Earlier this week, the SEC announced what I am pretty sure is the first “AI washing” case against a public company. (Please correct me if I’m wrong – we like to keep a solid record here.) Here’s more detail:
According to the SEC’s order, Presto made false and misleading claims about Presto Voice in Commission filings and public statements from November 2021 through May 2023. The order found that Presto’s statements regarding the technology powering Presto Voice were misleading because Presto failed to disclose that, for a period of time, the AI speech recognition technology in all units of Presto Voice that the company had then deployed was owned and operated by a third party.
Subsequently, Presto did deploy Presto Voice units powered by its own AI speech recognition technology with certain customers, but it falsely claimed that its own AI product eliminated the need for human order-taking. In fact, the vast majority of drive-thru orders placed through this version of Presto Voice required human intervention. The SEC’s order also found that Presto misleadingly disclosed its reported rate of orders completed without human intervention using this technology.
The SEC had previously brought charges against two investment advisors earlier this year and against at least one former founder and CEO, relating to private fundraising activity. As Dave predicted last March, it was only a matter of time before we’d see an action against a public company. Outgoing SEC Chair Gary Gensler has been talking about “AI washing” quite a bit – and he shared disclosure tips for artificial intelligence topics back in September (see this Baker Donelson memo for additional insights on preparing AI disclosures).
With all that build-up, I was a little surprised to see that the remedy in this inaugural action was merely a cease-and-desist order. The SEC did not impose a civil penalty – even though the fact pattern included a lot of the SEC’s favorite enforcement topics. For example, the company was a de-SPAC, and – wait for it – the order says that the company had no disclosure controls and procedures:
During this time period, Presto had no established process for drafting, reviewing, or approving periodic or current reports required to be filed with the Commission. Although Presto adopted a policy for review of press releases in December 2023, it never implemented disclosure controls and policies and procedures for reviewing periodic or current reports required to be filed by the company. As a result, Presto did not have an established process to ensure that the information required to be disclosed in its filings was recorded, processed, summarized, and reported accurately, or that information required to be disclosed by the company was accumulated and communicated to Presto’s management for timely assessment and disclosure pursuant to applicable rules and regulations. The result of this failure is that no one at Presto was formally responsible for ensuring that the information disclosed in Presto’s Commission filings was accurate.
I’d like to think this is a sign of brighter days ahead when it comes to leniency for deficient DCPs. What’s more likely is that it was unrealistic to collect a fine here. The SEC said the company cooperated, and it has since deregistered.
In addition to our “Artificial Intelligence” Practice Area on this site for governance and disclosure issues, we have a new resource. If you’re looking for direction on other compliance issues arising from AI, cyber, and other emerging technologies, make sure to check out our new “AI Counsel” blog! John and Zachary are sharing best practices and providing alerts about evolving issues for front-line risk management and compliance professionals.
Earlier this week, the SEC announced settled charges based on disclosure a hospitality services company made about its investigation into a completed ransomware incident. Here’s more detail from the complaint:
[The company stated that the cybersecurity incident] resulted in “potential exposure of certain employee personal information.” Ashford went on to state, “[w]e have completed an investigation and have identified certain employee information that may have been exposed, but we have not identified that any customer information was exposed.”
Ashford, however, knew or should have known that, contrary to its public disclosures, customer information was exposed, because, as Ashford knew or should have known, the files exfiltrated in the September 2023 Cyber Incident did contain customer information, including but not limited to sensitive personally identifiable information (“PII”) and financial information for some of Ashford’s customers.
This will be one of the final – if not the final – cyber enforcement action announced under outgoing Chair Gary Gensler’s leadership, and we don’t know yet whether it will continue to be an area of focus. But for now, the settlement underscores the need to pay close attention to the details of any cybersecurity incident disclosure. Here are 4 reasons why:
1. The Enforcement Division pays attention to cyber disclosures, even if they are outside of the new(ish) line-item requirements. Here, the incident and initial disclosure occurred prior to the compliance date for reporting material cybersecurity incidents on Form 8-K. The disclosures appeared in the company’s discussion of litigation proceedings in its periodic reports, as well as in a risk factor in the company’s Form 10-K. Following the initial disclosure, the Staff reached out to the company to request additional information, which the company voluntarily provided, but it also continued to repeat the disclosure in subsequent filings until August 2024, when it removed the language that it had “not identified any customer information was disclosed” and stated that it had notified affected individuals.
2. The investigation really dug into the terms and execution of the company’s incident response plan, in order to determine whether the company “knew or should have known” that the disclosure was materially false and misleading. In this case, the SEC said that the file names in the list suggested that the files contained sensitive customer information. For example, hundreds of file names contained titles such as “guest incident report” and “guest folio” with a corresponding customer name and/or date of their stay. However, when the company contacted employees whose departments maintained those files and asked them whether they kept customer PII, they did not have them review the file trees for the compromised data and apparently did not involve the employees in the incident response plan. The SEC said that had the employees seen the file tree, they would have known there was PII, and that the company’s response was inconsistent with its incident response plan.
3. As support for its allegation that the statements were material, the SEC cited to risk factor disclosure that said, “protection of business partners, employees and company data is critically important to [it].” (In other words, in addition to ensuring your cyber disclosure is accurate, it’s also important to vet language in your risk factors to ensure that you aren’t overstating the importance of particular issues.)
4. The allegedly problematic disclosures first appeared in a Form 10-Q filed in November 2023, which wasn’t that long ago, and the company is no longer a registered issuer. The SEC investigated and settled these charges rather quickly and pursued the settlement even though the company deregistered. It assessed a modest penalty of $115k, which took into account the company’s cooperation. The company didn’t admit or deny the allegations.
Lastly, the charges include a couple of unexpected Easter eggs about equity awards and Form S-8 registration statements. That’s because in addition to charges under Section 13(a) of the Exchange Act, the SEC brought a charge under Section 17(a)(3) of the Securities Act, which prohibits engaging in any transaction “which operates or would operate as a fraud or deceit upon the purchaser.” What’s interesting here is that the charge seems to be based on the company’s grants of stock and deferred stock to its directors under an equity incentive plan registered on Form S-8.
In footnote 2 of the 2018 concept release on compensatory security offerings, the SEC shed light on the parameters of the “no-sale” theory for compensatory grants. I didn’t dig into the details of the restricted stock grants in the case at hand, but it appears the SEC considered the directors to be “purchasers” – which implies that the “no-sale” position was a “no-go.” So, remember to be cautious if you are ever looking to rely on that theory, and to carefully consider your facts. Moreover, even though the only “purchasers” were directors who presumably had full information, the SEC here enforced the disclosure standard for the publicly filed registration statement, which may come as a surprise to some people.
If your company suffers a cybersecurity attack, one of the many things you may have to worry about is proving that your board did enough to prevent the incident in the first place. This Skadden memo explains how Delaware fiduciary duties apply to cybersecurity oversight – and suggests approaches to a few common areas of cyber risk:
First, in a world of expanding supply chain risks and “shadow IT,” boards should oversee company processes to track technology assets and understand associated threats. This could be satisfied, for example, via an IT asset mapping exercise, where the organization evaluates the location and interconnections among its various IT devices and networks to understand on what its IT systems depend and what is most critical. The board will want to ensure that management is aware of any technology blind spots, like unmanaged IT assets, and how the company addresses potential blind spots.
Second, regulators increasingly expect companies to adopt clear roles and responsibilities for cybersecurity and IT governance. The chain of command and authority should be clear and should ultimately route up to the board.
Third, boards need to understand to what extent their organization’s IT depends on other companies or specific pieces of technology. Several recent cases have highlighted the ways in which attacks on the software supply chain can have cascading effects far beyond the initial attack. In some sectors, such as financial services, regulators already expect boards to receive summaries or full reports of IT dependency that help pinpoint critical systems or third-party service providers.
If these three dimensions are not accounted for in a company’s governance procedures, officers and directors could face probing questions about the quality and sufficiency of their cybersecurity oversight.
The Skadden team notes that good records are critical to proving that the board acted in good faith to establish and monitor systems for cybersecurity risks, especially since plaintiffs are frequently using books and records demands as a prelude to litigation. They offer these recommendations:
– Consider delegating cybersecurity and data privacy oversight to a board committee and review that committee’s charter to consider specific cybersecurity language.
– Take steps to establish monitoring and compliance systems for cybersecurity issues and pay ongoing attention to them. This may include consulting legal counsel and other experts to identify where risks may arise and how best to monitor them.
– Directors should receive reports from management regarding internal and external cybersecurity events at whatever intervals make sense for a particular company.
– Coordinate with management and advisers regarding compliance with new cybersecurity disclosure rules and regulations.
– Given stockholders’ increasingly frequent demands to inspect corporate books and records as a prelude to litigation, boards should document their efforts and processes in sufficient detail to demonstrate the attention they have paid to understanding and overseeing risk and compliance systems and their responses to any cybersecurity issues that have arisen.
As expected, the SEC has announced that it’s monitoring the impact of the California wildfires on capital markets and lists contact info for the divisions that affected companies can call if they have questions. The announcement also warns against scams and links to summaries of what the DHS, FEMA, and the U.S. government are doing to help wildfire victims.
We continue to hope for the best for all of our members and friends who are affected by this disaster.
I mentioned yesterday that we have seen a number of announcements and settlements out of the SEC Enforcement Division over the past few weeks. When it comes to activity to cover on this blog, I have an embarrassment of riches.
Yesterday, the SEC filed a complaint against Elon Musk in D.C. federal district court, relating to how he reported his ownership stake in Twitter way back in 2022. The WSJ offered this summary:
The SEC’s lawsuit, filed in federal court in the District of Columbia, says Musk’s delayed disclosure of his ownership allowed him to save more than $150 million on buying Twitter stock.
The late disclosure hurt investors who sold at artificially low prices because they didn’t know about Musk’s plans, the SEC says.
The lawsuit comes after a long investigation that Musk sometimes delayed by not appearing for testimony. Musk, now closely aligned with President-elect Donald Trump, will likely ask the commission’s next leader to withdraw the case, teeing up a major test of the agency’s independence from the White House.
As you might remember, and as set forth in the complaint, Musk disclosed his ownership stake in Twitter on a Schedule 13G, more than 20 days after crossing the 5% threshold. The SEC alleges:
Musk understood that any substantial increase in Twitter’s common stock price would increase his costs to purchase shares. Accordingly, Musk’s wealth manager cautioned the broker to make the purchases in a way that would minimize any increase in Twitter’s stock price that might result from the purchases.
Musk and his wealth manager also understood that once Musk’s Twitter stake was disclosed to the public, Twitter’s common stock price might substantially increase.
By the time he filed the 13G, Musk owned 9% of the company’s outstanding common stock and had been in conversations with Twitter about possibly joining the board – and whether the company would consider going private. That’s why, at the time, most securities lawyers watching from the sidelines were surprised that the report was on Schedule 13G rather than Schedule 13D. In its complaint, the SEC also takes issue with that choice.
The SEC is seeking an injunction against further violations of Section 13(d) and Rule 13d-1, disgorgement plus interest, and a civil penalty. Obviously, this is a high-profile case – but if you’re thinking that the SEC wouldn’t spend time pursuing this type of action against people who are not Elon Musk, that’s not quite right. John blogged about a big enforcement sweep just a few months ago – and Meredith shared that the Staff has also been issuing comments. The WSJ also points out that Section 13(d) enforcement is not unusual – and that it’s a strict liability regime:
The new claims against Musk might be hard for a friendlier administration to immediately dismiss. That is because the measure Musk allegedly violated is what regulators call a strict-liability rule. Just as police officers don’t have to prove drivers intended to speed to issue a ticket, regulators don’t have to show an investor meant to violate 13D to bring an enforcement action.
The commission routinely enforces the 13D rule. For instance, in March regulators required HG Vora Capital Management, an investment adviser, to pay a $950,000 fine for violating the regulation. HG Vora disclosed an intent to take over trucking firm Ryder seven days after the 13D deadline, according to the SEC.
Marc Fagel, a former director of the SEC’s San Francisco office, said the need to deter others from doing the same thing may explain why the commission acted. “If you can get away with it when it’s front-page news, why bother to comply at all?” he said.
Keep in mind that the activities that are the subject of this complaint also preceded the amendments to Regulation 13D-G that were adopted a little over a year ago. Now, the deadlines are even tighter – and “machine readable” requirements have also kicked in.
Over the past couple of years, several companies have paid fines to the SEC to settle claims that they had made deficient disclosure about related party transactions. With this settlement from late last week, we can add another one to the list. It’s a timely reminder for everyone working on 10-Ks and proxies! The SEC’s order alleges:
On March 8, 2021, Shift4 filed a Form 10-K for its fiscal year ended December 31, 2020. The Form 10-K indicated that the related person transaction information required by Item 404 was incorporated by reference to Shift4’s forthcoming proxy statement.
On April 27, 2021, Shift4 filed a definitive proxy statement, which included the election of directors and failed to disclose that a sibling of an executive officer and director (as well as a child of a different director), in 2020, had received approximately $1.1 million in compensation while serving as a nonexecutive employee of the company.
In addition, the proxy statement failed to disclose that a sibling of an executive officer and director (as well as a stepchild of a different director), in 2020, received $281,609 from Shift4 as payment of residual commissions while acting as an independent sales agent not employed by the company.
Similar omissions happened the following year, and the year after that. Because both the 10-K and the proxy were involved, the SEC asserted violations of Exchange Act Section 13(a), Rule 13a-1, Section 14(a) and Rule 14a-3.
The company agreed to pay $750,000 to settle the claim. The SEC said it considered the company’s prompt remedial efforts in assessing that penalty – which included making disclosures and improvements to policies and procedures. Check out this blog from Meredith about how to improve your controls for family member employees before you end up with an RPT disclosure violation. We also had a great webcast on this topic last year – here’s the transcript. And remember that smaller reporting companies have a different lookback period and may have a different disclosure threshold.
Congrats to SEC Chief Accountant Paul Munter, who is retiring from federal service effective January 24th, according to a Commission press release published yesterday. We covered many of Paul’s 22 statements and speeches on this blog. We wish him the best!
“Don’t cross the boss” can be decent advice, depending on the type of boss you have. At the SEC, though, who is the boss right now?
On one hand, Gary Gensler is still in charge for one more week – and he had a certain view on the SEC’s priorities and how to accomplish them. On the other hand, while it’s too early to make solid predictions, Paul Atkins has been tapped to lead the Commission and has made a lot of public comments about easing companies’ regulatory burdens, and he could also transform the enforcement environment. At least one former SEC official thinks things could get a little less treacherous for companies, and that he’ll encourage the Enforcement Division to focus more on individual wrongdoers.
The anticipated shift probably adds a wrinkle to in-process enforcement actions. The SEC’s newsroom has announced a number of settlements over the past few weeks, but of course the one the SEC announced last week with Vince McMahon – former WWE CEO and Linda McMahon’s legal spouse – caught my eye. Yes, celebrity gossip is what drew me in, but the nerdy securities law issues are what kept me reading till the very end.
The gist of the SEC’s findings, which Vinny Mac neither admits nor denies, is that he entered into two hush money agreements under which he, individually, paid a total of $10.5 million. However, the Mac Attack also signed the agreements on behalf of the company, which also benefitted from releases of claims. He didn’t inform WWE’s board, legal department, accountants, financial reporting personnel, or auditor, about the agreements. So, nobody considered whether those transactions needed to be accounted for or disclosed by the company. According to the SEC’s order, that was a problem:
McMahon’s failure to disclose the Agreements caused material misstatements in WWE’s 2018 and 2021 annual reports and certain quarterly reports. Because the payments required by the 2019 agreement were not recorded, even though the amounts were paid or to be paid by McMahon, WWE overstated its 2018 net income by approximately 8% for the year and approximately 22% for the fourth quarter of 2018. Similarly, because the payments required by the 2022 agreement were not recorded, WWE overstated its 2021 net income and the net income for the fourth quarter of 2021 by approximately 1.7% and 4.9%, respectively. In addition, these Agreements should have been disclosed as related party transactions. The subsequent payments were also not reflected in the books and records of the Company.
Quoting again from the order, here’s why this caused a restatement:
Although McMahon was obligated to pay all amounts owed, the payments under the Settlement Agreements should have been recognized as expenses by the Company as of December 31, 2018 and as of December 31, 2021. WWE was a party to the Agreements, as evidenced by McMahon signing on behalf of the Company. In addition, WWE benefitted from the Settlement Agreements, receiving releases and avoiding reputational harm caused by allegations of misconduct by its CEO being made public.
As noted above, not only was there a restatement issue, but because the CEO, Chairman and principal stockholder agreed to make the payments on behalf of the Company, the SEC said that in addition to recording the expense, WWE was also required to disclose the transactions and the subsequent payments when made as related party transactions under GAAP.
But wait, there’s more! After the agreements came to light and the board investigated and identified the restatement triggers, it clawed back incentive compensation payments that McMahon received during the 12-month periods following filings containing the financial statement periods that the company was required to restate. That takes care of one aspect of the required Sarbanes-Oxley clawback (in this case, the smaller part dollar-wise). What the company did not do was claw back profits received from stock sales during the applicable period. The SEC is not one to let any prong of a SOX 304 clawback slip by, so it brought a claim for that too.
Like I said, this order has something for everyone. The SEC brought claims under various provisions. The press release summarizes:
McMahon consented to the entry of the SEC’s order finding that he violated the Securities Exchange Act by knowingly circumventing WWE’s internal accounting controls and that he directly or indirectly made or caused to be made false or misleading statements to WWE’s auditor. The order also finds that McMahon caused WWE’s violations of the reporting and books and records provisions of the Exchange Act. Without admitting or denying the SEC’s findings, McMahon agreed to cease-and-desist from violating those provisions, pay a $400,000 civil penalty, and reimburse WWE $1,330,915.90 pursuant to Section 304(a) of the Sarbanes-Oxley Act.
That penalty seemed relatively light to me, but maybe it’s reasonable under the circumstances. Not only are enforcement priorities an open question, but I can certainly see how a person who’s not well-versed in accounting literature would assume that payments they made individually wouldn’t affect the company’s financials or disclosures. Actually, though, a similar scenario is described right in a Staff Accounting Q&A. I guess that’s why you’d want to run your agreements by the accountants and lawyers.
As reported by Reuters, a committee in Arizona today is considering an application that could have big ramifications for lawyers. From Bloomberg:
Big Four accounting firms have intermittently been seen as a potential threat to Big Law firms, even though they’ve never competed for complex legal work in the US. Many industry observers have said that could possibly change if the Big Four were able to overcome the barrier to practicing law in the US, the world’s largest and most important legal market.
A committee that makes recommendations to Arizona’s top court is slated on Jan. 14 to review an ABS application filed by KPMG Law US. Arizona, unlike most other states, allows approved entities to provide legal services even if some of their owners are not lawyers.
KPMG and other accounting firms have provided legal-adjacent services to companies in the US, but have been restricted from practicing law or providing legal advice. Most US states’ professional ethics rules limit the practice of law, which has a broad definition, and law firm ownership, to licensed lawyers.
KPMG says that if approved, its work would “complement” the services of traditional law firms. Its focus would be on large-scale, process-driven work, such as volume contracting, remediation exercises, M&A-driven harmonization of contracts, and other legal managed services. Stay tuned!
Big 4 firms have been making a play for legal services for more than two decades. This Artificial Lawyer blog says that in countries where they’ve entered the market, they haven’t “rocked the world.” Richard predicts we’d likely see the same (minimal) impact here.
What do you think? Please participate in our anonymous poll to share your view on what would happen if KPMG gets the license it’s seeking: