The SEC Has Issued New Guidance On Cybersecurity Disclosures

On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.

The prior SEC guidance on the topic was dated, having been issued on October 13, 2011. For a review of this prior guidance, see HERE. The new guidance is not dramatically different from the 2011 guidance.

Introduction

The topic of cybersecurity has been in the forefront in recent years, with the SEC issuing a series of statements and creating two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s). Moreover, the SEC has asked the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts. See my two-part blog series, including a summary of the recent speeches and initiatives, HERE and HERE.

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of its review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisors and investment companies. Considering rapidly changing technology and the proliferation of cybersecurity incidents, threats and risks affecting both private and public companies (including a hacking of the SEC’s own EDGAR system and a hacking of Equifax causing a loss of $5 billion in market cap upon disclosure), public companies have been anticipating a needed update to the SEC’s disclosure-related guidance.

SEC Commissioner Kara Stein’s statement on the new guidance is grim on the subject, pointing out that the risks and costs of cyberattacks have been growing and could result in devastating and long-lasting collateral effects. Commissioner Stein cites a Forbes article estimating that cyber-crime will cost businesses approximately $6 trillion per year on average through 2021 and an Accenture article citing a 62% increase in such costs over the last five years.

Commissioner Stein also discusses the inadequacy of the 2011 guidance in practice and her pessimism that the new guidance will properly fix the issue. She notes that most disclosures are boilerplate and do not provide meaningful information to investors despite the large increase in the number and sophistication of, and damage caused by, cyberattacks on public companies in recent years. Commissioner Stein includes a list of requirements that she would have liked to see in the new guidance, including, for example, a discussion of the value to investors of disclosing whether any member of a company’s board of directors has experience, education, expertise or familiarity with cybersecurity matters or risks.

I have read numerous media articles and blogs related to the disclosure of cyber-matters in SEC reports. One such blog was written by Kevin LaCroix and published in the D&O Diary. Mr. LaCroix’s blog points out that according to a September 19, 2016, Wall Street Journal article, cyber-attacks are occurring more frequently than ever but are rarely reported. The article cites a report that reviewed the filings of 9,000 public companies from 2010 to the present and found that only 95 of these companies had informed the SEC of a data breach.

As reported in a blog published by Debevoise and Plimpton, dated September 12, 2016, (thank you, thecorporatecounsel.net), a review of Fortune 100 cyber-reporting practices revealed that most disclosures are contained in the risk-factor section of regular periodic reports such as Forms 10-Q and 10-K, as opposed to interim disclosures in a Form 8-K. Moreover, only 20 incidents were reported at all in the period from January 2013 through the third quarter of 2015.

However, as Commissioner Stein notes, the SEC only has so much authority or power through guidance, as opposed to rulemaking. Commissioner Stein strongly advocates for new rulemaking in this regard. I do not think that, in the current environment of advocating for fewer rules, rulemaking related to cybersecurity disclosure will be made a priority. Moreover, I would not advocate for in-depth or robust further rules. Disclosure is based on materiality, and a company has an ongoing obligation to disclose any material information, including that which is related to cybersecurity matters. I think the SEC can question principles-based specific disclosures, and whether they are robust enough, through review and comment on public company filings. Certainly, the SEC staff, who review thousands of filings, have the knowledge of a lack of cybersecurity disclosure and can comment. In fact, if the SEC wrote a few standard cybersecurity-related disclosure comments and included them in a lot of comment letters, the marketplace would respond accordingly and beef up disclosure to avoid the comments.

Although I do not generally advocate for additional rules, Commissioner Stein makes one suggestion that I would support, and that is adding the disclosure of cybersecurity events to the Form 8-K filing requirements. Although the new SEC guidance does not specifically require a Form 8-K, in light of the importance of these events, it seems it would be appropriate, and the guidance itself requires “timely disclosure.” However, without a specific requirement, a company could elect to disclose via a press release and/or the filing of a Form 8-K under Item 7.01 Regulation FD disclosure. When disclosing using a press release and Regulation FD item in a Form 8-K, a company may elect for the information to be “furnished, not filed.” Section 18 of the Exchange Act imposes liability for material misstatements or omissions contained in reports and other information filed with the SEC. However, reports and other information that are “furnished” to the SEC do not impose liability under Section 18. The antifraud provisions under Rule 10b-5 would still apply to the disclosure, but the stricter Section 18 liability would not.

New Guidance on Public Company Cybersecurity Disclosures

The new guidance begins with an introduction describing the importance of cybersecurity in today’s business world, driving the point home by comparing it to the importance of electricity. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language injections and distributed denial-of-service attacks. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.

The purpose of a cyber-attack can vary as much as the methodology used, including for financial gain such as the theft of financial assets, intellectual property or sensitive personal information on the one hand, to a vengeful or terrorist motive through business disruption on the other hand. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”

When victim to a cyber-attack or incident, a company will suffer direct financial and indirect negative consequences, including but not limited to:

  • Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
  • Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
  • Lost revenues from unauthorized use of proprietary information and lost customers;
  • Litigation;
  • Increased insurance premiums;
  • Damage to the company’s competitiveness, stock price and long-term shareholder value; and
  • Reputational damage.

Whereas the 2011 disclosure guidance was conservative in its tone, trying to strike a balance between satisfying the disclosure mandates of providing material information related to risks to the investing community with a company’s need to refrain from providing disclosure that could, in and of itself, provide a road map to the very breaches a company attempts to prevent, the new guidance is more blunt in the critical need to inform investors about material cybersecurity risks and incidents when they occur.

A company’s ability to timely and properly make any required disclosure of cybersecurity risks and incidents requires the company to implement and maintain disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.

Insider Trading

It is also important that public company officers, directors and other insiders respect the importance and materiality of cybersecurity risk and incident knowledge and not trade a company’s securities when in possession of non-public information related to cybersecurity matters. In that regard, companies should include cybersecurity matters in their insider trading policies and procedures. These insider trading policies should (i) guard against trading in the period between when a company learns of a cybersecurity incident and the time it is made public; and (ii) require the timely disclosure of such non-public information.

Guidance

Public companies have many disclosure requirements, including through periodic reports on Forms 10-K, 10-Q and 8-K, through Securities Act registration statements such as on Forms S-1 and S-3 and generally through the antifraud provisions of both the Exchange Act and Securities Act, which require a company to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

As with all disclosure requirements, the disclosure of cybersecurity risk and incidents requires a materiality analysis. Although there continues to be no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents, many of the disclosure rules encompass these disclosures indirectly, such as risk factors, internal control assessments, management discussion and analysis, legal proceedings, disclosure controls and procedures, corporate governance and financial statements. As mentioned, as with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered to make other required disclosures not misleading considering the circumstances.

A company has two levels of cybersecurity disclosure to consider. The first is its controls and procedures and corporate governance to both address cybersecurity matters themselves and to address the timely and thorough reporting of same. The second is the reporting of actual incidents.  In determining the materiality of a particular cybersecurity incident, a company should consider (i) the importance of any compromised information; (ii) the impact of an incident on company operations; (iii) the nature, extent and potential magnitude of the event; and (iv) the range of harm such incident can cause, including to reputation, financial performance, customer and vendor relationships, litigation or regulatory investigations.

Of course, the new guidance is also clear that a company would not need to disclose the depth of information that could, in and of itself, provide information necessary to breach cyber-defenses. A company would not need to disclose specific technical information about cybersecurity systems, related networks or devices or specific devices and networks that may be more susceptible to attack due to weaker systems.

The new guidance also reminds companies that they have a duty to correct prior disclosures that the company determines were untrue at the time they were made (or that omitted material information), and to update disclosures that become inaccurate after the fact.

Like the prior guidance, the new guidance provides specific input into areas of disclosure.

Risk Factors

Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. Companies should evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents. Companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident. Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data or operational disruptions. A company should also consider the adequacy of preventative processes and plans in place should an attack occur. Actual or threatened attacks may be material and require disclosure.

As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Likewise, generic risk factors that could apply to all companies should not be included. Risk factor disclosure may include:

  • Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences, including industry specific risks and third-party and service-provider risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The probability of an occurrence and its potential magnitude;
  • Potential for reputational harm;
  • Description of past incidents, including their severity and frequency;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including any limits on the company’s ability to prevent or mitigate risks;
  • Existing and pending laws and regulations that may affect the company’s cybersecurity requirements and the associated costs; and
  • Litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

Management Discussion and Analysis (MD&A)

In MD&A a company should consider all the same factors that it would consider in its risk factors.  A company would need to include discussion of cybersecurity risks and incidents in its MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential future incidents result in a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, loss of intellectual property, remediation efforts, maintaining insurance, increase in cybersecurity protection costs, addressing harm to reputation and litigation and regulatory investigations.  Furthermore, even if an attack did not result in direct losses, such as in the case of a failed attempted attack, but does result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.

Business Description; Legal Proceedings

Disclosure of cyber-related matters may be required in a company’s business description where they affect a company’s products, services, relationships with customers and suppliers or competitive conditions. Likewise, material litigation would need to be included in the “legal proceedings” section of a periodic report or registration statement. The litigation disclosure should include any proceedings that relate to cybersecurity issues.

Financial Statements

Cyber-matters may need to be included in a company’s financial statements prior to, during and/or after an incident. Costs to prevent cyber-incidents are generally capitalized and included on the balance sheet as an asset. GAAP provides for specific recognition, measurement and classification treatment for the payment of incentives to customers or business relations, including after a cyber-attack.  Cyber-incidents can also result in direct losses or the necessity to account for loss contingencies, including those related to warranties, direct loss of revenue, providing customers with incentives, breach of contract, product recall and replacement, indemnification or remediation. Incidents can result in loss of, and therefore accounting impairment to, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory.  Financial statement disclosure may also include expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional service providers.

Broad Risk Oversight

A company must disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, this discussion should include the nature of the board’s role in overseeing the management of that risk. Information should also be included on how the board engages with management on cybersecurity risk management.

Controls and Procedures

The new guidance clearly provides that companies should adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including policy/procedure compliance related to the sufficiency of disclosure controls and procedures.  Procedures must address a company’s ability to record, process, summarize and report financial and other information in SEC filings.  Additionally, any deficiency in these controls and procedures should be reported.

The SEC reminds companies that their principal executive officer and principal financial officer must make individual certifications regarding the design and effectiveness of disclosure controls and procedures. These certifications should take into account cybersecurity-related controls and procedures.

Furthermore, as discussed above, a company should have proper policies and procedures preventing officers, directors and other insiders from trading on material nonpublic information related to cybersecurity risks and incidents.

Regulation FD and Selective Disclosure

Companies may have disclosure obligations under Regulation FD related to cybersecurity matters. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” The SEC reminds companies that these requirements also relate to cybersecurity matters and that, along with all the other disclosure requirements, policies and procedures should specifically address any disclosures of material non-public information related to cybersecurity.

SEC Statements On Cybersecurity – Part 2

On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC Edgar system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

This is the second in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. Part I of this blog, which outlined Chair Clayton’s statement on cybersecurity and the EDGAR hacking, can be read HERE. This second part in the series discusses the new cyber-based enforcement initiatives.

Previously I issued a blog outlining SEC guidance on the disclosure of cybersecurity matters, which can be read HERE.

Enforcement Initiatives

The SEC has established two new cybersecurity-related enforcement initiatives to address cyber-based threats and protect retail investors. The first is a creation of a Cyber Unit that will focus on targeting cyber-related misconduct. The second is the formation of a retail strategy task force that will focus on issues that directly affect retail investors.

Cyber Unit

The Cyber Unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities
  • Violations involving distributed ledger technology (blockchain) and initial coin offerings (ICO’s)
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts to conduct manipulative trading
  • Cyber-related threats to trading platforms and other critical market infrastructure

Chair Clayton formed the group with the goal of creating a cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency. The Enforcement Division of the SEC has had to fast-track its expertise on matters related to cybersecurity including the advanced technologies that can be utilized.  It is thought that this focused enforcement initiative will further the SEC’s abilities to detect, respond to, and pursue misconduct.

On October 26, 2017, Stephanie Avakian, Co-Director of the Division of Enforcement, gave a speech where she addressed both initiatives. She addressed the obvious need for the Cyber Unit in today’s world of ever-increasing cyber-related misconduct affecting the securities markets.

Expanding on the SEC’s list of areas of attention, Ms. Avakian indicates that the Cyber Unit will also focus on cases involving failures by registered entities to take appropriate steps to safeguard information or ensure system integrity. The Cyber Unit will work closely with the Office of Compliance, Inspections and Examinations (OCIE) in this area.

Further, the Cyber Unit will review cases involving the failure by publicly reporting entities to properly report and disclose cyber-related issues. The SEC has not yet brought a case in this space, but is expected to do so. The SEC expects companies to report cyber issues in risk factors and management discussion and analysis where appropriate and believes that the failure to do so could rise to a fraud issue under Rule 10b-5.

Retail Strategy Task Force

The Retail Strategy Task Force is planning to develop targeted initiatives to identify and pursue misconduct impacting retail investors.  The retail investor arena is a broad playing field including everything from the sales of unsuitable structured products to micro-cap pump-and-dump schemes. The Task Force will rely heavily on technology and analytics to identify problems. The Task Force includes enforcement personnel from around the country.

In her October 26, 2017 speech, Enforcement Co-Director, Stephanie Avakian stated, “this group will look at the many ways that retail investors intersect with the securities markets and look for widespread misconduct.” In a time of tight budgets, the SEC is focused on thinking strategically to identify problems and find the most efficient way to pursue enforcement actions including, as mentioned, with technology. Data analytics can be used to identify data by groups such as by product, by investor type, by location, by sales or trading practice, or by fee.  The SEC is even figuring out ways to use technology and data analytics to analyze the more than 16,000 tips it receives each year and integrate that data with other data points to identify issues.

Ms. Avakian gave specific examples of areas that the Retail Strategy Task Force will examine beyond the obvious Ponzi schemes and offering fraud, including:

  • Investment professionals steering customers to mutual fund share classes with higher fees, when lower-fee share classes of the same fund are available.
  • Abuses in wrap-fee accounts, including failing to disclose the additional costs of “trading away” or trading through unaffiliated brokers, and purchasing alternative products that generate additional fees.
  • Investors buying and holding products like inverse exchange-traded funds (ETFs) for long-term investment. These can be highly volatile products that are generally intended as a hedge against exposure to downward moving markets, and that face a long-term high risk of losing their principal. The SEC is increasingly seeing retail investors holding these products long-term, including in retirement accounts.
  • Problems in the sale of structured products to retail investors, including a failure to fully and clearly disclose fees, mark-ups, and other factors that can negatively impact returns; and
  • Abusive practices like churning and excessive trading that generate large commissions at the expense of the investor.

In addition to enforcement, the Retail Strategy Task Force will have an investor outreach and education component. In that regard, we can expect to see Investor Bulletins and other SEC investor communications generated from the Task Force’s findings and efforts.

What Is A Security? The Howey Test And Reves Test

Sometimes it’s good to go back to basics. In my blogs I often refer to the registration and exemption requirements in the Securities Act of 1933, as amended (“Securities Act”). Section 5 of the Securities Act makes it unlawful to offer or sell any security unless a registration statement is in effect as to that security or there is an available exemption from registration. Similarly, I often refer to the broker-dealer registration requirements. To be a “broker” or “dealer,” a person must be engaged in the business of effecting transactions in securities.

In today’s small cap world, corporate finance transactions often take the form of a convertible note and/or options and warrants, the conversion of which relies on Section 3(a)(9) of the Securities Act. Section 3(a)(9) is an exemption available for the exchange of one security for another (such as a convertible note for common stock). Likewise, Rule 144(d)(3)(i) allows the tacking of a holding period where the securities being sold were acquired solely in exchange for other securities of that company. In the wake of the SEC actions against E-Trade, brokerage firms have been examining whether the underlying “note” is indeed a security qualifying for the use of Section 3(a)(9) and Rule 144 tacking of a holding period. (See HERE.)

Moreover, where a transaction involves a security, the anti-fraud provisions and accompanying rights and remedies found in the state and federal securities laws will apply.

Clearly the overriding question of “what is a security” is fundamental to the analysis of securities law matters. Surprisingly (or not), what would appear to be a simple definitional discussion actually involves a lengthy and complex area of the securities laws. Accordingly, this blog is merely a high-level discussion as to what is a security, and specifically excludes a discussion of derivatives, which will be the topic of a future blog.

Statutory Definitions

Both the Securities Act and the Securities Exchange Act of 1934 (“Exchange Act”) contain definitions of a security.

Section 2(a)(1) of the Securities Act defines a security as:

The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a “security”, or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guarantee of, or warrant or right to subscribe to or purchase, any of the foregoing.

Section 3(a)(10) of the Exchange Act defines a security as:

The term “security” means any note, stock, treasury stock, security future, security-based swap, bond, debenture, certificate of interest or participation in any profit-sharing agreement or in any oil, gas, or other mineral royalty or lease, any collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, any put, call, straddle, option, or privilege on any security, certificate of deposit, or group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or in general, any instrument commonly known as a “security”; or any certificate of interest or participation in, temporary or interim certificate for, receipt for, or warrant or right to subscribe to or purchase, any of the foregoing; but shall not include currency or any note, draft, bill of exchange, or banker’s acceptance which has a maturity at the time of issuance of not exceeding nine months, exclusive of days of grace, or any renewal thereof the maturity of which is likewise limited.

The definitions are substantially similar and are not intended to be treated differently in application.  It was the congressional intent that the definition of security be very broad to encompass all forms of investment instruments and contracts that may be used in the commercial world.

Notably, the statutory definition contains qualifying language—to wit, “unless the context otherwise requires” which requires a facts and circumstances analysis of the particular matter in question where such facts and circumstances reasonably raise questions as to whether a security is involved or intended in a particular transaction.

SEC v. W.J. Howey Co.

The landmark U.S. Supreme Court case interpreting the definition of an “investment contract” as a security is SEC v. W. J. Howey Co., 328 U.S. 293 (1946), the result of which has become commonly known as the “Howey Test.”

Under the Howey Test, whether an investment instrument is a security requires a substance-over-form analysis.  Clearly a “stock” or “bond” is a security, but an investment contract can take many different forms and its underlying character may not be as easily recognizable.  The Howey Test defines an investment contract as follows:

“… an investment contract for purposes of the Securities Act means a contract, transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party…. Such a definition…permits the fulfillment of the statutory purpose of compelling full and fair disclosure relative to the issuance of the many types of instruments that in our commercial world fall within the ordinary concept of a security…. It embodies a flexible rather than a static principle, one that is capable of adaptation to meet the countless and variable schemes devised by those who seek the use of the money of others on the promise of profits.”

To further break down the analysis, Howey established a four-part test.  In particular, an investment contract exists where there is:

(i) An investment of money – Although in Howey the term “money” was used, subsequent case law has expanded this concept to include any form of consideration with value.

(ii) In a common enterprise – The subsequent court cases are not consistent regarding the meaning of a “common enterprise.”  The majority of federal courts define a common enterprise as involving “horizontal commonality,” which involves the pooling of money or assets from multiple investors whereby the investors share in the profits and risk in some proportion.

However, another group of federal courts define a common enterprise as involving “vertical commonality,” which focuses on the relationship of the parties.  In vertical commonality, the investor’s profit or loss is subject to the efforts of the promoter putting together the deal, regardless of the existence or status of other investors.  Vertical commonality can further be broken down into “broad vertical commonality” whereby the promoter’s profits are not tied to the investor’s profits and “narrow vertical commonality” whereby the promoter only profits if the investor profits.

The bottom line is that if a commonality of enterprise is found, regardless of the form it has taken, this factor in the test will be satisfied.

(iii) With an expectation of profits – Profits can be in the form of capital appreciation, cash return on investment or other earnings (including dividends or interest).  Profits for purposes of the Howey Test refer particularly to a return to the investor and not necessarily to the success of the enterprise as a whole.  A Ponzi scheme clearly involves a security, even though the enterprise itself is designed to be a failure.

The analysis turns on a finding that the investor is motivated by a return on his investment. So, for instance, in a later case, the court found that the sale of shares in a housing cooperative, which were bundled with the cost of the apartment itself and used for common operating expenses and upkeep of the building, did not give rise to a securities transaction where the investors were attracted solely by the prospect of acquiring a place to live, and not by financial returns on their investments.

However, courts have found that the sale of a condominium unit itself can be a security where (i) the offer of the unit is accompanied with an opportunity to participate in a rental pool; (ii) the offer of the unit requires use of an exclusive rental agent; (iii) the offer of a unit that limits time of use of the owner or involves shared ownership (time share arrangements); or (iv) advertising the sale of a unit with an emphasis on economic benefit (such as rental income or tax benefits).

(iv) Which are derived solely from the efforts of the promoters or third parties – The efforts of the promoter(s) or third party(ies) must be undeniably significant in the success or failure of the enterprise.

Applying the Howey Test, courts have interpreted a security to include such diverse items as citrus groves, warehouse receipts, chinchillas, minks, diamonds, bullion, pay phones, real estate and equipment, and condominium units, when they were offered or sold under circumstances involving the investment of money and expectation of a return through the efforts of others.

The Howey Test actually interprets an “investment contract” in the context of the statutory definition and, as later clarified by the Supreme Court in Landreth Timber Co. v. Landreth, is not meant to be used to decide whether every instrument is indeed a “security.”  Accordingly, even where the sale of a business is completed through the sale of stock or other equity interests and the ultimate success of the investment depends on the efforts of the investor/buyer, the stock or other equity is clearly a security under the statutory definition and the Howey Test does not apply.  In particular, Landreth confirms that where a business is sold via the sale of the equity in the business, that equity is a security, and the registration and exemption provisions of Section 5, the broker-dealer registration requirements under the Exchange Act and the anti-fraud provisions under both the Securities Act and the Exchange Act apply.

Promissory Notes – Reves v. Ernst & Young

Although the term “note” is specifically included in the statutory definition of a security, case law has determined that not every “note” is a security.  The Exchange Act and the SEC specifically exclude notes with a term of less than nine months, the proceeds of which are used for a current transaction, from the definition of a “security.”  Moreover, numerous lower courts had carved out exemptions over the years for commercial-paper-type notes such as purchase money loans and privately negotiated bank loans.

Relying on Howey, many courts developed an analysis based on the risk of the loan.  That is, the issue revolved around whether the lender had contributed “risk capital” subject to the entrepreneurial or managerial efforts of the borrower.  Relying on Landreth, other courts decided a “note” is a security as it appears in the statutory definition.

Analyzing and bringing together the line of lower court opinions, the U.S. Supreme Court in Reves v. Ernst & Young, 494 U.S. 56 (1990) adopted the “family resemblance” test to determine whether a note is a security.

Under the “family resemblance” test, one starts with the presumption that a note is a security, a presumption that is rebutted if the note bears a resemblance to one of the enumerated categories on a judicially developed list of exceptions.  If the “note” does not bear a resemblance to an item on the list, the analysis continues to determine whether a new category should be added to the list.

The following is a list of notes that have judicially been determined to fall outside the definition of a “security”:

(i) a note delivered in consumer financing;

(ii) a note secured by a mortgage on a home;

(iii) a short-term note secured by a lien on a small business or some of its assets;

(iv) a note evidencing a character loan to a bank customer;

(v) a short-term note secured by an assignment of accounts receivable;

(vi) a note which simply formalizes an open-account debt incurred in the ordinary course of business (particularly if, as in the case of the customer of a broker, it is collateralized); and

(vii) a note evidencing loans by commercial banks for current operations.

In determining whether a note bears a resemblance to one of the enumerated exceptions to a security, or whether a new exception should be added, the courts consider:

(i) The motivation of seller and buyer – The first factor is described as the motivation that prompts “a reasonable seller and buyer to enter into” the transaction.  If the seller’s motivation is to raise money for his/her business and the buyer’s motivation is to earn profits, then the note is likely a security.  Even if the note is not necessarily characteristic of a security, if the investor reasonably expected that they were buying a security, and would be protected by the accompanying securities laws, the courts can determine that indeed a security has been sold.

(ii) The plan of distribution of the instrument – The second factor determines whether the instrument is being distributed for investment or speculation.  If the note instrument is being offered and sold to a broad segment of the general public for investment purposes, it is a security.

(iii) The reasonable expectations of the investing public – An instrument will be deemed a security where the reasonable expectation of the investing public is that the securities laws (and accompanying anti-fraud provisions) apply to the investment.

(iv) The presence of an alternative regulatory regime – The fourth and final factor is a determination of whether another regulatory scheme “significantly reduces the risk of the instrument, thereby rendering the application of the Securities Act unnecessary.”  The FDIC and ERISA laws are two such examples.

Both before and after Reves, the issue of whether bank notes or CDs are securities has been frequently litigated.  In Marine Bank v. Weaver, 455 U.S. 551 (1982), the U.S. Supreme Court held that a federally insured bank CD is not a security. In that case the Court relied heavily on the fact that the bank was federally regulated and the subject CD was federally insured.  The Court stated that CDs could be securities subject to the Act in other contexts, and that instruments “must be analyzed and evaluated on the basis of the content of the instruments in question, the purposes intended to be served and the factual setting as a whole.”

The exclusion for a note which simply formalizes an open-account debt incurred in the ordinary course of business warrants further discussion.  Under this analysis, a note evidencing a trade payable, such as for office supplies or attorney’s fees, is not a security, and Section 3(a)(9) may not be relied upon to exchange such a note for common stock.  However, such a note could be considered a security where, for example, the note is convertible into common stock and represents an investment decision by the creditor to exchange its trade debt for a security of the company.  Even in such a case, though, the creditor could not rely on Rule 144 to tack onto the holding period of the trade payable, as the trade payable itself is not a security.