The number of securities class action filings set a new record last year, according to a recent report by Cornerstone Research titled Securities Class Action Filings, 2019 Year in Review (here). According to the Report, the number of those actions filed last year eclipsed the record set the prior year. The Report also tracks key trends in the filing of securities class actions in a number of other areas.

Number of cases filed: Last year 428 securities class actions were filed in federal and state courts, passing the record set the year before of 420. The number of suits filed as the decade drew to a close was the most on record, nearly doubling the 1997-2018 average. Core filings, defined as all such suits except those tied to M&A, also set a record at 268 compared to 238 suits filed the year before. While the number of M&A suits filed did not set a record, the 160 cases initiated represent the third largest number.

Exchange listed firms: The likelihood of being named as a defendant in a securities class action increased again in 2019 for firms listed on a major exchange. Since 2011 the likelihood of being named as a party for an exchange listed firm – NYSE or NASDAQ – has increased each year. In 2019 firms listed on one of the exchanges had a 5.5% likelihood of being named in a core action, up from 4.8% in 2018, 4.2% in 2017 and 4.1% in 2016. In contrast, the likelihood of being named in an M&A case for an exchange listed firm dropped to the lowest level since 2016.

S&P 500: In contrast, the likelihood of an S&P 500 firm being named as a defendant in a securities class action declined after a record high was set in 2018. Firms in the health care sector were most frequently named in a suit in 2019, the same as in 2018. Firms in the consumer staples sector were second while those classified as industrials were third. During the prior year firms involved in telecommunications/information tech were second followed by those in consumer staples.

1933 Act claims: Last year the number of cases filed in state court under the 1933 Act continued to increase. A total of 49 such cases were filed last year compared to 35 in 2018. While 28 of those cases were brought in either New York or California state courts, the overall increase was fueled in large part by the 18 cases initiated in other state courts. That represented a significant increase over 2017 when only 13 cases were filed in other state courts.

Non-U.S. federal filings: The number of actions filed against non-U.S. issuers as a percentage of total filings has generally been trending upwards. Last year the number of core cases filed against non-U.S. issuers increased to 57, compared to 47 in the prior year. While the number of cases against non-U.S. issuers last year was the highest recorded during the decade, as a percentage of the total cases initiated it ranked third.

Circuits: Most securities class actions are filed in either the Second or Ninth Circuit followed by the Third. Last year was no exception. In 2019 103 cases were filed in the Second Circuit, followed by 52 in the Ninth and 28 in the Third. In 2018 there were 71 actions filed in the Second Circuit, 69 in the Ninth and 26 in the Third.


The SEC’s Office of Compliance Inspections and Examinations published a series of observations gleaned from hundreds of exams over a period of years. While OCIE’s charge is the inspection of registered investment entities, the observations of the exam staff offer important lessons for all in this critical and constantly evolving area. The observations are set forth in Cybersecurity and Resiliency Observations, Office of Compliance Inspections and Examinations (Jan. 27, 2020) (here), detailed below.

Governance and risk management

An effective cybersecurity program begins with “tone at the top” and the involvement of senior enterprise executives. Four key building blocks are essential: senior level engagement; risk assessment; policy and procedure adoption; and communication of the policies and procedures in a timely manner.

Access rights and controls

The central question is identifying the appropriate users, which allows access to be delimited. Three key elements should be examined: access which is based on, and limited by, need; policies governing access tied to need; and monitoring to implement the policies.

Data loss prevention

This typically includes tools to ensure that sensitive data and client information are not lost or misused. Key tools include: vulnerability scanning; perimeter security; detective security which searches for threats on endpoints; patch management covering all software; an inventory of hardware and software which is maintained and protected; encryption and network segmentation through the use of tools and processes designed to secure data and systems; insider threat monitoring; and securing legacy systems and equipment.

Mobile security

These devices can create additional concerns regarding security while having unique issues. Effectively dealing with these issues requires: policies and procedures designed specifically for mobile devices; and the use of a mobile device management application. If personal devices are used the program or system must be designed to cover all such devices. In addition, steps are required to prevent the duplication or saving of information on personal devices along with specific training regarding such devices.

Incident response and resiliency

Two points to be considered are: First, the organization should have a plan with component elements that include: Developing risk assessment for various scenarios such as service attacks, malicious disinformation, ransomware, and others. Also to be addressed are the applicable federal and state reporting requirements. Second, strategies focused on resilience are required that include: Maintaining an inventory of core business operations and systems; and assessing risk tolerances tailored to the organization and maintaining the necessary back-up data.

Vendor management

Vendor management requires a program that includes: elements to ensure that vendors meet the security requirements and take appropriate safeguards; understanding the contractual and other terms and elements that govern the relationship; and appropriate monitoring and testing.

Training and awareness

Key to any plan is the training and awareness of employees. Policies and procedures here are used as a training guide for the training staff to implement the cybersecurity policies and procedures of the organization and engage employees. The program should also evaluate effectiveness.

In the end, cybersecurity is a multi-faceted program which must be addressed by every organization beginning with the tone that flows through the enterprise and is focused on the risks faced by the particular business.
