Cybersecurity is a great concern for organizations of all types and sizes. There is significant potential for a wide variety of issues to arise from a cybersecurity disruption. This is particularly true for public companies, which are required to make filings with the Commission that may involve disclosing the event and response.

Last week the Commission reported four proceedings in which issuers were charged with violations of the securities laws based on cyber incidents. See, e.g., In the Matter of Unisys Corporation, Adm. Proc. File No. 3-22272 (October 22, 2024).

Respondent is a Delaware corporation based in Blue Bell, Pennsylvania. The firm’s shares are traded on the NYSE. The company’s information technology network and resources regularly stored and transmitted its customers’ data and information as well as its own.

The matter here involving Unisys centers on two incidents. First, in December 2020 Unisys identified a computer that was part of its network that had a version of SolarWinds Orion software. The company believed the device had likely been infected with malicious code that allows for unauthorized activity on affected computers and networks. Unisys also received notifications about, and discovered, compromises of its environment. Those compromises took place over a period of about 16 months beginning in January 2020. The issues and compromises involved at least seven network credentials and 34 cloud-based accounts. At least 33 gigabytes of data had been transferred. Unisys was aware that its investigations involved gaps based on the activity analyzed. The firm also believed that the issues likely arose from a nation-state threat actor.

In its Form 10-K for the fiscal years ended December 31, 2020 and 2021, the firm made disclosures regarding the incident. Those disclosures were not accurate. Specifically, they did not accurately describe the intrusions. The disclosures also did not accurately describe the risk of unauthorized data access, phrasing it in hypothetical terms rather than specifically stating what happened.

Second, in July 2022, the firm was compromised by a separate threat actor, a Russian-speaking ransomware group that successfully compromised the network. This group successfully exfiltrated certain cybersecurity product and platform software code for products the company offers to customers.

Prior to December 2022, Unisys’ incident response policies did not reasonably require cybersecurity personnel to report information to the company’s disclosure decision makers. Thus, senior cybersecurity personnel repeatedly failed to report incidents to executive management and the legal department.

Subsequently, the firm took a number of remedial steps regarding its policies and disclosed a material weakness in its disclosure controls. The complaint alleges violations of Securities Act Sections 17(a)(2) and 17(a)(3). The Commission considered the firm’s remedial acts and cooperation.

Respondent resolved the matter, consenting to the entry of a cease-and-desist order based on the Sections cited in the Order. In addition, Respondent agreed to pay a penalty of $4 million. See also In the Matter of Mimecast Ltd., Adm. Proc. File No. 3-22271 (Oct. 22, 2024) (similar incident and issues re cybersecurity incident; resolved on similar terms); In the Matter of Check Point Software Technologies, Ltd., Adm. Proc. File No. 3-22270 (Oct. 22, 2024) (similar issues and resolution); In the Matter of Avaya Holdings Corp., Adm. Proc. File No. 3-22269 (Oct. 22, 2024) (similar issues resolved on similar terms).


Research is typically viewed as critical to investments and trading. Brokerage firms and investment advisers frequently make substantial investments in the portion of their operations dedicated to conducting proper and complete research for any investments to be made. The results of the research typically guide the ultimate investments. The Commission’s most recent case in this area highlights the impact of failing to properly complete research prior to trading. SEC v. Choi, Civil Action No. 2:24-cv-09082 (C.D. Cal. filed October 22, 2024).

Named as defendant in the action is Ryan Choi. He holds brokerage licenses and was registered with the State of California as an investment adviser from 2017 through 2018 – just prior to the events in this case. He at times works with Andrew Left, an activist short publisher. Mr. Choi has used the moniker Citron Capital, LLC for years.

Beginning in late October 2019, Mr. Choi assisted Andrew Left in preparing tweets and reports published through Citron Research by Mr. Left. Citron frequently identified short selling opportunities or those viewed as long investment candidates. The price of the target stock frequently moved in a manner that was consistent with the recommendations.

In December 2020 Mr. Choi worked with Mr. Left on research and content for two buy recommendations. Mr. Left issued the recommendations through Citron Research. Mr. Choi failed to act reasonably in conducting the research or due diligence that was provided to Mr. Left as support for the recommendations he included in the Citron Research tweets, according to the complaint.

Once the investments were made, Mr. Choi quickly traded on the price increases that followed the two transactions. He also traded on price increases without disclosing the basis for his trading. Throughout the process Mr. Choi failed to act reasonably and was negligent. The complaint alleges violations of Securities Act Section 17(a)(3).

To resolve the action, Mr. Choi consented to the entry of a final judgment permanently enjoining him from violating the Section cited in the complaint. The final judgment also requires him to pay a penalty of $115,231, disgorgement of $1,647,217 and prejudgment interest of $64,818. See Lit. Rel. No. 26164 (October 22, 2024).
