With the Labor Day holiday now behind us, it is a good time to review the SEC’s active enforcement docket and to look ahead to likely areas of continuing enforcement attention as we head into the fall.  The record over the past few months reflects a continuing emphasis on certain major program areas, along with progress on a new enforcement initiative:

Whistleblower Awards.  The whistleblower program continues to be a tremendous source of investigative leads for the enforcement staff.  In July and August alone, the SEC announced bounty payments to six whistleblowers totaling $196 million.  These announcements included an award of $82 million to a single individual who provided information that led to the opening of an investigation.  In addition, two separate whistleblowers received awards of $37 million each in connection with different matters.

Cyber Controls.  On June 18, in the latest in its series of enforcement cases arising from cyber intrusions, the SEC charged R.R. Donnelley & Sons Co. with internal accounting and disclosure controls violations.  In settling on a neither admit nor deny basis, Donnelley agreed to pay a $2.125 million civil penalty.  This result is entirely consistent with the line of cases in which the SEC has faulted public companies for weak disclosure controls and consequent failures to make timely and complete disclosure about cybersecurity lapses or intrusions.

Electronic Communications.  Continuing another major trend, on August 14, the SEC announced the latest tranche of cases against financial services firms for failure to preserve “off-system” electronic communications by their personnel.  A total of 26 firms admitted to violations and agreed to pay $390 million in penalties.  The continued focus in this area has implications that go beyond the regulated firms that are subject to statutory requirements to preserve business-related communications.  In every SEC investigation, there continues to be a heightened focus on promptly taking steps to preserve all potentially relevant communications, including all data on personal devices.  A failure to take appropriate preservation steps at the outset of an investigation can lead the enforcement staff to pursue an investigation more aggressively and to seek larger penalties than might otherwise be imposed.

Accounting Investigations.  Accounting-related investigations are a perennial area of emphasis.  On August 9, the SEC announced settled enforcement actions against Ideanomics, Inc. and three current and former executives.  The no admit/no deny charges were based on a variety of improper accounting and financial reporting practices.  The company’s settlement included a $1.4 million penalty and an undertaking to retain an independent consultant to make recommendations for improvements in accounting controls.

“AI Washing.”  After several public statements by Chairman Gary Gensler and Enforcement Director Gurbir Grewal, the SEC has begun bringing enforcement actions alleging “AI washing” – these cases involve claims by the Commission that a company’s assertions that its business relies upon artificial intelligence are materially false and misleading.  The first two cases, brought last March, involved investment managers that misrepresented their use of AI in providing investment advice to clients.  Then, on June 11, the SEC brought its first case in this genre involving the offer and sale of securities.  The SEC charged the former CEO of a defunct AI recruitment company, Joonko Diversity Inc.  Some of the false statements alleged in the SEC’s complaint related to Joonko’s supposed use of AI in matching candidates to job openings.  While the cases brought so far in this area have appeared to involve relatively egregious misrepresentations, we expect the SEC to focus on disclosure practices with respect to a broader array of businesses asserting that their past successes or future prospects rely upon innovative uses of AI.

To sum up, the SEC Enforcement Division’s activities over the summer months reinforce themes that we have emphasized many times before:

• In view of the SEC’s robust whistleblower program, it has never been more important for companies to take effective steps to encourage their personnel to voice concerns internally first, so that any potential misconduct can be detected and remedied before developing into a more serious problem.
• It is prudent to give special attention to areas that are the subject of heightened enforcement scrutiny, such as disclosure controls and reporting around cyber incidents; accounting and financial reporting practices; and public statements concerning a company’s use of AI in its business activities.
• Companies should consider whether there is a need to update or clarify their policies and procedures relating to the use of ephemeral methods of electronic communications, including the use of personal devices for  business-related communications.
• And, as we have often advised, the best defense is a tone from the top of the organization that reinforces the importance of ethical business practices, backed by a strong compliance culture and a carefully designed and up-to-date system of controls.

This post comes to us from Wachtell, Lipton, Rosen & Katz. It is based on the firm’s memorandum, “Summer Takeaways in SEC Enforcement,” dated September 3, 2024.