Debevoise Digest: Securities Law Synopsis – July 2024

July 2024

Supreme Court Punches SEC APs Right in the Seventh Amendment

On June 27, 2024, in a long-awaited ruling with significant implications for the securities industry and administrative agencies more generally, the U.S. Supreme Court affirmed the Fifth Circuit’s decision in Jarkesy v. SEC, holding that the Seventh Amendment right to a jury trial precluded the SEC from pursuing monetary penalties for securities fraud violations through in-house administrative adjudications.

The Supreme Court’s opinion addressed only the following question, which the majority described as a “straightforward” one: “whether the Seventh Amendment entitles a defendant to a jury trial when the SEC seeks civil penalties against him for securities fraud.” The majority answered this question in the affirmative.

The Seventh Amendment provides that “[i]n Suits at common law . . . the right of trial by jury shall be preserved.” This constitutional guarantee, the Court underscored, is not limited only to the “common-law forms of action recognized” at the time the Seventh Amendment was ratified but extends to a statutory claim if the claim is “legal in nature.” The Court held that any curtailment of the Seventh Amendment right “should be scrutinized with the utmost care.”

Key Takeaways:

  • The Court’s ruling was limited to securities fraud claims, but other SEC claims seeking legal remedies may be impacted, as well as claims by other federal agencies that may have been adjudicated in-house previously.
  • We expect that the SEC will continue its practice of bringing new enforcement actions in district court, except when a claim is available only in the administrative forum.
  • Because of the majority decision’s focus on fraud’s common-law roots, the decision raises questions about whether the SEC may bring negligence-based or strict liability claims seeking penalties administratively.
  • The Court did not resolve other constitutional questions concerning the SEC’s administrative law judges, including whether the SEC’s use of administrative proceedings violates the non-delegation doctrine and whether the SEC’s administrative law judges are unconstitutionally protected from removal in violation of Article III.
  • We anticipate additional litigation regarding these unresolved issues.

For more information, see Debevoise Insights here.


SEC Releases New Guidance on Material Cybersecurity Incident Disclosure

On June 24, 2024, the staff of the Division of Corporation Finance of the SEC released five new C&DIs relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events. A summary of the C&DI updates is below.

ITEM 1.05 OF FORM 8-K

  • Completed ransomware attack does not remove the need for a materiality determination: The cessation or apparent cessation of the incident prior to the materiality determination does not necessarily indicate that the incident was not material, and the registrant still needs to make a determination regarding the incident’s materiality.
  • Completed material cybersecurity event must still be disclosed: A cybersecurity incident that a registrant determines to have had a material impact or that is reasonably likely to result in a material impact on the registrant must still be disclosed on a Form 8-K within four business days after the registrant makes a materiality determination, even if the cessation or apparent cessation of the incident occurs prior to the filing of the Form 8-K.
  • Insurance coverage: When determining whether a cybersecurity incident is material, reimbursement for a ransomware payment under a registrant’s insurance policy does not mean that it is immaterial.
  • Amount of ransomware payment: The size of the ransomware payment, by itself, is not determinative of whether a cybersecurity incident is material and is only one fact relevant to a registrant’s materiality determination.
  • Related immaterial cybersecurity events: If a registrant experiences a series of cybersecurity incidents that, individually, are determined to be immaterial, the registrant should consider whether those prior incidents might be related, and if so related, determine whether the cybersecurity incidents, when viewed collectively, are material. In particular, the C&DIs highlight that Item 106(a) of Regulation S-K includes in the definition of cybersecurity incident “a series of related unauthorized occurrences.”

For more information followed by the full text of the new C&DIs, see Debevoise Insights here.


SEC Targets AI Washing in Private Capital Markets: “Old School Fraud Using New School Buzzwords”

On June 11, 2024, the SEC filed its third matter this year involving AI washing. This particular case is noteworthy for several reasons: it is the Commission’s first litigated AI-washing matter, concerns statements made to raise funds from private market investors and involves parallel criminal charges.

The SEC’s complaint alleges that Ilit Raz, the founder and Chief Executive Officer of tech startup Joonko Diversity, Inc. (“Joonko”), made claims about Joonko’s use of “AI-based technology,” a “proprietary algorithm” and “machine learning,” none of which actually existed, to help clients find job candidates from diverse backgrounds. The majority of the alleged misrepresentations about Joonko’s technology platform were made in presentations and marketing materials provided to private equity and venture capital firms, as well as to individuals, for the purpose of raising private capital.

Until now, the SEC’s campaign against AI washing has targeted registered investment advisers, broker-dealers and public companies. But the case against Raz demonstrates that the SEC is not limiting its scrutiny of AI representations to any particular market participants. This case makes clear that the SEC will scrutinize all AI-related claims made by any companies or firms, public or private, seeking to attract investors to raise capital.

The charges against Raz reinforce the importance of clear, accurate and comprehensive statements about the use of technology, automation and artificial intelligence for all companies seeking to raise capital from sources other than the public markets.

For more information, see Debevoise Insights here.


Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

On June 18, 2024, the SEC announced that communications and marketing provider RRD agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack and consented to a cease-and-desist order that found that it violated two provisions of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), in connection with its cybersecurity practices between November 2021 and January 2022: Section 13(b)(2)(B) (the internal accounting controls provision) and Rule 13a-15(a) (“Controls and procedures” relating to disclosure). The SEC specifically noted that, because RRD’s controls were not designed to ensure that relevant information was escalated and did not indicate who was responsible for reporting to management, RRD failed to adequately assess such information for potential disclosure.

According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. The SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In addition, the SEC asserted that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts and then failed to act upon the incoming alerts from this firm.

The settlement marks a striking expansion of the SEC’s view of its oversight authority relating to public company cybersecurity policies and procedures. In particular, the SEC Enforcement Division’s “expansive interpretation” of Section 13(b)(2)(B)—the internal accounting controls provision added to the Exchange Act by the Foreign Corrupt Practices Act of 1977—as covering incident response policies is in clear tension with the director of the SEC’s Division of Corporation Finance’s recent statement disclaiming any intent on the part of the Commission to prescribe particular cybersecurity risk management policies and procedures.

The RRD settlement does not provide any limiting principle for the scope of Section 13(b)(2)(B) enforcement. Instead, the RRD settlement troublingly suggests that, in the wake of a successful cyberattack, public companies can expect the Enforcement Division to pursue any substantial intrusion as evidence of an underlying per se internal controls violation.

Given this emerging area of public company cybersecurity enforcement risk, issuers may wish to consider several enhancements to their cybersecurity policies and procedures, which we have covered in our prior Debevoise Data Blog posts here and here.

For more information, see Debevoise Insights here.


Dual Listing for Depositary Receipts

A number of companies listed outside the United States have been reported to be considering listing in the United States, citing the greater liquidity and deeper investor base that U.S. exchanges offer. A successful dual listing—maintaining a listing outside the United States while also having a listing on a U.S. exchange—requires (i) careful coordination with regulators, exchanges and clearing systems and (ii) consideration of certain key issues related to a dual listing of a company’s global depositary receipts (“GDRs”) listed outside the United States by way of an “upgrade” of its Regulation S GDRs into American depositary receipts (“ADRs”).

In order to permit the trading of depositary receipts in the United States on an unrestricted basis, a company would need to “upgrade” its Regulation S GDR program into an ADR program. The “upgrade” would entail making certain technical changes to the deposit agreement and renaming the Regulation S GDRs as ADRs. In order to allow for the listing of depositary receipts on a U.S. exchange or over-the-counter market, the ADRs would need to be registered on a Form F-6 with the SEC. For companies looking to list the ADRs on either the New York Stock Exchange or Nasdaq, with or without a public offering in the United States, the underlying securities (such as common stock or ordinary shares) would additionally need to be registered on a Form F-1 with the SEC. Absent an exemption, a consequence of a program “upgrade” can in certain circumstances be that a company becomes subject to the periodic reporting requirements of the Exchange Act. The primary exemption available to foreign private issuers is Rule 12g3-2(b), which requires that a foreign private issuer must:

  • not currently be required to file or furnish reports under Section 13(a) or section 15(d) of the Exchange Act;
  • maintain a class of securities listed on one or more exchanges in a foreign jurisdiction that is in its primary trading market; and
  • promptly publish on its website or through an electronic information delivery system generally available to the public, in English, certain home country disclosure documents that the foreign private issuer has: (a) made public pursuant to the law of its home country; (b) filed with a securities exchange; or (c) distributed to its security holders, including, at a minimum, English translations of its annual report (including annual financial statements), interim reports that contain financial statements, press releases and all other communications and documents distributed directly to holders of each class of securities to which the exemption relates.

In addition to compliance with applicable SEC requirements, a company will need to consider any filing obligations or restrictions under the rules of the local jurisdiction or exchange where the GDRs are listed, which may involve the potential requirements to publish a prospectus.

To ensure that trading continues uninterrupted upon the U.S. listing of the ADRs, a listed company (and its legal advisors) will need to explain the proposed structuring of the “upgrade” and the steps required in connection with the “upgrade” to the depositary bank and clearing systems early, so that the ADRs will be able to retain the same security identifiers (i.e., ISIN and CUSIP) that the Regulation S GDRs have. In addition, existing Regulation S GDR investors will need clear communication throughout the process explaining the securities held and where (and how) they may be traded following an “upgrade.” Following the “upgrade,” the company will have to continue to comply with the requirements of local law and stock exchange listing rules applicable to its GDR listing outside the United States, as well as those new regulations relating to the U.S. listing, which may at times conflict.

We expect that pursuing dual listings will be an increasingly attractive option as companies with GDRs listed on the London Stock Exchange and other international exchanges continue to look to the United States for greater liquidity for their securities.

For more information, see Debevoise Insights here.


SEC Rule-Making Agenda

The SEC’s Spring 2024 Regulatory Agenda was posted in July 2024. A summary of certain key pending rule changes is included below, along with the SEC’s announced release date. For more information, see the full regulatory agenda here.

Stage of Rulemaking: Proposed Rule Stage. Expected Release Date: October 2024.

  • Human Capital Management Disclosure
  • Incentive-Based Compensation Arrangements
  • Financial Data Transparency Act Joint Rulemaking

Stage of Rulemaking: Proposed Rule Stage. Expected Release Date: April 2025.

  • Regulation D and Form D Improvements
  • Revisions to the Definition of Securities Held of Record
  • Corporate Board Diversity
  • Rule 144 Holding Period
  • Regulation ATS Modernization

Stage of Rulemaking: Final Rule Stage. Expected Release Date: October 2024.

  • Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies
  • Cybersecurity Risk Management Rules for Broker-Dealers, Clearing Agencies, MSBSPs, the MSRB, National Securities Associations, National Securities Exchanges, SBSDRs, SBS Dealers, and Transfer Agents
  • Enhanced Disclosures by Certain Investment Advisers and Investment Companies about Environmental, Social, and Governance Investment Practices
  • Amendments to Exchange Act Rule 3b-16 re Definition of “Exchange”; Regulation ATS and Regulation SCI for ATSs That Trade U.S. Government Securities, NMS Stocks and Other Securities
  • Registration for Index-Linked Annuities; Amendments to Form N-4 for Index-Linked and Variable Annuities
  • Covered Clearing Agency Resiliency and Recovery and Wind-Down Plans

Stage of Rulemaking: Final Rule Stage. Expected Release Date: April 2025.

  • Rule 14a-8 Amendments



This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.