Based on a statement released yesterday by Gurbir Grewal, Director of the Division of Enforcement at the SEC, it appears that yesterday was the SEC’s “Insider Trading Day,” with the agency bringing charges against 13 defendants in four separate insider trading schemes. Grewal’s statement notes:
Public trust is essential to the fair and efficient operation of our markets. But when public company insiders take advantage of their status for personal gain, as we allege here, the investing public loses confidence that the markets work fairly and for them. Today’s actions reaffirm our commitment to leveraging all the tools at our disposal, including our data analytics initiatives, to investigate these abusive trading practices, hold accountable bad actors and ensure the integrity of our markets.
While I don’t believe that Insider Trading Day will gain traction as a national holiday (although I admit that it would be nice to have another holiday, even if it is dedicated to insider trading enforcement), the SEC was clearly seeking to make a statement by announcing all of these actions on the same day. For those charged with insider trading compliance, these cases provide a good demonstration of the many ways in which things can go awry when individuals are tempted to engage in illegal insider trading and tipping. For those who might be tempted to engage in this sort of conduct, the Insider Trading Day cases are a good reminder of the overwhelming legal peril that insider trading and tipping can put you in, including spending time in a correctional institution.
If you are like me, you have spent a lot of time thinking about insider trading – you learn about it in school, you watch movies like Wall Street and The Wolf of Wall Street, you draft and review insider trading policies, you answer questions about when an individual can trade in compliance with an insider trading policy. If you tell someone at a cocktail party that you are a securities lawyer, they will probably ask you about insider trading, because that is what people often associate with the SEC and the securities laws. Despite all of this contemplation of insider trading over the years, when Insider Trading Day rolls around and the SEC announces a bunch of insider trading cases, I ask myself: “Why do they do it?”
Insider trading enforcement has long been a focus of the SEC. Over the years, in cases like Cady, Roberts and Texas Gulf Sulphur, the SEC sought to address the fundamentally unfair notion of trading on the basis of material nonpublic information, and the judge-made theories of insider trading emerged from the general antifraud provisions of the securities laws. As this SEC Historical Society piece notes, in the 1980s, when former SEC Chairman John Shad was asked about insider trading, he announced “we’re going to come down with hobnail boots.” Hobnail boots, for the uninitiated, are boots with nails inserted in the soles, so they would really hurt if some SEC Chairman attacked you with them. And with that statement, we got the great insider trading characters of our age in Ivan Boesky and Michael Milken, and of course the fictional Gordon Gekko from the movie Wall Street. It is not as if the SEC and criminal authorities ever went soft on insider trading after the 1980s – during my time at the SEC, insider trading always topped the list of Enforcement priorities and many cases were brought in the ensuing years.
So why, after we toil over an 8-page insider trading policy, conduct countless insider trading training programs and send periodic reminders about insider trading topics to employees and directors, do some people still choose to pilfer material nonpublic information and share it with their friends for profit? Obviously greed is the real motivator, but the one thing that I think is common in insider trading cases is that, for some reason, the individuals involved did not think that they would get caught.
I observe that there appears to be a common misconception among individuals charged with insider trading that their various efforts to hide their misconduct and their trading through faceless markets will somehow prevent detection. Unfortunately for them, nothing could be further from the truth. The SEC and the SROs dedicate substantial resources toward market surveillance, and inevitably they will detect trading anomalies and connections that allow them to investigate potential insider trading cases. With constant advances in data science and computing, these market surveillance efforts just get bigger and better, making the chances of conducting an undetected insider trading ring much smaller. Perhaps this is a point that we should all emphasize more in our insider trading training sessions, because I would hope that if people realized just how sophisticated the surveillance effort is, they might think twice about misappropriating the company’s material nonpublic information and trading or tipping.
I would be remiss if I let this week go by without encouraging you to sign up for our September conferences. As we approach July 4th, that always signals to me that the summer is passing by quickly and “back to school” time will be here in no time. As I have mentioned before, you will not want to miss the educational opportunities in September at our virtual conferences. Among the many topics that we plan to cover is “Insider Trading & Buybacks — What You Need to Do Now,” so you can hear the latest thinking on these very important issues.
Last week at the Financial Times Cyber Resilience Summit, SEC Enforcement Director Gurbir Grewal spoke on the topic of the SEC’s approach to cybersecurity issues, while not weighing in on the pending rulemaking activity for public companies and regulated entities. He shared five principles “that guide the work we are doing across the Enforcement Division to ensure that registrants take their cybersecurity and disclosure obligations seriously.” The five principles are:
1. “[W]hen there are cyber attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents…So in addition to ensuring that market participants are doing their part to prevent and respond to cyber events, our goal is to prevent additional victimization by ensuring that investors receive timely and accurate required disclosures.”
2. “[F]irms need to have real policies that work in the real world, and then they need to actually implement them; having generic “check the box” cybersecurity policies simply doesn’t cut it.”
3. “[R]egistrants [must] regularly review and update all relevant cybersecurity policies to keep up with constantly evolving threats. What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective. And relatedly, registrants and the professionals that counsel them would be well-served by reviewing the Commission’s enforcement actions and public orders on these topics. They clearly outline what good compliance looks like and where and how registrants fall short with their cybersecurity obligations.”
4. “When a cyber incident does happen, the right information must be reported up the chain to those making disclosure decisions. If they don’t get the right information, it doesn’t matter how robust your disclosure policies are.”
5. “[W]e have zero tolerance for gamesmanship around the disclosure decision. Here, I am talking about those instances where folks are more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk. Companies might, for example, stick their head in the sand, or work hard to persuade themselves that disclosure is not necessary based on their hyper technical readings of the rules, or by minimizing the cyber incident. Don’t do that. It doesn’t work for the customers whose data is at risk. It doesn’t work for the shareholders who are kept in the dark about material information. And it most certainly doesn’t work for the company, which will most likely face stiffer penalties once the breach gets out, as it invariably will, and if it turns out that the company violated its obligations.”
Grewal went on to note that, with respect to cybersecurity matters and more broadly, “firms that meaningfully cooperate with an SEC investigation, including by coming in to speak with us or self-reporting, receive real benefits, such as reduced penalties or even no penalties at all.”
In his speech last week at the Financial Times Cyber Resilience Summit, SEC Enforcement Director Gurbir Grewal made the point that companies must regularly review and update cybersecurity policies and keep abreast of the SEC’s enforcement actions in the area for insights into “what good compliance looks like.” If you are looking for resources to facilitate that regular review, check out the “Cybersecurity” Practice Area on TheCorporateCounsel.net. There is an incredible array of resources available in the Practice Area on cybersecurity and data privacy matters, including the latest coverage of SEC enforcement actions and SEC guidance, updates on the SEC’s rulemaking efforts, the latest thought leadership on corporate governance considerations, very helpful checklists and coverage of federal and state-level legislative and rulemaking developments.
If you do not have access to the Practice Areas and other resources available on TheCorporateCounsel.net, sign up today. During the first 100 days as an activated member, you may cancel for any reason and receive a full refund.
It is that time of year when the Supreme Court wraps up its term and issues a long list of decisions. While rulings on several high profile cases are expected very soon, the Court recently weighed in on perhaps the more mundane topic of whether a state can require a company, as a condition of doing business in the state, to consent to being sued there for any and all claims. As my colleagues at Morrison Foerster note in this alert, in Mallory v. Norfolk Southern Railway Co., 599 U.S. __ (2023), the Court concluded that such a requirement is consistent with the Fourteenth Amendment’s due process clause, opening the door to a major increase in out-of-state corporations’ exposure to lawsuits if states seek such consents from businesses.
The case involved Pennsylvania’s long-arm statute, which authorizes Pennsylvania courts to exercise “general personal jurisdiction” over any corporation that is registered with the state (which is a requirement of doing business in the state). The MoFo alert notes:
In a fractured opinion, the Supreme Court vacated and remanded, ruling that Pennsylvania’s consent scheme does not violate the Due Process Clause. Although five Justices agreed that the state court ruling should be vacated and remanded, Justice Gorsuch wrote for a majority of the Court only for portions of his opinion. Justice Alito filed an opinion concurring in part and concurring in the judgment, and Justice Barrett filed a dissenting opinion for four Justices. Justice Jackson also filed a concurring opinion.
* * * *
Mallory represents a potentially vast increase in out-of-state corporations’ exposure to jurisdiction in unexpected places, often where jury verdicts are excessive. After the decision, states can now require companies to consent to personal jurisdiction as a condition of doing business there (even if another state has a greater interest in the underlying dispute). And while the Court’s opinion is fractured, it is clear that a majority of Justices agree that consent remains an independently sufficient ground for exercising general personal jurisdiction.
What remains unclear, however, is how many states will accept that invitation. As discussed in oral argument, laws like Pennsylvania’s may deter smaller businesses from operating in a particular state. States may conclude that those concerns outweigh any interest in providing a forum for suit. And even if states do enact such laws, a majority of the Court may view them as invalid, between the dissent’s due-process/federalism reasoning and Justice Alito’s dormant-Commerce-Clause analysis, which is likely to be tested in the next phase of this case.
I have to admit, it has been a while since I thought about the dormant Commerce Clause!
Earlier this week, the PCAOB announced that it had proposed amendments to its standards to address auditor responsibilities when using technology-assisted analysis of information in electronic form. The deadline for public comment on the proposal is August 28, 2023. The proposal includes changes to update aspects of AS 1105, Audit Evidence, and AS 2301, The Auditor’s Responses to the Risks of Material Misstatement. In the announcement for this proposal, the PCAOB notes:
The proposal seeks to improve audit quality by reducing the likelihood that an auditor who uses technology-assisted analysis will issue an opinion without obtaining sufficient appropriate audit evidence. In particular, the proposal would bring greater clarity to auditor responsibilities in the following areas:
Using reliable information in audit procedures: Technology-assisted analysis often involves analyzing vast amounts of information in electronic format. The proposal would emphasize auditor responsibilities when evaluating the reliability of such information. For example, when auditors test a company’s controls over electronic information, their testing should include controls over the company’s information technology related to such information.
Using audit evidence for multiple purposes: Technology-assisted analysis can be used to provide audit evidence for various purposes in an audit. For example, performing risk assessment procedures when planning an audit and performing substantive procedures in response to the auditor’s risk assessment. The proposal would specify that if an auditor uses audit evidence from an audit procedure for more than one purpose, the auditor should design and perform the procedure to achieve each of the relevant objectives.
Designing and performing substantive procedures: When designing and performing substantive procedures, auditors can use technology-assisted analysis to identify transactions and balances that meet certain criteria and warrant further investigation. For example, auditors can identify all transactions within an account processed by a certain individual or exceeding a certain amount. The proposal would clarify the factors the auditor should consider as part of that investigation, including whether the identified items represent a misstatement or a control deficiency or indicate a need for the auditor to modify its risk assessment or planned procedures.
The staff of the Public Company Accounting Oversight Board (PCAOB) from time to time provides Spotlights to highlight timely information for auditors, audit committee members, investors, and others. Our oversight activities continue to indicate that investors and other stakeholders look to audit committees of public companies to oversee the quality and sufficiency of the accounting and financial reporting processes of public companies, as well as the audits of public companies. As part of audit committees’ audit oversight responsibilities, it is important that audit committees engage in effective two-way communication with auditors and ask relevant questions throughout the audit.
This “Spotlight: Audit Committee Resource” suggests questions that may be of interest to audit committee members to consider amongst themselves or in discussions with their independent auditors, particularly given today’s economic and geopolitical landscape. Stakeholders may also consider other Spotlights as reference points for relevant discussions, including our April 2023 Spotlight, “Staff Priorities for 2023 Inspections.”
The Spotlight addresses a number of key areas that are of interest to audit committees, including the risk of fraud, risk assessment and internal controls, auditing and accounting risks, digital assets, M&A activities, use of the work of other auditors, talent and its impact on audit quality, independence, critical audit matters and cybersecurity.
My colleagues at Morrison Foerster have announced the results of a second annual “GCs and ESG” survey. The highlights of the survey are described as follows:
The results show that ESG considerations have quickly evolved into a top corporate priority over the past year as companies are increasingly balancing ESG regulatory and internal mandates with a focus on both enhancing positive impact for the benefit of shareholders and stakeholders and mitigating negative ESG externalities. As priorities have shifted, so, too, has ESG leadership, with seventy-two percent of respondents this year reporting that either the CEO, Chief Compliance Officer or another C-Suite leader is spearheading ESG strategy, whereas it was only ten percent last year. The top ESG efforts have also shifted somewhat from last year’s focus on “G” (governance) to “E” (environment) this year. This shift is likely due to both more mature governance frameworks and increasing regulatory mandates from leading government agencies across the globe.
On the topic of the ESG backlash that has been coming up more and more these days, the survey indicates that almost half of respondents report that they have neither experienced nor been impacted by anti-ESG backlash, while others report that they have responded to the backlash by focusing on specific, granular areas of concern, such as climate, human rights, or DEI. Fifteen percent of respondents report that they are no longer using the term “ESG” or have changed terminology in response to the anti-ESG backlash. Larger and publicly held companies were more likely than smaller and privately held companies to not use the term “ESG.”
Join us today at 2:00 pm Eastern on CompensationStandards.com for our annual webcast, “Proxy Season Post-Mortem: The Latest Compensation Disclosures” – to hear from Mark Borges of Compensia, Ron Mueller of Gibson Dunn and me as we analyze this year’s proxy season. The duration of this program has been extended to 90 minutes so we can share practical insights that will help you finalize your Dodd-Frank clawback policy.
If you attend the live version of this program, CLE credit will be available. You just need to fill out this form to submit your state and license number and complete the prompts during the program. Members of CompensationStandards.com are able to attend this critical webcast at no charge. The webcast cost for non-members is $595. If you’re not yet a member, try a no-risk trial now. Our “100-Day Promise” guarantees that during the first 100 days as an activated member, you may cancel for any reason and receive a full refund. If you have any questions, email sales@ccrcorp.com – or call us at 1-800-737-1271.