1. SDNY Judge Holds SEC Failed to Adequately Plead Risk Disclosure and Controls Claims in SolarWinds

On July 18, 2024, the United States District Court for the Southern District of New York issued an opinion in Securities and Exchange Commission v. SolarWinds Corp. et al.  District Judge Paul A. Engelmayer rejected the SEC’s first ever attempt to bring a cyber enforcement action charge of internal accounting control violations under Section 13(b)(2)(B), finding that cybersecurity controls are not internal accounting controls.

The case centered on the SEC’s allegations that SolarWinds Corp., a company selling high-end software, and its Vice President and Chief Information Security Officer Timothy G. Brown made materially false and misleading statements regarding the company’s cybersecurity practices.

The SEC’s enforcement action claimed that SolarWinds and Brown were responsible for two types of deficient disclosures. First, the SEC alleged that SolarWinds misleadingly promoted its cybersecurity practices and products, particularly its Orion software platform, while understating its cybersecurity risks. Second, the SEC claimed that following a series of cyberattacks, culminating in the December 2020 SUNBURST attack conducted by state-sponsored hackers, SolarWinds minimized the scope and severity of the attacks in its public risk disclosures.

The court’s decision partially granted and partially denied the defendants’ motion to dismiss. The court sustained the SEC’s claims based on the company’s Security Statement—a statement published on SolarWinds’ website that made broad representations regarding SolarWinds’ cybersecurity practices—finding the SEC adequately pleaded it was false and misleading.

But Judge Engelmayer, in addition to rejecting the SEC’s Section 13(b)(2)(B) claim, also dismissed all charges based on the cybersecurity risk disclosures in SolarWinds’ public filings, holding that SolarWinds’ cybersecurity risk disclosures “enumerated in stark and dire terms the risks the company faced were its cybersecurity measures to fail.” Judge Engelmayer explained that companies are not required to revise risk disclosures for individual cybersecurity incidents if the existing disclosures already provide robust coverage of cybersecurity-related risks and consequences.

For more information, read our client alert.

2. SEC Charges Andrew Left and Citron Capital for Using “Bait-and-Switch” Tactics

On July 26, 2024, the SEC filed a complaint against Andrew Left, an activist short publisher, and Citron Capital, LLC, his online platform, in the Central District of California. The complaint alleges that Left misused the Citron Research platform to engage in a fraudulent scheme from March 2018 to December 2020, which allowed him to generate approximately $20 million in illegal trading profits. The SEC claims that Left and Citron Capital violated the antifraud provisions of Section 17(a) of the Securities Act of 1933, Section 10(b) of the Securities Exchange Act of 1934, and Rule 10b-5 thereunder.

According to the SEC, Left exploited his Citron Research platform by establishing positions in target companies, then publishing reports and tweets that influenced the market to move in his favor. Unbeknownst to investors, Left would then quickly reverse his positions, capitalizing on the price movements he induced. In other words, Left allegedly would buy back stock after telling his readers to sell, and sell stock after telling his readers to buy. The complaint details several allegedly deceptive acts, including the creation of anonymous websites and fake invoices to conceal payments from a hedge fund in exchange for publishing certain reports and tweets.

The SEC is seeking permanent injunctions against Left and Citron Capital, conduct-based injunctions against Left, and a bar for Left from acting as an officer or director of a public issuer. Additionally, the SEC seeks disgorgement of ill-gotten gains with prejudgment interest and civil penalties. In a parallel action, the DOJ announced criminal chargesagainst Left.

3. SEC Complaint Sufficiently Alleges Investment Firm Qualifies as a “Broker-Dealer”

On July 22, 2024, Judge Angel Kelley denied defendants’ motion to dismiss in SEC v. Auctus Fund Management, holding that the definition of a “dealer” under the Exchange Act covers entities engaged in the business of buying and selling securities for their own account, irrespective of whether they face customers directly.

In its complaint, the SEC accused defendants of operating as dealers without proper registration, in violation of the Securities Exchange Act of 1934. The SEC sought disgorgement of profits under 15 U.S.C. § 78u(d)(7), claiming that defendants had unlawfully profited from their activities. The core of the SEC’s allegations was that defendants engaged in the business of buying and selling securities through convertible loan agreements with various companies, often at a significant discount, and subsequently sold these securities at a profit. Defendants “(1) brought to the market billions of new shares of stock over the course of many years, involving over 100 public companies, (2) identified and solicited customers for their convertible note business, and (3) generated over $100 million in profit from converting debt to stock for resale in the market.” This activity, according to the SEC, required registration as securities dealers, which the defendants had not obtained.

In their motion to dismiss, defendants argued that their activities did not classify them as broker-dealers because they did not engage in buying and selling securities to effectuate customer orders but did so for investment purposes. They contended that the legislative history and intent of the Exchange Act supports their interpretation that their actions did not necessitate dealer registration.

The court rejected these arguments. The court emphasized that the statutory language of the Exchange Act and its legislative history do not support a distinction between customer-facing and non-customer-facing dealers. Furthermore, the court found that the defendants’ activities fell squarely within the business of buying and selling securities, given the regularity and volume of their transactions. The court also rejected defendants’ due process arguments that the SEC’s enforcement action was unexpected and thus violated their rights to fair notice under the Fifth Amendment.

4. Plaintiff Challenges the Use of FINRA’s Disciplinary Tribunals in Wake of Jarkesy

On July 15, 2024, D. Allen Blankenship filed a first amended complaint in the United States District Court for the Eastern District of Pennsylvania against the Financial Industry Regulatory Authority (FINRA). The complaint seeks a preliminary and permanent injunction to halt FINRA’s disciplinary proceedings against Blankenship, which he argues are being conducted in an improper forum without a jury, in violation of his Seventh Amendment rights.

The case stems from an inquiry initiated by FINRA following Blankenship’s termination by Independent Financial Group, LLC (IFG) for alleged policy violations related to mutual fund transactions and unauthorized discretionary actions. Blankenship’s complaint asserts that the disciplinary proceedings should be conducted in an Article III court with a jury, rather than in FINRA’s in-house forum, the Office of Hearing Officers. In particular, the FINRA complaint details allegations of unsuitable investment recommendations, which Blankenship contends are essentially common law fraud claims. He cites the recent Supreme Court decision in SEC v. Jarkesy, which held that the SEC’s in-house administrative proceedings violate the Seventh Amendment when they concern certain common law claims that Blankenship contends resemble those FINRA wishes to pursue against him.

Blankenship is requesting that the court declare the FINRA proceedings void under the Seventh Amendment and enjoin FINRA from continuing its disciplinary proceedings in its in-house forum.

For more information on SEC v. Jarkesy, read our client alert.

The “Decentralized” Crypto Fight Continues as SEC Files Al-Naji Complaint

On July 30, 2024, the SEC filed a complaint against Nader Al-Naji in the Southern District of New York, alleging securities fraud involving over $257 million raised from investors through the sale of crypto asset securities associated with the BitClout platform. The complaint alleges that Al-Naji misused investor funds for personal gain, including luxury purchases and payments to close relatives. The complaint further alleges that Al-Naji promoted BitClout as a decentralized platform in order to avoid regulatory scrutiny when, in reality, Al-Naji maintained significant control over the issuance and sale of its native token, BTCLT.

The SEC’s complaint asserts that Al-Naji violated multiple sections of the Securities Act of 1933 and the Securities Exchange Act of 1934 by offering and selling unregistered securities and engaging in fraudulent practices. The SEC seeks various forms of relief including injunctions to prevent further violations, disgorgement of ill-gotten gains with interest, civil penalties, and prohibitions against Al-Naji serving as an officer or director of any public company. The U.S. Attorney’s Office for the Southern District of New York also announced charges against Al-Naji in a parallel action.

This post comes to us from Morrison & Foerster LLP. It is based on the firm’s memorandum, “Top 5 SEC Enforcement Developments for July 2024,” dated August 21, 2024, and available here.