On January 29, 2019, the SEC announced four settlements with publicly-traded companies for failure to maintain adequate internal control over financial reporting.

None of the companies was charged with making false or inaccurate statements, either about its ICFR or otherwise; indeed, each had repeatedly disclosed material weaknesses in ICFR over many years.

These cases are interesting for at least three reasons:

  • They were announced together to send a message about the SEC’s focus on its agenda to strengthen accounting and controls at public companies.
  • The cases are about controls, and not about disclosure. Material weaknesses in ICFR are not just a disclosure issue: a continuing failure to maintain adequate controls is a violation of law, even if the failure is fully disclosed and there is no other disclosure problem.
  • The cases join several recent instances in which the SEC has shown a willingness to use the internal controls provisions of the Securities Exchange Act of 1934 independently of specific disclosure requirements.

Please click here to read the full alert memorandum.

As discussed in Cleary Gottlieb’s December 21, 2018 Alert Memorandum, on December 18, 2018, the U.S. Court of Appeals for the D.C. Circuit issued an important ruling in In re Grand Jury Subpoena, holding, inter alia, that foreign state-owned corporations are subject to criminal jurisdiction in the United States and upholding Special Counsel Mueller’s authority to serve and enforce a grand jury subpoena on a sovereign entity.

The foreign state-owned corporation subsequently sought a stay of enforcement of the contempt order from the Supreme Court, which Chief Justice Roberts granted.  This Alert Memorandum focuses on two key developments that took place on January 8, 2019.  First, the Supreme Court, voting as a whole, lifted the administrative stay previously entered by Chief Justice Roberts.  Second, the D.C. Circuit Court issued its full, albeit partially redacted, opinion, which provides additional reasoning for the panel’s decision, seeks to reconcile any purported conflict with rulings issued by other Circuit Courts on the legal question at hand, and focuses on the state owned nature of the entity involved.

Please click here to read the full Alert Memorandum.

On December 26, 2018, the SEC announced settled charges against ADT Inc. after finding that ADT, in two earnings releases, gave undue emphasis to non-GAAP adjusted EBITDA figures because they identified the relevant GAAP measures only later and much less prominently.

Without admitting or denying the SEC’s factual or legal claims, ADT agreed to an administrative settlement finding violations of Section 13(a) of the Securities Exchange Act of 1934 and Rule 13a-11 thereunder, relating to the requirements of Item 10(e) of Regulation S-K that an issuer present “with equal or greater prominence . . . the most directly comparable financial . . . measures” calculated under GAAP when it includes non-GAAP financial measures in filings and certain other reports to the Commission.

This is just the second enforcement action concerning non-GAAP disclosures that the SEC has brought against an issuer in the two-and-a-half years since the issuance of Staff guidance on non-GAAP disclosure requirements, and it is the first during SEC Chair Jay Clayton’s tenure.  It also is the first action related to non-GAAP disclosures finding a violation of only Section 13(a) of the Exchange Act without an accompanying finding that the disclosure in question constituted a material misstatement or omission.

Please click here to read the full alert memorandum.

On December 18, 2018, the District of Columbia Circuit Court of Appeals issued an important ruling in In re Grand Jury Subpoena, holding that foreign state-owned corporations are subject to criminal jurisdiction in the United States and that the exceptions to sovereign immunity set forth in the Foreign Sovereign Immunities Act (the “FSIA”)[1] apply to criminal as well as to civil cases.[2]  The court also rejected the foreign sovereign entity’s argument that it should be excused from complying with a subpoena because doing so would violate the law of the respondent’s country of incorporation.  Although In re Grand Jury Subpoena arises in the context of enforcing a grand jury subpoena, its language and holding could potentially be extended to criminal prosecutions of a foreign state or state-owned entity.

Continue Reading D.C. Circuit Rules in Special Counsel Mueller Investigation That State-Owned Corporations Are Subject to Criminal Jurisdiction in the United States

On November 15, 2018, the Division of Enforcement (the “Division”) of the U.S. Commodity Futures Trading Commission (“CFTC”) released its Annual Report on the Division of Enforcement (the “Report”), highlighting the enforcement division’s recent initiatives and reinforcing its focus on cooperation and self-reporting.  The Report provides a succinct overview of the Division’s enforcement priorities over the last year, discusses its overall enforcement philosophy, sets out key metrics about the cases brought in the last year, and highlights its key initiatives for the coming year.  While the Division’s priorities—preserving market integrity, protecting customers, promoting individual accountability, and increasing coordination with other regulators and criminal authorities—do not mark a departure from prior guidance, the Report does highlight the Division’s particular focus on individual accountability and a few target areas of enforcement.  Continue Reading Virtual Currencies, Manipulation, Cooperation, and More: CFTC Enforcement Division’s 2018 Annual Report

There have been plenty of press reports about the SEC’s settlement with Elon Musk arising from his tweeting about taking Tesla private.  But the concurrent settlement with Tesla itself provides interesting lessons for disclosure and governance at public companies.

Tesla agreed to pay a $20 million penalty and agreed to several “undertakings” to strengthen its governance and controls including a requirement that it add two independent directors to its Board.  And, under his own settlement, Musk agreed to step down for three years as chairman of the Board of Directors, although he is allowed to continue as CEO.  Continue Reading The Tesla Settlement – What It Means for Other Companies

On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).  The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people.  According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date.  The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach. Continue Reading The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations

Last month, Guatemalan President Jimmy Morales effectively shut down the operation of the UN-operated International Commission against Impunity in Guatemala (called by its Spanish initials, “CICIG”) by declining to renew its mandate past its September 2019 expiration date and by barring the head of CICIG, Iván Velásquez, from re-entering the country.  CICIG, a uniquely independent organ of the United Nations (“U.N.”), was created in 2007 to support and assist Guatemalan institutions in identifying, investigating, and prosecuting public corruption.  Over the past decade, it has investigated nearly 200 public officials, and its efforts led to the prosecution and ultimate resignation of former Guatemalan President, Otto Pérez Molina.[1]  Continue Reading Anti-Corruption in Guatemala: A Critical Moment for CICIG

The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.

It highlights the critical importance for businesses of:

  • Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
  • Taking effective action to prevent foreseeable cyber-attacks;
  • Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and

Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.

Please click here to read the full alert memorandum.

On September 27, 2018, in remarks delivered at the 5th Annual Global Investigations Review New York Live Event, Deputy Assistant Attorney General Matthew S. Miner reported on the accomplishments of the Department of Justice (“DOJ”) over the course of the last twelve months.  Importantly, he also discussed recent changes to the DOJ’s policies on prosecution of business organizations and how those changes have been implemented.[1]  Miner highlighted the DOJ’s efforts to incentivize and provide guidance to companies to self-report, cooperate and remediate corporate misconduct while underscoring the importance of robust compliance programs to detect and prevent wrongdoing and to obtain full credit in resolving investigations by the DOJ. Continue Reading DOJ Remarks Highlight Changes to White Collar Policy