In order to provide an overview for busy in-house counsel and compliance professionals, we summarize below some of the most important SEC enforcement developments from the past month, which was an active one as the SEC Division of Enforcement closed out its fiscal year. This month we examine:
- A rare Regulation FD action that could be headed to a jury trial;
- Charges against a broker-dealer and investment adviser for failing to guard 15 million customers’ personal identifiable information, or “PII”;
- An insider trading action involving an allegedly improper Rule 10b5-1 plan;
- A significant negligence settlement against a major aerospace company and its former CEO for failing to disclose safety issues in public statements regarding airplane crashes; and
- A settlement with 16 registrants assessing penalties totaling more than $1 billion for employees’ use of off-channel, and therefore unpreserved, communications to conduct firm business.
1. Reg FD Litigation Appears to Be Headed to Trial After SDNY Judge Dismisses Cross-motions for Summary Judgment
On September 8, 2022, Judge Engelmayer of SDNY denied cross-motions for summary judgment in SEC v. AT&T, Inc. et al. and set a Reg FD litigation on a course to trial for the first time. As discussed in detail in MoFo’s recent client alert, in March 2021, the SEC filed a complaint against AT&T and three investor relations (IR) executives alleging violations of Reg FD, which prohibits a public company from providing selective disclosures of MNPI to particular persons outside the company, without also disclosing such information to the public. The SEC alleged that, in March and April of 2016, AT&T and members of its IR department violated Reg FD by disclosing AT&T’s “projected and actual financial results” to “stock analysts from approximately 20 Wall Street firms on a one-on-one basis” in an effort to lower consensus revenue estimates for Q1 2016 so that AT&T would not fall short. According to the complaint, AT&T’s conduct came on the heels of missed consensus revenue estimates in two of the previous three quarters. As alleged, AT&T’s selective disclosures of MNPI prompted these analysts to significantly reduce their revenue estimates for Q1 2016, and AT&T ended up exceeding these projections by 0.1%.
In a 129-page decision, Judge Engelmayer carefully details the specific disclosures made by AT&T to analysts. He found that the SEC put forth sufficient evidence to support its claims, going so far as to note that the “evidence is . . . formidable that the information that the individual defendants selectively disclosed about AT&T in their calls to analysts was both material and nonpublic.” On the other hand, Judge Engelmayer found that a reasonable jury could find that AT&T lacked the requisite intent for violating Reg FD’s bar against selective disclosures of MNPI. In particular, he held that a “jury could credit defendants’ uniform testimony that . . . they had not appreciated that the information they were disclosing was material and nonpublic.” The court therefore held that neither side should prevail on summary judgment, paving the way for a jury to decide this potentially groundbreaking case.
#RegFDCaseHeadedForTrial? #Can’tSelectivelyDiscloseToAnalysts
2. The SEC Obtained a $35 Million Civil Penalty for a Failure to Safeguard Customers’ Personally Identifying Information (PII)
Not to be outdone by last summer’s slew of cybersecurity enforcement activity, on September 20, 2022, the SEC brought a settled enforcement action against Morgan Stanley Smith Barney LLC (MSSB) for violating the Safeguards Rule, Rule 30(a) of Regulation S-P. The Safeguards Rule requires broker-dealers and investment advisers to adopt written policies and procedures that include safeguards reasonably designed for the protection of customer records and PII. The SEC alleged that, beginning in 2015, MSSB hired a moving company to assist in various decommissioning projects, including a 2016 project related to two data centers. MSSB tasked the company with removing thousands of electronic devices from the data centers and destroying all data contained on the devices. The SEC alleged that the moving company had no experience in data destruction and that MSSB failed to properly monitor its work. The moving company sold thousands of devices to a third party, without wiping the customers’ PII, and the devices were eventually resold on an internet auction site.
In 2017, MSSB received notice from a third party that he had purchased hard drives from the online auction site and that he had access to MSSB customer data. MSSB launched an investigation into the disposition of the devices and provided notice to 15 million impacted customers in 2020. Moreover, a record reconciliation exercise revealed that 42 servers, potentially containing unencrypted PII, were also missing.
Without admitting or denying the charges, MSSB agreed to a cease-and-desist order and a censure, and agreed to pay a civil penalty of $35 million. This matter serves as a good reminder that although the SEC generally will not second-guess companies’ good faith and prompt responses to cybersecurity-related incidents and mishaps, it takes prolonged exposure of customer PII very seriously. #WipeItClean #RemovePIIWhenDisposingDevices
3. The SEC Rejects a Rule 10b5-1 Plan Adopted While in Possession of MNPI
On September 21, 2022, the SEC brought a settled enforcement action against the CEO and former president of Chinese app developer Cheetah Mobile, Inc. in a rare SEC action stemming from the improper use of a Rule 10b5-1 trading plan. As discussed in further detail in a recent MoFo client alert, the SEC alleged the Rule 10b5-1 plans at issue were implemented with knowledge of MNPI regarding the reasons for certain revenue trends. As alleged, in 2015, Cheetah earned a significant portion of its revenues by selling advertising placements in its applications to its single largest advertising partner. Cheetah allegedly was informed by this advertising partner in 2015 that it would be implementing a new algorithm, which had the potential to halve the revenues received by Cheetah from this partner. By the end of 2015, Cheetah’s revenues from its advertising partner began to decline and monthly revenues from the partner persisted at this lower level for the rest of Q1 2016. During a conference call in March 2016 to discuss the Company’s Q4 and year-end financial results for 2015, Cheetah Mobile’s CEO attributed the decline in revenue to “greater-than-expected seasonality,” while failing to mention the advertising partner’s algorithm change had created a negative trend in revenues.
The SEC alleged that, in late March 2016, with knowledge of MNPI (i.e., the negative trend in revenues), the CEO and former president established a Rule 10b5-1 trading plan to sell a portion of their Cheetah securities. The SEC further alleged that, because they sold their Cheetah stock before the company disclosed in May 2016 the lower-than-expected Q2 guidance due to a decline in advertising revenue from third-party advertisers, they avoided losses of approximately $203,290 and $100,127, respectively.
Without admitting or denying the charges, the CEO and the former president settled to insider trading and other charges under the federal securities laws and agreed to pay civil penalties of $556,580 and $200,254, respectively. They also agreed to an unusually long list of undertakings, which included, among others, disclosing to the SEC all of their U.S.-based securities accounts, notifying the SEC within 48 hours of any transactions in Cheetah stock, and, for the CEO, notifying the SEC within 48 hours of the creation or modification of any Rule 10b5-1 plan involving Cheetah securities. #Rule10b-5PlansUnderScrutiny #InsiderTrading
4. The SEC Obtains Civil Penalties Against Boeing and Its Former CEO in Connection with the 737 Max Crashes
On September 22, 2022, the SEC announced settled negligence charges again the Boeing Company (Boeing) and its former CEO for making materially misleading public statements after 737 MAX airplane crashes in Indonesia and Ethiopia in October 2018 and March 2019, respectively. The SEC alleged that Boeing failed to disclose known safety issues with the Maneuvering Characteristics Augmentation System (MCAS),” which was “designed to help avert stalls by pushing the nose of the airplane downward without input from the crew whenever a sensor . . . indicated the aircraft was approaching an angle at which a stall may occur.” Accident investigations revealed that the cause of both crashes was “erroneous activation” of the MCAS.
The SEC alleged that Boeing knew that MCAS posed an “ongoing safety issue that required remediation” and had begun to work on a redesign in November 2018. Despite this knowledge, the SEC alleged that on November 27, 2018, Boeing issued a press release stating that the 737 MAX “is as safe as any airplane that has ever flown the skies.” This press release did not mention the MCAS issue. The SEC alleged that Boeing then made a series of misleading public statements in April 2019 after the crash in Ethiopia. According to the SEC, Boeing’s former CEO stated that the certification process for the 737 MAX was properly performed, without disclosing that (1) Boeing uncovered documents in January 2019 indicating that the company had not disclosed key facts about MCAS to the Federal Aviation Administration (FAA) that Boeing discovered in responding to a DOJ criminal subpoena, and (2) an internal compliance review revealed gaps in the certification process. Without admitting or denying the facts alleged, Boeing and its former CEO agreed to settle to negligence charges under Sections 17(a)(2) and (3) of the Securities Act of 1933. The SEC imposed a cease-and-desist order and a $200 million civil penalty against Boeing and a $1 million civil penalty against the former CEO.
The SEC’s decision to agree to settle this matter—focused in part on Boeing’s failure to disclose key facts about MCAS to the FAA—as a negligence case, rather than intentional fraud, is noteworthy in light of the criminal cases Boeing and one of its pilots faced relating to the same 737 MAX MCAS. Indeed, eighteen months before the SEC settlement, in January 2021, Boeing settled a criminal charge with DOJ related to a conspiracy to defraud the FAA in connection with the 737 MAX MCAS and agreed to pay over $2.5 billion in criminal penalties and compensation to victims. But six months before the SEC settlement, a jury had already acquitted a former Boeing pilot accused of wire fraud relating to the same reports to the FAA, perhaps informing the SEC’s position in resolving its case on negligence grounds. #MajorNegligenceSettlement #IncompleteDisclosures
5. SEC Charges 16 Wall Street Firms with Recordkeeping Violations and Levies Combined Penalties That Exceed $1.1 Billion
On September 27, 2022, the SEC obtained settlements that included admissions from 15 broker-dealers and one affiliated investment adviser for failures to maintain and preserve electronic communications, namely their employees’ “pervasive off-channel communications,” including texts, WhatsApp, and other messages sent and received on personal (i.e., not firm-issued) devices. The SEC alleged that each charged broker-dealer (1) willfully violated Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-4(b)(4) thereunder, which require broker-dealers to preserve for at least three years originals of all business communications, and (2) failed reasonably to supervise their employees with a view toward preventing or detecting these violations. The SEC alleged that the charged investment adviser (1) willfully violated Section 204 of the Investment Advisers Act of 1940 and Rule 204-2(a)(7) thereunder, which require investment advisers to preserve in an easily accessible place all written communications, and (2) failed reasonably to supervise their employees with a view toward preventing or detecting these violations. All of the firms charged cooperated with the SEC’s investigation by gathering communications from the personal devices of a sample of their employees, who ranged from senior to junior investment bankers and debt and equity traders.
As described by the SEC’s Deputy Director of Enforcement Sanjay Wadhwa, “These actions deliver a straightforward message to registrants: You are expected to abide by the Commission’s recordkeeping rules[.]” Under the settlements, the SEC ordered each registrant to cease and desist from future recordkeeping provision violations and issued a censure. Each registrant agreed to retain a compliance consultant to conduct a comprehensive review of its electronic communications policies and procedures and its disciplinary frameworks for dealing with employees who use off-channel communications to conduct business. The registrants agreed to pay combined civil penalties of more than $1.1 billion. Registrants of all kinds with recordkeeping obligations should expect record keeping compliance to be a continued focus of the SEC’s Divisions of Examinations and Enforcement.
#BillionDollarSettlementForRecordkeepingViolations
#KeepBusinessCommsOnOfficialChannels
#PersonalDevicesSubjectToReview
#FailureToSuperviseEmployees
Nicolas Apter-Vidler contributed to the writing of this client alert.
[View source.]
