Though many, if not most, of the measures implemented to address the COVID pandemic have since been rolled back, the transition from fully in-person to remote and hybrid work environments appears to be here to stay. While these arrangements provide employees with additional convenience and flexibility, they also come with risks for companies that are subject to the recordkeeping provisions of federal securities laws and whose employees encounter material nonpublic information ("MNPI") in the course of their work. Over the past few years, the U.S. Securities and Exchange Commission ("SEC") has been increasingly aggressive in bringing charges for violations of federal securities laws resulting, at least in part, from the risks associated with remote work environments.
From the beginning of the pandemic, the SEC warned about potential risks to market integrity posed by the transition to remote work.1 For example, in March 2020, the SEC issued a statement urging companies to be mindful of market integrity and confidentiality obligations.2 Given the unprecedented times, the SEC warned that remote work posed increased risks for insider trading and may lead a greater number of people to have access to MNPI than in normal times. It further cautioned that the MNPI "may hold an even greater value than under normal circumstances."3 In the years since, the SEC's concerns have materialized in a string of enforcement actions against individuals who gained access to MNPI as a result of the pandemic and misappropriated that information in pursuit of profit.
Remote Work Environments Risks: MNPI
Remote work environments pose unique risks with regard to the confidentiality of MNPI. Housemates often work in close proximity, overhear each other's work-related phone calls, and are within reach of each other's laptops or printers. As the definition of MNPI continues to expand, more individuals are exposed to more MNPI than they would have been in the pre-pandemic work environment, which means the opportunities for that information to be misappropriated have multiplied. Two high-profile cases within the last year indicate that the SEC is keenly aware of the increased risk and intent on bringing charges when misappropriation does occur.
In June 2023, the SEC filed charges against Steven Teixeira and his friend Jordan Meadow, a broker-dealer, for insider trading.4 Teixeira was in a romantic relationship with an executive assistant at an investment bank. Allegedly, while the executive assistant was working remotely due to the pandemic, Teixeira obtained MNPI from her laptop about possible upcoming mergers and acquisitions. Teixeira then allegedly used that MNPI to buy call options on certain companies prior to the public announcements of the deals, and he shared the MNPI with Meadow, who began to trade on it as well. Teixeira allegedly made just under $30,000 from the scheme, but Meadow allegedly made over $700,000 by recommending the trades to his customers and receiving commissions.
Earlier this year, in a similar case, the SEC brought insider trading charges against Tyler Loudon in connection with his alleged misappropriation of MNPI about an upcoming acquisition by BP p.l.c.5 Loudon's wife, a manager of mergers and acquisitions at BP, worked on the company's planned acquisition of TravelCenters of America Inc. ("TA"). The SEC alleges that Loudon overheard his wife's phone calls about the planned deal and then, unbeknownst to his wife, used that information to purchase shares of TA's stock before the public announcement of the merger. The alleged scheme resulted in $1.76 million in illegal trading profits for Loudon.
Remote Work Environments Risks: Off-Channel Communications
The SEC has also cracked down on another byproduct of remote work: the use of off-channel communications in violation of federal securities laws' recordkeeping provisions. The past year has seen a wave of enforcement actions against broker-dealers and investment advisers that failed to prevent or preserve work-related, off-channel communications by their employees.
A slew of high-profile cases and settlements began last May, when two broker-dealers paid a total of over $22 million to settle charges that they had violated those recordkeeping provisions.6 The firms admitted that their employees often used personal devices and messaging apps, such as WhatsApp, to communicate about business matters, such that neither firm was preserving most of the communications. Then, in August, the SEC announced a $289 million settlement with 10 broker-dealers for failing to preserve off-channel communications by employees using their personal devices.7 In February 2024, yet another slew of broker-dealers and investment advisers were charged over their employees' use of personal devices, racking up another combined $81 million in civil penalties in order to settle the charges against them.8
Finally, earlier this month, one more settlement was announced: investment adviser Senvest Management LLC paid a $6.5 million penalty for violations of the Investment Advisers Act of 1940 resulting from employees' use of personal devices and messaging platforms.9 In addition to the dollar figure, Senvest agreed to cease and desist from further violations and engage a compliance consultant to review its policies regarding communications found on personal devices.
Conclusions and Risk Mitigation Guidance
As set forth above, in its early pandemic guidance, the SEC warned that telework may pose increased risks to market integrity and the Commission forecasted its intent to vigilantly enforce federal securities laws in an effort to protect market integrity.10 In the past few years, the SEC has demonstrated its commitment to those issues via its aggressive enforcement of insider trading and recordkeeping laws. Entities should heed the SEC's urging to "be mindful of their established disclosure controls and procedures, insider trading prohibitions, codes of ethics, and Regulation FD and selective disclosure prohibitions."
Broker-dealers and investment advisers should be especially vigilant about compliance risks. In August 2020, the SEC's Office of Compliance Inspections and Examinations ("OCIE") published a risk alert about pandemic-related considerations specifically for those types of entities. The alert outlines certain categories of risk mitigation recommendations, including suggestions for the "supervision of personnel" and the "protection of investor and other sensitive information."11 To ensure the proper supervision of firm personnel, OCIE encouraged firms to modify their policies, procedures, and practices to address:
- The potential lack of oversight from supervisors when employees work remotely;
- The potential that communications will occur between employees using personal devices from remote locations, rather than using the systems of the firm; and
- Reviews of remote trading, particularly with regard to "high volume investments."
To ensure the protection of sensitive information, OCIE recommended that firms devote attention to the specific vulnerabilities—cybersecurity-related and otherwise—created by remote work. The Commission encouraged firms to:
- Enhance the security of their systems, including "identity protection practices" and the use of multifactor authentication;
- Provide additional cybersecurity training regarding, among other things, phishing, password-protection, and cyberattacks; and
- Encrypt data and communications stored on both firm-owned and personal devices.
In light of this guidance, and the wave of enforcement actions that have occurred since, entities should prioritize mitigating the risks surrounding MNPI and off-channel communications. That means reviewing and regularly assessing their policies, procedures, and compliance trainings to ensure that they reflect the Commission's recommendations, regularly consider how MNPI is defined in light of the information their employees have access to, and sufficiently address the unique risks posed by now seemingly permanent remote work environments.
Footnotes
1 Stephanie Avakian and Steven Peikin, "Statement Regarding Market Integrity," SEC (Mar. 23, 2020), https://www.sec.gov/news/public-statement/statement-enforcement-co-directors-market-integrity.
2 Id.
3 Id.
4 "Jordan Meadow and Steven Teixeira," SEC (June 30, 2023), https://www.sec.gov/litigation/litreleases/lr-25765.
5 "SEC Charges Husband of Energy Company Manager with Insider Trading," SEC (Feb. 22, 2024), https://www.sec.gov/news/press-release/2024-24 (last visited Apr. 10, 2024).
6 "SEC Charges [Two Broker-Dealers] with Widespread Recordkeeping Failures," SEC (May 11, 2023), https://www.sec.gov/news/press-release/2023-91.
7 "SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures," SEC (Aug. 8, 2023), https://www.sec.gov/news/press-release/2023-149.
8 "Sixteen Firms to Pay More Than $81 Million Combined to Settle Charges for Widespread Recordkeeping Failures," SEC (Feb. 9, 2024), https://www.sec.gov/news/press-release/2024-18.
9 "SEC Charges Advisory Firm Senvest Management with Recordkeeping and Other Failures," SEC (Apr. 3, 2024), https://www.sec.gov/news/press-release/2024-44.
10 Stephanie Avakian and Steven Peikin, "Statement Regarding Market Integrity," SEC (Mar. 23, 2020), https://www.sec.gov/news/public-statement/statement-enforcement-co-directors-market-integrity.
11 "Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers," SEC Off. Compliance Inspections and Examination (Aug. 12, 2020), https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf.