, Gensler appears to be focusing on going after crypto trading platforms rather than individual tokens. However, one major token case that the SEC is pursuing is against Ripple, which issued the XRP token. Ceresney himself is representing Ripple in this case. They are vigorously asserting that XRP is not an investment contract, that it's not subject to Howey, that there were no promises made to the holders of XRP, and that there is no common enterprise. Ceresney pointed out that a lot of the XRP was sold in the secondary market.

On the issue of whether the SEC will advise if a token is a security or not, if an issuer comes to the SEC to discuss the matter, Ceresney said they will not. He pointed to the example of Coinbase. In that matter, Coinbase was going to introduce a product called Lend, and they were going to lend against stablecoins. Coinbase went to the SEC, and they talked to the SEC about that product. The SEC then gave them a Wells notice in response, even though they had not yet introduced the product. Ceresney questioned whether that type of response could disincentivize people to come in and speak to the SEC.