Each month, we publish a roundup of the most important SEC enforcement developments for busy in-house lawyers and compliance professionals. This month we examine:

  • Fraud and internal control failure charges against SolarWinds and its Chief Information Security Officer (CISO);
  • Dropped charges against two cryptocurrency executives;
  • The Director of the SEC Enforcement Division’s statements concerning compliance best practices and conditions for Chief Compliance Officer (CCO) liability;
  • The SEC’s examination priorities for 2024; and
  • New rules targeting short-selling disclosures and securities lending.

1. SEC Charges SolarWinds and Top Security Officer with Fraud and Internal Control Failures

For the first time, the SEC has (1) charged a public company with scienter-based fraud in connection with a cybersecurity incident, and (2) sued an individual executive as part of its case. The complaint charges SolarWinds Corp. and its CISO, Timothy Brown, with fraud and violations of the reporting and internal controls provisions of the Securities Exchange Act of 1934.

With allegations dating back to the company’s 2018 IPO, the complaint accuses SolarWinds of failing to devise an adequate system of internal controls and SolarWinds and Brown of knowingly misrepresenting cybersecurity practices to investors. According to the complaint, Brown and engineers at SolarWinds knew that the company’s security protocols left the company “in a very vulnerable state.” Despite this knowledge, the SEC alleges, the company painted a “false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The complaint also alleges that SolarWinds understated known security risks and made an incomplete disclosure about the “SUNBURST” cyberattack. The nearly two-year-long attack targeted the company’s flagship “Orion” software platform and resulted in a drop in SolarWinds’s share price of nearly 35% after disclosure.

In announcing the charges, Director Grewal underscored the importance of “implement[ing] strong controls calibrated to your risk environments and level[ing] with investors about known concerns.”

SolarWinds responded to the filing, accusing the SEC of overreach and stating that the litigation will discourage future public-private partnerships and valuable information sharing.

For more information, read our full client alert.

2. SEC Drops Aiding and Abetting Charges Against Ripple Executives

The SEC dropped charges against Ripple Labs CEO Bradley Garlinghouse and Executive Chairman Christian Larsen alleging the executives aided and abetted Ripple’s institutional sales of its XRP token. The dismissal follows the rejection of the SEC’s request for interlocutory appeal of District Court Judge Analisa Torres’s summary judgment ruling.

The SEC’s case against the blockchain firm and its executives involved allegations that Ripple, Garlinghouse, and Larsen violated securities laws when they sold the firm’s XRP token to investors. In her summary judgment ruling, Judge Torres held that Ripple violated the law when it sold XRP to institutional investors because the token, in that context, constituted an unregistered security. Judge Torres rejected the allegation that the sale of the token to programmatic investors and other distributions of the token violated securities laws, granting summary judgment on those claims to Ripple and the executives.

Judge Torres declined to decide, however, whether Garlinghouse and Larsen “aided and abetted” Ripple’s unlawful institutional sales, leaving the parties to prepare for trial on that claim. If the case had proceeded, the SEC would have been tasked with proving that the executives had knowledge of or acted with reckless disregard for the facts that made Ripple’s transactions illegal.

Defense counsel attributed the dismissal to the weakness of the SEC case, but the SEC likely had broader strategic goals motivating its decision, as the dismissal renders the rest of the summary judgment order immediately appealable.

Developments in the Ripple Labs litigation contrast sharply with the outcome of the LBRY case. As explained in our November 2022 client alert, LBRY was recently found liable for violating securities laws for failing to register its offer and sale of digital tokens. LBRY announced that it will not appeal the court’s decision and has instead reported plans to dissolve. SEC Commissioner Hester Peirce noted her displeasure with the Commission’s decision to bring the action against LBRY.

3. Head of SEC Enforcement Division Gurbir Grewal Outlines Best Practices for Securities Law Compliance and “Rare” Conditions for CCO Liability

In remarks at the New York Bar Association’s Compliance Institute on October 24, the Director of the SEC’s Division of Enforcement Gurbir Grewal outlined what he called a “culture of proactive compliance.” Director Grewal encouraged compliance professionals to educate themselves about the law and developments, particularly in emerging and heightened areas of risk for their business. Director Grewal urged engagement across the business to understand the “activities, strategies, risks, financial incentives, counterparties, and sources of revenues and profits.” Finally, Director Grewal argued that compliance professionals needed to ensure effective execution, asserting that the SEC frequently encounters firms with good policies but poor implementation. And where compliance efforts fall short, Director Grewal unsurprisingly argued that firms should turn themselves in, claiming that the SEC has “aggressively rewarded” self‑reporting and cooperation in recent years.

Director Grewal then turned to what he called the elephant in the room: “when does the Enforcement Division recommend charges against a compliance officer?” He called such actions “rare,” suggesting that the SEC will not second-guess a compliance officer’s good-faith judgments. The Commission typically will bring an enforcement action against a CCO only where, he said, the individual affirmatively participated in misconduct unrelated to the compliance function, misled regulators, or entirely failed to carry out their compliance responsibilities.

SEC Chair Gary Gensler’s speech the next day at the Securities Enforcement Forum touched on some of the same ideas, but also emphasized the SEC’s enforcement themes of holding “bad actors” accountable, bringing high-impact cases, and a focus on gatekeepers. His speech can be found here.

4. SEC Examiners to Focus on Information Security, Emerging Fintech, and Anti-Money Laundering Programs in 2024

The SEC’s Division of Examinations released its annual report on examination priorities. The SEC said that the report was released earlier than usual in “the hope that it will better inform investors and registrants of the key risks, trends and examination topics that we plan to focus on in the upcoming year.”

For investment advisers, the report identified compliance with advisers’ duties of care and loyalty and the effectiveness of internal policies and procedures as priorities. And for broker-dealers, the Division will prioritize whether recommendations were made in the customer’s best interest, focusing on, among other things, product and investment recommendations and conflict disclosures. The report also highlights information security, crypto assets and emerging fintech, and anti-money laundering protocols as priorities.

With respect to information security and operational resiliency, the Division said it would review firms’ policies, controls, practices, and procedures, as well as past responses to any cyber-related incidents. This includes review of policies relating to third-party providers and staff training on the protection of client records.

Where registrants are involved in crypto assets, the Division said that it would review whether firms follow their standard of conduct when recommending or advising on crypto, and whether firms review, update, and enhance their compliance practices, risk disclosures, and operational resiliency practices.

Finally, the Division will focus on anti-money laundering protocols at broker-dealers and other investment companies to ensure compliance with laws requiring appropriate diligence and internal controls.

5. New Rules Target Short-Selling Disclosures and Securities Lending

The SEC adopted two new rules that, it said, would provide more transparency and efficiency in short selling.

The securities lending rule requires brokers, dealers, and other intermediaries to disclose the terms of a securities loan to the Financial Industry Regulatory Association (FINRA) by the end of the day on which the loan was created or modified. Though some information, such as the names of the parties, will remain confidential, FINRA will publish other information such as the name of the security being borrowed and the type of collateral involved in the transaction. But because implementation of the rule requires FINRA to publish its own regulation establishing methods for data collection, the rule may not go into effect for nearly two years.

The short-selling reporting rule, by contrast, will go into effect in about one year. The rule is focused on hedge funds and other institutional investment managers and requires reporting of a monthly average of daily gross short positions in reporting company issuers (1) in an equity security with a value of $10 million or more, or (2) in the equivalent of 2.5% or more of the outstanding shares. The Commission will receive, aggregate, and release the reports on a delayed basis. For equity securities in non-reporting company issuers, firms are required to report gross short positions with a value of $500,000 or more at the close of trading hours on any settlement date during the calendar month.