By Lene Powell, J.D.
SEC Enforcement Director Gurbir Grewal touched on themes of continuity and collaboration in a panel at a securities conference. According to Grewal, the SEC has not broken new ground in cases involving novel fact patterns like “shadow insider trading.” Likewise, two recent cybersecurity cases, involving misleading statements and failure to maintain adequate disclosure controls, are just the kind of cases the SEC has always brought. In its enforcement program, the SEC looks to use the traditional tools it has in addition to newer capabilities like data analytics.
Moreover, the SEC seeks to partner with regulated entities as well as gatekeepers like accountants, auditors, and attorneys with the goal of shared proactive compliance, said Grewal. The SEC cannot fulfill its mission alone, and all share the responsibility of working to stay in compliance and restore trust in financial institutions and markets. In that vein, the SEC is not looking to kick people when they are down or crack down on those who are making good-faith efforts.
The panel, “Updates from SEC Senior Staff: Division of Enforcement”, was held January 26 at the 49th Annual Securities Regulation Institute hosted by the Northwestern University Pritzker School of Law. The panel was moderated by Dixie Johnson, Institute vice chair and partner at King & Spalding, and also included Division of Enforcement Deputy Director Sanjay Wadhwa.
Restoring trust in public institutions. There is now a large segment of the population that does not trust our financial institutions, participants, or the markets more broadly, said Grewal. Many surveys have shown this. The loss of trust has many causes, including repeated lapses by market participants and gatekeepers and a perception that wrongdoers are not held accountable by regulators. Some may believe that there is one set of rules for the big and powerful and another for everyone else. This lack of trust affects the fair and efficient operation of the markets, and it affects the ability to raise capital, said Grewal.
The Enforcement Division is working to restore that trust through robust enforcement, a focus on robust remedies where appropriate, and encouraging robust and proactive compliance, said Grewal, adding that the last point is a shared responsibility. Especially with shared challenges like the pandemic and cybersecurity risks, it is critical that companies put in place strong controls and compliance policies and respond appropriately when red flags are raised.
Grewal said he “firmly believes” that if we all do these things, and we do them well and with a sense of urgency, then we can not only rebuild but enhance trust in institutions. This philosophy animates all of the Enforcement Division’s work, he said.
Accounting enforcement. In an audience poll, financial reporting and internal controls were the topics of highest interest. Johnson said an enforcement goal is to have a continuous program, and she has not noticed any lack of interest in the financial reporting area, so she was surprised when the SEC’s annual report showed a decline in financial reporting cases in fiscal years 2020 and 2021. Did this signify a trend?
There has not been a decline in enforcement activity in financial reporting cases, said Grewal. He noted that the numbers refer to resolved matters where the SEC had filed a litigated action, and the numbers do not capture the pipeline of investigations. Grewal said this area is a priority for the chair, and he believes the numbers will reflect activity that happened in the past six months that he has been head of enforcement.
On revenue recognition cases specifically, Grewal said it is not appropriate to draw a distinction between cases where revenue is fake and cases where revenue is real but reflected in the wrong period, for example pulled forward prematurely. At heart this is a disclosure regime, and investors need to have a true picture of what is going on at a firm. If the numbers are not reliable, then there is a potential danger. The SEC has brought cases involving revenue timing for years, and there has not been a change, said Grewal.
Johnson asked how the SEC is finding cases using data analytics in areas that are heavily judgment-laden, and what message Grewal wants public company officials to hear. Grewal said the SEC is not about second-guessing good-faith efforts where folks are trying to reach a right result. If companies and management have robust and transparent processes, have the right procedures in place, and incorporate and evaluate all relevant information, it is hard to imagine that would result in an enforcement action. But in the data-driven cases the SEC has brought, those things are not happening. In the worst examples, management is making unilateral adjustments just to meet numbers.
Johnson said she trusts that is right, but pointed out that investigations can delay financial reporting, and sometimes the SEC has cracked down on companies for missing deadlines even though the delay was due to investigation by the SEC. That feels like kicking companies when they’re down, she said. Grewal said that is not the intent. In the cases referenced, which predated his tenure and involved a data-driven sweep focusing on Form N-T filings, it was apparent that the filers knew that the delay was due to restatement or due to a correction of prior financial reporting. When you file Form N-T and ask for additional time, the rules require you to be transparent and upfront about it, and that is what was lacking in those cases, said Grewal. Johnson said what she takes from those cases is that the reason for the late filing needs to be analyzed, at a minimum. Grewal agreed.
Johnson next asked about financial reporting cases that involved numbers that were not really non-GAAP. Grewal responded that this ties back to the concern that issuers and management be responsible in what they say publicly, whether that is through audited disclosure, required disclosure, or on social media. Broadly, the SEC brings actions involving misleading statements, whether it is by the CEO as in the Nikola case or by the company, as in Diageo where the company was misleading about internal sales targets.
The core issue is that you cannot mislead the investing public, said Grewal—whether the statement is audited or a tweet on social media. He thinks sometimes this can get overcomplicated.
ESG. Wadhwa concurred that the bottom line is that disclosures cannot be materially false or misleading, and the SEC takes this position in both financial reporting and ESG disclosures. On ESG, Grewal said the SEC is not waiting for new rules. The SEC has brought cases touching on ESG well before the last year or two. The SEC uses traditional tools to ensure that statements are not materially misleading, that they are accurate, and that fiduciary duty principles are complied with, depending on who is making the statement.
Johnson asked how the SEC is approaching statements about ESG that may be made via less formal communications like brochures and company websites. Wadhwa said the SEC looks at the whole picture and is not looking to take obscure statements out of context. Rather, the focus is on what was behind putting the information out there.
Cybersecurity. On the topic of cybersecurity lapses, Wadhwa said these are complex cases, and the world will never know about investigations that did not result in an enforcement action. Issuers are often victims in dealing with cyberattacks. Nevertheless, issuers must balance considerations and ensure that they make accurate and adequate disclosures to investors in a timely fashion. So long as issuers have in place appropriate controls and procedures around those controls, the SEC will take a measured approach, said Wadhwa.
Wadhwa pointed to the First American case as an example of failure to have adequate disclosure controls and procedures. In that case, the company first issued a press statement, then a few days later furnished a Form 8-K in response to cybersecurity reporters finding a vulnerability that had exposed sensitive customer personal data, such as social security numbers and financial information. Senior executives were not informed that the company’s information security personnel had in fact identified that same vulnerability months before, but failed to remediate it. The takeaway is that key information needs to be reported up the corporate ladder to those who are responsible for making disclosure decisions, said Wadhwa.
Grewal echoed the point about companies as victims.
“Just because you've been victimized, and we're going to be understanding, that doesn't give you license as an issuer to be misleading and say, incrementally disclose information and to minimize it,” said Grewal.
Insider trading. A recent insider trading case that has caused excitement is Panuwat, in which the defendant used inside information about the company he worked for to trade options in a competitor company. Grewal said cases like this do not signal a shift in the SEC’s analysis of materiality or of insider trading more broadly. The defendant had access to material nonpublic information and owed a duty to his employer, and he breached that duty in trading on the inside information. The case has now survived a motion to dismiss and the SEC is confident in its theory, said Grewal.
“The court recognized it's a novel fact pattern but not a novel application of the law,” said Grewal. “And I think that's what the takeaway there should be. As long as there are information asymmetries that people are going to try to profit off of, we've seen no limit to the ways in which people tried to benefit from those types of asymmetries or capitalize on MNPI. And this is really just holding folks accountable for what is not too far astride of the typical insider trading case.”
Books and records. Johnson asked about the recent enforcement action in which JPMorgan admitted to widespread books and records failures and paid a penalty of $125 million. Wadhwa responded that the message in the JPMorgan case is that recordkeeping requirements of the securities laws are sacrosanct and go to the very heart of the SEC’s mission of protecting investors. When there is a wholesale failure to abide by these requirements, the SEC will treat those failures with the seriousness and the severity that failure deserves, said Wadhwa. In particular, JPMorgan’s recordkeeping failures impacted SEC investigations. That fact tied into the decision to obtain an admission, he said.
On the question of the use of personal devices, firms need to adapt their internal controls and corporate compliance programs to evolving technologies, said Wadhwa. Grewal added that firms need to have bespoke policies that really address the risks that a firm faces in its particular space. In addition, it is not enough to have those policies and controls and procedures in place—there also needs to be implementation. For example, JPMorgan had policies and procedures in place, but they weren't being implemented, said Grewal.
Gatekeepers. Finally, Johnson touched briefly on the topic of gatekeepers, noting that there have been a lot of statements about them. Grewal said they are not looking to second-guess folks who are making the best possible decision that they can make under a given circumstance and trying to advise their clients, nor to move the goalposts in the middle of a game. The SEC appreciates and fully understands the value and hard work of gatekeepers including accounting firms, auditors, and lawyers. They are partners in the compliance effort. The SEC has not brought individual enforcement actions based on just second-guessing someone's decision. It is really an abdication of their duties and crossing the line that gets people on the SEC’s radar, said Grewal.