by T. GormanPosted on Posted in SECActions

The Commission’s focus on small, retail investors seems to have turned into a near quest to uncover offering frauds of all types, sizes and configuration. To be sure these actions fleece thousands of investors on a continual basis. That is evident from the near continual stream of these cases discovered and prosecuted by the agency. Despite the ardent and continuing efforts of the Commission they continue. Perhaps it is time to consider devoting more time to prevention, a most difficult task. In the long run that effort may be worthwhile, however.

In the immediate future look for the stream of cases to continue. This week the agency brought yet another offering fraud action. It adopts a technique frequently used by those behind such schemes – a key popular theme. In SEC v. Thunderbird Power Corp., Civil Action No. 1:20-cv-22901 (N.D. Fla. Filed July 14 2020) the theme was conservation in the form of wind turbines. The named defendants – Richard Hinds, Anthony Goldstein and John Alexander Van Arem – are each officers of the company who sold the vision to investors who departed with their cash.

The vision was the wind turbine, popular with environmentalists. Thunderbird supposedly had an industrial grade turbine called PowerStack under development. The tech had been validated by a nationally-known – but unidentified – scientific firm, according to the sales pitch. Proceeds from the offering were supposed to go to development. The stock was compared to an early version of Amazon and other, similar start-ups that later were successful.

Defendants raised almost $2 million from investors in less than three years. The claims were false. Portions of the investor money was misappropriated. The Commission’s complaint alleges violations of Securities Act Section 5(a), 5(c), each subsection of 17(a) and Exchange Act Sections 10(b) and 15(a). The case is pending.

Tagged with: ,

by T. GormanPosted on Posted in SECActions

The Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert titled CyberSecurity: Ransomware Alert (July 10, 2020)(here). The OCIE Alert follows one issued on the same topic by Homeland Security (AA19-339A), dated June 30 2020 (here), which is a joint product of Treasury and FinCEN. That alert provides an overview of malware, related activity and a list of previously unreported indicators of compromise reported to FinCEN.

The OCIE Alert draws on its experience and the Homeland Security Alert. There has been an apparent increase in sophisticated ransomware attacks on SEC registrants, including broker-dealers, investment advisers and investment companies, according to OCIE. The perpetrators of those attacks typically demand compensation to maintain the integrity and/or confidentiality of customer data or for the return of control over the systems.

OCIE distilled its observations and comments into six points:

Incident response and resiliency policies: Policies and procedures relied by the organization should center on incident response and resiliency policies and procedures. They typically include: Response plans for various scenarios; procedures for timely transmitting the information up the management ladder in the organization; ensuring compliance with federal and state legal requirements; and procedures for contacting law enforcement.

Operational resiliency: The organization must determine which systems can be restored during the disruption. This includes: Focusing on which applications can continue to operate and which are unavailable. It also includes ensuring the geographic separation of back-up data and writing it to an immutable storage system if the primary data is unavailable.

Awareness and training: Employees should be provided with specific cybersecurity and resiliency training and information regarding cybersecurity and responsibilities.

Vulnerability scanning and patch management: The firm should implement proactive vulnerability and patch management programs by ensuring that all firmware, operating systems and application software have the most current updates. Anti-virus and anti-malware solutions should be set to update automatically.

Access management: Managing access through a series of steps is important. Those include limiting access as appropriate, having a separation of duties, re-certifying access periodically, having strong passwords that periodically change, having an additional verification, and revoking access immediately when an employee is terminated.

Perimeter security: The firm should implement perimeter security capabilities that can control, monitor and inspect all traffic. This should include adopting best practices for remote desktop protocols, ensuring that only approved software can be executed and using a security proxy server to control and monitor access to the internet.

Cybersecurity is a continuing issue as highlighted by the Homeland Security alert cited above. It is also an OCIE exam item.

Tagged with: , ,