This Week In Securities Litigation (Week ending August 18, 2017)

The SEC filed an insider trading case this week based on three separate trading chains that netted $5 million in trading profits, all back to a New York City bank official. The Manhattan U.S. Attorney’s Office filed a parallel case in which the tipper and the father of his girlfriend have pleaded guilty. A 54 count indictment was filed against the others.

KMPM and one of the firm’s engagement partners were named as Respondents in an administrative proceeding. The action centered on the failure of the firm to properly audit the main asset of Miller Energy, the defendant in a settled enforcement action based on the improper valuation of the asset which was the subject of the audit. The firm agreed to adopt an extensive series of undertakings and pay a $1 million penalty as part of the resolution of the case.

The Commission also filed two offering fraud actions last week, two proceedings against investment advisers, one of which was based on the improper allocation of certain expenses while the other was involved overcharging fees and expenses. Two proceedings named as Respondents COOs of advisers for failing to maintain the proper records. Finally, an “all in the family” insider trading case was brought, centered on an insider wife and trading by her husband, his father and brother and a family friend.

SEC Enforcement – Filed and Settled Actions

Statistics: Last week the SEC filed 4 civil injunctive case and 5 administrative proceeding, excluding 12j and tag-along proceedings.

Insider trading; SEC v. Rivas, Civil Action No. 1:17-cv-06192 (S.D.N.Y. Filed August 16, 2017) names as defendants Daniel Rivas, formerly an employee in the capital markets technology group of a bank in New York City, James Moodhe, the father of Mr. Rivas’ girlfriend and Roberto Rodriguez, Rodolfo Sablon and Jhonathan Zoquier, all friends of Mr. Rivas, and Michael Siva and Jeffrey Rogier, respectively a friend of Mr. Moodhe and a friend of Mr. Zoquier. Over a period from October 2014 through April 2017 the complaint alleges an insider trading scheme involving tips on 30 corporate deals that resulted in over $5 million in illegal trading profits. Generally, the scheme involved three tipping chains. In the first chain tips went from Mr. Rivas to James Moodhe who had about $2 million in trading profits; he in turn tipped Michael Siva who had about $880,000 in profits; he tipped a client who had about $300,000 in profits; the second involved tips from Mr. Rivas to Roberto Rodriguez and Rodolfo Sablon who together made about $2 million in trading profits; Mr. Rodriguez tipped a friend; the third involved tips from Mr. Rivas to Jhonatan Zoquier who had about $30,000 in trading profits; he in turn tipped his friend Jeffrey Rogiers who had about $50,000 in trading profits and tipped two others. The complaint alleges violations of Exchange Act Sections 10(b) and 14(e). The case is pending. The Manhattan U.S. Attorney’s office filed a parallel criminal action. There a 54 count indictment was brought against Messrs. Siva, Rodriguez, Sablon, Zoquier and Rogiers. It charges conspiracy, wire fraud and multiple counts of securities fraud and fraud in connection with a tender offer. Previously, Messrs. Rivas and Moodhe pleaded guilty to charges of conspiracy, securities fraud, fraud in connection with a tender offer, wire fraud and making false statements to law enforcement officials. See Lit. Rel. No. 23911 (Aug. 16, 2017).

Offering fraud: SEC v. Vergeous LLC, Civil Action No. 1:17-cv-23116 (S.D. Fla. Filed August 16, 2017) is an action which names as defendants Vergeous LLC, Dream Team Partners LLC and Paul Renfroe. Both entity defendants were founded by Mr. Renfroe who is a securities law recidivist barred by FINRA. The complaint alleges that over a three year period beginning in June 2013 defendants raised about $1.2 million from 33 investors. Investors were told that the money would be used to fund video game projects undertaken initially by Vergeous and later by a joint venture between the two entities. Misrepresentations were made to investors during the offerings regarding Mr. Renfroe’s disciplinary history, the use of the investor funds and Dream Team’s 100% ownership of the intellectual property rights for all of the joint video game projects. The complaint alleges violations of Securities Act Sections 5(a) and 5(c), each subsection of Section 17(a) and Exchange Act Section 10(b). The case is pending. See Lit. Rel. No. 23909 (Aug. 16, 2017).

Expense allocation: In the Matter of Capital Dynamics, Inc., Adm. Proc. File No. 3-18113 (August 16, 2017) names the registered investment adviser as a Respondent. The adviser acted as the manager of two funds. From March 2011 to July 2015 the adviser improperly allocated $1,273,148 in expenses to one of the funds, contrary to its organizational documents. The Order alleges violations of Advisers Act Sections 206(2) and 206(4). To resolve the proceedings Respondent consented to the entry of a cease and desist order based on the Sections cited in the Order. In addition, the adviser will pay a penalty of $275,000. Previously, the adviser reimbursed the fund. The Commission considered the cooperation and remedial acts of the adviser in resolving this action.

Financial fraud: SEC v. DiMaria, Civil Action No. 15-cv-07035 (S.D.N.Y.) is a previously filed action which names as defendants Edward DiMaria and Matthew Gamsey, two former executives of Bankrate Inc. The complaint alleged that defendants manipulated the financial results of the company to meet analyst expectations. It also claimed that Mr. DiMaria sold shares in the firm while they were at an artificial price. The Court entered final judgments by consent. Mr. DiMaria was enjoined from future violations of Securities Act Section 17(a) and Exchange Act Sections 10(b), 13(a), 13(b)(2) and 13(b)(5). He will also pay a penalty of $231,158.56 and is barred from serving as an officer or director of a public company for five years. Mr. Gramsey was enjoined from future violations of Securities Act Section 17(a)(3) and Exchange Act Sections 13(a) and 13(b)(2). He will pay a penalty of $60,000. Each defendant agreed to the entry of an order suspending him from appearing or practicing before the Commission as an accountant. Mr. DiMaria may apply for reinstatement after five years while Mr. Gramsey can apply after three years.

Audit violations: In the Matter of KPMG LLP, Adm. Proc. File No. 3-18110 (Aug. 15, 2017) is an action which names as Respondents the audit firm and John Riordan, CPA, who served as the engagement partner on the review and audit of the financial statements of Miller Energy Resources, Inc. During fiscal 2010 Miller Energy acquired certain oil and gas interests in Alaska for about $4.5 million. The assets were booked at a value of $480 million. That valuation was improper and the subject of a now settled SEC enforcement action. In auditing the financial statements of Miller Energy Respondents failed to properly assess the risk associated with the engagement or properly staff the engagement. They also overlooked certain evidence regarding the valuation of the assets and failed to exercise the requisite degree of professional care and skepticism. When the firm’s national office became aware of the issue it failed to take the proper steps. The Order alleges violations of Exchange Act Section 13(a). To resolve the proceeding each Respondent agreed to a series of undertakings. The firm also consented to the entry of a cease and desist order based on the Section cited in the Order and to a censure. The firm will pay disgorgement of $4,675,680, prejudgment interest and a penalty of $1 million. Mr. Riordan is denied the privilege of appearing or practicing before the Commission as an accountant with the right to apply for reinstatement after two years. He will pay a penalty of $25,000.

Filings/books, records: In the Matter of Diane W. Lamm, Adm. Proc. File No. 3-18112 and 3-16463 (Aug. 15, 2017). Respondent Lamm served as the COO for Aegis Capital, Circle One and Capital L Group, LLC, all of whom were formerly registered with the Commission as investment advisers. The three entities failed to file timely and accurate reports with the Commission while registered. Each had outsourced its compliance obligations to Strategic Counseling Advisors, LLC. Between 2010 and 2011 Aegis Capital and Circle One failed to keep the required books and records. In August 2011 the staff requested that the three entities produce certain books and records. The firms were not able to comply. Respondent Lamm, as COO was responsible for keeping the books and records. Previously, Ms. Lamm pleaded guilty to two counts of securities fraud. The Order alleges violations of Advisers Act Sections 204 and 207. To resolve the proceeding Respondent consented to the entry of a cease and desist order based on the Sections cited in the Order. She is also subject to an association bar regarding the securities business. See also In the Matter of David L. Osunkwo, Adm. Proc. File No. 3-16463 (Aug. 15, 2017)(Respondent Osunkwo was designated at the CCO of Aegis and Circle One through a consulting firm; the underlying conduct is essentially the same as above; resolved with a cease and desist order based on Advisers Act Sections 204 and 207, an a suspension from the securities business and the right to engage in penny stock offerings for twelve months and payment of a $30,000 penalty).

Fee disclosure: In the Matter of Coachman Energy Partners LLC, Adm. Proc. File No. 3-18109 (Aug. 14, 2017) names as Respondents the registered investment adviser and Randall Kenworthy, its sole owner and CEO. From 2011 through 2014 the firm served as an adviser to four private oil and gas funds. It failed to properly disclose the manner in which it calculated fees, overcharging the entities by about $1.1 million on management fees and $449,000 for expenses. Respondents also failed to properly advise one of the funds regarding a transaction with an affiliated entity about the conflict. The Order alleges violations of Advisers Act Sections 206(2) and 207. To resolve the matter each Respondent consented to the entry of a cease and desist order based on the Sections cited in the Order and to a censure. The firm will pay disgorgement of $2,088,087 along with prejudgment interest subject to certain offsets and credits and a penalty of $50,000. Mr. Kenworthy will also pay a penalty of $50,000.

Offering fraud: SEC v. Tennstar Energy, Inc., Civil Action No. 4:17-cv-00151 (S.D. Ga. Filed Aug. 11, 2017) is an action which names as defendants the firm and David Greenlee, David Stewart and Richard Underwood. Over a three year period beginning in January 2016 Messrs. Greenlee and Stewart, with assistance from Defendant Underwood, sold more than 150 investors at least $15 million in interests in various limited partnerships and joint ventures through Tennstar and another entity. Investors were told that their funds would be used to acquire working interests in certain wells and to employ certain enhanced oil recovery techniques. They were also told that the entities involved would be managed by an experienced person. The claims were false. Much of the money was diverted to fees and other expenses and Tennstar was not managed by an experienced person. The complaint alleges violations of each subsection of Securities Act Section 17(a) and Exchange Act Section 10(b). The action is pending. The U.S. Attorney’s Office for the Southern District of Georgia filed a parallel criminal action.

Insider trading: SEC v. Hovannisian, Civil Action No. 1:17-at-00617 (E.D. Ca. Filed Aug. 10, 2017) is an action which names as defendants Damon Hovannisian, Vernon Hovannisian, Vincent Hovannisian and Eddie Arakelian. Damon Hovannisian’s wife was employed at International Rectifier Corp. She learned that the firm would be acquired by Infineon Technologies AG. Prior to the deal announcement Damon learned about the deal from his wife. He traded through the account of a friend and told his father Vernon, brother Vincent and family friend Eddie Arakelian. Each traded and sold after the deal announcement. The complaint alleges violations of Exchange Act Section 10(b). To resolve the case each defendant consented to the entry of a permanent injunction prohibiting future violations of the Section cited in the complaint. In addition, Damon will pay disgorgement of $3,194.49, prejudgment interest and a penalty of $155,756.04; Vernon will pay disgorgement of $111,756.23, prejudgment interest and a penalty equal to the amount of the disgorgement; Vincent will pay disgorgement of $5,635.12, prejudgment interest and a penalty equal to the amount of the disgorgement; and Mr. Arakelian will pay disgorgement of $35,781.20, prejudgment interest and a penalty equal to the amount of the disgorgement. See Lit. Rel. No. 23901 (Aug. 11, 2017).

Cooperation: SEC v. Balaszczah, Civil Action No. 17-cv-03919 (Aug 8, 2017) is an insider trading case based on political intelligence regarding Medicare and Medicaid information improperly disclosed from Medicare & Medicaid Services or CMS. One of the defendants who is alleged to have received the information is Jordan Fogel, an analysis for an undisclosed adviser. Mr. Fogel entered into a cooperation agreement with the SEC. In connection with that agreement he consented to the entry of a permanent injunction based on Securities Act Section 17(a) and Exchange Act Section 10(b). The Court will determine the amount of disgorgement, prejudgment interest and penalties. The U.S. Attorney’s office has a parallel criminal case pending. See, Lit. Rel. No. 23899 (Aug. 8, 2017).

Print Friendly, PDF & Email
Posted in SECActions Tagged with: , , , , ,

SEC’s Latest Cybersecurity Risk Alert Identifies Elements of Robust Policies and Procedures

This is a guest post by Nick Akerman, Genna Garver and Kimberly Frumkin, Dorsey & Whitney

On August 7, 2017 the Securities and Exchange Committee (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released yet another cybersecurity Risk Alert entitled, “ Observations from Cybersecurity Examinations.” In this most recent Risk Alert, OCIE details its findings from its Cybersecurity 2 Initiative, which involved the examination of 75 firms, including broker-dealers, investment advisers, and investment companies between September 2015 and June 2016. Following its 2014 Cybersecurity 1 Initiative, the Cybersecurity 2 Initiative set out to assess industry practices and legal, regulatory and compliance issues associated with cybersecurity preparedness, focusing in greater depth on validation and testing of procedures and controls. As the Risk Alert sets forth a list of elements OCIE considers to be robust policies and procedures, it should be used as a check list for registrants in assessing the adequacy and effectiveness of their cybersecurity compliance program in light of their business risks.

The SEC has made cybersecurity a priority in recent years as more cyber-attacks threaten the industry. In addition to being named as a National Examination Program priority, cybersecurity has been a focus on the SEC’s outreach program. The SEC shared the results from its Cybersecurity 1 Initiative in its February 2015 Risk Alert entitled, “ Cybersecurity Examination Sweep Summary.” In May of this year, OCIE put out a Risk Alert regarding the ransomware called “WannaCry” in which OCIE initially shared its observations from its Cybersecurity 2 Initiative to provide guidance to registrants for strengthening cybersecurity programs and protecting against the ransomware. Beyond its exam program and outreach, the SEC’s Enforcement Division has also been focusing on the matter by

bringing cases against investment advisers and broker-dealers for cybersecurity-related violations. On all fronts the SEC is trying to get the message out that cybersecurity is one of the greatest risks facing the financial services industry and registrants must ensure their compliance programs address the risks posed by cyberattacks.

The Cybersecurity 2 Initiative exams focused on the following areas: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. Generally, the staff found the cybersecurity preparedness of the firms they examined had improved since its Cybersecurity 1 Initiative testing in 2013 and 2014. Some of the improvements noted in the Cybersecurity 2 Initiative findings include:

Testing and monitoring:

95% of broker-dealers and 74% of advisers and funds conduct periodic risk assessments of vulnerable systems; Nearly all of the firms had plans in place for addressing incidents;

95% of broker-deals and 43% of advisers and funds conducted penetration tests and vulnerability scans on firm-identified critical systems; and

All firms examined had some form of control in place to monitor data loss of personally identifiable information.

Policies and Procedures:

Nearly all firms had policies and procedures in place to address cyber-related business continuity planning and Regulation S-P;

All of the advisers and funds maintained policies, procedures, and standards related to verifying the authenticity of a customer or shareholder requesting to transfer funds; and

Nearly all broker-dealers and most advisers and funds had specific policies addressing Regulation S-ID.

The Risk Alert also discussed some issues noted during the testing, including policies and procedures not reasonably tailored to the firm, firms’ actual practices not reflecting their written policies and procedures, and Regulation S-P issues among firms that did not appear to conduct system maintenance. Finally, the Risk Alert provided details of what the SEC considers elements of “robust policies and procedures.” These included:

Maintenance of an inventory of data, information, and vendors. Policies and procedures included a complete inventory of data and information, along with classifications of the risks, vulnerabilities, data, business consequences, and information regarding each service provider and vendor, if applicable.

Detailed cybersecurity-related instructions. Examples included:

Penetration tests: policies and procedures policies included specific information to review the effectiveness of security solutions.

Security monitoring and system auditing: policies and procedures regarding the firm’s information security framework included details related to the appropriate testing methodologies.

Access rights: requests for access were tracked, and policies and procedures specifically addressed modification of access rights, such as for employee on-boarding, changing positions or responsibilities, or terminating employees.

Reporting: policies and procedures specified actions to undertake, including who to contact, if sensitive information was lost, stolen, or unintentionally disclosed/misdirected.

Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities. Examples included: Vulnerability scans of core IT infrastructure were required to aid in identifying potential weaknesses in a firm’s key systems,

with prioritized action items for any concerns identified.

Patch management policies that included, among other things, the beta testing of a patch with a small number of users and servers before deploying it across the firm, an analysis of the problem the patch was designed to fix, the potential risk in applying the patch, and the method to use in applying the patch.

Established and enforced controls to access data and systems. For example, the firms:

Implemented detailed “acceptable use” policies that specified employees’ obligations when using the firm’s networks and equipment.

Required and enforced restrictions and controls for mobile devices that connected to the firms’ systems, such as passwords and software that encrypted communications.

Required third-party vendors to periodically provide logs of their activity on the firms’ networks.

Required immediate termination of access for terminated employees and very prompt (typically same day) termination of access for employees that left voluntarily.

Mandatory employee training. Information security training was mandatory for all employees at on-boarding and periodically thereafter, and firms instituted policies and procedures to ensure that employees completed the mandatory training.

Engaged senior management. The policies and procedures were vetted and approved by senior management.

Along with federal regulations that address cybersecurity preparedness, investment advisers and broker-dealers should also watch out for new state cybersecurity regulations aimed at financial institutions. New York was the first state to put out such cybersecurity regulations, which came into force on March 1 of this year. Although investment advisers are not covered entities under the New York law, some may have affiliated outside business activities that are covered by the regulations. Earlier this summer, Colorado adopted a similar set of cybersecurity rules which do cover investment advisers. Those rules became effective July 15, 2017.

In sum, SEC registrants should review OCIE’s suggested “robust policies and procedures” in light of their business and consider whether their current written policies and procedures are adequate and effectively implemented. Registrants should also be prepared to respond to OCIE exam requests regarding these policies and procedures and the registrant’s related testing.

Print Friendly, PDF & Email
Posted in SECActions Tagged with: ,