Last week the Commission filed eleven new enforcement actions. They focused largely on cybersecurity and false statements.

Be careful, be safe this week.

SEC Enforcement – Filed and Settled Actions

Statistics: This week the Commission filed 5 new civil injunctive actions and 6 new administrative proceedings, excluding tag-along actions and those that present a conflict for the author.

Cybersecurity: In the Matter of Unisys Corporation, Adm. Proc. File No. 3-22272 (October 22, 2024). Respondent is a Delaware corporation based in Blue Bell, Pennsylvania. The firm’s shares are traded on the NYSE. The company’s information technology network and resources regularly store and transmit customer data and information as well as its own. The matter here involved two incidents. First, in December 2020, Unisys identified a computer that was part of its network that had a version of SolarWinds Orion software. The company believed the device had likely been infected with malicious code that allowed for unauthorized activity on affected computers and networks. Unisys also received notifications about, and discovered, compromises of its environment. Those compromises took place over a period of about 16 months beginning in January 2020. The issues and compromises involved at least seven network credentials and 34 cloud-based accounts. At least 33 gigabytes of data had been transferred. Unisys was aware that its investigations involved gaps based on the activity analyzed. The firm also believed that the issues likely arose from a nation-state threat actor. In its Form 10-K for the fiscal years ended December 31, 2020 and 2021, the firm made disclosures regarding the incident. Those disclosures were not accurate. Specifically, they did not accurately describe the intrusions. The disclosures also did not accurately describe the risk of unauthorized data access, phrasing it in hypothetical terms rather than specifically stating what happened. Second, in July 2022, the firm experienced an intrusion by a separate threat actor. It was a Russian-speaking ransomware group that successfully compromised the network. That group successfully exfiltrated certain cybersecurity product and platform software code for products the company offers to customers.
Prior to December 2022 Unisys’ incident response policies did not reasonably require cybersecurity personnel to report information to company disclosure decision makers. It also did not require cybersecurity personnel to report information to the disclosure decision makers. Thus, senior cybersecurity personnel repeatedly did not report incidents to executive management and the legal department. Subsequently, the firm took a number of remedial steps regarding its policies and disclosed a material weakness in its disclosure controls. The complaint alleges violations of Securities Act Sections 17(a)(2) and 17(a)(3). The Commission considered the firm’s remedial acts and cooperation. Respondent resolved the matter, consenting to the entry of a cease-and-desist order based on the Sections cited in the Order. In addition, Respondent agreed to pay a penalty of $4 million. See also In the Matter of Mimecast Ltd., Adm. Proc. File No. 3-22271 (Oct. 22, 2024) (similar incident and issues re cybersecurity incident; resolved on similar terms); In the Matter of Check Point Software Technologies, Ltd., Adm. Proc. File No. 3-22270 (Oct. 22, 2024) (similar issues and resolution); In the Matter of Avaya Holdings Corp., Adm. Proc. File No. 3-22269 (Oct. 22, 2024) (similar issues resolved on similar terms).

Research – false statements: SEC v. Choi, Civil Action No. 2:24-cv-09082 (C.D. Ca. Filed October 22, 2024). Named as defendant in the action is Ryan Choi. He holds brokerage licenses and was registered with the State of California as an investment adviser from 2017 through 2018 – just prior to the events in this case. He at times worked with Andrew Left, an activist short publisher. Mr. Choi has used the moniker Citron Capital, LLC for years. Beginning in late October 2019 Mr. Choi assisted Andrew Left in preparing tweets and reports published through Citron Research by Mr. Left. Citron frequently identified short selling opportunities or those viewed as long investment candidates. The price of the target stock frequently moved in a manner that was consistent with the recommendations. In December 2020 Mr. Choi worked with Mr. Left on research and content for two buy recommendations. Mr. Left issued the recommendations through Citron Research. Mr. Choi failed to act reasonably in conducting the research or due diligence that was provided to Mr. Left as support for the recommendations he included in the Citron Research tweets, according to the complaint. Once the investments were made, Mr. Choi quickly traded on price increases that followed after the two transactions. He also traded on price increases without disclosing the basis for his trading. Throughout the process Mr. Choi failed to act reasonably and was negligent. The complaint alleges violations of Securities Act Section 17(a)(3). To resolve the action, Mr. Choi consented to the entry of a final judgment permanently enjoining him from violating the Section cited in the complaint. The final judgment also requires him to pay a penalty of $115,231, disgorgement of $1,647,217 and prejudgment interest of $64,818. See Lit. Rel. No. 26164 (October 22, 2024).

False statements: In the Matter of WisdomTree Asset Management, Inc., Adm. Proc. File No. 3-22268 (October 21, 2024) is a proceeding which names as respondent the adviser. WisdomTree is a Commission-registered investment adviser. It had about $73 billion in regulatory assets under management at the end of March 2024. Beginning in about March 2020, and continuing until November 2022, Respondent advised three exchange-traded Funds. The Funds had been approved and marketed based on representations that they were part of a strategy change that the Board was developing and would operate by screening out companies that had “any involvement” in fossil fuels and tobacco – they would be ESG compliant. In fact, they were not. One of the adviser’s vendors, for example, told the firm that it had not eliminated certain retailers who obtained less than 10% of their revenues from retail sales of tobacco products. Another vendor only eliminated a subset of companies involved in fossil fuels, as the adviser knew. The adviser did not inform the Board or revise the prospectuses for the ESG Funds to reflect these points until November 2022. The Order alleges violations of Advisers Act Sections 206(2) and 206(4) and Investment Company Act Section 34(b). To resolve the matter Respondent consented to the entry of a cease-and-desist order based on the Sections cited in the Order and the related Rules. In addition, the firm agreed to pay a penalty of $4 million.

FinCEN

Meeting: FinCEN joined partner Financial Transactions and Reports Analysis Center of Canada (FINTRAC) in co-hosting the first FinCEN-FINTRAC anti-money laundering/anti-terrorist financing symposium on October 24 & 25, 2024. The meeting brought together officials from Canada, the U.S., Australia, the Netherlands and the U.K. (here).

ESMA

Report: The European Securities and Markets Authority published its first annual report on EU carbon markets on October 7, 2024 (here).

Hong Kong

Seminar: The Securities and Futures Commission of Hong Kong hosted a seminar on October 24, 2024, focused on discussions of key challenges and opportunities for the industry. In part the meeting centered on proactive measures to foster continued growth and stability of the capital markets. Recent trends in the area were also identified and discussed (here).

Singapore

Paper: The Monetary Authority of Singapore published a consultation paper focused on regulatory approaches and regulations for digital token service providers that was issued under the Financial Services and Markets Act of 2022. The paper was published on October 24, 2024 (here).


Cybersecurity is a great concern for organizations of all types and sizes. There is a significant potential for a wide variety of issues to arise from such a disruption. This is particularly true for public companies which are required to make filings with the Commission that may involve disclosing the event and response.

Last week the Commission reported four proceedings in which issuers were charged with violations of the securities laws based on cyber incidents. See, e.g., In the Matter of Unisys Corporation, Adm. Proc. File No. 3-22272 (October 22, 2024).

Respondent is a Delaware corporation based in Blue Bell, Pennsylvania. The firm’s shares are traded on the NYSE. The company’s information technology network and resources regularly stored and transmitted its customers’ data and information as well as its own.

The matter here involving Unisys centers on two incidents. First, in December 2020 Unisys identified a computer that was part of its network that had a version of SolarWinds Orion software. The company believed the device had likely been infected with malicious code that allowed for unauthorized activity on affected computers and networks. Unisys also received notifications about, and discovered, compromises of its environment. Those compromises took place over a period of about 16 months beginning in January 2020. The issues and compromises involved at least seven network credentials and 34 cloud-based accounts. At least 33 gigabytes of data had been transferred. Unisys was aware that its investigations involved gaps based on the activity analyzed. The firm also believed that the issues likely arose from a nation-state threat actor.

In its Form 10-K for the fiscal years ended December 31, 2020 and 2021, the firm made disclosures regarding the incident. Those disclosures were not accurate. Specifically, they did not accurately describe the intrusions. The disclosures also did not accurately describe the risk of unauthorized data access, phrasing it in hypothetical terms rather than specifically stating what happened.

Second, in July 2022, the firm experienced an intrusion by a separate threat actor. It was a Russian-speaking ransomware group that successfully compromised the network. This group successfully exfiltrated certain cybersecurity product and platform software code for products the company offers to customers.

Prior to December 2022 Unisys’ incident response policies did not reasonably require cybersecurity personnel to report information to company disclosure decision makers. It also did not require cybersecurity personnel to report information to the disclosure decision makers. Thus, senior cybersecurity personnel repeatedly failed to report incidents to executive management and the legal department.

Subsequently, the firm took a number of remedial steps regarding its policies and disclosed a material weakness in its disclosure controls. The complaint alleges violations of Securities Act Sections 17(a)(2) and 17(a)(3). The Commission considered the firm’s remedial acts and cooperation.

Respondent resolved the matter, consenting to the entry of a cease-and-desist order based on the Sections cited in the Order. In addition, Respondent agreed to pay a penalty of $4 million. See also In the Matter of Mimecast Ltd., Adm. Proc. File No. 3-22271 (Oct. 22, 2024) (similar incident and issues re cybersecurity incident; resolved on similar terms); In the Matter of Check Point Software Technologies, Ltd., Adm. Proc. File No. 3-22270 (Oct. 22, 2024) (similar issues and resolution); In the Matter of Avaya Holdings Corp., Adm. Proc. File No. 3-22269 (Oct. 22, 2024) (similar issues resolved on similar terms).
