On October 30, 2023, the Securities and Exchange Commission filed claims against a software company (the “Company”) and its Chief Information Security Officer for alleged fraud and internal control failures relating to known cybersecurity risks and vulnerabilities.  SEC v. SolarWinds Corp., et al., No. 23-cv-9518 (S.D.N.Y. Oct. 30, 2023).  The SEC’s complaint alleges that the Company made misleading omissions, in connection with its disclosure in December 2020, that it had suffered a cyberattack that compromised its customers’ information.

On March 15, 2023, the Department of Justice (“DOJ”) announced that Michigan-based bank Sterling Bancorp, Inc. (“Sterling”) agreed to plead guilty to securities fraud for allegedly filing false statements relating to its 2017 initial public offering (“IPO”) and 2018 and 2019 annual financial reports. As part of its guilty plea, Sterling agreed to pay fines totaling $69 million, including $27.2 million in restitution to non-insider stockholders.

On January 17, 2023, Assistant Attorney General Kenneth A. Polite delivered remarks announcing revisions to the Department of Justice (“DOJ”) Criminal Division’s Corporate Enforcement Policy (“CEP”) at Georgetown Law Center.  The revisions aim to encourage additional companies to voluntarily self-disclose potential criminal conduct they may uncover by setting more granular incentives that will be provided to companies in such circumstances.  While there is still substantial subjectivity embedded in the revised policy regarding when and how such incentives will be made available to companies, the revisions will put added pressure on companies to make self-disclosures in certain circumstances.

On September 15, 2022, Deputy Attorney General Lisa O. Monaco delivered remarks on the Department of Justice’s corporate prosecution priorities at New York University, at the invitation of the University’s Project on Corporate Compliance and Enforcement.  While many of her comments were simply a reiteration of existing priorities, some were potentially meaningful changes.  Indeed, by clarifying certain points and strengthening others, Monaco emphasized the “carrot and stick” approach to signal loud and clear that the DOJ remains as focused as ever on pursuing corporate crime.  She unambiguously encouraged corporations both to self-report potential criminal activity and cooperate in the investigation of culpable individuals, indicating that failure to do so could lead to severe consequences.  At the same time, as has long been the case, the policies leave somewhat subjective the true nature of any “carrot” and any “stick” that would apply in any given case, making the decision of how corporations should deal with potential criminal conduct one of the most challenging decisions corporations can face.

On June 23, 2022, FINRA’s Department of Enforcement announced a settlement in which a broker-dealer agreed to pay $3.6 million in fines, $4.77 million in disgorgement, and partial restitution of over $625,000 to resolve the broker-dealer’s alleged misconduct under the Exchange Act and NASD and FINRA Rules in connection with three IPOs and seven follow-on offerings between June 2016 and December 2018 for which the broker-dealer acted as underwriter, as well as for other supervisory and operational violations.

On May 18, 2022, a divided panel of the U.S. Court of Appeals for the Fifth Circuit issued a significant decision in George Jarkesy and Patriot28 LLC v. SEC, ruling that the use of administrative proceedings by the Securities and Exchange Commission (“SEC”) was unconstitutional because, among other reasons, the Court found that Congress impermissibly delegated the decision of whether to bring enforcement actions as administrative proceedings or district court actions without providing adequate guidance to the SEC.  The decision is limited to the Fifth Circuit and will undoubtedly be appealed, but it raises significant questions about the use of administrative proceedings even beyond the SEC.

On Tuesday, April 12, the U.S. Securities and Exchange Commission (SEC) fined David Hansen, the former Chief Information Officer of NS8, Inc., a Las Vegas-based fraud detection and prevention software firm, approximately $100,000 for interfering with an employee’s ability to communicate with the SEC in violation of Rule 21F-17(a).  The SEC alleged that Hansen violated the rule by restricting the employee’s access to NS8’s IT systems and monitoring his use of corporate computer systems following the employee providing a tip to the SEC about NS8’s corporate practices.  In dissent, SEC Commissioner Hester Peirce said that the application of Rule 21F-17(a) was inappropriate in this case, arguing that restricting the tipster’s access to IT systems and monitoring their use did not impede their ability to communicate with the SEC and was a reasonable step in preventing unauthorized disclosure of NS8’s data to private parties and the media.

On March 17, 2022, FINRA issued a notice to member firms about Rule 3110 as it pertains to the potential liability of Chief Compliance Officers (CCOs) for failure to discharge designated supervisory responsibilities.  (Regulatory Notice 22-10, “the Notice”).  The Notice provides welcome guidance, clarifying when CCOs will, and will not, be held liable for supervisory violations and explicitly acknowledging that CCOs are generally not responsible for all supervisory activity within member firms.

On January 14, 2022, Judge William Orrick of the United States District Court for the Northern District of California issued an order denying a former biopharmaceutical company executive’s motion to dismiss and allowing the Securities and Exchange Commission (“SEC”) to proceed with a first-of-its-kind insider trading action against a corporate insider for misappropriating confidential nonpublic information related to his employer’s upcoming merger to purchase securities issued by a third company that was not involved in the transaction.

On September 17, 2021, the Securities and Exchange Commission (“SEC”) vacated $1.6 million in fines and penalties that the Financial Industry Regulatory Authority (“FINRA”) had previously levied against Scottsdale Capital Advisors Corp. (“Firm”) and three of its officers (“Applicants,” collectively).  In 2015, FINRA alleged that the Firm failed to maintain appropriate internal controls and executed sales of unregistered microcap securities for its foreign financial institution customers.  The next year, following a disciplinary hearing, FINRA imposed a $1.5 million fine on the Firm, a lifetime bar on one of the Firm’s officers, and a $50,000 fine and a two-year suspension on the two remaining Firm officers.  In reviewing FINRA’s findings on appeal by the Applicants, the SEC overturned the sanctions after determining that FINRA’s National Adjudicatory Council (“NAC”) applied incorrect legal standards, failed to adequately explain the basis of its conclusions, and conflated applicable regulations in its case against the Firm.

On August 17, 2021, the Securities and Exchange Commission (“SEC”) charged a former executive of California-based biopharmaceutical company Medivation Inc. with violating § 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 for allegedly relying upon inside information he obtained through the course of his employment at Medivation to purchase stock of a different company, Incyte Corp., a practice that some academics have dubbed “shadow trading.”  According to the SEC’s complaint—filed in the United States District Court for the Northern District of California—Matthew Panuwat, the then-head of business development at Medivation, purchased short-term, out-of-the money stock options in Incyte Corp., a biopharmaceutical company similar to Medivation, immediately after learning that Medivation would soon announce its upcoming acquisition by Pfizer.  The SEC claims that Panuwat knew that investment bankers engaged by Medivation had cited Incyte as a comparable company in their valuation analysis and that the announcement of Medivation’s sale to Pfizer would likely cause Incyte’s stock price to increase.  This is one of the SEC’s first enforcement actions based on this novel theory, and Panuwat may be expected to vigorously contest not only the facts but the legal underpinnings of the SEC’s complaint.