Troubled Waters: Navigating SEC Compliance and Enforcement

For a second consecutive year, Metropolitan Corporate Counsel (now Corporate Counsel Business Journal) co-hosted a roundtable series on global risk with longtime contributor Clifford Chance, which provided subject-matter expertise and helped facilitate three dinner discussions with an esteemed group of general counsel and chief compliance officers.

The attendees cumulatively represent companies with approximately $150 billion in annual revenues, locations in more than 100 countries and operations across a wide array of industries, including banking, insurance, asset management, industrials, rail, petrochemicals, information management and real estate.

The legal executives attended the dinners on the precondition that the discussion be conducted pursuant to the Chatham House Rule so their identities and the names of their companies would be kept anonymous. The goal was to encourage frank and open discussion among the participants.

If you are interested in further information about the Legal Executive Dinner Roundtable Series, please contact us at

As the U.S. government’s chief regulator and enforcer of securities laws, the Securities and Exchange Commission is widely viewed as a white knight in its role protecting the interests of investors.

But for companies that run afoul of its myriad and ever-evolving rules and regulations, the SEC might sometimes be seen as more of a necessary evil.

That’s why toeing the line with the SEC is a chief concern for public companies and their boards of directors. Staying apprised of the SEC’s initiatives, being prepared and knowing how to react when a corporate misstep occurs can be a complicated dance.

To kick off the second session of the 2017 Dinner Roundtable Series on Global Risk, co-hosted by Corporate Counsel Business Journal and Clifford Chance, CCBJ publisher Kristin Calve opened by introducing the Clifford Chance partners at the table: David DiBari (Litigation, Washington, D.C.) and Sarah Jones (Mergers and Acquisitions, New York), the event’s co-hosts, and the evening’s featured experts, Robert Rice (Litigation & Dispute Resolution, New York) and Kathleen Werner (Capital Markets, New York).

Rice, a former assistant U.S. attorney in the Southern District of New York who also served as chief counsel to then-SEC chair Mary Jo White, said that SEC enforcement actions have been on the rise the past five years, and he expects that trend to continue.

“This is not your parents’ SEC,” he said. “It has added a significant number of subject-matter experts to its enforcement team and has become a very sophisticated organization.” Also, he said, the SEC “has jumped with both feet into the world of data analytics” and now can crunch data as fast or faster than people in the private sector.

Specifically, Rice said he expects an uptick in corporate disclosure and reporting cases, and that there may be significant actions regarding violations of the Foreign Corrupt Practices Act. In addition, “the whistleblower program is alive and well, and we will likely see a continuing increase in tips and dollar awards,” he said.

While Rice saw those trends continuing, Werner said that there are important changes taking place elsewhere. The SEC is winding down providing new guidance on what had been one of its recent initiatives regarding companies’ use of non-GAAP performance measures. As that is happening, the SEC is shifting focus to the burgeoning issues of cybersecurity and disclosure.

“Cybersecurity absolutely keeps boards awake at night,” Werner said, pointing to several recent high-profile hacks that affected billions of people.

The example that received the most attention was the hack of Equifax, one of the nation’s largest credit-reporting agencies, where a data breach started in mid-May and wasn’t discovered until July 29. During that period hackers accessed the personal information of nearly 145 million people.

But it wasn’t until September 7 that the company revealed the breach. And by that time a few Equifax executives had sold some of their stock in the company. Werner said the 40-day delay, as well as the stock sales, was exactly the kind of thing that attracts SEC scrutiny.

A far bigger breach occurred at Yahoo. The search engine first revealed in September 2016 that 500 million user accounts had been hacked in 2014, then subsequently revealed other hacks affecting even more users. This past October the company admitted that all three billion of its users’ accounts had been breached.

Even the SEC itself is not immune. The agency said in September that its Edgar database was penetrated in 2016 and that hackers could have gotten access to market-moving information before it was publicly available. “The SEC is very focused on this now,” said Werner, “especially after its own hack.”

The key issues in situations like these are “when do you disclose, and what do you have to say,” she said. Current financial filings to the SEC don’t address the issue. As Werner put it: “There is no line item for disclosing hacks.”

When a company discovers a breach, it must determine if it is a material event and, if so, the extent of the loss or harm. Doing that can take time, and that is the reason you don’t see many quick disclosures following a hack, Werner said.

The SEC has signaled that it will want to see companies disclose any potential cybersecurity exposure in their annual 10-K filings. “It’s almost inconceivable that a public company wouldn’t have some disclosure in their risk factors,” Werner said. “And it shouldn’t be boilerplate.”

The Best Defense Is a Good Offense

That’s just a start. The Clifford Chance partners emphasized one crucial point: The best defense is a good offense in the form of having plans and protocols in place for dealing with hacks and intrusions. “Try to build a reasonable record showing that you have taken steps,” Werner said. “That ultimately will be the way to defend disclosures to the SEC and other regulators.”

A company should have a chief information officer in charge of the effort, a working group that does routine testing of the protocols, and detailed records of all of its efforts. “It’s about establishing a process that shows you took reasonable steps,” said DiBari.

“When problems arise, regulators often look at the company’s compliance culture and assess the tone from the top, as illustrated by, for instance, whether the compliance department has a seat at the table in the C-suite, and has appropriate resources,” Rice said. “You don’t want to be anywhere near the line, and want to make certain that your policies, procedures and controls are best practices.”

That said, even the best-laid plans may not be enough. Rice explained that regulators sometimes look through the “antiseptic lens of hindsight 18 months later” and conclude that, because there was a problem, a company’s systems were somehow deficient.

One of the roundtable’s guests noted that implementing and maintaining these programs was costly and that the SEC hadn’t seemed to have taken that into account. Rice agreed. “Cost related to systems and controls is typically not prominent on their radar screen,” he said.

DiBari added that there is no gold standard on how much a company should spend on its system. “You design it to bring it within your company’s risk tolerance,” he said.

Focus on Cryptocurrency

The conversation went far beyond hack attacks. Werner said she also expected the SEC to focus on regulating the ever-advancing realm of blockchain technology and cryptocurrency, pointing to a 21(a) report the SEC issued this July that she said was the first time the agency had referred to cryptocurrency as securities, which puts them under SEC purview.

Blockchain technology and cryptocurrency have morphed from something that provided a service into something that is profiting from the process, Werner said. “The SEC is clearly worried that investors are being sucked in. But on the other hand, there is some promise in real-time access to balance sheets of participants in the marketplace.”

Every key market player is working on blockchain technology, Werner said. One example is, an online retailer that announced in September its subsidiary TZero had entered a joint venture that would launch an alternative trading platform for digital coins.

Werner said the SEC and the Commodity Futures Trading Commission could work together to regulate blockchain and cybersecurity, but that right now “the law and the regulators are so far behind the technology.”

Engaging with the SEC

While questions from the roundtable participants generally followed the flow of the discussion, several areas of interest stood out. One of those went back to the Equifax case, where company executives sold stock between the time the breach was discovered and the day it was revealed to the public, sending the stock down by a third in value in little more than a week.

A chief compliance officer’s question: If he knew about something that would likely move his company’s stock once made public, and an employee who was unaware of the news came to him asking approval to sell stock, what should he do?

“If the person trading had no reason to know of material non-public information, there is no legal liability for trading,” Rice answered, in response to the hypothetical question. Rice cautioned that considering the risk an SEC investigation poses to a company’s reputation, it’s small solace if an 18-month investigation that is frequently in the headlines ultimately reveals no wrongdoing.

The real question for everyone, Werner said, is, “How do I engage with the SEC?”

It’s the corporate version of what a driver should say to the policeman who just pulled him over for a traffic violation. Cooperation is key when the SEC comes knocking on a company’s window with questions about anything ranging from corporate disclosure to FCPA adherence to whistleblower accusations.

“You need to be diligent and proactive in your investigation and in dealing with the SEC staff,” Rice said.

Published January 11, 2018.