"SEC Enforcement: Priorities and Trends"

Wednesday, November 15, 2023

The SEC's Division of Enforcement recently completed another active year, with several high-profile investigations, enforcement actions and settlements, and the agency's enforcement efforts show no sign of letting up in 2024. Corporate boards and management and their legal advisors need to stay up to date on the SEC's enforcement priorities and trends in the agency's enforcement efforts in order to ensure that they stay out of its crosshairs. Join our panel of experts as they share lessons learned from recent enforcement activities and insights into what the new year might hold.

  • Scott Kimpel, Partner, Hunton Andrews Kurth LLP
  • Allison O'Neil, Partner, Locke Lord LLP
  • Kurt Wolfe, Of Counsel, Quinn Emanuel Urquhart & Sullivan, LLP

Among other topics, this program will cover:

  1. SEC Enforcement Activities in 2023 and Priorities for 2024
  2. Monetary and Non-Monetary Penalties
  3. Accounting and Disclosure Actions
  4. Actions Targeting Gatekeepers
  5. Whistleblower Developments and Trends
  6. Self-Reporting and Cooperation Credit
  7. Coordination with DOJ Investigations

John Jenkins, Managing Editor, CCRcorp and TheCorporateCounsel.net: Welcome to today's webcast, "SEC Enforcement: Priorities and Trends." The SEC's Division of Enforcement recently completed another active year with several high-profile investigations, enforcement actions and settlements, and the agency's enforcement efforts show no sign of letting up in 2024. In fact, the agency just announced another high-profile enforcement action targeting a stock buyback.

We've assembled a panel of experts to share their insights into the lessons learned from recent enforcement proceedings and some expectations about what the new year might hold. Joining me are Scott Kimpel, a partner at Hunton Andrews Kurth; Allison O'Neil, a partner at Locke Lord; and Kurt Wolfe, Of Counsel at Quinn Emanuel. Kurt is going to kick off this program with an overview of the SEC's 2023 activities and some thoughts on priorities for 2024.

SEC Enforcement Activities in 2023 and Priorities for 2024

Kurt Wolfe, Of Counsel, Quinn Emanuel Urquhart & Sullivan, LLP: Long story short, there is no sign of letting up from the SEC's Division of Enforcement. Just yesterday, the SEC's Division of Enforcement released its annual enforcement results for fiscal year 2023. The SEC's fiscal year runs through September 30. We'll walk through some of the high-level figures and then open this up for a conversation about what Allison and Scott thought about last year.

2023 was, by most measures, another record-breaking year for the Division of Enforcement. It seems to be a record-breaking year almost every year for the last several years - we'll talk about a couple exceptions - but here are some of the figures. In fiscal 2023, the SEC filed 784 total enforcement actions. That was a 3% increase over fiscal year 2022, and that included 501 original or "standalone" enforcement actions. That figure was an 8% increase over the prior fiscal year. For some perspective, the number was 760 in 2022, 697 in 2021, 715 in 2020, 863 in 2019 and 821 in 2018. We see similar trends with this notion of standalone cases. A good example is in the insider trading context, where you may have several individuals charged maybe even later in time that they aren't going to all count as a standalone case if they are grouped together on one side of the "v."

Overall, I think the thrust is that the numbers are trending up again. 2021 was a little bit of a drop-off in terms of just sheer numbers, but that's not unexpected following a change in administration and a transition to a new Chair and new Director of Enforcement. Some folks on the Staff don't like it when we talk about the numbers, but I think it's a good way to get a sense of what's happening directionally over there.

Beginning with Chair Gensler's first full year at the helm, things have been trending up. In 2022, the numbers were up 9% over 2021. This year, the numbers were up 3% over last year. Anyone who practices in SEC enforcement defense will tell you not to expect any slowdown in the future. Even if there was a change of administration in next year's presidential election, it would take a number of years before we would see the numbers start to dip again, if that happened at all. I don't know that we necessarily saw that when Jay Clayton was the Chair just a number of years ago. We saw similar patterns emerge with respect to the amount of penalties and disgorgement that were ordered by the SEC in fiscal year 2023.

A question I had in the back of my head was, what's driving these numbers? In recent years, we've seen a number of sweeps that helped boost the results. These were mostly in the investment advisor space. There was a sweep targeting books and records violations stemming from advisors' and broker-dealers' use of text message applications, so-called "off-channel communications." There was a separate sweep into advisors' marketing practices, but the sweeps weren't only in the advisor space. In June, the SEC announced the sweep that targeted insider trading. It captured 13 individuals, including several corporate executives and corporate insiders, a police chief and a SPAC board member who, collectively, allegedly profited more than $40 million through their insider trading schemes.

The second question that popped into my head is, how do these cases break out? What kind of cases are they? What are the things that this audience probably cares about? Delinquent filings were 121 of the cases filed by the SEC last year. That was 15% of all the cases charged. There were 11 cases under the Foreign Corrupt Practices Act last year; that was 1% of the cases. There were 32 insider trading cases that comprised 4% of all the cases filed. Issuer reporting and audit and accounting cases are now lumped together, with 107 cases last year or 14% of all cases charged.

You have to start digging into the cases beyond that to learn a lot. It used to be that the Division of Enforcement gave us a nice, glossy 30 to 40-page packet with a letter from the Director of Enforcement, notes from Senior Staff and details of some of its programmatic focal points. Now, we get a glorified press release. That's been the practice during Chair Gensler's reign at the Commission.

We can pick out some of the disclosure cases that are in there. We can pick out some of the sweeps, including a sweep that focused on 13D and 13G reports, but beyond that, it really is reading tea leaves or focusing on individual actions to get a sense of maybe where the SEC's priorities are or will be going forward. Allison and Scott, did anything jump out to you in the press release or is there anything you are following more generally?

Allison O'Neil, Partner, Locke Lord LLP: We'll talk about this a little later, but what jumped out to me is the record number of whistleblower calls and tips they received in 2023. It was up by 50% and they received more than 18,000 calls. I think that's a sign of what's more to come. Yes, there were sweeps, but there were phone calls being made, as well.

Scott Kimpel, Partner, Hunton Andrews Kurth LLP: It's always a challenge to suss out patterns when you look at these statistics, in part, because the SEC's docket is entirely discretionary. Unlike at the Department of Justice where the FBI is duty-bound to investigate just about any credible complaint that comes in, the SEC is not. They can, and they do, pass on a lot of things. Some they don't view as significant, some are sent to other regulators and some are just not chosen for other idiosyncratic reasons. The other issue is that the process for investigating a case can take years. Some of these are cases that originated two to four years ago, and some even longer than that. You have a five-year statute of limitations generally and through creative use of tolling agreements and other techniques, some of these cases go on for a long time.

There's a certain portion of the SEC's docket that is dictated by circumstances outside its control. There's always going to be Ponzi schemes, affinity frauds and prime bank frauds, which now is mostly crypto cases. Those are the street crime cases that they always have to investigate just because they're so prominent, but with everything else they have to make conscious decisions. Even with some of those numbers, you made a choice to bring one big case against one large bank or corporate defendant and you needed to have 10 people working on it. Well, those 10 people could have also worked in smaller cases. There are resource allocation questions that go into these decisions, too.

It's odd to think that the SEC's resources are constrained. The Enforcement Division has around 1,500 people now, most of whom are lawyers or paralegals. They have a budget of somewhere around $700 million. I don't know that we've ever encountered a situation where the SEC threw in the towel and said, "We're out of money, so we're not going to litigate this case," but they do have to make those decisions at some point. In particular, when they have a number of big cases in-house, it does take the air out of them.

Wolfe: We do need to get in the weeds to understand what they're going to continue to focus on. I'll throw out one high-level question to the two of you just to get your reactions. Looking at the press release, if we focus on the cases that cluster among the most popular, or at least have the most numbers, it's the things we tend to see time and again. It's securities offering, broker-dealer and investment advisor cases, the delinquent filings, and we can almost set those to the side. There are some legitimate delinquent filings there in the 13Ds and 13Gs, and then there is the issue of reporting cases. Year after year, we see those types of cases comprise the largest number of SEC enforcement actions. I have no idea where crypto fits in here, because I don't see it as its own category, but it's there. Should we talk about potential shifts in focus in the year to come?

Kimpel: Well, I think we already see a few of those. John alluded to the stock buyback case that the SEC brought yesterday, which was by no means a clear legal theory. There were two Commissioners that dissented, so why are we even bringing this case? You see that a lot in the fine print when the SEC brings a standalone disclosure controls case or standalone internal controls case. They didn't set out to investigate for disclosure controls. They set out to bring a fraud case and they just determined that the evidence didn't lead them to a fraud charge.

We're seeing things like more ESG and cybersecurity cases. Those are both areas where the Enforcement Division has stood up specialized units. There's a number of specialized units that focus on particular areas. The thing is, if you're in the Crypto Assets and Cyber Unit, those are the only two kinds of cases you get to bring. If it's a slow week or a slow month, you've got to find something to do with your time. That's different than someone who's just waiting for whatever happens to come in through the whistleblower office or wherever else the cases are originating.

O'Neil: When you think about where the priorities lie, it seems to be on enhancing the public trust and getting back to investor protection. To some extent, it doesn't matter what the flavor is, whether it's crypto or cybersecurity. Social media influence is something that people on the street talk about, because we see people like Tom Brady being caught up in that. I think all that comes down to public trust and making sure people feel good about the market.

Kimpel: That's certainly true. I've spent more time in the last year or two explaining the anti-touting rules to people than I have in the first 20-something years of my career - "Anti what? You mean I have to actually disclose that I'm getting paid to do this?"

O'Neil: The whistleblowers and some of these social media influences are what's going to cause everyday folks to stop and think more. It's not the actions brought against the C-suite, but the guy who's playing golf with his buddies that wants to let them know about a great stock tip.

Wolfe: Yes, absolutely. A couple of those callouts are particularly relevant for our audience today, especially the ESG and cyber cases that manifest as disclosure cases. You can feel however you want about the ESG requirements and the proposed rulemakings that may or may not ever come out, but right now, those are disclosure cases.

Monetary and Non-Monetary Penalties

Wolfe: Let's talk a little bit about monetary and non-monetary penalties. At a high level, the SEC has broad authority to get a number of different types of sanctions or remedies in enforcement actions, whether they are litigated in federal district court before an administrative law judge or even in a settled matter. The SEC can get civil monetary penalties. They can get disgorgement plus interest. In some cases, they can get bars and suspensions for senior executives or officers. They can get other types of injunctive relief or cease and desist orders. There's a wide range of things the SEC can do in enforcement proceedings.

That, of course, is to say nothing about the collateral consequences that can flow from SEC enforcement. As defense counsel, I hate to say it, but just the defense costs. Anytime you get a subpoena or even a request to voluntarily comply with a request for documents or information, that's going to cost you money and it can be disruptive to your business and the corporate pocketbook. You also risk reputational harm. There could be disclosure obligations that flow from an SEC enforcement action. Companies could lose their well-known seasoned issuer eligibility, they can lose certain safe harbors that might have been available or the exemptions that apply to certain private offerings. There's a whole litany of things that can come as a result of an SEC enforcement action.

We're focusing on priorities and trends, so this isn't going to be a primer on what the SEC can do, but just to set the table, if you will. In terms of priorities and trends, the SEC is looking to make public examples of companies and individuals and they're pretty open about that.

Chair Gensler spoke at the Annual Securities Enforcement Forum in Washington, D.C., a few weeks ago. He emphasized the importance of what he called "high-impact cases" and these are designed to capture the public's attention and imagination. He said, "All cases are important and that's why we work quickly to seek penalties and prophylactic relief to keep bad actors out of the markets. It's important to us that you in the audience work with your clients to create a culture of proactive compliance. There's also those cases that will garner the attention of lawyers, compliance officers and the like far beyond this room, and yes, often get reported by the press. They help change behavior and bring greater compliance with the law."

How do we see this trend playing out, this idea that they're looking for public examples? I've observed two ways over the last year and a half: bundled cases and higher penalties.

Bundled cases are when we see these press releases that say something like, "The SEC charges 13 of those, 16 of those, 27 of those, etc." You read down and you're like, "This is a technical violation. They all filed something late or forgot, or it's a minor books and records violation. For one thing, please show me where the investor harm is." It's never there, but they're bringing these cases anyway and they're bundling them together. You're not going to read about one 13D case in The Wall Street Journal, but 16? You just got a headline. The SEC has always done this to some extent. That sometimes comes out of sweeps, or sometimes they just lump them together when they realize they've got a cluster. They'll put out a press release along the lines of, "We did an initiative and here are the results." That gets to the Chair's point about getting eyeballs on the cases and trying to change culture of compliance within companies.

Enforcement Director Grewal has been open about how they think about penalties and remedies. He says they need to both punish and deter wrongdoing. He says that penalties in an SEC enforcement case cannot just be considered "another business expense." They're going to insist on larger penalties, because they think it has a deterrent effect. They think it's going to continue to get headlines.

It's a bit of a perfect storm on the penalties front. If we think back just a few years ago to the Kokesh and the Liu cases, which together stand for the propositions that the SEC can seek a disgorgement remedy, but they can only look back five years and certain other restrictions will apply to their ability to get that remedy. Following those cases, we heard from the co-directors of enforcement where they said, "That's fine. We'll just rebalance the way that we are calculating or calibrating penalties or sanctions in SEC enforcement matters. If we can't get as much disgorgement, we'll just ask for more penalties." With the way that the statutory authority works for the SEC, the Commission can demand anywhere between $11,000 and $1.1 million per violation. They're really only limited in terms of penalty to the creativity of the Staff who's charging the case.

We're starting to see this playing out. Earlier, we talked in terms of numbers of enforcement actions and how there was this little dip in 2020. There's a little bit of a lag here, because that's how it tends to play out with the penalties figures and the disgorgement. Again, we saw post-2020 when the co-directors announced they were going to start thinking about penalties differently, we see those numbers start to tick back up. Now, we're starting to get at or near record levels in terms of the amount of penalties. 2023 would've been the highest ever but for 2022, which was anomalous in all respects in terms of the amount of penalties ordered.

The only thing I'll add is undertakings. This is the non-monetary piece of this. It's always been a feature of some SEC enforcement actions, but we're seeing it more frequently and they're becoming more onerous. The SEC has the authority to seek what they refer to as undertakings in litigated, adjudicated matters and settled matters. These are affirmative steps that the SEC will require companies to take in connection with resolving an SEC enforcement matter. They can be hiring a compliance monitor that will come in and help right-size your compliance program or a corporate monitor who gets paid to babysit the company and report back to the SEC. They can require companies to have the person who owns the company relinquish control, change the size or makeup of the board of directors, or require you to create an independent committee with some authority.

All of these undertakings can be tailored to the particular misconduct that's alleged or the particular company or sector that the company operates in. It's something that the SEC has gone out of its way to highlight in its enforcement report and in recent speeches by the Chair and Director of Enforcement, just to say, "This is something we're going to do more of. We are going to expect and demand that companies will commit to a culture of compliance if they want to settle SEC enforcement." If you want to pay the higher penalty, you're also potentially going to need to agree to some undertakings.

Those are my takeaways on monetary and non-monetary penalties currently. Scott and Allison, what are your thoughts?

Kimpel: The non-monetary penalties are interesting because when you're talking about a settlement, particularly an administrative settlement, the SEC views that as a private contractual negotiation. I recall having this many times when I was on the Staff. They don't view themselves as bound by their statutes when they negotiate one of those. For example, it's becoming common in crypto cases that the designer of the token has to burn them all and shut down their blockchain. There's nothing in the '33 Act or the '34 Act that gives the SEC that power. In fact, even some of the undertakings you just went through that are standard, are those called out in the statute? They're hinted around and there's some language, but I think the SEC has become creative with some of its undertakings. It's something they like in settlement, but it's also something that gives some defendants pause. You couldn't go before an Article III judge and get those remedies if you're the SEC. It creates an interesting dynamic.

O'Neil: As the undertakings get more creative and we're seeing more holding folks to the foot fault, I'm becoming more concerned on behalf of my clients when an undertaking is so vast. You think to yourself, even though we have instilled a culture of compliance, that there could be a technicality that results in an inability to follow something specific. Not through any intention, but just the onerous nature of them. We're pushing back to the extent that we can on some of these, just out of fear that there will be a violation.

When we're thinking about some of the headlines and what's going on, part of me feels, particularly with crypto, that the SEC has been chasing the headline. When the harm's already out there and people already know, there's a real feeling or pressure that, "We've got to do something to react to the bad acts that have occurred." That's driving some of it, as well. Not that there aren't certain folks that like a press release on their own, too, for the bundling, but I feel that that's happening with the SEC and other government agencies.

Accounting and Disclosure Actions

Wolfe: Scott, can you talk to us about some accounting and disclosure actions?

Kimpel: You provided a good setup because these are commonly messaging cases. The SEC can't be everywhere. They can't bring every case, they can't even bring a small percentage of the cases they'd like to bring. They have to pick and choose. If you have to pick and choose, you're going to go big and you're going to try and convey a lot more force in the marketplace. Your quotes from Chair Gensler's speech reveal that.

Messaging cases generally have three factors: a prominent individual or corporate defendant, a brand name or product that everybody uses or has heard of, a novel fact pattern, and something that's programmatically important in terms of an area of the law, particularly if it's a new or emerging issue. We've alluded to SolarWinds - we had one client tell us that their CISO was having puppies after he read that case. That's the point. They want to put the fear of God in people, because they know they can't sue everybody. They're hoping that by scaring 99% of the public, they won't have to sue 99% of the public. That's borne out when you look at the vast cross-section of cases they brought over the last year. They love sweeps where they can bring one case against 20 people. That scores a lot more points in the public relations machine than a standalone insider trading case against some mid-level investment banker.

There were quite a few accounting cases, some of them on somewhat novel theories. A case against ComEd and Exelon was a political corruption case that morphed into a disclosure case. A case against Newell for misleading descriptions of revenue metrics and a case against Fluor involving accounting errors, they love to bring a few of those every year just to remind people they haven't forgotten about them since Sarbanes-Oxley. There also were tons of FCPA cases against the who's who of prominent public companies.

There's one ESG case we've been watching a lot that was brought against Vale, which had to do with a tragic situation in South America where a mine burst, flooded downriver and killed a number of townspeople. The SEC's theory is, "You were telling people that your safety was top-notch. By misleading on the safety, that was misleading to investors." What was notable about that case, too, is it was largely statements made not in 10-Ks and 10-Qs, but in an ESG or sustainability report. There's this false sense of security in the marketplace that as long as it's not in our 10-K or our 10-Q, we can say just about anything we want. Well, when you read SEC, private lawyer and private plaintiff complaints, they not only cite the '34 Act but also media interviews and any bit of information they can get their hands on to show that the company made those statements.

Another ESG case was against Activision-Blizzard. It was a disclosure controls case that the company was not selecting and analyzing workplace misconduct complaints. Again, why is the SEC bringing that case? They think they can, and it's done to be a message that if you don't collect this information and report on it, we may come after you, too. This was a couple of years ago now, but they brought a RegFD case against AT&T. I mention that one because that was litigated before the same judge that's been assigned the SolarWinds case.

Cybersecurity is a huge emerging area. The SEC has brought a number of cases over the years where they've said, "Your risk factors were weak" or "Your disclosure controls were weak because CISO knew something and didn't tell the CFO and therefore, you didn't disclose everything you needed to in an 8-K or a 10-Q." SolarWinds was a particularly pernicious incident. This follows a couple of summers ago when hundreds of companies got subpoenas from the SEC in an odd email format that ironically got lost in a lot of spam filters because it looked like phishing. In the SolarWinds case, the SEC charged not just the company, but also the CISO, for a variety of aiding and abetting antifraud claims, disclosure control violations and for internal control violations. It's the same judge as the one who heard the AT&T case. It's going to be interesting. If you go back and read the order he wrote, there are several pages of analysis on materiality. This is a judge that understands materiality and that's going to be one of the central issues if and when that case gets litigated.

Kurt mentioned the sweep they did on a number of generally smaller public companies that had widespread failures to file either Section 13 or Section 16 reports. For insiders, a few 13Ds also were sucked up into that. That was an interesting case because it wasn't just the companies that had the violations, but they aided and abetted their insiders' violations by not making timely filings on their behalf. That's another one of those scary things because just about every public company in America, as a courtesy, will file the Section 16 reports on behalf of their insiders. We've all had this situation where there's an administrative error or a paperwork error and something gets filed a day late. Well, should you be on guard now? Yes, but hopefully it won't be to the volume that we had in the case there.

There's also a couple of interesting cases that the SEC has brought on 10b5-1. They brought a case against Cheetah Mobile and its insiders for having plans that supposedly didn't comply with the rule. The undertakings that those executives agreed to going forward was that they would comply with the new 10b5-1 rules even before they went into effect. There's another creative use of undertakings. Then, there is the one that was announced yesterday that got a heady dissent from two of the commissioners against Charter Telecom. The theory there is that even though the board had approved the buyback programs, the 10b5-1 plans the company put in place were not sufficiently monitored and those created accounting internal control violations.

The SEC also is starting to use enforcement cases to undergird its rulemaking initiatives. One of the critiques of the new stock buyback rules is that there wasn't a market failure the SEC identified. Well, boom, we got two enforcement cases. There's your market failure. In the case of cyber, we have new cybersecurity rules going into effect next month. Again, what was the real market failure? Were there widespread failures to make disclosures on cyber in the past? Now we've got SolarWinds to prove that it is a problem. I think you're going to continue to see the SEC using the enforcement docket to support rulemaking. We have a number of ESG rulemakings in the pipeline, and I think you're going to continue to see the SEC trying to link those two together as they move forward.

Wolfe: In some respects, it feels like SEC enforcement has returned to something like a glass windows approach to enforcement. The thinking goes back to the early '90s in New York City. If there were broken windows and the police weren't out there arresting people, then folks thought they could get away with it. You have to get rid of all the broken windows. This feels like that, but I have trouble reconciling that with some of the things that Director Grewal said in the speech I alluded to earlier - "market participants must realize that complying with securities laws is cheaper than violating those laws." Sometimes I wonder if that's true, especially as they continue to roll out new rules and new rulemaking proposals. If we're living in a "foot faults always result in enforcement action" type of environment, I have trouble marrying those concepts together.

Actions Targeting Gatekeepers

Kimpel: This is a good place to talk about gatekeepers, another technique the SEC uses as a force multiplier - "We're resource constrained. We can't be everywhere at any given time. How do we deputize the public to do our work for us?" For many years, they've focused on the role of so-called gatekeepers. The classic examples would be the outside auditors and, to a lesser degree, outside counsel. I always found it interesting that those two groups are lumped together, because they have different duties, different clients and different responsibilities under their ethical canons.

This is a constantly growing group. Now, I think the SEC would add to the list of gatekeepers, in no particular order, in-house counsel, in-house compliance personnel, CCOs, the internal audit function, executive officers, not just the CEO or the CFO, independent directors, etc.

There's another speech that Director Grewal gave just a few weeks ago to the New York City Bar Association that underscores some of the challenges for gatekeepers. He also said, "We do not second-guess good faith judgments of compliance personnel made after reasonable inquiry." That gave a little bit of comfort, at least to the CCO community. He also gave three examples of situations where the SEC will pursue enforcement actions against gatekeepers and compliance personnel: when the compliance personnel affirmatively participated in misconduct, where compliance personnel misled regulators and where there was a wholesale failure to carry out compliance responsibility.

Grewal gave a series of examples of cases against CCOs. Some of them were low-hanging fruit - the CCO who engaged in insider trading or the one who backdated books and records - but he also alluded to a recent enforcement case against one of the large accounting firms. It's somewhat disconcerting that both the SEC and the PCAOB are increasingly bringing cases against large accounting firms. It's on any number of different theories - quality control, auditor independence, auditor malfeasance, etc. In some cases, they've charged very senior people at some of the firms and at least one of the firms litigated.

That's another side effect of this new emboldened SEC Enforcement Division - you're seeing more big cases get litigated. There could be a number of reasons for that. Some of that is just if you're going to have to pay a huge penalty anyway, why not let a judge get a shot at it? Some of it is things that we used to be able to negotiate out in settlement; the SEC's not so willing to move on. For example, we used to be able to get a 17(a) charge in exchange for a 10(b) charge. Now, the SEC is increasingly insisting on 10(b) charges in settlement. Some of our clients don't have the resources to litigate and so they'll take whatever they can. The SEC knows that, too. If you're in a situation where you're going to have to pay eight or nine figures in penalties and have a number of other charges against you, what do you have to lose by litigating? All that is an outgrowth of the way the SEC's been managing the enforcement program in the last several years.

I'll kick it to Allison to talk about whistleblower developments and trends.

Whistleblower Developments and Trends

O'Neil: Throughout this call and in advance of it, we've been trying to figure out and glean what we could from the priorities and the trends. In my opinion, this was the year of the whistleblower. That may be the biggest takeaway from my perspective.

Fiscal year 2023 was a record-breaking year. The SEC issued whistleblower awards totaling nearly $600 million. There was a $279 million award that went to one whistleblower, which was more than double the prior highest award of $114 million in October 2020. The interesting thing about the case where the whistleblower received a $279 million award is that the tip didn't promote the investigation. The investigation was ongoing, but it had widened the scope of the investigation significantly. An interesting thing to think about is what the monetary sanctions were. In that case, we don't know exactly what was collected, but it had to have been an astronomical figure since the award was $279 million and it can only be between 10% and 30% of the award.

We know that tips are up and we know that dollars are up. Awards to whistleblowers are up. I think about this quite a bit, because my fear is that it causes what I like to call an "uninformed informant." Someone who sees something that they think is going wrong, they think they see fraud, they think something isn't being handled well, and when they see the dollars involved, they go running and may make a tip. That could spell disaster for some of our clients.

The one takeaway that I've seen in some of the cases that my clients have been involved in is often that a whistleblower tried to say something to somebody within the company and it wasn't listened to. As I look back on the year I had, it's easy not to pay attention when someone's complaining, particularly when they're a complainer. In a day and age where someone can screen capture an IM or a chat that uses words that will get the SEC's attention, I think paying attention to those more than not might be helpful.

Kurt and Scott, what are your thoughts on whistleblowers?

Wolfe: It's just remarkable how successful the program continues to be and it really is driving enforcement investigations and enforcement actions. I saw an article this morning that said, combined, the SEC and CFTC whistleblower programs have now paid out more than $2 billion to whistleblowers. The vast majority of that is the SEC, but as a promotional matter, my goodness, have they been successful at getting folks to come forward to the point where if you get a cold call from the SEC, you should just assume there's a whistleblower. In investigating the case and thinking about the posture you want to take with the Staff, you should just assume. If you're getting these questions in a voluntary request for production and you're like, "Wow, that's very specific," alarm bells should be going off and you should assume there's a whistleblower. Now, never ever should you go find the whistleblower. But you need to think about how you're going to handle that case differently.

O'Neil: I would say back to you, even if it was an industry, even if 200 letters went out, it may not be a whistleblower within your organization, but there was a whistleblower at one of those organizations that caused this focus into the industry. It's remarkable how it results in so many cases. As you've said, if you want to talk about a press release and PR, the success of this program is being touted over and over again.

Kimpel: They brought a series of cases over the years and there were several recently against companies who had NDAs, employment agreements or other employment manual language that wasn't being enforced, but that was overly broad and perceived by the SEC as crimping or chilling the ability of whistleblowers to come forward. They've brought a number of enforcement cases on those, quite a few for employment severance agreements, but they brought a relatively novel one not that long ago over a generic employee non-disclosure agreement. In an unrelated matter, I got an NDA from someone and thought to myself, do I need to worry about SEC whistleblower provisions in this? It's just something that you have to think about.

Having been at the SEC in the down period around Madoff and when things were at a low and seeing how they completely have rebuilt their surveillance function to be built around tips, complaints, and referrals that come in, it really has changed the way that the SEC originates cases and pursues cases. The old joke was that they got their leads from The Wall Street Journal. The new reality is there's a large volume of information coming in. Not all of it is actionable and some of it is just downright wrong, but even a broken clock can be right twice a day. That's enough for the SEC to say, "Wait a second, this person seems to know something interesting and important and different. Let's talk to them and let's see what's going on here."

It has changed the way a lot of cases are originated. I have the same thought when you get an out-of-the-blue, very specific request for information. It can almost only come from someone who's inside the business and knows it well. To your point, we're not suggesting you go out and retaliate against whistleblowers, but it changes the way that you handle the entire litigation from that point forward.

Wolfe: It's a good call out too, on the cases that strike at efforts to chill whistleblowers like the Rule 21F-17 cases, because what we're starting to see is the Staff looking a little bit behind what an agreement says. I'm familiar with a number of matters where there's a whistleblower in the SEC. The third or fourth question out of their mouth is like, "Can we see the severance agreement or the separation agreement or the NDA?" They want to know what it says and if it looks like a paper tiger, the next question is, what did they actually do? Did they just pull this thing off the shelf from some public source? Does it look exactly like every other company's or were they actually thoughtful about what they put in the agreements and how they're implementing it? That's definitely something you should be thinking about and even consider looking at what those NDAs, separation agreements and things like that say and how they read.

Kimpel: As soon as the SEC announces another one of those cases, I immediately forward the order to my employment law colleagues because they're the ones that are on the ground drafting these things. It's led to a lot of interesting conversations about, this is market practice, this is unusual or this is this or is not. Again, that's why the SEC does it. They want the word to spread. They don't want to have to keep bringing those cases. They would prefer for companies to change their language. Making sure it gets into the right hands in your organization and making sure that the employment lawyers are at least as knowledgeable in this area as the securities lawyers is important.

Self-Reporting and Cooperation Credit

Wolfe: Let's talk about self-reporting and cooperation for a couple minutes, and then I'll let Allison bring us home with thinking about how the SEC and DOJ may collaborate or coordinate. Self-reporting is a nice transition from the whistleblower conversation, because on some level, you can't even think about self-reporting if you don't know that there's a potential violation of the laws that's happening at your company. How might you find out about a whistleblower, even an uninformed informant? They can log complaints internally and you should take them seriously. You can learn about it from internal audit. You can think about looking into potential violations because there's a sweep or because you see an SEC enforcement action against a company that looks an awful lot like yours.

When these things happen, you should start to think, what should we do? Is it worth kicking the tires and doing a little bit of investigation to see if there are any potential concerns? Then you can make an informed decision about next steps, because the SEC does have a cooperation program and will give some credit for folks that do broadly any or all of four things. These come from an old report called the Seaboard Report that talks about, what does cooperation look like? When will the Staff give you credit? What the SEC is interested in is, how are you self-policing at the company? Did you self-report the potential misconduct? Did you take steps to remediate, and are you willing to cooperate with law enforcement authorities in connection with an investigation if one happens?

There is an open debate about whether to self-report at all or when. A lot of folks will say, "No, you should just never do it, even in connection with a sweep, an amnesty or a leniency program." We've seen a number of these over the past couple of years, and this was more a feature in past administrations where they would say share selection disclosure cases. Come in and tell us that you got this thing wrong and we will not insist on any penalty at all. Maybe there's going to be some disgorgement to make harmed investors whole. Even then some folks would say, "Don't do it."

It really depends, for me, on the facts and circumstances. How bad is the misconduct? What is the likelihood that you're going to be found out? Do you think there are benefits in connection with some kind of leniency program that make it a good idea to go in and talk to the Staff? There's no "yes" or "no" answers all the time. You need to evaluate it depending on what you know. How serious are the allegations? How likely do you think it was that there were real problems?

At the end of the day, there are a few questions that tend to circle around this. One is, why would you do it? If you have questions about whether you're going to derive any real benefit, the SEC would say, "Because they actually give it in some cases." In the enforcement report that came out yesterday, they pointed to cases where they did give credit and, in some cases, not bringing a case at all or insisting on substantially diminished charges or a lower penalty. Disgorgement usually isn't on the table to negotiate. If there's harm, there's harm, but some of the other types of sanctions that the SEC has at its disposal, they will give credit. I've seen it happen in cases that I've been in, but you have to be willing to commit to those other elements - the remediation, the cooperation.

This leads to another question of, when should you do it? As soon as you think it is likely that there are actual problems. You've had a chance to investigate it. This isn't like, "We got an internal report. Sounds pretty serious. Let's pick up the phone and call the SEC." You're better served to get to know the facts and maybe conduct a couple of interviews. It depends on the seriousness of the allegations, but if you're going to go into the SEC or any other agency, you have to know what happened or have a good version of it. Even if you go in and say, "We need to do more work. Here's the gist. Here's what we think happened." You need to do that work. You're also going to need to talk to your senior management, maybe to the board of directors, before you self-report. You have to do that groundwork before you get to that crisis point where you're going to make a decision.

The next thing is, how do you do it, or to whom do you do it? A lot of times it's just finding a good home on the Staff, someone you have a relationship with, you've had cases with in the past. Someone that you think knows that particular area well. To Scott's point earlier, there are dedicated units. If you have a cyber case, maybe you want to call someone in the cyber unit because they understand what the requirements are. They understand what industry practices are, at least from a disclosure standpoint, versus just spinning the wheel at the SEC and letting that case land where it may. Once you're there, it has to be meaningful cooperation. You can't go in and then decide you're uncomfortable with this. If you're going to take that decision, you've got to get in. It's more than just complying with requests for documents and information or showing up for an interview. You've got to be committed to the cooperation once you get in there if you do want to get any kind of credit on the back end.

O'Neil: Kurt, don't you think that - especially where we're seeing more technicalities, more cases being brought for foot faults - you can take the steps of doing the remediation and updating your practices internally without taking that final step of reporting?

Wolfe: I do. That's happening a lot more, especially if what you find is a technical violation. You can fix the problem, and everyone is comfortable with it. The Staff may be annoyed if they learn about it later and you didn't come talk to them. Well, what did you do? We investigated, we figured it out. We rooted out the problem, we fixed it. It's a good story.

O'Neil: I was going to say it's still a good story, and there's so much handwringing about whether to go in and sometimes that's the better course.

Kimpel: There's a huge debate. We could have a whole hour just on that question itself. I've seen situations that have gone well, but to your point Kurt, you got to go in early and you got to be totally open and you're probably firing people. You're going above and beyond to get the kind of special treatment that they promised, because they don't give it to everybody who cooperates. If you come in midstream or they feel like you're not being fully candid, or you came in because you were shamed into it, that doesn't count in terms of cooperation credit.

I've seen situations where folks have gone in thinking they were just reporting a foot fault and it metastasized into a vast investigation on some other unrelated issue that took years to resolve. That's the sort of "no good deed goes unpunished" situation where it probably was something they could have just remediated on their own and moved on and no one would've turned it into the situation it became. Lots of different issues you have to consider when that's on the table.

Coordination with DOJ Investigations

O'Neil: I'll just bring us home on coordination between DOJ and the SEC. Again, we saw a lot of cross-agency coordination continue into 2023. Candidly, that sort of coordination wasn't just between DOJ and SEC. It involved other agencies, including people like Homeland Security.

Scott talked a little bit earlier about some of the tools that are in hand, particularly in the insider trading space. We saw the use of data analytics to help identify unusual trading patterns. We saw increased cases between the DOJ and SEC involving friends and family insider trading. We also saw some bundled cases that Kurt talked about earlier, too. All of that resulted in headlines and we'll see more of that to come.

Wolfe: I'm seeing more folks from the criminal side sitting in on meetings and interviews than I did earlier in my career and I'm not sure if that's a bug or a feature of the current enforcement environment, but I am seeing more of our friends with a different kind of badge.

O'Neil: They're just sitting there, though. They just sit.

Kimpel: Just observing.

Jenkins: Thanks Scott, Kurt and Allison, this was a terrific discussion that covered an awful lot of topics. This concludes today's webcast.