As Liz mentioned last week in her blog about the 2 year sentence for a former product manager at Coinbase who illegally traded in tokens, in early May, the jury returned a guilty verdict in what has been referred to as the first “insider trading” conviction involving NFTs. But, rather than charge insider trading, the U.S. Attorney’s Office actually relied on wire fraud and money laundering charges, which avoided the question of whether the NFTs constituted securities. This Norton Rose Fulbright alert summarizes the facts of the case:
According to the indictment, at the time of the alleged offenses, Nathaniel Chastain was an employee of OpenSea, the largest online market for NFTs. OpenSea typically featured certain NFTs on its homepage, and changed the featured NFT multiple times each week. Chastain was responsible for selecting the NFT to be featured on OpenSea’s homepage, and OpenSea kept this information confidential until the selected NFT appeared on its homepage. The publicity from being featured on OpenSea’s homepage often resulted in substantial increases in the price that buyers were willing to pay for that NFT, as well as the prices of other NFTs made by that same creator. Chastain was alleged to have used his knowledge of upcoming featured NFTs to purchase those NFTs, or other NFTs made by the same creator, in advance of the NFT being featured on OpenSea’s homepage. Chastain then sold those NFTs shortly after they were featured, by which time they had often doubled or even tripled in value, resulting in substantial profit to Chastain.
. . . Chastain’s conviction was not based on trading in any security or commodity, but on the somewhat creative theory of prosecution that Chastain had misappropriated OpenSea’s property, in the form of its confidential business information regarding which NFTs would be featured on OpenSea’s homepage. The government argued that, based on Carpenter v. United States, 484 U.S. 19 (1987), a case involving securities rather than digital assets, because OpenSea employees were obliged to keep this information confidential and use it only for the benefit of OpenSea, Chastain’s conduct defrauded OpenSea of its property, i.e., its confidential business information.
As Liz has blogged, in the Coinbase case, the SEC filed a parallel complaint, which did allege that the trading violated Section 10(b) of the Exchange Act and Rule 10b-5 thereunder and will turn on whether the crypto assets are securities. Per this article from Proskauer, there the defendants argue that secondary market trades involving crypto tokens are not securities transactions, even if the tokens were investment contracts at issuance, since there are “no binding promises running from the developers to the tokenholders.”
As the Jim Hamilton blog recently highlighted, Better Markets, the nonprofit organization focused on Wall Street reform, released a fact sheet last month arguing that the SEC needs to do a comprehensive analysis of the exempt offering framework, the expansion of which, it argues, has come at the expense of the public markets and investor protection. Citing the failed WeWork IPO versus a $100 million private placement by Theranos for which only a Form D was filed, the fact sheet suggests that “the public market framework has proven its merit, while exempt offerings pose major risks.” Here are the stats they cite regarding the relative size of public versus private capital raises:
More than two-thirds of new capital raising in the U.S. securities markets occurs in private markets that are largely unregulated, opaque, and inaccessible to the public. The SEC estimates that in 2019, “registered offerings accounted for $1.2 trillion (30.8 percent) of new capital, compared to approximately $2.7 trillion (69.2 percent) . . . raised through exempt offerings.” Over the past decade, there has been a steady increase in Regulation D offerings,” the most relied upon exemption under the Securities Act.
While the fact sheet calls for more action, it highlights the following “positive steps” on the SEC’s agenda:
The SEC has listed several proposed rules for consideration by the Commission in its Fall Agenda that could reevaluate the role exempt offerings play in our capital markets. They include amendments to Regulation D and improvements to Form D, the currently almost meaningless filing that accompanies offerings under rule 506 D; changes to the definition of shareholder of record that helps determine which companies must file periodic reports with the SEC about their operations and financial condition; and adjustments to the Rule 144 holding period, which governs the resale of restricted securities issued in private offerings.
Dave has blogged about the SEC’s agenda with respect to Regulation D, statements by Commissioner Crenshaw and the SEC’s Investor Advisory Committee discussing the growth of the private markets earlier this year. Does the SEC face obstacles in proposing related rulemaking?
This CLS Blue Sky Blog post and paper by Alexander I. Platt of the University of Kansas School of Law suggests that the SEC may not have legal authority to impose ongoing disclosure obligations on unicorns as was suggested by Commissioner Crenshaw. He also authored a paper for the Michigan Law Review in August of last year that questioned the SEC’s authority to mandate a “look-through” to the beneficial owners for purposes of the shareholder count under 12(g) of the Exchange Act.
Plus, as Liz blogged, the departing members of the SEC’s Small Business Capital Formation Advisory Committee shared parting thoughts in February of this year urging the SEC to continue to focus on five objectives—one of which was recognizing the importance of the private markets for small business growth. Nonetheless, addressing risks posed by the growth of the private markets has been a recent topic of interest for the SEC, and we’ll eagerly await the Spring 2023 Reg Flex agenda to see where these topics sit.
Liz and Lawrence recently blogged that the climate change rules are still under consideration at the SEC, and final rules may be delayed until later this year. Companies often wait until a final rule is adopted before preparing for a new disclosure regime, but for many reasons, that didn’t seem wise with the climate change proposal (and the time to comply with PVP really confirmed that for me). With many recommending companies prepare early—including this blog—did they actually heed that advice?
This Deloitte survey seems to suggest that they did. Here is an excerpt from the forward with promising stats in terms of preparedness for the final rules, if adopted this year:
We released an ESG readiness report in March 2022, at which time 21% of executives indicated that their companies had established a cross-functional working group—made up of executives across finance, accounting, risk, legal, sustainability and other business leaders—to drive strategic attention to ESG for the business. A similar profile of respondents surveyed recently noted that progress in establishing a cross-functional working group has nearly tripled to 57%.
ESG readiness and external assurance remain valuable tools in preparation and can make a significant impact on a company’s governance and reporting processes and controls. Our recent findings show that nearly all (96%) executives plan to seek external assurance for the next reporting cycle, with 61% already seeking external assurance and 35% seeking external assurance for the first time. These findings indicate that more mature ESG programs typically have key components of an effective governance structure like ESG councils and assurance processes in place.
While companies are actively working to meet the growing need for high-quality ESG performance metrics, some challenges remain. When surveyed, 35% of executives reported that their greatest challenge is the accuracy and completeness of data, and another 25% cited access to quality data as the greatest challenge. To ameliorate this, 99% of companies are somewhat or very likely to invest in more technologies and tools over the next 12 months.
Those numbers on external assurance and new technology investments are impressive to me! Keep in mind that 300 executives at publicly owned companies with a minimum annual revenue requirement of $500 million or more were surveyed in August and September 2022 for these stats. I’m sure the numbers would be very different with a different set of respondents. To that point, ISS recently released an article that concluded: “most corporates are unprepared to integrate complex climate-related considerations in their strategy and disclosures.” But still, the survey results may make an important point for any laggards out there—given these moves, there may be less empathy for those who procrastinate.
Unlike the positive developments on climate change preparedness, John recently blogged that many boards aren’t entirely comfortable with their companies’ level of cyber-readiness and even boards that include a cyber expert face challenges in effectively overseeing cyber issues. This article from the CPA Journal provides a timely list of key considerations to allow boards, audit committees or cybersecurity committees to quickly understand the status of their organization’s cybersecurity program. Here are a few of the recommendations:
Inventory and categorization of all assets. A complete, accurate, timely list of all assets should be available upon demand. This list should include internal (within the company) and external (outsourced, cloud) assets. Each asset should be categorized by its risk in order to prioritize controls, including vulnerability remediation. The primary oversight concern is that if management cannot identify the assets it is responsible for, how can it protect them?
Quality of internal audit comments. Directors can learn a lot about their organizations through the internal audit reports performed and the issues raised by those reports. From an oversight perspective, it is essential that such reports have an independent review, appropriate scope, and recommendations that add value to the organization. The inherent complexity of technology and its continued evolution causes managerial control challenges. Even when a prior security issue has been remediated, technological advances may require that a new control be implemented.
Managing accounts. The number, type, and utilization of user and system accounts can be a leading indicator of how well an organization manages these accounts. If administered properly, access, accountability, and monitoring accounts enable organizational activity while protecting data. Considerations include the number and percentage of users designated as privileged, stale users (accounts not used within a specific time), and generic accounts (not assigned to individuals). From an oversight perspective, primary concerns are the effectiveness of administering user privileges to enforce organizational controls and ensuring accountability for activities over protected digital resources.
Confirming the assurance provided by penetration testing. There are various definitions, forms, and scopes related to penetration testing. The idea is to simulate an attack that an intruder could conduct. Often directors are presented with results that summarize technical vulnerabilities. From an oversight perspective, directors should ensure that the scope of what was tested is clear. This should include not only which assets were tested but scope limitations, assumptions, and other factors that could provide a false sense of security when reviewing testing results.
It’s safe to say there’s a lot at stake in the Slack direct listing appeal, which we’ve blogged about repeatedly here since it’s one for the books. This insight from Woodruff Sawyer identifies a related area that would be impacted by the decision—the D&O insurance market. Here’s an excerpt:
D&O insurance carriers have, to date, treated direct listings much like traditional IPOs. This is to say that the price of D&O insurance whether going public through a direct listing or a traditional IPO has been the same.
If Slack prevails, however, there will be an argument that direct listings should be able to pay less for D&O insurance than IPO companies since they do not have to worry about Section 11 liability.
On the other hand, if Slack loses, the consequences could go further than just direct listings.
In the meantime, for any companies looking to go public when things start to look up, check out these 2023 editions of Woodruff Sawyer’s Guides to D&O Insurance for IPOs and Direct Listings and for Foreign IPOs and Direct Listings, with interactive timelines and key considerations and recommendations on topics including private company coverage, local D&O policies and cyber coverage.
Last Friday, the U.S. Chamber of Commerce issued a press release that it has filed a lawsuit in the U.S. Court of Appeals for the Fifth Circuit challenging the SEC’s new Share Repurchase Disclosure Modernization rules:
The Chamber’s lawsuit challenges the SEC’s rule under the Administrative Procedure Act, as well as the U.S. Constitution. The agency’s mandatory disclosure requirements not only risk the public airing of important managerial decisions but also compel speech in violation of the First Amendment.
The Chamber worries that the rule will discourage buybacks and harm investors that benefit from them. As Dave blogged last week after the rules were adopted, the SEC acknowledged in the adopting release that repurchases, together with dividends, provide an avenue to return capital to shareholders and are often employed in a way that may be aligned with shareholder value maximization. And when Commissioner Peirce asked whether the Staff believed the level of buybacks was suboptimal, Corp Fin Director Erik Gerding responded that the release does not take a position but instead requires greater information to allow investors to do so. But, as Dave further notes, it seems the SEC still questions the motives behind repurchases and the “rationale here seems to be that the data dump of daily repurchase activity will facilitate speculative analysis as to the rationale for share repurchases based on the relative timing of those repurchases.”
Will this granular disclosure requirement discourage repurchases even though investors will still want them? I always think about how the plaintiffs’ bar will use new information, and I suspect any chilling effect on repurchases will depend on how that all plays out, as predicted in this Freshfields blog:
We also expect to see increased interest from the plaintiffs bar scrutinizing the issuer’s rationale for its share repurchases, the criteria used to determine the amount of repurchases as well as whether insiders can participate during the pendency of the repurchases, all information that was previously not readily available to the public. Lastly, this information may be used by regulators—not just to determine compliance with these rules, but also as evidence of an issuer’s intent and views on the company and its valuation.
With major corporate scandals involving private companies coming to light in recent years—from Theranos to FTX—it may not come as a surprise that the SEC seems poised to ramp up regulation and scrutiny to protect private investors in early-stage startup companies. This Perkins Coie alert advises that all privately held companies should be mindful of their representations to investors, sophisticated or not, given the following recent developments:
– The SEC’s April 2023 announcement of an action against the founder and CEO of a private startup company that was sold to a financial institution for $175 million based on alleged false and fabricated data concerning the number of customers
– Commissioner Crenshaw’s January 2023 speech at the 50th Annual Securities Regulation Institute where she called for increased disclosure and accountability for private companies that raise funds under the Rule 506 exemption
– SEC considering amending Form D
The alert goes on to suggest that private companies adopt some practices that are “par for the course” for public companies, including recruiting board members who will hold management accountable, creating a disclosure policy, keeping financial information up to date, and hiring independent technical experts.
Speaking of SEC scrutiny, yesterday the SEC announced that it has charged 10 microcap companies with failing to comply with Regulation A. As Liz recently blogged, Reg A offerings have increased in popularity after the JOBS Act but remain a lesser-used capital-raising alternative, possibly due to continued perception of high offering costs, no doubt driven by the number of hoops that companies still need to jump through under Reg A+. For any companies that have recently completed a Reg A offering or intend to in the future, these recent charges serve as an important reminder that the SEC is looking out for companies that circumvent the requirements or make fundamental changes after the offering statement has been qualified by the SEC:
According to the SEC’s orders, between December 2019 and May 2022, each of the 10 microcap companies obtained qualification from the SEC for their securities offerings using Regulation A, but they subsequently made one or more significant changes to their offerings without meeting the requirements of the exemption. The SEC’s orders found that such changes included improperly increasing the number of shares offered, improperly increasing or decreasing the price of shares offered, failing to file updated financial statements at least annually for ongoing offerings, engaging in prohibited at the market offerings, or engaging in prohibited delayed offerings. As a result, each of the microcap companies offered and sold securities in violation of the offering registration provisions.
Each of the 10 companies agreed to cease and desist from violations of Section 5 of the Securities Act and to pay civil penalties ranging from $5,000 to $90,000.
This report from PwC addresses a recent resurgence in material weaknesses with the number disclosed in 10-Ks increasing by 73% from 2021 to 2022 and 25% from the first quarter of 2022 to the first quarter of 2023. Here are some other statistics from the report:
– 62% of material weaknesses in 2022 are driven from smaller companies with revenue ranging from $100M – $500M. Contrary to this, there has been an improvement in the volume of material weaknesses for larger companies with revenue > $5B as material weaknesses have dropped 59% since 2020.
– 55% of material weaknesses reported relate to the following key areas:
Financial close process, which includes a range of issues related to the timely gathering of data for use in the close process. It can also include issues with accounting policies and procedures that prevent timely, accurate or complete information from being reported.
Personnel inadequacies and SOD issues, which relates to deficiencies in the number, training, qualifications, and conduct of resources. It also captures when issues associated with segregation of duties are raised.
IT general controls, spanning the suite of controls across the IT domains (access to programs and data, computer operations, system change management, and system implementation). Deficiencies in IT general controls can be more pervasive in nature, and have a downstream impact on the reliability of business process controls or data.
The report attributes these trends to the following factors and suggests some key steps for remediation and prevention:
– Increase in IPOs and SPACs in recent years. Although IPOs and SPACs have recently slowed down, the effects of poor controls in transactions completed before 2022 can linger. These companies typically have fewer resources and a leaner operating model, which can result in weaknesses related to inadequate personnel, oversight and level of reviews. Forty-three percent of all US IPOs since 2017 disclosed at least one material weakness before going public. In addition to this, PwC’s research reveals that most de-SPAC companies are likely at greater risk for fraud within just two years of going public due to material weaknesses and internal control deficiencies in a number of key areas.
– Increase in digitization and technology investments. Companies often overlook risk mitigation measures and controls intended to address digital transformation initiatives such as cloud migration, greater automation, and increasing reliance on machine learning.
– Increase in turnover of resources. Whether related to restructuring efforts or resignations, there is often insufficient change management, transition, and transfer of knowledge to new control owners as turnover occurs.