SEC Statements On Cybersecurity – Part 2

On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC EDGAR system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICOs).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

This is the second in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. Part I of this blog, which outlined Chair Clayton’s statement on cybersecurity and the EDGAR hacking, can be read HERE. This second part in the series discusses the new cyber-based enforcement initiatives.

Previously I issued a blog outlining SEC guidance on the disclosure of cybersecurity matters, which can be read HERE.

Enforcement Initiatives

The SEC has established two new cybersecurity-related enforcement initiatives to address cyber-based threats and protect retail investors. The first is the creation of a Cyber Unit that will focus on targeting cyber-related misconduct. The second is the formation of a retail strategy task force that will focus on issues that directly affect retail investors.

Cyber Unit

The Cyber Unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities
  • Violations involving distributed ledger technology (blockchain) and initial coin offerings (ICOs)
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts to conduct manipulative trading
  • Cyber-related threats to trading platforms and other critical market infrastructure

Chair Clayton formed the group with the goal of creating a cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency. The Enforcement Division of the SEC has had to fast-track its expertise on matters related to cybersecurity including the advanced technologies that can be utilized.  It is thought that this focused enforcement initiative will further the SEC’s abilities to detect, respond to, and pursue misconduct.

On October 26, 2017, Stephanie Avakian, Co-Director of the Division of Enforcement, gave a speech where she addressed both initiatives. She addressed the obvious need for the Cyber Unit in today’s world of ever-increasing cyber-related misconduct affecting the securities markets.

Expanding on the SEC’s list of areas of attention, Ms. Avakian indicates that the Cyber Unit will also focus on cases involving failures by registered entities to take appropriate steps to safeguard information or ensure system integrity. The Cyber Unit will work closely with the Office of Compliance, Inspections and Examinations (OCIE) in this area.

Further, the Cyber Unit will review cases involving the failure by publicly reporting entities to properly report and disclose cyber-related issues. The SEC has not yet brought a case in this space, but is expected to do so. The SEC expects companies to report cyber issues in risk factors and management discussion and analysis where appropriate and believes that the failure to do so could rise to a fraud issue under Rule 10b-5.

Retail Strategy Task Force

The Retail Strategy Task Force is planning to develop targeted initiatives to identify and pursue misconduct impacting retail investors.  The retail investor arena is a broad playing field including everything from the sales of unsuitable structured products to micro-cap pump-and-dump schemes. The Task Force will rely heavily on technology and analytics to identify problems. The Task Force includes enforcement personnel from around the country.

In her October 26, 2017 speech, Enforcement Co-Director Stephanie Avakian stated, “this group will look at the many ways that retail investors intersect with the securities markets and look for widespread misconduct.” In a time of tight budgets, the SEC is focused on thinking strategically to identify problems and find the most efficient way to pursue enforcement actions including, as mentioned, with technology. Data analytics can be used to identify data by groups such as by product, by investor type, by location, by sales or trading practice, or by fee. The SEC is even figuring out ways to use technology and data analytics to analyze the more than 16,000 tips it receives each year and integrate that data with other data points to identify issues.

Ms. Avakian gave specific examples of areas that the Retail Strategy Task Force will examine beyond the obvious Ponzi schemes and offering fraud, including:

  • Investment professionals steering customers to mutual fund share classes with higher fees, when lower-fee share classes of the same fund are available.
  • Abuses in wrap-fee accounts, including failing to disclose the additional costs of “trading away” or trading through unaffiliated brokers, and purchasing alternative products that generate additional fees.
  • Investors buying and holding products like inverse exchange-traded funds (ETFs) for long-term investment. These can be highly volatile products that are generally intended as a hedge against exposure to downward moving markets, and that face a long-term high risk of losing their principal. The SEC is increasingly seeing retail investors holding these products long-term, including in retirement accounts.
  • Problems in the sale of structured products to retail investors, including a failure to fully and clearly disclose fees, mark-ups, and other factors that can negatively impact returns; and
  • Abusive practices like churning and excessive trading that generate large commissions at the expense of the investor.

In addition to enforcement, the Retail Strategy Task Force will have an investor outreach and education component. In that regard, we can expect to see Investor Bulletins and other SEC investor communications generated from the Task Force’s findings and efforts.

What Is A Security? The Howey Test And Reves Test

Sometimes it’s good to go back to basics. In my blogs I often refer to the registration and exemption requirements in the Securities Act of 1933 as amended (“Securities Act”). Section 5 of the Securities Act makes it unlawful to offer or sell any security unless a registration statement is in effect as to that security or there is an available exemption from registration. Similarly, I often refer to the broker-dealer registration requirements. To be a “broker” or “dealer,” a person must be engaged in the business of effecting transactions in securities.

In today’s small cap world, corporate finance transactions often take the form of a convertible note and/or options and warrants, the conversion of which relies on Section 3(a)(9) of the Securities Act. Section 3(a)(9) is an exemption available for the exchange of one security for another (such as a convertible note for common stock). Likewise, Rule 144(d)(3)(i) allows the tacking of a holding period where the securities being sold were acquired solely in exchange for other securities of that company. In the wake of the SEC actions against E-Trade, brokerage firms have been examining whether the underlying “note” is indeed a security qualifying for the use of Section 3(a)(9) and Rule 144 tacking of a holding period. (See Here)

Moreover, where a transaction involves a security, the anti-fraud provisions and accompanying rights and remedies found in the state and federal securities laws will apply.

Clearly the overriding question of “what is a security” is fundamental to the analysis of security law matters.  Surprisingly (or not), what would appear to be a simple definitional discussion actually involves a lengthy and complex area of the securities laws.  Accordingly this blog is merely a high-level discussion as to what is a security, and specifically excludes a discussion of derivatives, which will be the topic of a future blog.

Statutory Definitions

Both the Securities Act and the Securities Exchange Act of 1934 (“Exchange Act”) contain definitions of a security.

Section 2(a)(1) of the Securities Act defines a security as:

The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a “security”, or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing.

Section 3(a)(10) of the Exchange Act defines a security as:

The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, certificate of interest or participation in any profit-sharing agreement or in any oil, gas, or other mineral royalty or lease, any collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or in general, any instrument commonly known as a “security”; or any certificate of interest or participation in, temporary or interim certificate for, receipt for, or warrant or right to subscribe to or purchase, any of the foregoing; but shall not include currency or any note, draft, bill of exchange, or banker’s acceptance which has a maturity at the time of issuance of not exceeding nine months, exclusive of days of grace, or any renewal thereof the maturity of which is likewise limited.

The definitions are substantially similar and are not intended to be treated differently in application.  It was the congressional intent that the definition of security be very broad to encompass all forms of investment instruments and contracts that may be used in the commercial world.

Notably, the statutory definition contains qualifying language, to wit, “unless the context otherwise requires,” which requires a facts-and-circumstances analysis of the particular matter in question where such facts and circumstances reasonably raise questions as to whether a security is involved or intended in a particular transaction.

SEC v. W.J. Howey Co.

The landmark U.S. Supreme Court case interpreting the definition of an “investment contract” as a security is SEC v. W. J. Howey Co., 328 U.S. 293 (1946), the result of which has become commonly known as the “Howey Test.”

Under the Howey Test, whether an investment instrument is a security requires a substance-over-form analysis.  Clearly a “stock” or “bond” is a security, but an investment contract can take many different forms and its underlying character may not be as easily recognizable.  The Howey Test defines an investment contract as follows:

“… an investment contract for purposes of the Securities Act means a contract, transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party…. Such a definition…permits the fulfillment of the statutory purpose of compelling full and fair disclosure relative to the issuance of the many types of instruments that in our commercial world fall within the ordinary concept of a security…. It embodies a flexible rather than a static principle, one that is capable of adaptation to meet the countless and variable schemes devised by those who seek the use of the money of others on the promise of profits.”

To further break down the analysis, Howey established a four-part test.  In particular, an investment contract exists where there is:

(i) An investment of money – Although in Howey the term “money” was used, subsequent case law has expanded this concept to include any form of consideration with value.

(ii) In a common enterprise – The subsequent court cases are not consistent regarding the meaning of a “common enterprise.”  The majority of federal courts define a common enterprise as involving “horizontal commonality,” which involves the pooling of money or assets from multiple investors whereby the investors share in the profits and risk in some proportion.

However, another group of federal courts define a common enterprise as involving “vertical commonality,” which focuses on the relationship of the parties.  In vertical commonality, the investor’s profit or loss is subject to the efforts of the promoter putting together the deal, regardless of the existence or status of other investors.  Vertical commonality can further be broken down into “broad vertical commonality” whereby the promoter’s profits are not tied to the investor’s profits and “narrow vertical commonality” whereby the promoter only profits if the investor profits.

The bottom line is that if a commonality of enterprise is found, regardless of the form it has taken, this factor in the test will be satisfied.

(iii) With an expectation of profits – Profits can either be in the form of capital appreciation, cash return on investment or other earnings (including dividends or interest).  Profits for purposes of the Howey Test refers particularly to a return to the investor and not necessarily the success of the enterprise as a whole.  A Ponzi scheme clearly involves a security, even though the enterprise itself is designed to be a failure.

The analysis turns on a finding that the investor is motivated by a return on his investment. So, for instance, in a later case, the court found that the sale of shares in a housing cooperative that were bundled with the cost of the apartment itself and used for common operating expenses and upkeep of the building did not give rise to a securities transaction where the investors were attracted solely by the prospect of acquiring a place to live, and not by financial returns on their investments.

However, courts have found that the sale of a condominium unit itself can be a security where (i) the offer of the unit is accompanied with an opportunity to participate in a rental pool; (ii) the offer of the unit requires use of an exclusive rental agent; (iii) the offer of the unit limits the owner’s time of use or involves shared ownership (time share arrangements); or (iv) the sale of the unit is advertised with an emphasis on economic benefit (such as rental income or tax benefits).

(iv) Which are derived solely from the efforts of the promoters or third parties – The efforts of the promoter(s) or third party(ies) must be undeniably significant in the success or failure of the enterprise.

Applying the Howey Test, courts have interpreted a security to include such diverse items as citrus groves, warehouse receipts, chinchillas, minks, diamonds, bullion, pay phones, real estate and equipment, and condominium units, when they were offered or sold under circumstances involving the investment of money and expectation of a return through the efforts of others.

The Howey Test actually interprets an “investment contract” in the context of the statutory definition and, as later clarified by the Supreme Court in Landreth Timber Co. v. Landreth, is not meant to be used to decide whether all securities are indeed a “security.” Accordingly, where the sale of a business is completed through the sale of stock or other equity interests, even though the ultimate success of the investment is dependent on the efforts of the investor/buyer, the stock or other equity is clearly a security in the statutory definition and the Howey Test does not apply. In particular, Landreth confirms that where a business is sold via the sale of the equity in the business, it is a security and the registration and exemption provisions of Section 5, broker-dealer registration requirements under the Exchange Act and anti-fraud provisions under both the Securities Act and Exchange Act apply.

Promissory Notes – Reves v. Ernst & Young

Although the term “note” is specifically included in the statutory definition of a security, case law has determined that not every “note” is a security.  The Exchange Act and SEC specifically exclude notes with a term of less than nine months, the proceeds of which are used for a current transaction, from the definition of a “security.”  Moreover, numerous lower courts had carved out exemptions over the years for commercial paper type notes such as purchase money loans and privately negotiated bank loans.

Relying on Howey, many courts developed an analysis based on the risk of the loan.  That is, the issue revolved around whether the lender had contributed “risk capital” subject to the entrepreneurial or managerial efforts of the borrower.  Relying on Landreth, other courts decided a “note” is a security as it appears in the statutory definition.

Analyzing and bringing together the line of lower court opinions, the U.S. Supreme Court in Reves v. Ernst & Young, 494 U.S. 56 (1990) adopted the “family resemblance” test to determine whether a note is a security.

Under the “family resemblance” test, one must start with the presumption that a note is a security, which presumption is rebutted if the note bears a resemblance to one of the enumerated categories on a judicially developed list of exceptions. If the “note” does not bear a resemblance to an item on the list, the analysis continues to determine if a new category should be added to the list.

The following is a list of notes that have judicially been determined to fall outside the definition of a “security”:

(i) a note delivered in consumer financing;

(ii) a note secured by a mortgage on a home;

(iii) a short-term note secured by a lien on a small business or some of its assets;

(iv) a note evidencing a character loan to a bank customer;

(v) a short-term note secured by an assignment of accounts receivable;

(vi) a note which simply formalizes an open-account debt incurred in the ordinary course of business (particularly if, as in the case of the customer of a broker, it is collateralized); and

(vii) a note evidencing loans by commercial banks for current operations.

In determining whether a note bears a resemblance to one of the enumerated exceptions to a security, or whether a new exception should be added, the courts consider:

(i) The motivation of seller and buyer – The first factor is described as the motivation that prompts “a reasonable seller and buyer to enter into” the transaction.  If the seller’s motivation is to raise money for his/her business and the buyer’s motivation is to earn profits, then the note is likely a security.  Even if the note is not necessarily characteristic of a security, if the investor reasonably expected that they were buying a security, and would be protected by the accompanying securities laws, the courts can determine that indeed a security has been sold.

(ii) The plan of distribution of the instrument – The second factor determines whether the instrument is being distributed for investment or speculation.  If the note instrument is being offered and sold to a broad segment or the general public for investment purposes, it is a security.

(iii) The reasonable expectations of the investing public – An instrument will be deemed a security where the reasonable expectation of the investing public is that the securities laws (and accompanying anti-fraud provisions) apply to the investment.

(iv) The presence of an alternative regulatory regime – The fourth and final factor is a determination whether another regulatory scheme “significantly reduces the risk of the instrument, thereby rendering the application of the Securities Act unnecessary.” The FDIC and ERISA laws are two such examples.

Both before and after Reves, the issue of whether bank notes or CDs are a security has often been litigated. In Marine Bank vs. Weaver, 455 U.S. 551 (1982), the U.S. Supreme Court held that a federally insured bank CD is not a security. In that case the court relied heavily on the fact that the bank was federally regulated and the subject CD was federally insured. The Court stated that CDs could be securities subject to the Act in other contexts, and that instruments “must be analyzed and evaluated on the basis of the content of the instruments in question, the purposes intended to be served and the factual setting as a whole.”

The exclusion for a note which simply formalizes an open-account debt incurred in the ordinary course of business warrants further discussion. Under this analysis, a note evidencing a trade payable such as for office supplies or attorney’s fees is not a security and Section 3(a)(9) may not be relied upon to exchange such a note for common stock. However, such a note could be considered a security where, for example, the note is convertible into common stock and represents an investment decision by the creditor to exchange its trade debt for a security of the company. In such a case, though, the creditor could not rely on Rule 144 to tack onto the holding period of the trade payable, as the trade payable itself is not a security.