In order to provide an overview for busy in-house counsel and compliance professionals, we summarize below some of the most important SEC enforcement developments from the past month, with links to primary resources. This month's installment features:

  • An undisclosed CEO perks settlement based, in part, on a related-party transaction;
  • A settled cyber enforcement action based on a ransomware attack;
  • An allegedly fraudulent digital asset offering touted by well-known celebrities;
  • A settlement in SEC v. Vale S.A., an ESG disclosure case; and
  • A revenue recognition case involving inflated estimates at completion or EACs.

1. Greenbrier and Former CEO Agree to Pay $1.1 Million for Failing to Disclose Perks and Payments

On March 2, 2023, the SEC brought a settled action against the Greenbrier Companies Inc. ("Greenbrier"), an Oregon-based freight transportation supply company, and its founder and former CEO, William A. Furman ("Furman"), for failure to disclose in the company's proxy statements perks provided to Furman and other Greenbrier executives. The SEC's settled order charged that Greenbrier and Furman were negligent under Section 17(a)(2) and (3) of the Securities Act of 1933; that Greenbrier committed reporting, books and records, and internal controls violations; and that Furman caused Greenbrier's reporting, books and records, and internal controls violations. Without admitting or denying the SECs allegations, Greenbrier and its former CEO agreed to pay a $1 million and a $100,000 civil fine, respectively, in addition to other relief. The settlement did not include an officer and director bar.

As with other SEC enforcement actions focused on undisclosed perks, this one also involved a jet, but with a related-party transaction twist. Furman owned a private plane, which he leased to a management company to charter flights for third parties. During the fiscal years of 2017 to 2021, Greenbrier paid nearly $3 million to charter Furman's plane but failed to disclose that Furman received around $1.6 million of that amount. The SEC also focused on undisclosed perks amounting to $320,000 provided to other Greenbrier executives, mostly in the form of travel-related expenses for executives' spouses. Greenbrier did not disclose these perks and payments in its 2017 to 2020 proxy statements. Item 402 of Regulation S-K requires registrants to disclose the total value of all perquisites and other personal benefits provided to named executives who receive at least $10,000 worth of such items in a given year.

The SEC noted its consideration of Greenbrier's remedial acts in accepting its offer of settlement. Specifically, the order noted that Greenbrier "(i) developed new internal controls over perquisite and other proxy disclosures, expense reporting, and travel and (ii) trained NEOs and employees on expense report completion and the D&O Questionnaire."

#PerksAndPayments #FlyAndDisclose #CivilPenaltiesForNonDisclosure

2. SEC Settles Charges Against Blackbaud Inc. over Cyber Incident Disclosures

On March 9, 2023, the SEC brought its first cyber incident disclosure-related enforcement action since the summer of 2021 against Blackbaud Inc. ("Blackbaud"), a South Carolina-based cloud-computing company. In a settled action, Blackbaud agreed, on a neither admit nor deny basis, to pay $3 million in civil penalties in connection with allegedly misleading disclosures about a 2020 ransomware attack that affected over 13,000 customers.

Blackbaud provides donor data management software to nonprofit organizations and, accordingly, had access to sensitive customer data, including financial account information and Social Security numbers. In May 2020, Blackbaud's IT personnel discovered a ransomware attack and concluded that it may have been ongoing for several months. On July 16, 2020, Blackbaud determined that at least one million customer files were exfiltrated, affecting around one-quarter of its customers, but did not analyze the content of the files. Blackbaud then announced the incident on its website but stated that the attacker did not access bank account information or Social Security numbers. By the end of July 2020, both IT and customer relations personnel learned that the attackers accessed sensitive information, including bank account and Social Security numbers, but failed to escalate this to senior management responsible for public disclosures. The SEC alleged that Blackbaud then filed a misleading 10-Q in August 2020 that omitted this information. It was later disclosed in a September 2020 8-K, in which Blackbaud disclosed for the first time that "the cybercriminal may have accessed some unencrypted fields intended for bank information, social security numbers, usernames and/or passwords."

The SEC's order brought settled negligence, disclosure, and internal controls charges, alleging that Blackbaud violated Sections 17(a)(2) and (3) of the Securities Act, Section 13(a) of the Securities Exchange Act of 1934, and Rules 13a-13 and 13a-15(a) thereunder. As with other SEC cyber incident actions, the SEC remains focused on whether information regarding the incident was escalated for a prompt materiality assessment.

#CyberIncidentEscalationMatters #RansomewareAttack #CommunicationBreakdown

3. SEC Files Charges Against a Crypto Entrepreneur for an Alleged Unregistered Securities Offering and Market Manipulation, and Against Celebrities for Touting

On March 22, 2023, the SEC filed an enforcement action in the U.S. District Court for the Southern District of New York against crypto asset entrepreneur Justin Sun and three of his wholly owned companies for the unregistered offer and sale of crypto asset securities and for market manipulation via wash trading. The SEC's federal court complaint also named two celebrities—singer/songwriter Austin Mahone and DeAndre Cortez Way (a/k/a Soulja Boy)—for touting the securities on Twitter without disclosing their compensation, in violation of Section 17(b) of the Securities Act. On the same day, the SEC filed settled charges, also for touting in violation of Section 17(b), against Lindsay Lohan, Jake Paul, Michele Mason (Kendra Lust), Miles Parks McCollum (Lil Yachty), Shaffer Smith (Ne-Yo), and Aliaune Thiam (Akon).

The SEC's complaint alleges that Sun and his companies offered and sold the securities Tronix (TRX) and BitTorrent (BTT) as investments through multiple unregistered "bounty programs." These programs directed interested parties to promote the tokens on social media, join and recruit others to Telegram and Discord channels, and create BTT accounts in exchange for TRX and BTT distributions. The SEC also alleged that Sun orchestrated a scheme to inflate the apparent trading volume of TRX in the secondary market, directing his employees to engage in more than 600,000 wash trades of TRX between two accounts Sun controlled for almost a year. This resulted in millions of TRX wash trades daily during that time. Sun allegedly sold TRX into the secondary market and generated $31 million from illegal, unregistered offers and sales of TRX. Sun also paid the celebrities to promote the unregistered offerings, but specifically directed them to hide their compensation for doing so. The six celebrities who settled their charges agreed to pay a total of more than $400,000 in disgorgement, interest, and penalties.

In other crypto news, on March 6, 2023, the U.S. District Court for the Southern District of Florida unsealed the SEC's complaint, which had been filed in February 2023 to obtain an asset freeze and other emergency relief against Miami-based investment adviser BKCoin Management LLC and one of its principals, Kevin Kang, for allegedly raising over $100 million from crypto investors, but diverting over $3.6 million of funds raised to make Ponzi-like payments and misappropriating additional funds for personal use. The court granted the emergency relief the SEC requested and has appointed a receiver.

#CryptoEnforcement #CelebrityTouting #DiscloseThatComp

4. Vale S.A., Brazilian Mining Company, Settles Federal Court Action for Allegedly False and Misleading ESG Disclosures

On March 28, 2023, the SEC announced that it entered into a $55.9 million settlement agreement with Vale S.A. ("Vale"), a Brazilian mining company and one of the largest iron ore producers in the world, in connection with allegedly false and misleading disclosures the company made about the safety of its dams prior to the 2019 Brumadinho dam collapse that killed 270 people. The SEC accused Vale in April 2022 with making materially false and misleading claims that the dam was safe before it collapsed and contended that the company knew that Brumadinho did not meet internationally recognized dam safety standards. The disaster killed 270 people and Vale lost more than $4 billion in market capitalization in the following days. The settlement has been approved by Judge LaShann DeArcy Hall of the U.S. District Court for the Eastern District of New York.

According to the SEC's complaint, Vale manipulated multiple dam safety audits and regularly misled local governments, communities, and investors about the safety of the dam through its environmental, social, and governance (ESG) disclosures. The dam's collapse was due to a geophysical phenomenon known as liquefaction, which occurs when a dam's stability is compromised due to saturated dam waste deposits losing strength and stiffness and then a triggering event occurs that causes the dam to fail. The SEC alleged Vale was well aware of the risks of liquefaction, as another dam co-owned by Vale failed for the same reason in 2015. Yet the SEC alleged that, since at least 2016, Vale knowingly concealed findings of dam instability from its own experts and actively engaged in deceptive acts to skirt around regulatory safety requirements, including manipulating multiple dam safety audits and obtaining numerous fraudulent stability certificates. The SEC alleged Vale's dam did not meet internationally recognized safety standards despite Vale's public sustainability reports contending the dam was certified as stable to the government, community, and investors. Although the SEC's complaint included fraud charges, Vale has agreed to a negligence settlement and will pay to the SEC a $25 million civil penalty and disgorgement and pre-judgment interest of $30.9 million, among other relief.

#ESGDisclosuresMatter #DamSafety

5. U.S. Navy Shipbuilder Executives Charged with Accounting Fraud

On March 31, 2023, the SEC filed charges in the U.S. District Court for the District of Alabama accusing three executives—Craig D. Perciavalle, Joseph A. Runkel, and William O. Adams—of Mobile, Alabama-based shipbuilder Austal USA LLC ("Austal USA") with perpetrating a revenue recognition scheme. The Department of Justice filed a parallel criminal action. Austal USA is a wholly owned subsidiary of Austal, Ltd. ("Austal"), an Australian defense contractor to the U.S. Navy. The SEC charged the three executives with violating Section 10(b) of the Exchange Act and Rule 10b-5 thereunder, and with aiding and abetting Austal USA's Section 10(b) and Rule 10b-5 violations.

According to the SEC, the three executives orchestrated a revenue recognition scheme which involved using artificially low estimates at completion (EAC) for ships Austal USA built for the U.S. Navy. The three executives allegedly directed Austal USA personnel responsible for calculating the EACs to "arbitrarily lower" them to meet Austal USA's budgets. Austal USA understated cost estimates for shipbuilding with knowledge that actual costs were rising and higher than planned, which resulted in Austal USA reporting inflated revenue and earnings before interest and tax (EBIT) to Austal. This allegedly caused Austal to publicly report overstated revenue and EBIT in filings that were available to U.S. investors. In addition, the SEC accused the executives of attempting to conceal the fraud by lying to Austal USA auditors.

#USNAVY #AccountingFraud #ArtificialCompliance

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved