United States: Early SEC Enforcement Trends From Chairman Gary Gensler's First 100 Days

Gary Gensler was sworn in as chair of the Securities and Exchange Commission on April 17, 2021. Chairman Gensler has promised to strengthen transparency and accountability in the financial markets. Under Chairman Gensler, we expect the SEC's Division of Enforcement - led by Gurbir Grewal, who began work at the agency on July 26 - to be better resourced, highly active and more aggressive. In this blog post, we review enforcement activity from the first 100 days of Chairman Gensler's term to identify preliminary indications of trends we can expect as the new regime's enforcement initiatives gain steam.

Enforcement scrutiny of SPACs

Over the past year, US securities markets have experienced an exponential rise in the use of special purpose acquisition companies (SPACs) as an alternative to traditional initial public offerings and direct listings. SEC staff members have published a stream of investor alerts, bulletins and other warnings, which are summarized here, about potential disclosure issues surrounding SPACs. Although the number of SPAC registrants has recently slowed, Chairman Gensler and SEC staff have continued to voice concerns about the SPAC boom.

During his congressional testimony in May 2021, for example, Chairman Gensler stated that the surge of SPACs raises several questions: "First and foremost, are SPAC investors being appropriately protected? Are retail investors getting the appropriate and accurate information they need at each stage - the first blank-check IPO stage and the second target IPO stage?" Chairman Gensler also expressed concern that the interests of SPAC sponsors, advisers and private investment in public equity (PIPE) investors may not be completely aligned with the interests of other investors. Chairman Gensler reported that the SEC is considering additional rules and guidance, and that multiple SEC divisions are closely monitoring SPACs to ensure the protection of investors.

There was little doubt that the Enforcement Division would also be focused on SPACs. On July 13, 2021, the SEC announced settled charges against a SPAC named Stable Road Acquisition Company, the SPAC's CEO, and its proposed merger target Momentus Inc., an early-stage space transportation company, as well as litigated charges against Momentus's CEO. The SEC alleged that Momentus and its CEO violated federal antifraud provisions by, among other things, falsely claiming that its propulsion system had been "successfully tested" in space. The SEC brought non-scienter claims against Stable Road and its CEO, alleging that Stable Road repeated the target's misleading statements in public filings and failed to conduct adequate due diligence on the company. In a press release announcing the charges, Chairman Gensler pointedly observed: "The fact that Momentus lied to Stable Road does not absolve Stable Road of its failure to undertake adequate due diligence to protect shareholders." 

Momentus, Stable Road and Stable Road's CEO agreed to pay civil penalties of $7 million, $1 million, and $40,000, respectively. Momentus and Stable Road also agreed to provide PIPE investors with the right to terminate their subscription agreements prior to the shareholder vote to approve the merger, while Momentus agreed to create an independent board committee and to retain an independent compliance consultant to review the company's ethics and compliance programs.

The Momentus action makes clear that, as expected, the SEC will be taking an aggressive approach to enforcement in the SPAC arena, with a focus not only on individuals and entities that mislead investors but also on those that it claims were negligent in failing to conduct adequate due diligence to ensure that statements appearing in public filings are accurate and not misleading. The speed with which the SEC brought this action is particularly noteworthy - the registration statement and amendments at issue were filed in late 2020 and March 2021, signaling a rapid investigation. And the fact that Chairman Gensler took the unusual step of commenting on these actions in the SEC's press release reflects a clear intent to send a strong public message.

Highly active whistleblower program

Chairman Gensler has also emphasized his support for strengthening the SEC's whistleblower program, pledging in written responses to questions by US Sen. Chuck Grassley that he is committed to reducing "processing times in SEC whistleblower award determinations" and agreeing "that awards should be granted in a timely manner, as whistleblowers often have to incur significant expenses and withstand significant uncertainty and distress when waiting for the SEC's determination." Recent trends indicate that he intends to follow through on these promises.

In fiscal year 2020, the SEC authorized whistleblower awards of roughly $175 million to 39 individuals - three times the number of individuals receiving awards as in the next-highest fiscal years. The pace and amount of SEC whistleblower awards have continued to increase at a rapid rate in Chairman Gensler's first 100 days. Since issuing its first award under Chairman Gensler on April 23, 2021, the SEC issued awards to 35 individuals, totaling approximately $130 million.¹ These awards represent approximately 13% of the total awarded to all whistleblowers since the program's inception in 2011, and more than 160% of the total awarded over the same time period in 2020.

On June 2, 2021, the SEC awarded approximately $23 million to two whistleblowers whose assistance led to successful SEC and related actions. One of the whistleblowers filed the application for the award 18 days after the 90-day deadline, typically a fatal procedural defect. Nevertheless, the SEC invoked its rarely used discretionary authority under Section 36(a) of the Exchange Act to waive the procedural defect and grant the whistleblower award. In doing so, the SEC noted that "[s]trict application of the deadline would result in undue hardship to [the claimant], particularly in light of [the claimant's] significant contributions to the successful enforcement of the Covered Action and certain unique obstacles faced by" the whistleblower. Given that the waiver of the deadline has been denied in the past, this decision to invoke its discretionary authority demonstrates the value that the SEC's current leadership places on whistleblower tips they deem meritorious.

Recent whistleblower awards also suggest that the SEC intends to interpret provisions of the federal securities laws in a manner designed to encourage whistleblowers to come forward. On May 19, 2021, the SEC announced an award of $28 million, one of largest ever issued under the program, even though the SEC determined there was "not a strong nexus between the Claimant's information" and the underlying charges. In the final order, the SEC noted that although the "charges involved misconduct in geographical regions that were not the subject of the Claimant's information," an award would nonetheless be granted that "appropriately recognizes Claimant's level of contribution to the Covered Action and Related Action."

The pace of recent activity suggests that the SEC may soon surpass total whistleblower awards of $1 billion since issuing its first award in 2012. Moreover, the SEC's recent decision not to require compliance with the application deadline signals the SEC's emphasis on encouraging others to take advantage of the whistleblower program by reporting potential violations of the federal securities laws. In light of the increased activity of the SEC's whistleblower program, companies should maintain robust compliance programs to identify and address potential issues proactively and through appropriate internal processes.

Continued focus on cybersecurity disclosures

The SEC has been scrutinizing public company disclosures surrounding cybersecurity risks for several years. In 2017, former Chairman Jay Clayton created a dedicated Cyber Unit within the Enforcement Division. This unit was responsible for the investigation that led to 2018 charges against Yahoo for allegedly misleading investors by failing to disclose a large data breach. And, in 2018, the SEC issued a public statement and new interpretive guidance on public company cybersecurity disclosures. Yet, despite the SEC's professed focus on the space, charges against public companies for alleged cybersecurity disclosure failures have been rare. Indeed, past enforcement leadership was careful to message that the agency would not second-guess "good faith exercises of judgment about cyber-incident disclosure."

In June 2021, however, the SEC announced settled charges against title insurer First American Financial Corporation arising out of the company's disclosures regarding past cybersecurity incidents. According to the SEC, First American publicly disclosed in a June 2019 press statement and Form 8-K a cybersecurity vulnerability that had exposed more than 800 million images from title and escrow documents dating back to 2003, including images containing sensitive personal data such as Social Security numbers and financial information. In the 2019 press statement, First American claimed that it "took immediate action to address the situation and shut down external access to the application."

The SEC found that at the time of the June 2019 disclosures, First American's "information security personnel had been aware of the vulnerability for months and the company's information technology personnel did not remediate it, leaving millions of document images exposed to potential unauthorized access for months." According to the SEC, the senior executives responsible for the company's public disclosures were not informed that information security personnel had flagged the vulnerability months earlier but didn't remedy the issue. The SEC alleged that "[t]hese senior executives thus lacked certain information to fully evaluate the company's cybersecurity responsiveness and the magnitude of the risk from the ... vulnerability at the time they approved the company's disclosures." 

In the SEC's announcement of the matter, Kristina Littman, chief of the Cyber Unit, stated: "Issuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures." First American agreed to an order charging it with failing to maintain adequate cybersecurity disclosure controls and requiring it to pay a $487,616 penalty.

The First American case is notable because it is one of the first instances in which the SEC has brought charges in the absence of an actual data breach or intrusion by a third party. The focus was solely on whether the issuer's policies, procedures and controls were adequate to ensure that senior management is made aware of significant cybersecurity vulnerabilities and incidents so that they can assess their materiality and disclosure implications.

In addition, in mid-June 2021, the SEC requested information from what appears to have been hundreds of public companies that it had reason to believe had been affected by the SolarWinds cyberattack. The SEC requested that these companies voluntarily provide information about when they learned they might have been affected, what if any impact it had had, and what, if anything, they had done to remediate the matter. In return, the SEC indicated it would not take enforcement action on those who voluntarily provided the requested information. To get the benefits of this offer, however, companies also had to disclose information about other cyber incidents (e.g., hacks, data breaches or ransomware attacks) since October 1, 2019, where third parties gained unauthorized access for more than 24 hours, regardless of materiality. With respect to this information about other compromises, the SEC said it would not promise no enforcement action but would instead evaluate each incident on a case-by-case basis.

The SEC's request was notable for several reasons. It was signed by Melissa Hodgman, then acting director of the Division of Enforcement. Given that such requests typically come from line-level staff attorneys, and directors rarely if ever make such requests themselves, the SEC was clearly signaling the importance of this inquiry and the heightened importance of cyber investigations more generally. The breadth and scope of the request - sent to hundreds of public companies and requesting information about not only SolarWinds but also other incidents - was no doubt calculated to send a message to public companies as to the seriousness of the SEC's focus on cybersecurity disclosures. Even though the majority of companies that received these requests are unlikely to have had incidents that should have been disclosed, the SEC's actions have caused public companies to scrutinize their policies, procedures, and controls with respect to cyber incidents, their remediation and their disclosure. Indeed, with this voluntary request, the SEC has likely had more of an impact on the conduct of public companies than it could have with any single enforcement action.

Renewed emphasis on insider trading and Rule 10b5-1

Although insider trading has always been an Enforcement Division priority, the early days of Chairman Gensler's term suggest a renewed focus on insider trading violations. In recent months, the SEC has brought multiple cases highlighting the agency's ability to police difficult-to-detect insider trading schemes. For example, in June 2021, the SEC filed a case against a six-person Silicon Valley insider trading ring, and in July, it announced an enforcement action against a Greek national for selling insider trading tips on the dark web. In announcing the actions, the SEC emphasized the "sophisticated data analysis" employed by the SEC's Market Abuse Unit and its commitment "to target misconduct wherever it occurs and regardless of perpetrators' efforts to hide their tracks." We expect the Enforcement Division to continue to devote considerable resources to insider trading investigations under Chairman Gensler's leadership. 

Relatedly, in sweeps and various other investigations, the SEC has been requesting information focused on Rule 10b5-1 trading plans, including their implementation and execution. Since taking the helm, Chairman Gensler also has expressed concern about potential abuses of Rule 10b5-1 trading plans. Rule 10b5-1 was adopted by the SEC in 2000 to create an affirmative defense for companies and insiders who transact in company stock pursuant to a preestablished trading plan. The SEC's updated rulemaking agenda suggests that the staff may soon recommend amendments to the rule.

Chairman Gensler has highlighted five potential gaps in the coverage of Rule 10b5-1:

1. He has suggested that it may be appropriate to impose a mandatory multi-month delay between adoption of a plan and the first trade to mitigate the potential for misuse of material nonpublic information
2. He has asked the staff to consider limitations on when and how plans may be canceled
3. He has asked staff to consider requiring that companies, directors and officers disclose the adoption and terms of their plans
4. He has expressed concern that there is currently no limit on companies or insiders adopting multiple 10b5-1 plans or choosing among multiple plans one that is most favorable for a particular transaction
5. He has requested that staff consider amendments to address the relationship between 10b5-1 plans and corporate stock buybacks

The coming months will demonstrate whether the SEC truly intends to make sweeping amendments to Rule 10b5-1. In the meantime, companies should reevaluate their 10b5-1 policies. Companies that have already adopted some of these best practices, such as prohibiting cancelation of plans, adopting a plan during an issuer's open trading window (usually shortly after announcing quarterly or annual results) and disclosing use of such plans in a company's public filings, will be best positioned to adapt to future amendments to the rule and to avoid unwanted Division of Enforcement scrutiny.

ESG Task Force

Chairman Gensler's SEC also appears poised to bring enforcement actions against companies that fail adequately to disclose environment, social and governance (ESG) risks. On March 4, 2021, the SEC announced the creation of a Climate and ESG Task Force within the Division of Enforcement. According to the SEC, the task force, consisting of 22 members drawn from throughout the Enforcement Division, will use "sophisticated data analysis" and focus initially on identifying material gaps or misstatements in issuers' disclosures regarding climate risks. The task force will also analyze disclosure and compliance issues surrounding ESG strategies employed by investment advisers.

Since the creation of the task force, Chairman Gensler has reemphasized the SEC's focus on ESG disclosures. In a statement on June 23, 2021, he announced that the SEC may adopt proposed rules to require enhanced ESG disclosures in areas including human capital management, diversity and climate change. In keeping with the agencywide focus on ESG disclosures, the Division of Examinations recently announced that an "Enhanced Focus on Climate-Related Risks" will be a key priority for 2021 exams of SEC registrants; these exams may in turn yield referrals to the Enforcement Division.

As Commissioner Hester Peirce has observed, the SEC has always pursued violations of its antifraud provisions, and the ESG task force's enforcement actions will presumably "not be based on any new standard." But with dedicated staff focused on scrutinizing potentially false or misleading ESG-related statements, the task force is sure to bring enforcement actions in this space. Public companies and registered entities should carefully consider their unique ESG and climate risk profile and the adequacy of existing disclosures to investors.

Conclusion

The SEC's fiscal year ends on September 30, 2021. Typically, as the fiscal year end approaches, the SEC brings enforcement actions at an increased rate. The last months of the fiscal year also often include particularly significant and impactful cases. As the year progresses, we will continue to monitor emerging enforcement trends under Chairman Gensler and Director Grewal.

Footnote

1. Compare Press Release, SEC Awards Over $50 Million to Joint Whistleblowers, Release No. 2021-62 (Apr. 15, 2021) (noting approximately $812 million awarded to 151 individuals since 2012), available at https://www.sec.gov/news/press-release/2021-62, with Press Release, SEC Awards Nearly $3 Million to Whistleblower, Release No. 2021-134 (Jul. 21, 2021) (noting approximately $942 million awarded to 186 individuals since 2012), available at https://www.sec.gov/news/press-release/2021-134.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.