As the Securities and Exchange Commission (SEC) enters the third year of the Trump administration, its regulatory and enforcement goals remain largely unchanged. At the direction of Chairman Jay Clayton, the SEC continues to focus on protecting Main Street investors, streamlining regulations and encouraging capital formation. Despite some recent and expected turnover on the Commission, the agency has made steady progress toward these goals thanks to the continuity of its leadership. All SEC division directors remain the same heading into 2019.
Elad L. Roisman, formerly chief counsel for the Republican-led Senate Banking Committee, joined the SEC in September 2018 as its newest commissioner, replacing Michael S. Piwowar. Roisman has identified increasing capital formation and instilling investor confidence as his top priorities.
Although each of the commissioners has advocated similar regulatory priorities, it is not clear that they agree with how those priorities should be addressed. For instance, Commissioners Hester M. Peirce and Robert J. Jackson Jr. have advocated different approaches to the regulation of investments in crypto assets. Peirce has urged the SEC to be less conservative in its approach to such investments and has said she would like to leave decisions about crypto assets to individual investors. Jackson, on the other hand, favors a cautious approach, citing investor inexperience and the current threat of fraud in the cryptocurrency market. (See “As Interest in Blockchain Technology Grows, So Do Attempts at Guidance and Regulation.”)
The withdrawal by the SEC staff of two letters issued to proxy advisory firms Institutional Shareholder Services and Glass Lewis that addressed conflicts of interest and the ability of investment advisers to satisfy their fiduciary duties in reliance on the voting recommendations by the firms also was a point of contention among the commissioners. Clayton touted the withdrawal as an accomplishment that allowed for a wider discussion of the role proxy advisory firms play and as a step toward his goal of modernizing the SEC’s rules. However, Jackson downplayed the move, saying, “The law governing investor use of proxy advisors is no different today than it was yesterday.”
To date, these differing opinions on how best to accomplish the SEC’s broader goals has not impacted the advancement of Clayton’s priorities. Indeed, rule changes under Clayton have often been approved unanimously by the SEC. The differing views on the Commission, however, could have a more significant impact on future progress. This may be even more relevant depending on who is identified to replace Commissioner Kara M. Stein. Her term concluded at the end of December 2018, and thus far no one has been nominated to replace her.
IPO Participation. In 2018, the SEC continued to take steps to tackle the issue of companies delaying initial public offerings (IPO) and relying on private capital. For example, the SEC sought to make IPOs more enticing by expanding the scope of the nonpublic review program set forth in the JOBS Act. The agency also increased its definition of “smaller reporting company” to allow even more issuers to use scaled disclosures. Likewise, the SEC is continuing to look for ways to modernize and simplify disclosures to decrease the financial burden that comes with registration and capital access. In late December 2018, the SEC changed its rules to allow all public companies to rely on Regulation A, one of the exceptions from its securities registration requirements. The SEC’s efforts have been helped by positive market conditions, and the number of IPOs has increased from 103 in 2016 to 163 in 2017 and 199 in 2018, according to Thomson Reuters.
U.S. Proxy Voting System. The SEC also has taken the first steps toward pursuing long-requested changes to the U.S. proxy voting system. In November 2018, the SEC hosted several roundtable discussions that covered a number of areas of concern in the proxy system. Specifically, the roundtables centered on the proxy voting process, the shareholder proposal process and the increasing role proxy advisory firms play. The discussion regarding proxy advisory firms garnered the most attention. The SEC sought input on three main topics: proxy advisory firms’ conflicts of interest; their effect on investor voting and industry practices; and their regulation moving forward. What, if any, regulation will emerge from the roundtable remains to be seen. However, the growing importance of proxy advisory firms, coupled with the occurrence of the roundtable, signals that the SEC is considering regulations in this area. Further, in unofficial statements following the roundtable, Roisman expressed an openness to regulations that would create a rebuttal period following the issuance of a proxy firm opinion.
Cybersecurity. Cybersecurity matters will remain a key focus for the SEC in 2019. In particular, the SEC is expected to scrutinize company disclosures and policies related to cybersecurity. In public statements and guidance, the SEC has emphasized the importance of cybersecurity disclosures in the material risks section of mandatory filings, as well as the importance of proper implementation and disclosure of board oversight programs designed to avoid cyberrisks.
Risk Disclosures. Based on its actions in 2018, the SEC is expected in 2019 to remain focused on the obligations of companies to ensure that all their public disclosures are complete and accurate, and that investors are alerted to trends and developments that could impact the company’s business and prospects. The SEC brought a number of high-profile enforcement actions in 2018 that signaled its desire for companies to look beyond just the specific disclosure requirements of SEC forms. There are a number of significant developments already expected in 2019 that could trigger a requirement for updated disclosures, including Brexit and the end of Libor. The SEC staff has publicly stated its intent to track these and other market developments and the responses made by companies.
The number of enforcement actions the SEC filed in fiscal year 2018 increased by approximately 8.8 percent from fiscal year 2017, and total penalties ordered increased approximately 72.9 percent, to $1.44 billion, according to SEC statistics. Overall monetary remedies obtained by the SEC (penalties and disgorgement) increased by a more modest 4 percent, to $3.95 billion. (A significant driver of the increase was a settlement in which a Brazilian company agreed to pay $933 million in disgorgement and an $853 million penalty.)
Focus on Protecting Retail Investors. While overall enforcement activity increased in fiscal year 2018, the SEC’s focus on financial institutions has diminished under the Trump administration. Likewise, a November 2018 New York Times article noted a significant decline in actions against large public companies. Instead, the SEC continues to prioritize cases involving protection of retail investors, with half of the 490 stand-alone enforcement actions brought in fiscal year 2018 involving allegations or findings of wrongdoing that harmed such investors.
Individual Accountability. The SEC also is focused on individual accountability, especially as it relates to senior corporate officers and other prominent figures within organizations. We expect that focus to continue. In fiscal year 2018, 72 percent of the SEC’s stand-alone enforcement actions involved charges against at least one individual, including a U.S. congressman as well as the former CEO and chief financial officer of Walgreens Boots Alliance, Inc.
Tailored Remedies. The SEC is tailoring remedies, including ordering equitable relief in the form of specific undertakings, to address particular misconduct. This willingness to use a wide range of remedial tools in novel ways to address misconduct was evident in the enforcement actions against the CEOs of Theranos Inc. and Tesla Inc. In its settlement with Theranos, the SEC included undertakings that required the CEO to relinquish her voting rights and guarantee that she would not profit from a sale of the company unless other investors were compensated first. According to the SEC, these requirements were meant to protect investors from the CEO’s potential misuse of her controlling position. In the Tesla matter, the SEC was concerned about the CEO’s communication practices and the alleged lack of sufficient oversight and control over those communications. The specifications in that settlement included that the CEO resign as chairman of the company, and that Tesla add two independent directors to its board and establish a committee of independent directors to oversee the CEO’s public communications.
In addition to these types of customized undertakings, the SEC is increasingly imposing conduct-based injunctions specifically calibrated to address the infraction that was the object of the enforcement action. The goal of these injunctions is to require specific changes in offending companies that address the conduct at issue. The Enforcement Division is expected to continue to seek these types of narrowly focused remedies in the coming year.
Cybersecurity. The SEC’s enforcement staff also is increasingly focused on cybersecurity and related issues, including the timeliness and accuracy of disclosures of cyber-related issues and the need to implement sufficient internal accounting controls to prevent cyber breaches. The SEC announced the creation of its Cyber Unit in September 2017, and in fiscal year 2018, it brought 20 stand-alone cases related to cyberfraud. By the end of the fiscal year, the Cyber Unit had more than 225 ongoing cyber-related investigations. It is notable that, in many of these investigations, companies that were victims of cyberattacks now find themselves under investigation for how they responded to the attacks.
The Commission is focused on public companies’ and financial institutions’ policies surrounding cybersecurity, emphasizing the need for public companies to make prompt and accurate cyber-related disclosures. In April 2018, the Cyber Unit was involved in bringing a cyber-related enforcement action against a technology company for allegedly misleading shareholders by not disclosing a data breach in its public filings for nearly two years. The $35 million settlement was the first SEC enforcement action against a public company relating to the disclosure of a data breach.
The SEC also is sending a clear message that it expects issuers to not only act responsibly in the event of a cybersecurity incident but also to institute appropriate controls to mitigate the risks of cyber-related threats and safeguard company assets from those risks. In October 2018, the SEC issued an investigation report detailing the Enforcement Division’s probe into the internal accounting controls of nine issuers that were victims of “business email compromises,” a form of cyber fraud. The SEC issued the report of investigation, forgoing a traditional enforcement action, to communicate the SEC’s view that this issue is problematic and to put issuers and individuals on notice that the SEC intends to pursue enforcement actions concerning similar conduct in the future.
Similarly, the SEC is sending the message to financial institutions that they also must have sufficient safeguards in place to protect sensitive client information. The SEC brought proceedings against a broker-dealer and investment adviser related to alleged failures in cybersecurity policies and procedures following a cyberattack that compromised the personal information of thousands of customers in violation of Regulations S-P (Privacy of Consumer Financial Information) and S-ID (Identity Theft Red Flags).
Also in the past few years, the number of digital assets and crypto asset offerings, mainly initial coin offerings (ICOs), have increased significantly. In response, the Cyber Unit began to address misconduct relating to digital assets and ICOs. As of the end of fiscal year 2018, the Commission had brought over a dozen enforcement actions involving ICOs, focusing on allegations of fraud as well as compliance with the registration requirements of the federal securities laws. Additional ICO enforcement actions are likely in 2019.
We expect the SEC to continue to streamline current regulations and focus its enforcement efforts on protecting retail investors. This focus, however, should not be interpreted by companies as a signal that the SEC will be lax in enforcing remaining regulations. Companies need to be careful to produce timely and accurate disclosures, especially when discussing risk factors and cybersecurity. Companies also should not assume that the focus on protecting retail investors indicates that the SEC has relaxed its enforcement efforts against other market participants. Rather, SEC enforcement statistics from 2018 reflect a continued robust enforcement program, particularly in areas such as cybersecurity.