The SEC Has Issued New Guidance On Cybersecurity Disclosures

On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.

The prior SEC guidance on the topic was dated, having been issued on October 13, 2011. For a review of this prior guidance, see HERE. The new guidance is not dramatically different from the 2011 guidance.

Introduction

The topic of cybersecurity has been in the forefront in recent years, with the SEC issuing a series of statements and creating two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICOs). Moreover, the SEC has asked the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts. See my two-part blog series, including a summary of the recent speeches and initiatives, HERE and HERE.

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of its review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisers and investment companies. Considering rapidly changing technology and the proliferation of cybersecurity incidents, threats and risks affecting both private and public companies (including a hacking of the SEC’s own EDGAR system and a hacking of Equifax that caused a loss of $5 billion in market cap upon disclosure), public companies have been anticipating a needed update to the SEC’s disclosure-related guidance.

SEC Commissioner Kara Stein’s statement on the new guidance is grim on the subject, pointing out that the risks and costs of cyberattacks have been growing and could result in devastating and long-lasting collateral effects. Commissioner Stein cites a Forbes article estimating that cyber-crime will cost businesses approximately $6 trillion per year on average through 2021 and an Accenture article citing a 62% increase in such costs over the last five years.

Commissioner Stein also discusses the inadequacy of the 2011 guidance in practice and her pessimism that the new guidance will properly fix the issue. She notes that most disclosures are boilerplate and do not provide meaningful information to investors despite the large increase in the number and sophistication of, and damage caused by, cyberattacks on public companies in recent years. Commissioner Stein includes a list of requirements that she would have liked to see in the new guidance, including, for example, a discussion of the value to investors of disclosing whether any member of a company’s board of directors has experience, education, expertise or familiarity with cybersecurity matters or risks.

I have read numerous media articles and blogs related to the disclosure of cyber-matters in SEC reports. One such blog was written by Kevin LaCroix and published in the D&O Diary. Mr. LaCroix’s blog points out that according to a September 19, 2016, Wall Street Journal article, cyber-attacks are occurring more frequently than ever but are rarely reported. The article cites a report that reviewed the filings of 9,000 public companies from 2010 to the present and found that only 95 of these companies had informed the SEC of a data breach.

As reported in a blog published by Debevoise & Plimpton, dated September 12, 2016 (thank you, thecorporatecounsel.net), a review of Fortune 100 cyber-reporting practices revealed that most disclosures are contained in the risk-factor section of regular periodic reports such as Forms 10-Q and 10-K, as opposed to interim disclosures in a Form 8-K. Moreover, only 20 incidents were reported at all in the period from January 2013 through the third quarter of 2015.

However, as Commissioner Stein notes, the SEC only has so much authority or power through guidance, as opposed to rulemaking. Commissioner Stein strongly advocates for new rulemaking in this regard. I do not think that, in the current environment of advocating for fewer rules, rulemaking related to cybersecurity disclosure will be made a priority. Moreover, I would not advocate for in-depth or robust further rules. Disclosure is based on materiality, and a company has an ongoing obligation to disclose any material information, including that which is related to cybersecurity matters. I think the SEC can question principles-based disclosures, and whether they are robust enough, through review of and comment on public company filings. Certainly, the SEC staff, who review thousands of filings, are aware of the lack of cybersecurity disclosure and can comment. In fact, if the SEC wrote a few standard cybersecurity-related disclosure comments and included them in a large number of comment letters, the marketplace would respond accordingly and beef up disclosure to avoid the comments.

Although I do not generally advocate for additional rules, Commissioner Stein makes one suggestion that I would support, and that is adding the disclosure of cybersecurity events to the Form 8-K filing requirements. Although the new SEC guidance does not specifically require a Form 8-K, in light of the importance of these events it seems it would be appropriate, and the guidance itself requires “timely disclosure.” However, without a specific requirement, a company could elect to disclose via a press release and/or the filing of a Form 8-K under Item 7.01 (Regulation FD Disclosure). Information disclosed under Item 7.01 of Form 8-K is deemed “furnished, not filed” unless the company specifically states that it is to be treated as filed. The distinction matters: Section 18 of the Exchange Act imposes liability for material misstatements or omissions contained in reports and other information filed with the SEC, but reports and other information that are merely “furnished” to the SEC do not carry Section 18 liability. The antifraud provisions under Rule 10b-5 would still apply to the disclosure, but the stricter Section 18 liability would not.

New Guidance on Public Company Cybersecurity Disclosures

The new guidance begins with an introduction describing the importance of cybersecurity in today’s business world, driving the point home by comparing it to the importance of electricity. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriation of assets or sensitive information, or operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, SQL (structured query language) injection and distributed denial-of-service attacks. A cyber-attack can take the form of unauthorized access or of blocking authorized access.

The purpose of a cyber-attack can vary as much as the methodology used, including for financial gain such as the theft of financial assets, intellectual property or sensitive personal information on the one hand, to a vengeful or terrorist motive through business disruption on the other hand. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”

When it falls victim to a cyber-attack or incident, a company may suffer direct financial and indirect negative consequences, including but not limited to:

  • Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
  • Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
  • Lost revenues from unauthorized use of proprietary information and lost customers;
  • Litigation;
  • Increased insurance premiums;
  • Damage to the company’s competitiveness, stock price and long-term shareholder value; and
  • Reputational damage.

The 2011 disclosure guidance was conservative in its tone, trying to strike a balance between the mandate to provide material risk information to the investing community and a company’s need to refrain from disclosure that could, in and of itself, provide a road map to the very breaches the company is attempting to prevent. The new guidance is more blunt about the critical need to inform investors about material cybersecurity risks, and about incidents when they occur.

A company’s ability to timely and properly make any required disclosure of cybersecurity risks and incidents requires the company to implement and maintain disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.

Insider Trading

It is also important that public company officers, directors and other insiders respect the importance and materiality of cybersecurity risk and incident knowledge and not trade in a company’s securities while in possession of non-public information related to cybersecurity matters. In that regard, companies should include cybersecurity matters in their insider trading policies and procedures. These insider trading policies should (i) guard against trading in the period between when a company learns of a cybersecurity incident and the time it is made public; and (ii) require the timely disclosure of such non-public information.

Guidance

Public companies have many disclosure requirements, including through periodic and current reports on Forms 10-K, 10-Q and 8-K, through Securities Act registration statements such as on Forms S-1 and S-3, and generally through the antifraud provisions of both the Exchange Act and the Securities Act, which require a company to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

As with all disclosure requirements, the disclosure of cybersecurity risk and incidents requires a materiality analysis. Although there continues to be no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents, many of the disclosure rules encompass these disclosures indirectly, such as risk factors, internal control assessments, management discussion and analysis, legal proceedings, disclosure controls and procedures, corporate governance and financial statements. As mentioned, as with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered to make other required disclosures not misleading considering the circumstances.

A company has two levels of cybersecurity disclosure to consider. The first is its controls and procedures and corporate governance, both to address cybersecurity matters themselves and to address the timely and thorough reporting of same. The second is the reporting of actual incidents. In determining the materiality of a particular cybersecurity incident, a company should consider (i) the importance of any compromised information; (ii) the impact of the incident on company operations; (iii) the nature, extent and potential magnitude of the event; and (iv) the range of harm the incident can cause, including to reputation, financial performance, and customer and vendor relationships, and including litigation or regulatory investigations.

Of course, the new guidance is also clear that a company would not need to disclose the depth of information that could, in and of itself, provide information necessary to breach cyber-defenses. A company would not need to disclose specific technical information about cybersecurity systems, related networks or devices or specific devices and networks that may be more susceptible to attack due to weaker systems.

The new guidance also reminds companies that they have a duty to correct prior disclosures that the company later determines were untrue at the time they were made (or that omitted material information), and a duty to update disclosures that become inaccurate after the fact.

Like the prior guidance, the new guidance provides specific input into areas of disclosure.

Risk Factors

Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. Companies should evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents. Companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident. Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data or operational disruptions. A company should also consider the adequacy of its preventative processes and of the plans in place should an attack occur. Actual threatened attacks may be material and require disclosure.

As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Likewise, generic risk factors that could apply to all companies should not be included. Risk factor disclosure may include:

  • Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences, including industry specific risks and third-party and service-provider risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The probability of an occurrence and its potential magnitude;
  • Potential for reputational harm;
  • Description of past incidents, including their severity and frequency;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including any limits on the company’s ability to prevent or mitigate risks;
  • Existing and pending laws and regulations that may affect the company’s cybersecurity requirements and the associated costs; and
  • Litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

Management Discussion and Analysis (MD&A)

In MD&A a company should consider all the same factors that it would consider in its risk factors. A company would need to include discussion of cybersecurity risks and incidents in its MD&A if the costs or other consequences associated with one or more known incidents, or the risk of potential future incidents, represent a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, loss of intellectual property, remediation efforts, costs of maintaining insurance, increases in cybersecurity protection costs, costs of addressing harm to reputation, and litigation and regulatory investigations. Furthermore, even if an attack did not result in direct losses, as in the case of a failed attempted attack, but does result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.

Business Description; Legal Proceedings

Disclosure of cyber-related matters may be required in a company’s business description where they affect a company’s products, services, relationships with customers and suppliers or competitive conditions. Likewise, material litigation would need to be included in the “legal proceedings” section of a periodic report or registration statement. The litigation disclosure should include any proceedings that relate to cybersecurity issues.

Financial Statements

Cyber-matters may need to be reflected in a company’s financial statements prior to, during and/or after an incident. Some costs incurred to prevent cyber-incidents, such as the cost of developing internal-use software, may be capitalized and included on the balance sheet as an asset rather than expensed, depending on their nature. GAAP provides for specific recognition, measurement and classification treatment for the payment of incentives to customers or business relations, including after a cyber-attack. Cyber-incidents can also result in direct losses or the necessity to account for loss contingencies, including those related to warranties, direct loss of revenue, providing customers with incentives, breach of contract, product recall and replacement, indemnification or remediation. Incidents can result in the loss of, and therefore accounting impairment to, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory. Financial statement disclosure may also include expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional service providers.

Board Risk Oversight

A company must disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, this discussion should include the nature of the board’s role in overseeing the management of that risk. Information should also be included on how the board engages with management on cybersecurity risk management.

Controls and Procedures

The new guidance clearly provides that companies should adopt comprehensive policies and procedures related to cybersecurity and assess their compliance regularly, including compliance with policies and procedures related to the sufficiency of disclosure controls and procedures. These procedures must address a company’s ability to record, process, summarize and report financial and other information in its SEC filings, so that information about a cybersecurity incident reaches the people responsible for disclosure decisions in time to act on it. Additionally, any deficiency in these controls and procedures should be reported.

The SEC reminds companies that their principal executive officer and principal financial officer must make individual certifications regarding the design and effectiveness of disclosure controls and procedures. These certifications should take into account cybersecurity-related controls and procedures.

Furthermore, as discussed above, a company should have proper policies and procedures preventing officers, directors and other insiders from trading on material nonpublic information related to cybersecurity risks and incidents.

Regulation FD and Selective Disclosure

Companies may have disclosure obligations under Regulation FD related to cybersecurity matters. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” The SEC reminds companies that these requirements also relate to cybersecurity matters and that, along with all the other disclosure requirements, policies and procedures should specifically address any disclosures of material non-public information related to cybersecurity.

SEC Statements On Cybersecurity – Part 2

On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC’s EDGAR system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICOs).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

This is the second in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. Part I of this blog, which outlined Chair Clayton’s statement on cybersecurity and the EDGAR hacking, can be read HERE. This second part in the series discusses the new cyber-based enforcement initiatives.

Previously I issued a blog outlining SEC guidance on the disclosure of cybersecurity matters, which can be read HERE.

Enforcement Initiatives

The SEC has established two new cybersecurity-related enforcement initiatives to address cyber-based threats and protect retail investors. The first is a creation of a Cyber Unit that will focus on targeting cyber-related misconduct. The second is the formation of a retail strategy task force that will focus on issues that directly affect retail investors.

Cyber Unit

The Cyber Unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities
  • Violations involving distributed ledger technology (blockchain) and initial coin offerings (ICOs)
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts to conduct manipulative trading
  • Cyber-related threats to trading platforms and other critical market infrastructure

Chair Clayton formed the group with the goal of creating a cybersecurity working group to coordinate information sharing, risk monitoring and incident response efforts throughout the agency. The Enforcement Division of the SEC has had to fast-track its expertise on matters related to cybersecurity, including the advanced technologies that can be utilized. It is thought that this focused enforcement initiative will further the SEC’s ability to detect, respond to and pursue misconduct.

On October 26, 2017, Stephanie Avakian, Co-Director of the Division of Enforcement, gave a speech in which she addressed both initiatives. She addressed the obvious need for the Cyber Unit in today’s world of ever-increasing cyber-related misconduct affecting the securities markets.

Expanding on the SEC’s list of areas of attention, Ms. Avakian indicated that the Cyber Unit will also focus on cases involving failures by registered entities to take appropriate steps to safeguard information or ensure system integrity. The Cyber Unit will work closely with the Office of Compliance Inspections and Examinations (OCIE) in this area.

Further, the Cyber Unit will review cases involving the failure by publicly reporting entities to properly report and disclose cyber-related issues. The SEC has not yet brought a case in this space, but is expected to do so. The SEC expects companies to report cyber issues in risk factors and management discussion and analysis where appropriate, and believes that the failure to do so could rise to a fraud issue under Rule 10b-5.

Retail Strategy Task Force

The Retail Strategy Task Force is planning to develop targeted initiatives to identify and pursue misconduct impacting retail investors. The retail investor arena is a broad playing field, including everything from the sale of unsuitable structured products to micro-cap pump-and-dump schemes. The Task Force will rely heavily on technology and analytics to identify problems. The Task Force includes enforcement personnel from around the country.

In her October 26, 2017 speech, Enforcement Co-Director Stephanie Avakian stated, “this group will look at the many ways that retail investors intersect with the securities markets and look for widespread misconduct.” In a time of tight budgets, the SEC is focused on thinking strategically to identify problems and find the most efficient way to pursue enforcement actions, including, as mentioned, through technology. Data analytics can be used to group data by product, by investor type, by location, by sales or trading practice, or by fee. The SEC is even figuring out ways to use technology and data analytics to analyze the more than 16,000 tips it receives each year and integrate that data with other data points to identify issues.

Ms. Avakian gave specific examples of areas that the Retail Strategy Task Force will examine beyond the obvious Ponzi schemes and offering fraud, including:

  • Investment professionals steering customers to mutual fund share classes with higher fees, when lower-fee share classes of the same fund are available.
  • Abuses in wrap-fee accounts, including failing to disclose the additional costs of “trading away” or trading through unaffiliated brokers, and purchasing alternative products that generate additional fees.
  • Investors buying and holding products like inverse exchange-traded funds (ETFs) as long-term investments. These can be highly volatile products that are generally intended as a short-term hedge against exposure to falling markets, and that carry a high risk of loss of principal when held long-term. The SEC is increasingly seeing retail investors holding these products long-term, including in retirement accounts.
  • Problems in the sale of structured products to retail investors, including a failure to fully and clearly disclose fees, mark-ups, and other factors that can negatively impact returns; and
  • Abusive practices like churning and excessive trading that generate large commissions at the expense of the investor.

In addition to enforcement, the Retail Strategy Task Force will have an investor outreach and education component. In that regard, we can expect to see Investor Bulletins and other SEC investor communications generated from the Task Force’s findings and efforts.

SEC Sanctions BITCOIN Exchange Operator-A Case Study In Basic Registration And Exemption Requirements

On December 8, 2014, the SEC settled charges against a creative, but ill-informed, entrepreneur for acting as an unregistered broker-dealer and for violations of Section 5 of the Securities Act of 1933, as amended. Ethan Burnside and his company, BTC Trading Corp., operated two online enterprises, BTC Virtual Stock Exchange and LTC-Global Virtual Stock Exchange, that traded securities using the virtual currencies bitcoin and litecoin. Neither of these exchanges was registered as a broker-dealer or as a stock exchange. In addition, Burnside and his company conducted separate transactions in which he offered investors the opportunity to use virtual currencies to buy or sell shares in the LTC-Global exchange itself and in a separate litecoin mining venture he owned and operated. These offerings were not registered with the SEC as required under the federal securities laws.

According to the SEC release on the matter, “the exchanges provided account holders the ability to use bitcoin or litecoin to buy, sell, and trade securities of businesses (primarily virtual currency-related entities) listed on the exchanges’ websites.  The venues weren’t registered as broker-dealers despite soliciting the public to open accounts and trade securities.  The venues weren’t registered as stock exchanges despite enlisting issuers to offer securities for the public to buy and sell.” The exchanges charged and collected transaction-based compensation for each executed trade on the platforms.

“Burnside operated two online enterprises that weren’t properly registered to engage in the securities business they were conducting,” said Andrew M. Calamari, Director of the SEC’s New York Regional Office.  “The registration rules are vitally important investor protection provisions, and no exemption applies simply because an entity is operating on the Internet or using a virtual currency in securities transactions.”

Because Burnside cooperated with the SEC, he was able to settle the charges for only $68,000 and a bar from the securities industry with the right to re-apply after two years. The SEC release notes that “the penalty amount reflects prompt remedial acts taken by Burnside as he cooperated with the SEC’s investigation.”

The SEC did not make any allegations of fraud. The SEC’s news release did not contain any negative or inflammatory language against Burnside or his entities, and his penalty was extremely light for today’s regulatory environment. Burnside has the ability to apply to re-enter the securities business after two years. Clearly Burnside tried to create and operate a valid business, and more than that, he did a good job of it.

Burnside, however, failed to comply with the securities laws and (obviously) failed to seek the advice of experienced securities counsel. At the highest level, Burnside failed to follow the most basic premises of securities transactions: (i) registration or exemption as a broker-dealer; (ii) registration or exemption of an exchange; (iii) registration or exemption for the sale of BTC’s and LTC’s own securities; and (iv) ensuring either registration or exemption for the sale of the listed issuers’ securities. Admittedly, the process for each of these items can be complicated, expensive and time-consuming, but every entrepreneur who is considering engaging in a business that involves securities on any level needs to consider these basic high-level issues before proceeding.

How BTC and LTC Worked

Both BTC and LTC operated as online bitcoin- and litecoin-denominated stock exchanges. Using bitcoins or litecoins as the currency, users bought, sold and traded securities in both initial and secondary offerings of businesses listed on the websites. Although the sites were open to anyone, they became popular with virtual currency enthusiasts, and most of the issuers on the sites were currency-related businesses, including virtual currency mining operations. According to the SEC release, a virtual currency “miner” is “an individual or entity that participates in a decentralized virtual currency network by running special software to solve complex algorithms in a distributed proof-of-work or other distributed proof system used to validate transactions in the virtual currency system. Certain virtual currencies (e.g., bitcoin and litecoin), self-generate units of the currency by rewarding miners with newly created coins.”

There were no restrictions on who could open an account, and account opening was completed using a simple online registration form. The only information required was an e-mail address, so account holders could be anonymous. There were no restrictions, or even information requests, related to accreditation or sophistication. Once registered, users could view their account history and balance online. Deposits of bitcoins and litecoins were made using software, and such deposits were held by BTC and LTC, commingled in a single virtual wallet. Users could withdraw their currency at any time. The sites operated strictly in bitcoins and litecoins and did not offer any method to convert the virtual currency to USD or other currencies.

Users could place trades in the securities of the listed issuers, including straight purchases and sales and option trades.  Users would enter a bid or ask through an online order book.  Trades were matched using a software system, and all trades, quotes and dividends were publicly displayed on the site.  The site also reported such information as trading volume for issuers.  The trading on the sites was completely self-contained; that is, no trades were routed to outside venues or sources.  BTC and LTC charged transaction-based compensation for executing trades.

In order for an issuer to offer and sell securities, it would submit an online application and an investment contract for the purchase of its securities.  The issuer’s application included a description of its business and the investment being offered.  LTC and BTC charged a flat fee for listing.  The issuers also agreed to a “terms of service” that included various representations and warranties by the issuer, including that its business was “legal in the United States.”  BTC and LTC shareholders approved all issuers through an online voting process.

Once approved, the issuer could list and sell securities.  No certificates were issued for sold securities; rather, ownership of shares was recorded in online account statements that were updated and provided to shareholders every 12 hours.  The issuers were able to upload and post business plans and other marketing materials, post updates and news releases and otherwise communicate with their shareholder base and prospective investors.  BTC and LTC acted as limited moderators over the postings.  Burnside also regularly posted on his own sites and others soliciting users for the sites.

BTC and LTC also listed and sold their own securities on the sites.  Each of the issuers, including BTC and LTC, engaged in general solicitation in the sale of securities.  Upon being contacted by the SEC, Burnside promptly completed an orderly wind-down of both sites.

None of the issuers registered their securities or the offerings with the SEC.  None of the issuers took steps to ensure an exemption from registration was available, such as limiting the offerings to accredited investors only, verifying accredited status when using general solicitation, providing specified disclosure documents, or complying with state blue sky laws.

Registration or exemption as a broker-dealer

Subject to limited exemptions, the Exchange Act makes it unlawful for any broker or dealer to “effect any transaction in, or to induce or attempt to induce the purchase or sale, of any security…unless such broker or dealer is registered.”  The Exchange Act defines a “broker” as “a person, including a company, engaged in the business of effecting transactions in securities for the account of others.”  Case law indicates that a person is engaged in the business of effecting securities transactions if he or she “regularly participates in securities transactions at key points in the chain of distribution.”

In addition, in accordance with the SEC Guide to Broker-Dealer Registration, providing any of the following services may require the individual or entity to be registered as a broker-dealer:

  • “finders,” “business brokers,” and other individuals or entities that engage in the following activities:
    • Finding investors or customers for, making referrals to, or splitting commissions with registered broker-dealers, investment companies (or mutual funds, including hedge funds) or other securities intermediaries;
    • Finding investment banking clients for registered broker-dealers;
    • Finding investors for “issuers” (entities issuing securities), even in a “consultant” capacity;
    • Engaging in, or finding investors for, venture capital or “angel” financings, including private placements;
    • Finding buyers and sellers of businesses (i.e., activities relating to mergers and acquisitions where securities are involved);
  • investment advisers and financial consultants;
  • persons that market real estate investment interests, such as tenancy-in-common interests, that are securities;
  • persons that act as “placement agents” for private placements of securities;
  • persons that effect securities transactions for the accounts of others for a fee, even when those other people are friends or family members;
  • persons that provide support services to registered broker-dealers; and
  • persons that act as “independent contractors” but are not “associated persons” of a broker-dealer.

There are several exemptions from broker-dealer registration.

Title II of the JOBS Act created a limited exemption to the broker-dealer registration requirements for certain intermediaries that facilitate Rule 506 offerings.  In particular, Section 4(b) of the Securities Act of 1933 (“Securities Act”) added an exemption to the broker-dealer registration requirements such that an individual or entity will not be deemed a broker-dealer as a result of the following:

(A)  That person maintains a platform or mechanism that permits the offer, sale, purchase, or negotiation of or with respect to securities, or permits general solicitations, general advertisements, or similar or related activities by issuers of such securities, whether online, in person, or through any other means;

(B)  That person, or any person associated with that person, co-invests in such securities; or

(C)  That person, or any person associated with that person, provides ancillary services with respect to such securities.

Ancillary services are defined as (i) the provision of due diligence services in connection with the offer, sale, purchase, or negotiation of such security, so long as such services do not include, for separate compensation, investment advice or recommendations to issuers or investors; and (ii) the provision of standardized documents to the issuers and investors, so long as such person or entity does not negotiate the terms of the issuance for and on behalf of third parties and issuers are not required to use the standardized documents as a condition of using the service.

The exemption from registration as a broker or dealer also requires that such person and each person associated with such person (i) does not receive any compensation in connection with the purchase or sale of the security; (ii) does not have possession of customer funds or securities in connection with the purchase or sale; and (iii) is not subject to statutory disqualification pursuant to Section 3(a)(39) of the Exchange Act (i.e., bad boy provisions).

Burnside could potentially have operated a Title II exempt website geared towards bitcoin and litecoin investments.  For a discussion as to how this could be structured, see my blog HERE.

Registration or exemption of an exchange

Section 5 of the Exchange Act of 1934, as amended, makes it unlawful for any broker, dealer, or exchange, directly or indirectly, to effect any transaction in a security, or to report any such transaction, in interstate commerce, unless the exchange is registered as a national securities exchange or is exempted from such registration. Section 3(a)(1) of the Exchange Act defines an “exchange” as “any organization, association, or group of persons, whether incorporated or unincorporated, which constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange as that term is generally understood….”  Exchange Act Rule 3b-16 further defines an exchange to mean “an organization, association, or group of persons that: (1) brings together the orders for securities of multiple buyers and sellers; and (2) uses established, non-discretionary methods (whether by providing a trading facility or by setting rules) under which such orders interact with each other, and the buyers and sellers entering such orders agree to the terms of the trade.” The Commission has also stated that “an exchange or contract market would be required to register under Section 5 of the Exchange Act if it provides direct electronic access to persons located in the U.S.”

Clearly LTC and BTC operated as exchanges, without registration or an exemption.  Under almost any analysis, LTC and BTC would have been required to register as an exchange to operate as they did.

Registration or exemption for the sale of securities

Burnside offered and sold securities of BTC, LTC and his virtual currency mining business without either an effective registration statement or available exemption.  In addition, each of the issuers on the BTC and LTC websites offered and sold securities without either an effective registration statement or available exemption.  All issuers engaged in general solicitation in relation to the sale of securities.

Section 5 of the Securities Act of 1933 makes it unlawful for any person to directly or indirectly “offer” or “sell” securities without a valid effective registration statement unless an exemption is available.  Companies desiring to offer and sell securities to the public with the intention of creating a public market or going public must file a registration statement containing all material information concerning the company and the securities offered with the SEC and provide that filed registration statement to prospective investors.  The registration statement is filed using a Form S-1.  None of the issuers in this case filed a registration statement with the SEC.

In lieu of registration, each issuer would need to satisfy an exemption from registration.  Although other exemptions may have been available, the most obvious potential exemption for the issuers in this case would be 506(c).  Rule 506(c) permits the use of general solicitation and advertising to offer and sell securities under Rule 506, provided that the following conditions are met:

1. the issuer takes reasonable steps to verify that the purchasers are accredited;

2. all purchasers of securities must be accredited investors, either because they fit within one of the categories in the definition of accredited investor, or the issuer reasonably believes that they do, at the time of the sale; and

3. all terms and conditions of Rule 501 and Rules 502(a) and (d) must be satisfied.

For an in-depth discussion on Rule 506(c), see my blog HERE.


What Is A Security? The Howey Test And Reves Test

Sometimes it’s good to go back to basics.  In my blogs I often refer to the registration and exemption requirements in the Securities Act of 1933, as amended (“Securities Act”).  Section 5 of the Securities Act makes it unlawful to offer or sell any security unless a registration statement is in effect as to that security or there is an available exemption from registration.  Similarly, I often refer to the broker-dealer registration requirements.  To be a “broker” or “dealer,” a person must be engaged in the business of effecting transactions in securities.

In today’s small cap world, corporate finance transactions often take the form of a convertible note and/or options and warrants, the conversion of which relies on Section 3(a)(9) of the Securities Act.  Section 3(a)(9) is an exemption available for the exchange of one security for another (such as a convertible note for common stock).  Likewise, Rule 144(d)(3)(i) allows the tacking of a holding period where the securities being sold were acquired solely in exchange for other securities of that company.  In the wake of the SEC actions against E-Trade, brokerage firms have been examining whether the underlying “note” is indeed a security qualifying for the use of Section 3(a)(9) and Rule 144 tacking of a holding period.  (See HERE.)

Moreover, where a transaction involves a security, the anti-fraud provisions and accompanying rights and remedies found in the state and federal securities laws will apply.

Clearly the overriding question of “what is a security” is fundamental to the analysis of securities law matters.  Surprisingly (or not), what would appear to be a simple definitional discussion actually involves a lengthy and complex area of the securities laws.  Accordingly, this blog is merely a high-level discussion as to what is a security, and it specifically excludes a discussion of derivatives, which will be the topic of a future blog.

Statutory Definitions

Both the Securities Act and the Securities Exchange Act of 1934 (“Exchange Act”) contain definitions of a security.

Section 2(a)(1) of the Securities Act defines a security as:

The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a “security”, or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing.

Section 3(a)(10) of the Exchange Act defines a security as:

The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, certificate of interest or participation in any profit-sharing agreement or in any oil, gas, or other mineral royalty or lease, any collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or in general, any instrument commonly known as a “security”; or any certificate of interest or participation in, temporary or interim certificate for, receipt for, or warrant or right to subscribe to or purchase, any of the foregoing; but shall not include currency or any note, draft, bill of exchange, or banker’s acceptance which has a maturity at the time of issuance of not exceeding nine months, exclusive of days of grace, or any renewal thereof the maturity of which is likewise limited.

The definitions are substantially similar and are not intended to be treated differently in application.  It was the congressional intent that the definition of security be very broad to encompass all forms of investment instruments and contracts that may be used in the commercial world.

Notably, the statutory definition contains qualifying language, to wit, “unless the context otherwise requires,” which requires a facts and circumstances analysis of the particular matter in question where such facts and circumstances reasonably raise questions as to whether a security is involved or intended in a particular transaction.

SEC v. W.J. Howey Co.

The landmark U.S. Supreme Court case interpreting the definition of an “investment contract” as a security is SEC v. W. J. Howey Co., 328 U.S. 293 (1946), the result of which has become commonly known as the “Howey Test.”

Under the Howey Test, whether an investment instrument is a security requires a substance-over-form analysis.  Clearly a “stock” or “bond” is a security, but an investment contract can take many different forms and its underlying character may not be as easily recognizable.  The Howey Test defines an investment contract as follows:

“… an investment contract for purposes of the Securities Act means a contract, transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party…. Such a definition…permits the fulfillment of the statutory purpose of compelling full and fair disclosure relative to the issuance of the many types of instruments that in our commercial world fall within the ordinary concept of a security…. It embodies a flexible rather than a static principle, one that is capable of adaptation to meet the countless and variable schemes devised by those who seek the use of the money of others on the promise of profits.”

To further break down the analysis, Howey established a four-part test.  In particular, an investment contract exists where there is:

(i) An investment of money – Although in Howey the term “money” was used, subsequent case law has expanded this concept to include any form of consideration with value.

(ii) In a common enterprise – The subsequent court cases are not consistent regarding the meaning of a “common enterprise.”  The majority of federal courts define a common enterprise as involving “horizontal commonality,” which involves the pooling of money or assets from multiple investors whereby the investors share in the profits and risk in some proportion.

However, another group of federal courts define a common enterprise as involving “vertical commonality,” which focuses on the relationship of the parties.  In vertical commonality, the investor’s profit or loss is subject to the efforts of the promoter putting together the deal, regardless of the existence or status of other investors.  Vertical commonality can further be broken down into “broad vertical commonality” whereby the promoter’s profits are not tied to the investor’s profits and “narrow vertical commonality” whereby the promoter only profits if the investor profits.

The bottom line is that if a commonality of enterprise is found, regardless of the form it has taken, this factor in the test will be satisfied.

(iii) With an expectation of profits – Profits can either be in the form of capital appreciation, cash return on investment or other earnings (including dividends or interest).  Profits for purposes of the Howey Test refer particularly to a return to the investor and not necessarily the success of the enterprise as a whole.  A Ponzi scheme clearly involves a security, even though the enterprise itself is designed to be a failure.

The analysis turns on a finding that the investor is motivated by a return on his investment. So for instance, in a later case, the court found that sale of shares in a housing cooperative that were bundled with the cost of the apartment itself and used for common operating expenses and upkeep of the building, did not give rise to a securities transaction where the investors were attracted solely by the prospect of acquiring a place to live, and not by financial returns on their investments.

However, courts have found that the sale of a condominium unit itself can be a security where (i) the offer of the unit is accompanied with an opportunity to participate in a rental pool; (ii) the offer of the unit requires use of an exclusive rental agent; (iii) the offer of a unit that limits time of use of the owner or involves shared ownership (time share arrangements); or (iv) advertising the sale of a unit with an emphasis on economic benefit (such as rental income or tax benefits).

(iv) Which are derived solely from the efforts of the promoters or third parties – The efforts of the promoter(s) or third party(ies) must be undeniably significant in the success or failure of the enterprise.

Applying the Howey Test, courts have interpreted a security to include such diverse items as citrus groves, warehouse receipts, chinchillas, minks, diamonds, bullion, pay phones, real estate and equipment, and condominium units, when they were offered or sold under circumstances involving the investment of money and expectation of a return through the efforts of others.

The Howey Test actually interprets an “investment contract” in the context of the statutory definition and, as later clarified by the Supreme Court in Landreth Timber Co. v. Landreth, is not meant to be used to decide whether all securities are indeed a “security.”  Accordingly, even where the sale of a business is completed through the sale of stock or other equity interests and the ultimate success of the investment is dependent on the efforts of the investor/buyer, the stock or other equity is clearly a security under the statutory definition and the Howey Test does not apply.  In particular, Landreth confirms that where a business is sold via the sale of the equity in the business, it is a security and the registration and exemption provisions of Section 5, the broker-dealer registration requirements under the Exchange Act and the anti-fraud provisions under both the Securities Act and Exchange Act apply.

Promissory Notes – Reves v. Ernst & Young

Although the term “note” is specifically included in the statutory definition of a security, case law has determined that not every “note” is a security.  The Exchange Act and SEC specifically exclude notes with a term of less than nine months, the proceeds of which are used for a current transaction, from the definition of a “security.”  Moreover, numerous lower courts had carved out exemptions over the years for commercial paper type notes such as purchase money loans and privately negotiated bank loans.

Relying on Howey, many courts developed an analysis based on the risk of the loan.  That is, the issue revolved around whether the lender had contributed “risk capital” subject to the entrepreneurial or managerial efforts of the borrower.  Relying on Landreth, other courts decided a “note” is a security as it appears in the statutory definition.

Analyzing and bringing together the line of lower court opinions, the U.S. Supreme Court in Reves v. Ernst & Young, 494 U.S. 56 (1990) adopted the “family resemblance” test to determine whether a note is a security.

Under the “family resemblance” test, one must start with the presumption that a note is a security, which presumption is rebutted if the note bears a resemblance to one of the enumerated categories on a judicially developed list of exceptions.  If the “note” does not bear a resemblance to an item on the list, the analysis continues to determine if a new category should be added to the list.

The following is a list of notes that have judicially been determined to fall outside the definition of a “security”:

(i) a note delivered in consumer financing;

(ii) a note secured by a mortgage on a home;

(iii) a short-term note secured by a lien on a small business or some of its assets;

(iv) a note evidencing a character loan to a bank customer;

(v) a short-term note secured by an assignment of accounts receivable;

(vi) a note which simply formalizes an open-account debt incurred in the ordinary course of business (particularly if, as in the case of the customer of a broker, it is collateralized); and

(vii) a note evidencing loans by commercial banks for current operations.

In determining whether a note bears a resemblance to one of the enumerated exceptions to a security, or whether a new exception should be added, the courts consider:

(i) The motivation of seller and buyer – The first factor is described as the motivation that prompts “a reasonable seller and buyer to enter into” the transaction.  If the seller’s motivation is to raise money for his/her business and the buyer’s motivation is to earn profits, then the note is likely a security.  Even if the note is not necessarily characteristic of a security, if the investor reasonably expected that they were buying a security, and would be protected by the accompanying securities laws, the courts can determine that indeed a security has been sold.

(ii) The plan of distribution of the instrument – The second factor determines whether the instrument is being distributed for investment or speculation.  If the note instrument is being offered and sold to a broad segment or the general public for investment purposes, it is a security.

(iii) The reasonable expectations of the investing public – An instrument will be deemed a security where the reasonable expectation of the investing public is that the securities laws (and accompanying anti-fraud provisions) apply to the investment.

(iv) The presence of an alternative regulatory regime – The fourth and final factor is a determination whether another regulatory scheme “significantly reduces the risk of the instrument, thereby rendering the application of the Securities Act unnecessary.”  The FDIC and ERISA laws are two such examples.

Both before and after Reves, the issue of whether bank notes or CDs are securities has been often litigated.  In Marine Bank v. Weaver, 455 U.S. 551 (1982), the U.S. Supreme Court held that a federally insured bank CD is not a security.  In that case the Court relied heavily on the fact that the bank was federally regulated and the subject CD was federally insured.  The Court stated that CDs could be securities subject to the Act in other contexts, and that instruments “must be analyzed and evaluated on the basis of the content of the instruments in question, the purposes intended to be served and the factual setting as a whole.”

The exclusion for a note which simply formalizes an open-account debt incurred in the ordinary course of business warrants further discussion.  Under this analysis a note evidencing a trade payable such as for office supplies or attorney’s fees is not a security and Section 3(a)(9) may not be relied upon to exchange such a note for common stock.  However, such a note could be considered a security such as where the note is convertible into common stock and represents an investment decision by the creditor to exchange its trade debt for a security of the company.  In such a case, though, the creditor could not rely on Rule 144 to tack onto the holding period of the trade payable, as the trade payable itself is not a security.