Commissioner Stein also raised interesting considerations regarding the increased reliance on private placements and other exempt offerings. She observed that “Studies have shown that a sizable amount of capital is now raised in the private markets. In fact, amounts raised through unregistered offerings have outpaced the level of capital raising via registered offerings in recent years. More than $2 trillion, in fact, was raised privately in 2014. Regulation D offerings accounted for more than $1.3 trillion of this amount. In comparison, registered offerings amounted to approximately $1.35 trillion in 2014.” She also commented on the unicorn phenomenon and the need for some level of transparency and accountability in private markets.
PCAOB: No New Chair (For Now)
Here’s an excerpt from this WSJ article regarding the battle over whether Jim Doty will get another term as PCAOB Chair:
The Securities and Exchange Commission has decided not to decide on the leadership of the government’s audit regulator, at least for now. SEC Chairwoman Mary Jo White on Friday said her agency is waiting until it has a full complement of five commissioners before picking a head for the Public Company Accounting Oversight Board. The commission is currently down to just three members. Meanwhile, James Doty, the current PCAOB chairman whose term officially expired last October, can remain at the agency indefinitely until he’s either reappointed or the SEC taps a successor.
“It’s a decision I think should be left to the full commission, as in the past,” Ms. White told reporters, after remarks at a securities conference here. She added that Mr. Doty and the current PCAOB board were doing “quite well, without missing a beat.”
SEC Enforcement Lays Out Approach to Cybersecurity Cases
If you’ve ever attended the annual SEC Speaks conference, you know that the official program is an intensely uninteresting collection of short speeches by SEC officials who don’t have a lot of incentives to say groundbreaking things. But occasionally there are exceptions. I think Deputy Enforcement Director Stephanie Avakian’s discussion of cybersecurity cases on Friday was one of those.
Avakian broke those cases down into three categories.
1. Failures of registered entities to safeguard information. She cited the T. Jones Capital Equities Management case from September of last year (covered here) as an example of those.
2. Electronic thefts of material nonpublic information, and illicit securities trading following the thefts. Avakian cited the Dubovoy case filed in the District of New Jersey last August and updated on Thursday as an example of these.
3. Cyber-related disclosure failures by public companies. The SEC hasn’t brought any cases in this category yet, and much of Avakian’s discussion focused on why that is the case and how the SEC might get to the point of bringing one.
Assuringly for companies that are investing resources in cybersecurity and trying to do the right things for its customers and shareholders, Avakian said, “A company that has been a victim of an intrusion is just that: a victim.” She also said in several different ways that the Division understands that when attacks happen, critical facts can change and develop very quickly. These developing facts can make any necessary disclosures a moving target. Along these lines, the Enforcement Division will appreciate the difficulty of the circumstances, Avakian says. She added that the SEC is not looking to second guess well-thought decisions in this area.
With all of that said, the Enforcement Division very much wants companies that are victims of cyber attacks to involve appropriate law enforcement authorities as quickly as they reasonably can. It will also examine (1) whether companies have policies and procedures that are reasonably designed to protect customer information; and (2) whether companies with potential liability have self-reported issues to the Division. Regarding the second factor, the SEC’s Seaboard Report from 2001 continues to include the guideposts the Division will consider.
While no cases have yet been brought against public companies in this third category, Avakian can imagine circumstances in which the Commission does file a case to penalize inadequate cybersecurity disclosures. I can, too. Be careful out there.
– Broc Romanek