Securities Enforcement Roundup – October 2024

In this issue of our monthly Securities Enforcement Roundup, we highlight top securities enforcement developments and cases from October 2024.

In October 2024:

• As discussed in a recent LawFlash, the US Securities and Exchange Commission’s (SEC’s) Division of Examinations announced its fiscal year 2025 priorities. The Examination Priorities report provides insights into the SEC’s current thinking and areas of focus, as well as topics that will be formally examined by the Division of Examinations—and potentially lead to referrals to the Division of Enforcement—over the course of this fiscal year.
• The Director of the Division of Enforcement, Gurbir Grewal, departed the SEC.
• In the first actions against victims of the SolarWinds hack, the SEC charged four companies with making allegedly materially misleading disclosures regarding cybersecurity risks.
• Continuing its quest against “AI washing,” the SEC charged two companies for making allegedly false and misleading statements about their use of artificial intelligence (AI).
• The SEC levied significant penalties in connection with two settled investigations involving alleged violations of the Foreign Corrupt Practices Act (FCPA).

THE SEC’S DIVISION OF EXAMINATIONS ANNOUNCES ITS FISCAL YEAR 2025 PRIORITIES

On October 21, 2024, the SEC’s Division of Examinations released its 2025 Examination Priorities. The Division releases this report annually to inform investors and registrants of the areas and topics on which the Division plans to focus in the new fiscal year. Though not meant to be exhaustive, the report focuses on practices that the Division believes present heightened risks to investors or the US capital markets in the coming year. Areas of particular focus in the 2025 Examination Priorities (many of which have consistently been addressed over the last several years) include the below.

Investment Advisers

The 2025 Priorities reflect a continued focus on fiduciary standards of conduct for investment advisers, particularly as it relates to dual registrants and advisers with affiliated broker-dealers, with a focus on best execution, suitability, account-type recommendations, and conflicts of interest.

The Division of Examinations will also continue to focus on advisers’ compliance with Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended, outsourcing of investment selection and management, and the use of AI tools. We expect more referrals to the Division of Enforcement in matters involving advisers’ use of third-party data and tools in connection with investment selection processes and related compliance issues.

Despite the US Court of Appeals for the Fifth Circuit’s invalidation of the SEC’s private funds rules (as further discussed in a LawFlash), the 2025 Priorities include a focus on advisers to private funds, including their compliance with recently adopted SEC rules, including amendments to Form PF, and the updated rules that govern investment adviser marketing, to assess whether advisers have established adequate policies and procedures and whether their actual practices conform to them.

Investment Companies

The Division of Examinations will have continued focus on investment companies “due to their importance to retail investors, particularly those saving for retirement.” Examination areas of focus will include investment companies’ compliance programs, disclosures, and governance practices. The Exam Priorities highlight registered funds with exposure in commercial real estate as a developing area of interest. (Relatedly, the Division recently published a Risk Alert concerning the core areas of the examination process for funds and the types of documents and information that are typically requested.)

Broker-Dealers

Among the number of focus areas related to broker-dealers is a continued focus on compliance with Regulation Best Interest (Reg BI), particularly as it relates to complex, illiquid, or other high-risk products, as well as recommendations made using automated tools, related to opening (or rolling over) different account types, and/or made to specific investor types.

Other Risk Areas

There are several areas of focus highlighted in the 2025 Priorities as “risk areas impacting various market participants.” We expect the Division of Enforcement to take particular interest in the following areas:

• Cybersecurity: Examinations will continue to review registrant practices to prevent mission-critical service interruptions and protect investor information, focusing on policies and procedures, governance, data loss prevention, access controls, account management, and incident response (e.g., ransomware attacks). Examinations will also consider cybersecurity risks associated with third-party products and services.
• Emerging Financial Technologies: The 2025 Priorities contain a heightened focus on the use of automated investment tools, AI, and trading algorithms. Examinations will review the accuracy of representations regarding AI capabilities as well as policies and procedures for both monitoring and supervising its use and protecting client data.
• Cryptoassets: Citing the volatility and activity in proliferating cryptoasset markets, Examinations will continue to monitor and examine registrants offering cryptoasset–related services. The 2025 Priorities note two areas of particular focus: (1) whether registrants meet and follow applicable standards of conduct when recommending or advising on cryptoassets, with particular attention given to retail clients and retirement assets; and (2) whether registrants routinely review and update compliance practices, risk disclosures, and operational resiliency practices.

Absent from the 2025 Priorities—like the 2024 Priorities before them—was any reference to environmental, social, and governance (ESG). This had been a major focus of the SEC in years past, including the creation of a dedicated “Climate and ESG Task Force” within the Division of Enforcement. It was recently reported that the SEC had disbanded the task force, which we discussed in last month’s Securities Enforcement Roundup.

The 2025 Priorities are discussed in greater detail in a recent LawFlash.

THE DIRECTOR OF THE DIVISION OF ENFORCEMENT DEPARTS THE SEC

Gurbir Grewal, who had served as the Direct of the Division of Enforcement since July 2021, departed the SEC in October. According to the SEC’s press release, “[d]uring Mr. Grewal’s tenure, the Division of Enforcement recommended, and the Commission authorized, more than 2,400 enforcement matters resulting in orders for more than $20 billion in disgorgement, prejudgment interest, and civil penalties, more than 340 industry bars against individuals, more than $1 billion in awards to whistleblowers.” Perhaps most notable were the myriad off-channel communications actions the SEC brought during Grewal’s tenure.

Grewal was replaced by Sanjay Wadhwa, the Division’s Deputy Director, who has been at the SEC for 21 years and is now serving as acting director of the Division of Enforcement. Sam Waldon, the Division’s Chief Counsel, is serving as acting deputy director. Wadhwa joined the SEC in 2003 as a staff attorney and later became the co-head of Enforcement in the New York Regional Office. He previously served in other roles at the SEC, including deputy chief of the Market Abuse Unit and assistant director of the New York office. Waldon spent eight years at the SEC as senior counsel and assistant chief counsel in the Division of Enforcement, and rejoined in 2022 in the role of enforcement chief counsel.

SEC CONTINUES ITS FOCUS ON CYBERSECURITY-RELATED DISCLOSURES

On October 22, 2024, the SEC charged four public companies with making allegedly materially misleading disclosures regarding cybersecurity risks and intrusions. The SEC also charged one of the companies with disclosure controls and procedures violations. All charges stem from a sweep investigation involving companies potentially impacted by the compromise of SolarWinds’ Orion software, which had been infected with malicious code. The SEC’s orders found that the threat actor likely behind the SolarWinds hack had accessed the companies’ systems without authorization, and that each company had negligently minimized the incident in its public disclosures.

• The SEC alleged that following the SolarWinds Orion hack, one company described its risks as hypothetical in two Form 10-Ks. The SEC’s order found that the company had in fact experienced two SolarWinds-related intrusions over a period of 16 months, affecting at least 33 gigabytes of data and 34 cloud-based accounts, including those with administrative privileges. The SEC found that the materially misleading statements resulted from the company’s alleged failure to design controls and procedures to ensure timely processing of material cybersecurity incidents. The SEC imposed a $4 million civil penalty.
• A second company, a global provider of digital communications products and services, was alleged to have negligently made materially misleading statements in its quarterly Form 10-Q. The order alleges that in December 2020, the company discovered that two servers, separate from its corporate network, had installations of SolarWinds’ Orion software infected with malicious code by a likely nation-state threat actor. This same threat actor had also allegedly compromised the company’s cloud email and sharing environment. The 10-Q minimized the compromise, omitting material facts about the incident's scope and potential impact. The SEC found these statements omitted the likely nation-state attribution, the threat actor's long-term presence in the company’s systems, the access to the shared files, and the targeting of the cybersecurity personnel's mailbox. Taking into account the company’s cooperation, the SEC imposed a $1 million civil penalty.
• A third company, a provider of IT security products and services, allegedly identified two infected servers on its network. Soon after, a third-party vendor notified the company of potential unauthorized activity in the company’s environment. An internal investigation determined that the malicious activity related to the SolarWinds compromise occurred at various points during a four-month period in 2020 and that two corporate accounts had been compromised. The SEC found that the company’s disclosures were too generic and omitted the risks arising out of the SolarWinds compromise. The SEC imposed a $995,000 civil money penalty.
• A fourth company, a provider of cloud security and risk management services, allegedly learned that the same threat actor behind SolarWinds’ Orion software had exfiltrated a company-issued authentication certificate used by approximately 10% of its customers and compromised five customers’ cloud platforms using the certificate. The threat actor also accessed internal email, source code, a database with encrypted customer credentials, and server and configuration information for thousands of customers. The SEC concluded that the company’s disclosures concerning the event negligently failed to include the number of customers whose credentials or server and configuration information were accessed by the threat actor. The SEC also concluded that the company failed to disclose that the actor had accessed and exfiltrated a large percentage of its source code. The SEC imposed a $990,000 civil penalty.

Following the release of these four settled orders, in a dissenting opinion, Commissioners Peirce and Uyeda expressed their views that the Commission was “playing Monday morning quarterback.” They criticized the Commission’s arguments on the materiality of the incidents, challenging its determinations and claiming that the Commission ignored the reasonable investor standard. Commissioners Peirce and Uyeda encouraged the Commission to start treating companies subject to cyberattacks as victims of a crime, rather than the perpetrators of one.

SEC CHARGES TWO COMPANIES WITH ‘AI WASHING’

On October 10, 2024, the Commission announced charges against an investment adviser, related entities, their owner and CEO, and a board member for making false and misleading statements about the investment adviser’s purported use of AI to perform automated trading for advisory client accounts.

The SEC determined that the CEO and director raised nearly $4 million from 45 investors to develop an investment adviser that the SEC determined made false and misleading statements that it had an AI-driven platform for trading securities. The SEC alleged that the CEO “lured investors and clients with multiple fabrications, including with buzzwords about the latest AI technology.” The CEO consented to pay disgorgement and a civil penalty totaling nearly $500,000 and the director consented to a $60,000 civil penalty.

Less than a week later, on October 15, 2024, the SEC charged an AI and robotics start-up company, and its founder and CEO, with making false and misleading statements regarding the company’s operations and products. In a complaint filed in the US District Court for the Southern District of Florida, the SEC alleges that the defendants misrepresented that the company was “making the world’s first humanoid robot and hologram assistant for household use.” Through social media and mass marketing emails, defendants raised approximately $141,000.

Defendants allegedly told investors they expected to launch the hologram—which would be capable of forming “deep and meaningful relationship with humans” and assist with complex tasks such as crisis-management, psychological therapy, and childcare—in 2022 and the robot in 2023. According to the SEC, in April 2023, the company “effectively ran out of money.”

Additionally, the SEC alleges that defendants also misrepresented the founder’s experience and qualifications and did not disclose her personal relationship with an investor who endorsed the company.

The company’s founder and CEO agreed to pay a civil penalty of $50,000 and disgorgement of approximately $13,000, and to be subject to an investment company prohibition and associational bar.

SEC CHARGES TWO COMPANIES WITH ALLEGED VIOLATIONS OF THE FCPA

On October 16, 2024, the SEC announced that an aerospace and defense company agreed to pay more than $124 million, and retain an independent compliance monitor for three years, to resolve charges that it had violated the FCPA in connection with payments made to assist in obtaining contracts with the Qatari military. A portion of the company’s civil penalty will be offset by a criminal fine in a parallel criminal action.

The SEC determined that the company paid bribes of nearly $2 million between 2011 and 2017 to Qatari military and other foreign officials through sham subcontracts with a supplier to obtain Qatari military defense contracts. From the early 2000s through 2020, it allegedly paid over $30 million to a Qatari agent who was a relative of the Qatari Emir and a member of the Council of the Ruling Family in connection with additional defense contracts.

According to the SEC, this was done under circumstances that created an anticorruption risk, inaccurate records, and a wholesale breakdown of the company’s due diligence process and accounting controls. The SEC also determined that the company continued to work with the Qatari agent even after numerous employees raised concerns about risks of corruption and despite a lack of adequate documentation of the agent’s services.

Earlier in the month, a global technology provider agreed to pay a $1.1 million civil penalty to settle charges that it violated the FCPA through bribes paid by its wholly owned Indian subsidiary. In that case, the SEC alleged that beginning in early 2020, employees of the company’s subsidiary sought an award contract with an Indian railway zone. To be eligible to bid on the contract, the Research Design and Standards Organization within the Indian government must give approval.

The SEC determined that employees of the subsidiary used a scheme that involved using a third-party agent to make bribe payments to railway officials, in exchange for being added to a supplier list and winning the Indian railway zone contract for $34,323. In April 2022, the agent invoiced subsidiary for “commission charges,” which were improper payments to government officials but were falsely recorded as legitimate contractor services.

The SEC also found that employees of the company’s subsidiary engaged in several other attempts to rig the tender bidding process for government contracts, concluding that such misconduct reflected a breakdown in internal accounting controls, training, compliance, and tone at the top.