SEC, FBI Defend New Cyber Incident Disclosure Rule at Aspen Cyber Summit

Feds mount defense of SEC cyber rule

Federal government officials said on Wednesday that they are taking great pains to make sure that a Securities and Exchange Commission cyber incident disclosure rule wouldn’t leave companies more vulnerable to attacks.

***

One of the main criticisms from industry groups is that the four-day disclosure window in the rule could have the opposite effect, giving hackers a road map to carry out more attacks.

But the rule isn’t designed to provide that level of specificity that might help attackers, an SEC official said at the Aspen Cyber Summit on Wednesday. Instead, it’s about “materiality” — a legal standard about whether something is likely to have significantly altered information used in deciding whether to invest.

***

Furthermore, the rule allows companies to go to the Justice Department and seek a delay on disclosure if the attorney general deems that such a disclosure would harm national security. Justice Department officials said at the summit Wednesday that they were also ramping up the policies and procedures to help companies work with them in such situations.

SEC Charges Algorithmic Trader Matthew Melton with Defrauding Investors Out of More Than $1.5 Million

The Securities and Exchange Commission today charged Matthew Melton for fraud in connection with material misrepresentations to investors about the performance of his Price Physics trading algorithm and his misappropriation of more than $1.5 million of investor proceeds.

According to the SEC’s complaint, which was filed in the United States District Court for the Southern District of New York, between April 1, 2018, and October 31, 2020, Melton raised more than $3.4 million from at least 23 investors in Puerto Rico and elsewhere who shared an affinity for outdoor activities. Melton allegedly asserted that he would profitably trade stock index futures through the use of his Price Physics trading algorithm, which, he claimed, had generated consistent returns of 12 percent per month. Contrary to these claims, the complaint alleges, Melton’s trading was consistently unprofitable….

Ransomware gang files SEC complaint over victim’s undisclosed breach

The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack.

Earlier today, the threat actor listed the software company MeridianLink on their data leak with a threat that they would leak allegedly stolen data unless a ransom is paid in 24 hours.

US Audit Board Pads Inspections Funding in $385 Million Budget

The US accounting oversight board plans to hire more inspectors next year to vet the work of auditors around the world as the agency tries to combat a rise in the rate of audits that fall short of core standards, under its 2024 budget approved Thursday.

The $384.7 million spending plan the Public Company Accounting Oversight Board backed unanimously would mark a 10% increase over current funding levels, the regulator said Thursday.

The spending plan calls for adding 20 jobs, half of them targeted for the agency’s inspections division….

SEC Sues SolarWinds and its CISO for Fraud and Other Violations Related to Massive Data Breach

Notably, the CISO is the only individual defendant named in the SEC’s suit, even though the Commission previously sent Wells Notices to other SolarWinds officers and employees. As we discussed in a prior post, SolarWinds previously disclosed that “certain current and former executive officers and employees” had received Wells Notices stating “that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws.”

The SEC does not normally file suits against defendants in a piecemeal fashion, and likely won’t here, given that its investigation appears to be over. If the SEC’s enforcement staff were still investigating other potential defendants, we would expect the SEC’s press release to disclose the existence of an ongoing investigation. The fact that the SEC did not charge other executives is a standout feature of this action. It sends CISOs and other information security professionals a message that, in at least some cases, the buck stops with them for cyber control deficiencies and cyber disclosures.

FINRA’s Reg BI CCO Enforcement Action: A Canary in a Coal Mine?

In October 2023, FINRA brought a settled case against a chief compliance officer (CCO) because his firm allegedly had inadequate procedures pertaining to excessive trading. For this violation, the CCO wasn’t charged for supervisory failures; he didn’t affirmatively participate in misconduct unrelated to his compliance function; he didn’t intentionally help to mislead regulators; and there is no evidence that he exhibited a wholesale failure to carry out his responsibilities. Nonetheless, he was charged and sanctioned. Is this an example of the proverbial canary in a coal mine?

Is everything an accounting control violation now?

While the SEC’s expansive view of the internal accounting controls provisions to reach clearly non-accounting conduct has so far centered on stock buybacks, the SEC noted in a footnote in the Charter order that it had always interpreted the provisions to apply to “corporate accountability” more broadly. Companies should be aware that the future enforcement approach might not be limited to buybacks. Any scenario in which a company engages in transactions with corporate assets in a manner that does not fully comply with a particular board authorization could come under SEC scrutiny for potentially deficient internal accounting controls, especially if there is a linkage to conduct that a majority of SEC commissioners believes falls short of good corporate practice.

SEC administrative enforcement process called into question, highlighting importance of private actions

The Supreme Court took the case and is scheduled to hear oral argument on Nov. 29, 2023. Over 35 amici have filed briefs weighing in on these issues. Groups of administrative law scholars and the American Bar Association filed briefs in support of the SEC; meanwhile, attorneys general from 18 states, along with high-profile individuals like Mark Cuban and Elon Musk, filed briefs in support of Jarkesy. The Supreme Court is expected to issue a decision sometime next year.

As oral argument before the Supreme Court approaches, focus among legal scholars will likely — and understandably — be on the contours of the “non-delegation” doctrine, which has wide-ranging implications on the ability of federal agencies, including the SEC, to exercise their authority. However, those most focused on uprooting corporate fraud understand that Jarkesy could also mark a new era of securities enforcement.

Under the current legal landscape, SEC enforcement actions constitute one of two major mechanisms that investors rely on for the deterrence and punishment of securities fraud — the other is private securities actions brought by the injured shareholders themselves….

Former Needham Police Officer Sentenced for Insider Trading Conspiracy

A former Needham police officer was sentenced yesterday for conspiring to trade on inside information about a Massachusetts company’s planned acquisition of a California semiconductor company.

David Forte, 60, of Acton, was sentenced by U.S. District Court Judge Allison D. Burroughs to one year of supervised release, with the first six months to be served in home confinement. Judge Burroughs also imposed a $25,000 fine. Forte was charged in January 2022 along with co-conspirators John Younis and Gregory Manning. In June 2023, Forte was convicted by a federal jury of one count of conspiracy to commit securities fraud and one count of securities fraud.