SEC Charges Four Companies for Misleading Cyber Disclosures
On October 22, 2024, the SEC announced settled charges in separate actions against four technology companies—Avaya Holdings Corp., Check Point Software Technologies Ltd., Mimecast Limited and Unisys Corp.—each of which was a downstream victim of the 2020 SUNBURST and SolarWinds cyber-attacks believed to be orchestrated by state-sponsored hackers in Russia. These actions represent the SEC’s first resolutions based on its multi-year investigation into the adequacy and accuracy of disclosures from downstream victims of the attack. The SEC alleged that each company negligently made materially misleading cybersecurity-related statements or omissions relating to the attacks in violation of Sections 17(a)(2) and 17(a)(3) of the Securities Act, as well as the various rules thereunder. Each company agreed to pay, while neither admitting nor denying the findings in the order, a civil penalty of between $990,000 and $4 million. SEC Commissioners Hester Peirce and Mark Uyeda issued a dissenting statement stating that “[r]ather than focusing on whether the companies’ disclosure provided material information to investors, the Commission engage[d] in a hindsight review to second-guess the disclosure and cite[d] immaterial, undisclosed details to support its charges.”
The four companies charged by the SEC are alleged to have certain common attributes: all were public technology or software companies (although two, Avaya and Mimecast, have since been taken private); all had installed at least one instance of the SUNBURST malware; and all experienced SUNBURST-related intrusions between at least 2020 and 2021 by the Russian nation-state threat actors who were responsible for the SUNBURST attack. The SEC alleged that all four negligently made materially misleading statements in light of their victimization. In explaining the materiality of the incidents, the SEC emphasized the nature of the respondents’ businesses, noting that, as IT service and software providers, the circumstances of the attacks would have been “critically important” for, e.g., the companies’ reputations, customers and investors. Although the disclosures and statements at issue in these four matters pre-date the SEC’s new cybersecurity disclosure rules, companies should closely consider these cases as reflecting the SEC’s latest views on materiality assessments and disclosure decisions regarding cybersecurity incidents.
In connection with the settled charges, Jorge G. Tenreiro, Acting Chief of the Crypto Assets and Cyber Unit, noted that “[d]ownplaying the extent of a material cybersecurity breach is a bad strategy. In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized. The federal securities laws prohibit half-truths, and there is no exception for statements in risk-factor disclosures.”
For more information, see the SEC’s press release and Debevoise Insights.
Cyber Whistleblower Leads to DOJ Civil Settlement
On October 22, 2024, the DOJ announced that The Pennsylvania State University (“Penn State”) agreed to pay $1.25 million to resolve whistleblower allegations that it violated the False Claims Act (the “FCA”). The allegations relate to Penn State’s failure to meet cybersecurity requirements in federal government contracts, misrepresentation of compliance timelines and failure to use a qualified external cloud service provider. This is the latest settlement of cybersecurity-related FCA claims since the DOJ announced its Civil Cyber-Fraud Initiative in October 2021. The case stems from the FCA’s qui tam provisions, which enable a private citizen to bring a lawsuit on behalf of the government. Penn State’s former Chief Information Officer, Matthew Decker, filed suit against Penn State in the Eastern District of Pennsylvania in 2023.
Decker alleged that, throughout his tenure at Penn State from 2015 to 2022, the university neglected to meet federal regulatory requirements to safeguard confidential information and violated federal agency contractual regulations. Decker further alleged that Penn State had provided false self-attestations of compliance to federal agencies from at least 2017 to 2022. Finally, he claimed that Penn State neglected to provide accurate dates and timelines for achieving compliance, as required by federal regulation. Decker filed the action after repeated attempts, between 2018 and 2022, to raise the compliance issue internally allegedly proved unsuccessful. For example, Decker alleged that in 2018 he highlighted the compliance gaps to management and was told that Penn State was sufficiently compliant. He also alleged that he offered to create working groups to address compliance gaps, but Penn State had no interest in such working groups in early 2021. Ultimately, Decker alleged that he was allowed to put together a review team in April 2022, and the team’s review demonstrated that many records were falsified.
The Civil Cyber-Fraud Initiative, together with the DOJ’s pilot program offering financial awards to whistleblowers who provide information on corporate crimes, reflects the government’s focus on combating cyber threats. To mitigate risk under the FCA and better prepare for and respond to cybersecurity-related whistleblower complaints, companies should ensure that their teams have sufficient expertise to complete an objective assessment and should avoid whistleblower retaliation.
For more information, see the DOJ’s press release and Debevoise Insights.
SEC Announces Settled Charges Against Rimar Capital Entities and Owner for Defrauding Investors in “AI Washing” Scheme
On October 10, 2024, the SEC announced settled charges against Rimar Capital USA, Inc. (“Rimar USA”), Rimar Capital, LLC (“Rimar LLC”), Itai Liptz (owner and CEO of Rimar LLC and Rimar USA) and Clifford Boro (Rimar USA board member) for securities law violations in connection with materially false and misleading statements to investors regarding Rimar LLC’s use of AI to perform automated trading for advisory clients. According to the SEC’s order, Liptz and Boro made numerous misrepresentations in pitch decks, online posts in a member-only investment group and emails with claims about Rimar LLC’s technological operations. The claims included representing that Rimar LLC had an extensive infrastructure of coders and data processing capabilities. In reality, however, these capabilities belonged to overseas entities in which neither Rimar USA nor Rimar LLC had any ownership interest. Moreover, the marketing materials and solicitation communications repeatedly referred to Rimar LLC as having an AI-driven platform for trading stocks and crypto assets, among other products, despite having no such trading application.
Rimar USA, Rimar LLC, Liptz and Boro each agreed to cease and desist from further violations. Additionally, Liptz agreed to (i) pay disgorgement and prejudgment interest totaling $213,611, (ii) pay a $250,000 civil penalty and (iii) be subject to an investment company prohibition and associational bar. Boro agreed to pay a $60,000 civil penalty. Lastly, Rimar LLC agreed to be censured.
Andrew Dean, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, issued a statement after the settlement emphasizing that “[a]s AI becomes more popular in the investing space,” the SEC “will continue to be vigilant and pursue those who lie about their firms’ technological capabilities and engage in ‘AI washing’.” This settlement follows the SEC’s earlier AI-related fraud cases in March 2024 against two investment advisers, Delphia (USA) Inc. and Global Predictions Inc., and in June 2024 against the founder and CEO of tech startup Joonko Diversity, Inc.
For more information, see the SEC’s press release and Debevoise Insights.
SEC Charges Advisory Firm WisdomTree with Failing to Adhere to Its Own Investment Criteria for ESG-Marketed Funds
On October 10, 2024, the SEC charged New York-based investment adviser WisdomTree Asset Management Inc. with making misstatements and with compliance failures relating to an investment strategy that was marketed as reflecting environmental, social and governance (“ESG”) factors. According to the SEC order, WisdomTree represented in prospectuses for three ESG-marketed ETFs that the funds would not invest in companies involved in certain products or activities, such as fossil fuels or tobacco, regardless of performance. WisdomTree, which had no policies or procedures in place governing the screening process to avoid investments in these industries, relied on third-party data purchased from vendors to execute investments. The third-party data, however, failed to prevent WisdomTree’s ESG-marketed ETFs from investing in companies that its prospectuses prohibited, including coal mining and transportation, natural gas and tobacco.
WisdomTree agreed to a cease-and-desist order and censure along with a $4 million civil penalty. The order is significant in that it continues to represent the SEC’s focus on “greenwashing”. Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement, noted that “[w]hen investment advisers represent that they will follow particular investment criteria, whether that is investing in, or refraining from investing in, companies involved in certain activities, they have to adhere to that criteria and appropriately disclose any limitations or exceptions to such criteria.”
For more information, see the SEC’s press release.
Equity Finance Trends & Developments – 2024 Year in Review
The following summary is an excerpt of a publication from Debevoise’s Capital Markets practice on equity finance trends and developments in 2024. Please see the link here for the full publication.
In the past few years, both traditional and alternative capital-raising tools have seen substantial declines in activity due to various macroeconomic and political factors. However, 2024 appears to be a turning point for many of these markets. Although the IPO market remains lukewarm, equity capital markets have experienced their strongest year since the peak in 2021, with follow-on market activity approaching 2021 levels and the IPO market likely to recover in 2025. Similarly, PIPEs and convertible bonds, which offer alternative sources of capital, appear poised to continue their uptick in activity for the rest of 2024 and beyond, after a slowdown in recent years.
Although challenges and sources of uncertainty remain (most significantly the incoming administration), continued economic recovery and growth and the US Federal Reserve’s interest rate cut and further potential interest rate cuts are expected to provide tailwinds for an active equity capital market as we enter 2025.
2025 SEC Division of Examinations Priorities
On October 21, 2024, the SEC’s Division of Examinations (the “Division”) released its 2025 examination priorities, which provide insight into the products, practices and services that the Division views as presenting heightened risk to investors or capital markets and on which it will focus in future examinations. While subject to significant change based on the incoming administration, the Division’s current stated priorities include, among others, a focus on private fund advisers, integration of artificial intelligence, and risk areas impacting various market participants. In particular:
- Investment Advisers: The SEC remains focused on investment advisers’ adherence to fiduciary duties and compliance program effectiveness, including advisers to private funds. The focus on fiduciary duties emphasizes advice provided regarding high-cost products, unconventional instruments and illiquid and difficult-to-value assets. The priorities also add a focus on calculations of private fees and expenses and compliance programs, particularly as it relates to the use of advisers integrating artificial intelligence.
- Investment Companies: Investment companies can expect the SEC to focus on fund fees and expenses, oversight of affiliated and third-party service providers, portfolio management practices and disclosures, issues associated with market volatility, registered investment companies’ exposure to commercial real estate and compliance with new and amended rules.
- Broker-Dealers: The SEC will continue to monitor broker-dealers on their Regulation Best Interest practices and, relatedly, the content of the Form CRS. Products that are complex, illiquid or high risk, such as crypto assets, structured products or alternative investments, will continue to receive increased focus. The 2025 priorities highlight two new areas of review: timeliness of financial notifications and other required filings, and supervision of third-party or vendor-provided services that contribute to the records firms have used to prepare financial reporting information.
- Self-Regulatory Organizations and Clearing Agencies: The 2025 priorities reiterate nearly verbatim those outlined in 2024, including a focus on exchange governance, regulatory programs and participation in National Market Systems Plans in the examinations of national securities exchanges.
- Anti-Money Laundering: The SEC remains focused on the same AML priorities from 2024. The SEC will assess whether broker-dealers and registered investment companies are appropriately tailoring their AML programs to their business models and AML risks, conducting independent testing, establishing an adequate customer identification program and meeting their Suspicious Activity Reports filing obligations. While not specifically mentioned in the 2025 priorities, market participants should bear in mind FinCEN’s new AML rule for investment advisors.
- Other Market Participants: In addition to the market participants described above, the 2025 priorities include areas of focus for municipal advisors, transfer agents, security-based swap dealers, security-based swap execution facilities and funding portals. Risk areas impacting various market participants include cybersecurity, Regulations S-ID and S-P, the shortening of the standard settlement cycle, AI and emerging financial technologies and crypto assets.
For more information, see the 2025 examination priorities and Debevoise Insights.
SEC Rule-Making Agenda
The SEC’s Spring 2024 Regulatory Agenda was posted earlier this year, and a summary of these key rule changes is included below. On October 17, 2024, the SEC approved the publication of an agenda of its rulemaking actions for publication in Fall 2024, which was expected to be released by January 2025. However, we expect the SEC’s regulatory agenda and timing to be impacted by the incoming administration’s personnel and priorities. For more information, see the full regulatory agenda here.
| Title | Stage of Rulemaking | Expected Release Date |
| --- | --- | --- |
| Human Capital Management Disclosure | Proposed Rule Stage | October 2024 |
| Financial Data Transparency Act Joint Rulemaking | Proposed Rule Stage | October 2025 |
| Incentive-Based Compensation Arrangements | Proposed Rule Stage | April 2025 |
| Corporate Board Diversity | | |
| Rule 144 Holding Period | | |
| Regulation D and Form D Improvements | | |
| Revisions to Definition of Securities Held of Record | | |
| Enhanced Disclosures by Certain Investment Advisers and Investment Companies about Environmental, Social, and Governance Investment Practices | Final Rule Stage | October 2024 |
| Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies | | |
| Electronic Submission of Certain Materials Under the Securities Exchange Act of 1934; Amendments Regarding FOCUS Report | | |
| Amendments to Exchange Act Rule 3b-16 re Definition of “Exchange”; Regulation ATS and Regulation SCI for ATSs That Trade U.S. Government Securities, NMS Stocks and Other Securities | | |
| Cybersecurity Risk Management Rules for Broker-Dealers, Clearing Agencies, MSBSPs, the MSRB, National Securities Associations, National Securities Exchanges, SBSDRs, SBS Dealers, and Transfer Agents | | |
| Covered Clearing Agency Resiliency and Recovery and Wind-Down Plans | | |
| Rule 14a-8 Amendments | Final Rule Stage | April 2025 |
This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.