Lead Article: The SEC Enforcement Landscape – 2024 and Beyond
Sign Up for PublicationsThe Securities and Exchange Commission (“SEC”) has been stepping up enforcement activity over the past few years, and this trend showed no sign of slowing in 2024. Some have attributed this enhanced enforcement to a cultural shift following an increase in former federal prosecutors working at the SEC. P. Bantz, Emboldened SEC Spells Double Trouble for Defense Bar, Law 360 (Jun. 7, 2024), https://www.law360.com/articles/1845635/emboldened-sec-spells-double-trouble-for-defense-bar. In its October 2024 announcement that SEC Director Gurbir Grewal—a former federal prosecutor—was departing his position, the SEC touted its aggressive enforcement activity during Grewal’s tenure, which included “more than 2,400 enforcement matters resulting in orders for more than $20 billion in disgorgement, prejudgment interest, and civil penalties, more than 340 industry bars against individuals, more than $1 billion in awards to whistleblowers, and the return of billions of dollars to harmed investors.” Press Release, SEC, SEC Announces Departure of Enforcement Director Gurbir S. Grewal (Oct. 2, 2024), https://www.sec.gov/newsroom/press-releases/2024-162.
In 2023, the SEC brought 784 enforcement actions—a three percent increase over 2022—obtaining orders for more than $4.9B in civil penalties and disgorgement, and distributing $930M to harmed investors. Press Release, SEC, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), https://www.sec.gov/newsroom/press-releases/2023-234 (“2023 Results”). In the face of this aggressive enforcement activity, companies and their directors, officers, and executives faced increased risk of coming under SEC scrutiny. Accordingly, now more than ever, companies and their leaders should stay abreast of the latest developments and seek legal counsel to aid them in navigating the intricacies of the securities space.
In July 2024, the SEC demonstrated its intent to continue aggressive enforcement by launching the Interagency Securities Council ("ISC"). The ISC’s “objective is to strengthen the cohesion between federal, state, and local agencies, enhance opportunities to collaborate on cases to protect investors, provide insight and guidance across the ecosystem to those who may not frequently operate in this space, and create a forum for unified efforts in combatting financial fraud.” Press Release, SEC, SEC Launches Interagency Securities Council to Coordinate Enforcement Efforts Across Federal, State, and Local Agencies (July 19, 2024), https://www.sec.gov/newsroom/press-releases/2024-86. This increased collaboration between agencies at multiple levels of government will likely increase in enforcement activity.
Increasing Focus on Individuals
As the SEC has increased its general enforcement efforts, it has also demonstrated an increased focus on individual accountability.
In 2023, roughly two-thirds of SEC cases involved charges against individuals. 2023 Results. In addition, the SEC obtained 133 orders barring individuals from serving as officers and directors of public companies—“the highest number in a decade.” 2023 Results.
In 2024, notable SEC enforcement actions against individuals included resolutions with executives of Ideanomics, Inc. (settling claims of misleading revenue guidance and improper revenue recognition, resulting in over $4M in penalites and disgorgement) and Cassava Sciences, Inc. (settling claims of misleading statements about clinical trials, resulting in more than $40M in penalties), as well as an ongoing case against executives from Medly Health (alleging that executives fraudulently inflated revenue to raise capital). Press Release, SEC, SEC Charges Ideanomics and Three Senior Executives with Accounting and Disclosure Fraud (Aug. 9, 2024), https://www.sec.gov/newsroom/press-releases/2024-94; Press Release, SEC, SEC Charges Cassava Sciences, Two Former Executives for Misleading Claims About Alzheimer’s Clinical Trial (Sept. 26, 2024), https://www.sec.gov/newsroom/press-releases/2024-151; Press Release, SEC, SEC Charges Three Former Executives of Pharmacy Startup Medly Health Inc. with Defrauding Investors (Sept. 12, 2024), https://www.sec.gov/newsroom/press-releases/2024-128. The SEC also scored a trial victory against Terraform Labs PTE, Ltd., and its founder, Do Kwon, on securities fraud charges—which resulted in an agreement for the defendants to pay more than $3.5B in disgorgement and $420M in penalties. Press Release, SEC, Terraform and Kwon to Pay $4.5 Billion Following Fraud Verdict (June 13, 2024), https://www.sec.gov/newsroom/press-releases/2024-73.
In remarks earlier this year at the Program on Corporate Compliance and Enforcement Spring Conference, then-Director Grewal provided insight into the SEC’s treatment of individual liability in the context of disclosure failures related to AI as a security threat. Gurbir S. Grewal, Remarks at Program on Corporate Compliance and Enforcement Spring Conference 2024 (Apr. 15, 2024), https://www.sec.gov/newsroom/speeches-statements/gurbir-remarks-pcce-041524). He made clear that SEC will take the same approach individuals as it does to companies, and so will “look at what a person actually knew or should have known; what the person actually did or did not do; and how that measures up to the standards of our statutes, rules, and regulations.” Id. Ultimately, he concluded, “folks who operate in good faith and take reasonable steps are unlikely to hear from us.” Id.
Insider Trading
Enforcement activity to combat insider trading—long an SEC focus—has also increased, with the SEC pursuing novel theories of liability to increase its reach.
In April 2024, the SEC obtained a jury verdict based on the novel theory of “shadow trading.” Shadow trading occurs when an individual has material non-public information about one company, and capitalizes on that insider knowledge to trade securities of a comparable competitor. In Securities and Exchange Commission v. Matthew Panuwat, 4:21-cv-06322 (N.D. Cal.), the SEC alleged that Mr. Panuwat learned material nonpublic information about his employer, Medivation—specifically, that it would soon be acquired—and then violated insider trading laws and breached a duty to Medivation not by buying its securities, but by buying call options of a closely comparable competitor, Incyte Corporation. SEC Litigation Release No. 25970, Securities and Exchange Commission v. Matthew Panuwat, 4:21-cv-06322 (N.D. Cal. filed Aug. 17, 2021), Jury Returns Verdict Finding Defendant Matthew Panuwat Liable for Insider Trading (April 8, 2024), https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25970.
In Panuwat, the SEC relied on three theories of liability, each of which the court found at summary judgment “would be sufficient to meet the breach element of misappropriation”: (1) “Panuwat breached a specific duty not to trade on inside information arising from Medivation’s Insider Trading Policy;” (2) “Panuwat breached his duty under [his company’s] Confidentiality Agreement to refrain from using Medivation’s confidential information for his own personal benefit;” and (3) “Panuwat breached a duty of trust and confidence that was created when his employer, Medivation, entrusted him with confidential information.” Sec. & Exch. Comm’n v. Panuwat, 702 F. Supp. 3d 883, 898-899 (N.D. Cal. 2023).
Given its success in Panuwat, the SEC is likely to keep using this shadow trading theory to bring enforcement actions against individuals who possess insider information about one company and then trade the securities of comparable companies. Bigger picture, this successful expansion of insider trading liability exhibits the SEC’s tendency to push the boundaries of established precedent, stretching existing laws to cover new applications. With each such successful expansion, companies and their officers, directors, and executives can expect to see increased enforcement activity, as theories that survive the crucible of litigation spawn further investigations and suits.
Cybersecurity
The SEC has also increased its focus on cybersecurity. On September 2023, the SEC enacted new rules regarding cybersecurity and related disclosures, requiring companies’ annual reports to describe: (1) “their processes … for the assessment, identification, and management of material risks from cybersecurity threats; (2) “whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition;” (3) “the board’s oversight of risks from cybersecurity threats;” and (4) “management’s role in assessing and managing material risks from cybersecurity threats.” Id. These new rules also require companies to disclose any “material” cybersecurity incident via a Form 8-K within four days of determining that the incident was material. Id. That disclosure must “describe the material aspects of [the incident’s]: [n]ature, scope, and timing; and [i]mpact or reasonably likely impact.” Id. Finally, companies must amend their Form 8-K to disclose any new material information that was not determined or available at the time the company filed its original Form 8-K about the incident. Id.
Disputes are likely to arise over whether particular cybersecurity incidents, or information about those incidents, were material. But while these rules are new, the materiality standard is the same one applied by courts in traditional securities actions: “information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available.” Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896 (Aug. 4, 2023) (quotation marks and citations omitted).
The SEC has also made us of its specialized Crypto Assets and Cyber Unit to bring enforcement actions related to cybersecurity. For example, on June 18, 2024, the SEC announced that R.R. Donnelley & Sons Company (“RDD”) agreed to pay a $2,125,000 civil penalty to settle charges regarding disclosure and internal controls in connection with cybersecurity incidents. Press Release, SEC, SEC Charges R.R. Donnelley & Sons Co. with Cybersecurity-Related Controls Violations (Jun. 18, 2024), https://www.sec.gov/newsroom/press-releases/2024-75.
But the SEC has hit some roadblocks in attempting to expand liability by stretching longstanding laws into cyberspace. In Securities & Exchange Commission v. SolarWinds Corporation, 23-cv-09518-PAE (S.D.N.Y.), the United States District Court for the Southern District of New York rejected the SEC’s effort to expand disclosure-based liability into the cybersecurity context. There, after Solar Winds experienced a major cybersecurity breach, the SEC brought claims against the company and its head of information security based on the company’s disclosures about its cybersecurity practices and cybersecurity incidents. 2024 WL 3461952, at *1 (S.D.N.Y. July 18, 2024). Specifically, the SEC brought claims under Section 10(b) of the Exchange Act and Rule 10b-5 and Section 17(a) of the Securities Act based on a host of representations made by company both before and after the breach, including in disclosure statements, podcasts, blog posts, and a security statement posted to Solar Wind’s website. Id. at *23. But the court dismissed the SEC’s claims with respect to almost every disclosure targeted, allowing the SEC's claims to proceed on only a small set of statements that allegedly misrepresented SolarWinds’ cybersecurity practices and risks. Id. at *26-28. Most importantly, the court rejected the SEC’s argument that “SolarWinds’ cybersecurity deficiencies [we]re actionable under Section 13(b)(2)(B)(iii),” which concerns systems of internal accounting controls. The SEC alleged Section 13(b) violations based on SolarWinds’ alleged “poor access controls, weak internal password policies, and VPN security gaps.” Id. at *48. But the Court agreed with SolarWinds that Section 13(b)(2)(B) “as a matter of statutory construction, cannot reasonably be interpreted to cover a company’s cybersecurity controls.” Id.
Ultimately, SolarWinds demonstrates the value of challenging the SEC when it attempts to expand securities laws to cover new and developing spaces and technologies.
*****************************
As the SEC continues to step up enforcement activity—testing novel legal theories, increasing enforcement actions, and targeting both corporate and individual accountability—companies and their directors, officers, and executives face an increased risk of finding themselves targets of that activity. To minimize risk, companies and their leaders should stay up to date on developments in securities laws and SEC enforcement activity. As part of that effort, companies might consider hosting trainings for directors, officers, and executives to ensure they are aware of their and the company’s obligations and of what activities might draw the SEC’s attention. Companies might also consider reviewing and evaluating their policies and procedures to ensure that they align with agency guidance. Quinn Emanuel—with its deep bench of SEC enforcement veterans and industry-experts—is well situated to assist in those efforts, providing insight into the regulatory landscape and providing perspective to help augment applicable policies and procedures. And for those that find themselves targets of SEC’s enforcement activity, Quinn Emanuel’s trial lawyers can provide the foundation of an aggressive defense. So, whether you are looking to revamp your policies and procedures, get advice regarding securities, or find yourself in the SEC’s crosshairs, give us a call.