FMG Law Blog Line

Posts Tagged ‘SEC’

Loss of SEC Commissioners Piwowar and Stein May Wreak Havoc on SEC’s Proposed Fiduciary Regulations

Posted on: June 1st, 2018

By: Ted Peters

On May 7, 2018, Republican SEC Commissioner Michael Piwowar announced that he will resign effective July 7, 2018.  Piwowar’s five-year term expires on June 5, but SEC commissioners are permitted to remain in office for up to 18 months following the end of their term.  Democratic Commissioner Kara Stein’s term expired in 2017 and she too is expected to leave the Commission this year.

Piwowar was admittedly a harsh critic of the U.S. Department of Labor’s fiduciary rule (calling it a “terrible, horrible, no good, very bad” rule), which has since been struck down by the Fifth Circuit Court of Appeals.  He also expressed significant misgivings about the Commission’s April 18, 2018 proposals, which attempt to establish standards of conduct for financial advisors.  Despite such concerns, Piwowar wholeheartedly voted in favor of putting the proposals out for public comment lest anyone criticize the SEC for failing to take action.  Stein, however, voted against the proposals, finding them too weak and suggesting they be called “Regulation Status Quo.”

Regardless of their personal views, the loss of Commissioners Piwowar and Stein will undoubtedly put further pressure on the SEC as the agency takes comments on the proposals. On the other hand, the SEC might have an easier go in reaching a compromise with the decision being left to just three commissioners.  In theory, the White House and Senate could quickly take action to replace Piwowar and Stein, as it is customary for the Senate to consider commissioners in pairs (Republican and Democrat).  In the meantime, between the departures of Piwowar and Stein, the SEC will operate with four commissioners including two Democrats, which could lead to deadlocked votes, something for which the SEC is well known.

If you have questions or would like more information, please contact Ted Peters at [email protected].

Lessons Learned from the SEC’s Order in the Yahoo! Data Breach Enforcement Action

Posted on: May 22nd, 2018

By: Jennifer Lee

On April 24, 2018, the SEC issued an order in the enforcement action against Altaba Inc., formerly Yahoo! Inc., and imposed a $35 million fine relating to the 2014 data breach which affected more than 500 million Yahoo! user accounts.

SEC’s Findings

The SEC found that Yahoo! violated federal securities laws by failing to disclose the 2014 data breach for almost two years. The SEC focused on the fact that despite its knowledge of the data breach, Yahoo!’s annual and quarterly reports made no mention of the data breach as a risk factor. Instead, the reports represented that the company only faced the risk of potential future data breaches that may expose its users’ personally identifiable information which may lead to litigation, loss of revenue, and damage to its reputation.

In addition, Yahoo! management’s analysis of the company’s financial condition also omitted changes to revenue that were expected to result from the public disclosure of the 2014 data breach.

Lastly, the stock purchase agreement between Yahoo! and Verizon entered into on July 23, 2016 and filed with the SEC on July 25, 2016 was misleading because it contained affirmative representations denying the existence of any significant data breaches.

The data breach was not disclosed until September 2016 in a press release filed as an attachment to a Form 8-K. After the public announcement of the data breach, Yahoo!’s stock price decreased by 3%, resulting in a $1.3 billion drop in its market cap.

Lessons Learned

Disclosures regarding cybersecurity risk factors that discuss potential incidents are misleading if they do not discuss known incidents that have already occurred. The SEC found that the omission of the 2014 data breach from the risk factor disclosures was misleading because it suggested that a significant data breach had not yet occurred, which in turn implied that any negative effects that may result from future breaches are merely speculative.

Companies should perform regular assessments of cybersecurity threats and their likely impact on the business to determine whether such issues should be disclosed as a risk factor. Regulation S-K Item 303 requires companies to include trends or uncertainties reasonably likely to have a material impact on their business. Item 503(c) requires companies to disclose the most significant risk factors that make the company speculative or risky. Because cybersecurity incidents have the potential to, and often do, in fact, lead to a significant depreciation in a company’s stock price and market cap, failing to perform regular assessments of cybersecurity threats and their likely impact on the business will inevitably lead companies to run afoul of Regulation S-K.

Be mindful of other state, federal, and international regulations that govern disclosure of data breaches and other cybersecurity incidents. Currently, data breach notification obligations in the United States consist of a patchwork of individual state statutes. In addition, the EU’s General Data Protection Regulation, which takes effect on May 25, 2018, contains a whole new set of rules regarding the disclosure of data breaches and other cybersecurity incidents. Companies that operate on a national or international level must be aware of their disclosure obligations under these regulatory structures and how they may affect companies’ disclosure obligations under federal securities laws.

If you have any questions or would like more information, please contact Jennifer Lee at [email protected].

 

DOL Fiduciary Rule Suffers a Slow Death

Posted on: May 15th, 2018

By: Ted Peters

In 2016, the U.S. Department of Labor (“DOL”) promulgated a set of rules and regulations now infamously referred to as the “Fiduciary Rule.”  After multiple criticisms and legal challenges, the Fifth Circuit Court of Appeals struck down the Fiduciary Rule effective May 7, 2018.  Surprising many, the DOL elected not to challenge the Fifth Circuit ruling.  Even more surprising, however, was the bulletin issued by the DOL on the effective date of the court’s order.

The court’s ruling, which was not opposed by the DOL, left many unanswered questions.  Enter the DOL’s field bulletin.  Rather than admitting the total defeat of the Fiduciary Rule, however, the DOL seeks to maintain the status quo.  Specifically, the DOL announced that pending further guidance, advisors will not be penalized for either complying with the Fiduciary Rule, or ignoring it in favor of pre-existing standards.  Unfortunately, this announcement leaves the single most important question unanswered – what is the standard to which advisors will be held?  With the U.S. Securities and Exchange Commission working on its own set of rules, and the wait-and-see approach embraced by the DOL notwithstanding, only time will tell.

If you have questions or would like more information, please contact Ted Peters at [email protected].

New FINRA Proposals for High Risk Brokers

Posted on: May 4th, 2018

By: Theodore C. Peters

On April 30, 2018, FINRA published Regulatory Notice 18-16, captioned “High-Risk Brokers,” which seeks comment on proposed rule amendments that would place further restrictions on not only high-risk brokers, but also the member firms that employ them.  FINRA warns that such brokers “may present heightened risk of harm to investors, and any misconduct by them also may undermine confidence in the securities markets as a whole.”

This Notice, among others, stems from the increasing pressure upon FINRA to deal with problem brokers.  According to the Notice, the amendments would serve to “strengthen existing controls.”  More specifically, the amendments would affect the Rule 9200 Series (Disciplinary Proceedings) and the Rule 9300 Series (Review of Disciplinary Proceedings by National Adjudicatory Council and FINRA Board; Application for SEC Review), and would allow a hearing panel “to impose conditions or restrictions on the activities of member firms and brokers while a disciplinary matter is on appeal to the National Adjudicatory Council (“NAC”), and to require member firms to adopt heightened supervision procedures for brokers during the period the appeal is pending.”

The proposal would also impact the Rule 9520 Series (Eligibility Proceedings) to mandate that member firms adopt heightened supervision procedures for brokers during the period a statutory disqualification (“SD”) eligibility request is under review. Further, Rule 8312 (FINRA BrokerCheck Disclosures) would require disclosure of the status of a member firm as a “taping firm” under Rule 3170 (Tape Recording of Registered Persons by Certain Firms).

Lastly, the NASD Rule 1010 Series (Membership Proceeding)(MAP Rules) would be amended to place additional limits on member firms by requiring firms to first submit a written letter to FINRA’s Department of Member Regulation through the MAP Group (the Membership Application Program Group), requesting a “materiality consultation” when a natural person who has been the subject of, within the prior five years, one or more final criminal actions or two or more specific risk events, seeks to become an owner, control person, principal or registered person of an existing member firm.  “Specific risk events” generally mean “final, adjudicated disclosure events disclosed on a person’s or firm’s Uniform Registration Forms.”

Separately, FINRA also published Regulatory Notice 18-15, which reiterates the existing obligation of member firms to adopt and implement heightened supervisory procedures under Rule 3110 (Supervision) that are specifically tailored for high-risk brokers.  Unlike Notice 18-16 which seeks comment on proposed rule amendments, Notice 18-15 intends to “reiterate the supervisory obligations of member firms regarding associated persons with a history of past misconduct that may pose a risk to investors,” and to provide guidance for member firms in implementing effective heightened supervisory procedures for such persons.

If you have questions or would like more information, please contact Ted Peters at [email protected].

Yahoo Fined $35M for Delay in Disclosing 2014 Cyberattack

Posted on: April 30th, 2018

By: Theodore C. Peters

On April 24, 2018, the U.S. Securities and Exchange Commission hit Altaba, Inc. (formerly known as Yahoo) with a $35 million fine.  The penalty stems from Yahoo’s failure to disclose a 2014 cyberattack until 2016, even though it knew of the breach within days after it occurred.

In its order, the SEC said that Yahoo’s information security team was promptly advised that Russian hackers had acquired highly sensitive information that Yahoo itself referred to as its “crown jewels,” namely Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers for hundreds of millions of accounts.  Despite such knowledge, however, Yahoo waited until September 2016, on the eve of a pending sale to Verizon Communications, Inc., before it officially disclosed the breach.

Yahoo’s disclosure of the breach resulted in an immediate 3 percent decline (estimated at $1.3B) of Yahoo’s share price, and caused Verizon to renegotiate the purchase price, lowering it by $350M (representing a 7.5% discount).  Before publicly acknowledging the breach, Yahoo released annual and quarterly reports that the SEC concluded were “materially misleading” insofar as “they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information…” (emphasis added).

Yahoo later amended its risk factor disclosures and MD&A (Yahoo management’s discussion of financial condition and results of operations) to reflect the 2014 breach in its subsequent public filings.  On October 9, 2016, Yahoo acknowledged that the breach occurred in 2014.  Yahoo also corrected prior public disclosures for 2014 and 2015, which indicated that Yahoo’s disclosure controls and procedures were effective.  The amended filings stated that such controls and procedures were not effective.

As part of its agreement with the SEC, Altaba neither confirmed nor denied the statements in the order.  Whether further action will be taken against any of the Yahoo executives who were employed at the time of the 2014 cyberattack remains to be seen.  Altaba must pay the $35M penalty.

Separately, a U.S. District Court Judge for the Northern District of California held off on sentencing a 23-year-old Canadian “international hacker-for-hire,” Karim Baratov. At an April 24, 2018 sentencing hearing, Judge Vince Chhabria told federal prosecutors that he was concerned that Baratov could potentially face a tougher sentence solely based upon the fact that among Baratov’s clients were certain Russian nationals who committed the 2014 Yahoo cyberattack, even though there was no evidence that Baratov himself was involved in the Yahoo breach.  Prosecutors sought a nearly eight-year term of imprisonment.  During the sentencing hearing, Judge Chhabria stated that he had “multiple concerns” about the sentence and noted that other hackers engaged in similar conduct had received lesser sentences.  Further briefing was ordered on the issue of what national sentencing ranges are for hackers convicted in federal court.

If you have questions or would like more information, please contact Ted Peters at [email protected].