by T. GormanPosted on Posted in SECActions

The Commission proposed new rules on cybersecurity on March 8, 2022. The rules are straight forward, essentially requiring issuers to make certain disclosures regarding their policies and procedures on cybersecurity. The debate among the Commissioners, however, focuses on who should decide what is disclosed, the agency or the issuer.

The proposed rule: The proposed rules would require the company to disclose:

1) Any material incident regarding cybersecurity

2) The firm’s policies and procedures, periodically, to identify and manage cybersecurity risks

3) Management’s role in implementing cybersecurity policies and procedures and

4) The board of director’s cybersecurity experience and oversight

Finally, the proposals would, if adopted, require the firm to include updates on past incidents in current reports regarding cybersecurity incidents.

This is not the first time the Commission has considered cybersecurity issues. Previously, the Division of Corporate Finance issued interpretative guidance regarding an issuers then existing disclosure obligations. Following that 2011 staff guidance, the Commission issued interpretative guidance in 2018 which essentially reinforced the earlier statements from Corp Fin.

Commissioner Comments: Chair Gensler issued a statement supporting the proposals. Many issuers already make certain disclosures regarding cybersecurity, Mr. Gensler noted. Companies and the investing public would benefit from rules requiring certain disclosures in this area, in view of the repeated incidents. In this regard, two points are critical. First, the proposed rules would require “ongoing disclosures on companies’ governance, risk management, and strategy with respect to cybersecurity risks.” This type of disclosure will permit investors to assess the readiness of the firm to deal with issues in this area.

Second, the proposals would require mandatory, material and ongoing disclosure on incident reporting. This is an important point because “incidents could affect investors’ decision-making.” Finally, Chair Gensler has requested the staff to make recommendations with respect to broker-dealers, Regulation SCI and intermediaries’ requirements regarding customer notices.

Commissioner Hester M. Peirce had a different view. While admitting the importance of the topic, Ms. Peirce cautioned that the Commission must view the issue through the lens of its statutory obligations: “We have an important role to play in ensuring that investors get the information these need . . . This proposal, however, flirts with casting us as the nation’s cybersecurity command center . . .” The difficulty with the proposals is that they interfere with questions of business judgement that should be left to the issuer and not be made by the agency. For example, while “the integration of cybersecurity expertise into corporate decision-making likely is a prudent business decision for nearly all companies, whether, how and when to do so should be left to the business. . .”

The bright spot in the proposal, according to Commissioner Peirce, is the incident reporting provision. While this is governed in earlier guidance, the proposed does contain “sensible guideposts” for companies to follow if rooted in materiality.

Comment: The key difference here is not the importance of the topic. Chair Gensler and Commissioner Peirce both agree that cybersecurity is a critical topic for any issuer. Rather, the debate is about approach. Chair Gensler views the disclosure obligations as giving investors important information necessary for decision making. While Commissioner Peirce might agree that the topics would be of interest to investors, the question is should the agency step in and mandate that the information be available or should the issuer decide if its shareholders get the information? Perhaps those penning comments to the proposals should address this point.

Tagged with: ,

by T. GormanPosted on Posted in SECActions

Five Chinese issuers were ordered to comply with SOX audit/inspection obligations by the Commission on March 11, 2022. The group includes BeiGene, Zai Lab, Hutchmed, ACM Research and YumChina. This may be the beginning of the end for a long running battle.

The Commission has scheduled a vote for later this month on the adoption rules regarding an ESG framework. While foreign regulators have previously acted on this issue, it is a first for the agency.

SEC

Whistleblowers: The commission awarded about $14 million to a whistleblower in connection with one action and over $3.5 million in another this past week.

Cybersecurity: The agency proposed rules regarding the management, governance and incident disclosure by public companies regarding cybersecurity. Specifically, the proposals would require firms to provide current reporting about material incidents and periodic updates concerning prior incidents. They would also mandate periodic reporting by issuers regarding their policies and procedures to identify and manage cybersecurity risks, board oversight of those risks and the implementation of cybersecurity policies and procedures. Periodic disclosures would also be required about the expertise of the board in the area, according to the March 9, 2022, release (here).

SEC Enforcement – Filed and Settled Actions

Last week the Commission filed 2 civil injunctive actions and 1 administrative proceedings, exclusive of Section 12(j), tag-along and other similar proceedings.

Fraudulent digital assets: SEC v. Qin, Civil Action No. 1:20-cv-10849 (S.D.N.Y.) is a previously filed action which named as defendant Stefan Qin. The complaint alleged that Defendant was the founder and operator of Virgil Sigma Fund LP, a fraudulent investment fund that supposedly engaged in digital asset arbitrage trading. Mr. Qin repeatedly made false statements to investor to induce them to put their money into the fund. Much of the investor money was misappropriated. After entering a preliminary injunction and appointing a receiver the Court entered a final judgment by consent imposing an injunction based on Securities Act Section 17(a) and Exchange Act Section 10(b). The judgment also requires Defendant to pay disgorgement of $36,352,028 and prejudgment interest of $13,494,793. Those amounts are deemed satisfied by the order of forfeiture entered in the parallel criminal case. In the parallel criminal action brought by the Manhattan U.S. Attorney’s office Mr. Qin pleaded guilty to one count of criminal securities fraud and was sentenced to serve 7.5 years in prison and directed to pay criminal forfeiture in the amount of $54,793,532. See Lit. Rel. No. 25342 (March 9, 2022).

SEC v. Barksdale, Civil Action No. 1:22-cv-1933 (S.D.N.Y. Filed March 8, 2022). Named as defendants in the action are John Barksdale and his sister, Jonatina Barksdale. John, a U.S. citizen living in Thailand, is the founder and primary entrepreneur behind a firm called Ormeus Global S.A. and its digital tokens, Ormeus Coin or ORME. Sister JonAtina, or Tina, is a U.S. citizen living in Hong Kong. She controls the company along with her brother. In just a few months, beginning in June 2017, Brother and Sister raised millions of dollars from thousands of investors by offering and selling unregistered securities in the form of subscription packages in Ormeus Global, S.A., a multi-level marketing business. Also sold were unregistered securities in the form of the digital asset Ormeus Coin. The subscription packages included access to a learning portal about digital assets, funds pooled and invested into a digital asset trading system and the tokens of Ormeus Coin. Through the firm Defendants marketed a trading system as a proven program. Returns to investors were supposedly as high as 160% of the initial investment. Through Ormeus Global, a company organized in Panama on September 4, 2017 and based in Hong Kong, Defendants marketed the Ormeus Coin to investors. Part of the sale pitch claimed the Ormeus Coin would permanently place 40% of the profits from the digital assets mining business tied to the coin into digital asset wallets called Ormeus Reserve Vault. This would support the Ormeus Coin investors were told. They were also informed that the wallet would be displayed on a firm website. In fact, the wallet displayed belonged to a third party. Defendants’ marketing pitch contained other false claims. To portray the firm as successful, for example, the digital assets were displayed on the website and were represented to be worth over $190 million in November 2021. In fact, the actual digital wallets were worth less than $500,000 as of that date. The website also displays a letter which claimed that the digital mining operations of Ormeus Coin were among the largest in the world and included facilities in North America. During the period surrounding the road show Defendants engaged in manipulative trading of Ormeus Coin to boost the price. Coordinated trading was used to inflate the price of the coin. Overall Defendants raised at least $124 million from over 20,000 investors in the United States and various countries around the world. Defendants have used millions of dollars of investor cash for their personal benefit. The complaint alleges violations of Securities Act Sections 5(a), 5(c) and 17(a) and Exchange Act Section 10(b). The case is pending. See Lit. Rel. No. 25341 (March 8, 2022).

Misappropriation: SEC v. Schamens, Civil Action No. 2:22-cv-01219 (D.N.J. Filed March 7, 2022) is an action which names as defendant David W. Schamens who has been associated with a number of investment advisers. In 1992 Mr. Schamens resolved Commission charges that he misappropriated client finds. In connection with the resolution of that action he was barred from the securities business. In this action since February 2019 Defendant has solicited investors to acquire interests in investment fund TradeStream Algo Fund, LP. The fund supposedly used an algorithm-driven stock trading approach that had the potential for large profits. In fact investor funds were misappropriated by Defendant who tried to conceal his misconduct by furnishing investors with fake documents. The complaint alleges violations of Securities Act Section 17(a), Exchange Act Section 10(b) and Advisers Act Sections 206(1), 206(2) and 206(4). The case is pending. The U.S. Attorney’s Office for New Jersey filed parallel criminal charges.

Fees – conflicts: In the Matter of Alumni Ventures Group, LLC, Adm. Proc. File No. 3-20791 (March 4, 2022). Alumni Ventures Group has been an exempt reporting adviser since December 18, 2017. The firm relies on an exemption from registration for venture capital fund advisers in Section 203(f) of the Advisers Act. It has about $425 million under management. Respondent Michael Collins is its founder. The Order Instituting Proceedings is based on two claims. The first centers on the fees charged clients. Over a four-year period, beginning in June 2016, the adviser told clients and others that its management fee for the venture capital funds it managed was the “industry standard ‘2 and 20.’” In fact, it was not. The industry standard is 2% each year and carried interest of up to 20%. In contrast, the firm charged 2% each year plus the full 20% – not the industry standard. Second, the firm made inter-fund loans and cash transfers between funds as well as loans to certain funds. Those transactions violated the funds’ operating agreements prohibiting commingling and its fiduciary duties to the funds. The inter-fund transfers were also a conflict of interest between the funds that was not disclosed. The Order alleges violations of Section 206(2) and 206(4) of the Advisers Act. The firm undertook certain remedial acts and agreed to implement certain undertakings. To resolve the proceedings Respondents consented to the entry of cease-and-desist orders based on the Sections cited in the Order and to a censure. Respondents will each pay a penalty of $700,000 and, in addition, Mr. Collins will pay an additional penalty of $100,000.

DOJ

Remarks: Director of COVID -19 Fraud Enforcement Kevin Chambers delivered remarks on March 10, 2022 at the Enforcement Task Force Roundtable (here) regarding the work of the group.

FinCEN

Release: The agency published a release which identifies jurisdictions that have anti-money laundering and combating the financing of terrorist deficiencies on March 10, 2022 (here). The release identifies jurisdictions removed from the list as well as those that that are considered high risk.

U.K.

Release: The FCA cautioned firms divesting Russian assets to ensure that the transactions comply with the guidance issued by the regulator previously, according to a March 13, 2022 release (here).

Tagged with: , ,