Offering fraud actions are one of the most prevalent types of cases brought by the Commission. There is an almost endless number of variations of fraudulent schemes used to convince investors to pay over their money to people who are friends or perhaps people not really known to them. Just what it is that causes the investor to pay over their money to a fraudster is hard to determine. One common thread in many scams, however, is that the investors frequently conduct no or little due diligence as to either the possible investment or those soliciting it. This is likely the situation in the SEC’s most recent case in this area, SEC v. Karpavicius, Civil Action No. 1:23-cv-2205 (S.D.N.Y. Filed March 15, 2023).

Named as defendants in this action are: Darius Karpavicius; TBO Capital Group; Gary Capital Group; HMC Trading, LLC; and HMC Management, LLC. Mr. Karpavicius is a Lithuanian citizen who conducted business through TBO Capital Group and Gray Capital Group. He also incorporated HMC Trading and HMC Management and is the sole member of each entity.

Beginning in December 2021Defendants raised about $4.1 million from dozens of investors, selling interests in what were claimed to be mutual funds. The scheme was conducted through the websites of TBO Capital Group and Gray Capital Group. Each site claimed its investment funds were operated by a group of experienced professions. Each site displayed the pictures of those professionals. Each site also claimed to have annual returns of 50+% without a single down year.

Each s had another key feature in common — everything was fictitious. Three of the four pictures on each site were of the same people. The description of the funds on each site were near copies. The graphic layout of each was virtually identical. The sites also listed the same company address and telephone number.

In the end, the claimed people supposedly associated with each site did not exist; the investments did not exist. Not a single share of stock was purchased.

What did exist was real was the investor cash. It was transferred to Defendant Karpavicius who moved much of it to his bank account and ultimately to crypto trading platforms. The complaint alleges violations of Securities Act Sections 5(a), 5(c0 and 17(a) and Exchange Act Section 10(b). The case is pending.

Cyber security is an area that has rapidly evolved over the past few years. Once a threat that was considered obscure by some and not significant by others, it is now a key area of focus for many. The stakes today are by any definition significant. A breach can result in millions of records held by an issuer or market participant such as a broker-dealer being obtained and perhaps disseminated. Frequently those records contain personal information of thousands if not millions of persons, including financial and credit card data. As activity in this area has evolved the Commission and DOJ have investigated and filed cases.

Last year the Commission proposed rules for issuers designed to require the creation of policies and procedures to protect the company and its information. The proposals also including reporting obligations in case of a breach. Now the agency is proposing that market participants adopt similar rules.

The proposals

Proposed Rule 10 is at the center of the proposed rules for market participants. It would require that Market Entities – essentially most broker-dealers other those some small firms – address the risks presented in the area by adopting a set of policies and procedures which are reasonably designed to address the risks. Those policies and procedures would be reviewed each year and amended or updated in view of the evolving cyber risks. Market entities would also be required to provide the Commission with a written electronic notice immediately if there is a reasonable basis for believing that a breach has occurred as well as updates and disclosure as discussed below.

Form SCIR – updates/disclosure

Covered entities would be required under Rule 10 to complete Form SCIR to update the Commission and provide disclosure. One section of the form provides the Commission with periodic updates. Another section focuses on disclosure. It provides summary descriptions of the cyber risks and significant incidents experienced in the current and prior year that are to be published on the broker-dealer’s website. Customers opening a new account would be furnished a copy of the disclosures as well as existing customers when updates are made, including the yearly update.

The material would also be posted on the firm’s website.

Comment

The proposals initiated by the Commission build on those launched last year for issuers and the series of enforcement actions which predated those proposals. Collectively, the proposals last year and now are designed to provide an overall response to the rapidly increasing threat posed by cyber while assuring the markets and the public that confidential information will be protected.

To be sure, the proposals are a good starting point, thoughtfully designed to address the key points of a threat that is well recognized, acknowledged by many and rapidly evolving. At the same time, they are controversial even among the Commissioners who acknowledge the threat. Chair Gensler and Commissioners Crenshaw and Lizarraga support the proposals. Commissioners Peirce and Uyeda do not. No doubt there will be a variety of comments furnished to the agency before the process is completed.