Category Archives: Enforcement

A Regulation FD Double Down – DraftKings

Back in April 2013, the SEC issued a Report of Investigation addressing dissemination of information via social media channels.  The report focused on a Netflix CEO’s use of social media to disclose information relevant to investors without previously telling investors that information would be released via social media.  In the report the SEC announced that social media disclosure of information was likely not public disclosure for purposes of Regulation FD, unless investors had previously been alerted that specific social media channels would be used to disseminate information to the public.

Unfortunately, on July 27, 2023, DraftKings’ public relations firm posted information about “really strong growth” on the personal X and LinkedIn accounts of the company’s CEO.  The company had not provided prior notice that social media accounts would be used to make information public.  DraftKings’ management instructed the public relations firm to remove the posts soon after they were published.  Given that the social media posts provided previously non-public information about growth and that the information was likely material, this was probably an inadvertent selective disclosure.

Regulation FD describes two types of selective disclosure, intentional and non-intentional.  Each type has a separate required time frame to make information public.  From Regulation FD:

(a) Whenever an issuer, or any person acting on its behalf, discloses any material nonpublic information regarding that issuer or its securities to any person described in paragraph (b)(1) of this section, the issuer shall make public disclosure of that information as provided in § 243.101(e):

(1) Simultaneously, in the case of an intentional disclosure; and

(2) Promptly, in the case of a non-intentional disclosure.

The term “promptly” is defined in the rule:

Promptly. “Promptly” means as soon as reasonably practicable (but in no event after the later of 24 hours or the commencement of the next day’s trading on the New York Stock Exchange) after a senior official of the issuer (or, in the case of a closed-end investment company, a senior official of the issuer’s investment adviser) learns that there has been a non-intentional disclosure by the issuer or person acting on behalf of the issuer of information that the senior official knows, or is reckless in not knowing, is both material and nonpublic.

If in fact the social media posts were non-intentional disclosures, “prompt” disclosure would have been appropriate.  Unfortunately, DraftKings did not make this information public until they did their regular earnings release seven days later.

The company entered into a cease-and-desist order and paid a civil money penalty of $200,000.

You can find more details, including discussion of the materiality of the information, how DraftKings’ policies related to the disclosures, and the impact of DraftKings’ cooperation during the investigation, in the SEC’s Press Release and the related Order.

As always, your thoughts and comments are welcome!

Insider Transaction and Beneficial Ownership Reporting – An Enforcement Reminder

On September 25, 2024, the Enforcement Division announced settled actions against 23 companies and individuals relating to Section 16 and Section 13 reporting.  The various actions involved:

Failure of individuals to file Section 16 reports;

Failure of companies to report delinquent Section 16 reports; and

Failure of companies to file Forms 13D, 13G, 13F, and Section 16 reports.

The companies and individuals involved paid fines totaling $3.8 million.  The Enforcement Division included a link to a September 27, 2023 announcement of a similar sweep involving 11 cases, making it clear that this continues to be a focus of their work.

As always, your thoughts and comments are welcome.

Still an Enforcement Focus – More Attempts to Limit Whistleblower Protections

On September 9, 2024, the SEC announced settled charges against seven companies for attempting to limit whistleblower rights through provisions in employment, separation and other agreements.  As you can read in the SEC’s Press Release and the related Orders, one company tried to force employees to waive their right to whistleblower awards such as those the SEC pays to qualified whistleblowers.

This case is the latest in a litany of recent enforcement actions, including against J.P. Morgan for attempting to limit customers’ ability to blow the whistle and against D.E. Shaw and Co. L.P., Monolith Resources, and CBRE, Inc. for using employee agreements that violated whistleblower protection rules.

All these cases and the related civil penalties send direct and clear reminders to proactively review employment, termination and similar agreements to assure they do not run afoul of the whistleblower protection rules.

As always, your thoughts and comments are welcome!

A “Green” Enforcement Action

On September 10, 2024, the SEC announced a settled enforcement action against Keurig Dr Pepper, Inc. related to statements the company made in its 2019 and 2020 Form 10-Ks about the recyclability of its K-Cup coffee and tea pods.  In Item 1 of the company’s Form 10-K for the year ended December 31, 2020, the company said:

“In December 2020, we achieved our goal of making all K-Cup pods sold in the U.S. recyclable by the end of 2020, having converted all K-Cup pods sold in Canada to a recyclable format in 2018. The new pods are made of polypropylene #5 plastic, a material that is accepted curbside for recycling by many communities, and we have conducted extensive testing with municipal recycling facilities to validate that they can be effectively recycled. We continue to engage with municipalities and recycling facilities to advance the quantity and quality of recycled polypropylene and have committed $10 million toward the advancement of polypropylene recycling in the U.S. through the Polypropylene Recycling Coalition, an effort led by The Recycling Partnership and funded by leading brands, recyclers, converters and producers of polypropylene.”

According to the SEC’s Order, what the company did not disclose in the 2019 and 2020 annual reports was that two large recycling companies “provided negative feedback concerning the commercial feasibility of curbside recycling of pods” and indicated that “they did not presently intend to accept pods for recycling.”

Without admitting or denying the findings, Keurig Dr Pepper entered into a cease-and-desist order and paid a civil money penalty of $1,500,000.

An interesting aspect of this case is that it was brought under Section 13(a) of the 1934 Act and related Exchange Act Rule 13a-1, which relate to complete and accurate annual reports.

As always, your thoughts and comments are welcome.

Loops Do Close

Several years ago, on May 3, 2021, the SEC announced a settled enforcement action against Under Armour, Inc.  The starting point for this case was a 23% stock price drop when Under Armour disclosed that their revenue growth rate, historically over 20%, had fallen to 12% for the fourth quarter of 2016.  According to the SEC’s Accounting and Auditing Enforcement Release, the company used sales “pull forwards” to hide this slowing revenue growth rate from mid-2015 to the end of 2016.  The company paid a $9 million civil penalty and entered into a cease-and-desist order.

In this kind of case the SEC’s enforcement is usually only part of the story.  In a Form 8-K filed on June 20, 2024, more than three years after the SEC action, the company reported a settlement in related class action litigation:

Item 8.01. Other Events.

As previously disclosed, since early 2017 Under Armour, Inc. (the “Company”) has been engaged in securities class action litigation in the United States District Court for the District of Maryland (the “District Court”) under the caption In re Under Armour Securities Litigation, Case No. 17-cv-00388-RDB (the “Consolidated Securities Action”). The complaint asserted claims regarding the Company’s disclosures and accounting practices in connection with its sales between the third quarter of 2015 and the fourth quarter of 2016, specifically asserting claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), against the Company and Mr. Plank and under Section 20A of the Exchange Act against Mr. Plank.

On June 20, 2024, the Company and Mr. Plank entered into a Memorandum of Understanding (the “MOU”) with plaintiffs containing the material terms of a settlement resolving the Consolidated Securities Action. The parties intend to prepare a formal stipulation of settlement describing the terms of the proposed settlement, which will be presented to the District Court for preliminary approval in the coming weeks. Following preliminary approval of the proposed settlement by the District Court and a notice and review period for Class members, plaintiffs will seek final approval of the proposed settlement from the District Court. The settlement is not an admission of fault or wrongdoing by the Company or Mr. Plank.

The MOU provides that the Company will pay or will cause to be paid an amount equal to $434 million to the members of the class in the Consolidated Securities Action, which includes all persons and entities who purchased or otherwise acquired Class A and Class C common stock of Under Armour between September 16, 2015 and November 1, 2019 (subject to certain exclusions) (the “Class”). As of March 31, 2024, the Company reported $858.7 million of cash and cash equivalents on its consolidated balance sheets, and no drawings on its $1.1 billion revolving credit facility.

As always, your thoughts and comments are welcome!

Yet Another Cybersecurity Enforcement Action

On June 18, 2024, the SEC announced a settled enforcement action against R.R. Donnelley & Sons Co. focused on both ICFR and disclosure controls and procedures related to cybersecurity risk.  As you can read in the related Order, the company used an outside service provider to help monitor cybersecurity matters.  The service provider notified the company’s security personnel about a “network ransomware intrusion.”  Based in part on input from the service provider, R.R. Donnelley did not take further action or conduct a deeper investigation.  In this case the SEC maintains that R.R. Donnelley did not maintain effective ICFR related to cybersecurity risk because the company did not have appropriate controls to respond to these warnings.  In addition, the Order maintains that the company’s disclosure controls and procedures did not appropriately inform management responsible for making disclosure decisions about cybersecurity incidents.

The company, which cooperated with the SEC in the investigation, entered into a cease-and-desist order and paid a $2.125 million civil penalty.

In reaction to this enforcement, Commissioners Hester M. Peirce and Mark T. Uyeda gave a Statement titled “Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.,” which provides an interesting discussion of administrative versus accounting controls related to cybersecurity issues.

You can read about earlier cybersecurity related enforcement actions in this post which involves a CISO and this post which also mentions disclosure controls and procedures.

As always, your thoughts and comments are welcome!

Enforcement Timing – Company Versus Auditor Time Lag

In this blog post we explored the almost two-year time lag between an SEC enforcement against a company and a related enforcement against the company’s auditor.  In a pair of more recent cases this time lag is much shorter.  In this August 15, 2023, Accounting and Auditing Enforcement Release, the SEC enumerates a number of material misstatements in the financial statements of Ault Alliance, Inc. (Ault).  The issues included failure to disclose interests in related person transactions, improper recording of purported consulting services and erroneous accounting for investments.  Ault made multiple restatements.  The Release also asserts that Ault failed to maintain accounting and disclosure controls.

On January 18, 2024, only five months later, the SEC brought an Administrative Proceeding against the company’s auditor.  The case against the auditor is complex, involving Ault and several other engagements.  In addition, it is interesting that this action was brought using the SEC’s internal administrative court processes.  Even with these complexities, the time lag between the company enforcement and the administrative proceeding against the auditor is notably shorter.

As always, your thoughts and comments are welcome!

SEC Enforcement for Deficient Disclosures About Related Person Transactions

On March 7, 2024, the SEC announced settled charges against Skechers U.S.A., Inc. for failure to disclose related person transactions in its proxy statements and Part III of Form 10-K.  The Enforcement Order details several instances where family members and persons sharing the same household as directors and executive officers received compensation from Skechers in excess of the $120,000 disclosure threshold specified in Regulation S-K Item 404.  In addition, two executives had loans from the company related to unreimbursed personal expenses paid by the company in excess of $120,000.

This case has a proxy focus similar to the many cases the SEC has brought relating to inadequate perks disclosures.

The company entered into a cease-and-desist order and paid a fine of $1.25 million.

As always, your thoughts and comments are welcome.

Auditor Fraud and the Related Client Impact

On May 3, 2024, the SEC announced charges against a Colorado audit firm, BF Borgers CPA PC, and its owner, Benjamin F. Borgers.  The extensive charges in the SEC’s Accounting and Auditing Enforcement Release include:

“…the deliberate and systematic failure to audit and review public company and SEC-registered broker-dealer clients’ financial statements in accordance with Public Company Accounting Oversight Board (“PCAOB”) standards … and their fraudulent issuance of audit reports falsely representing that they had done so from at least January 2021 through at least June 2023.”

These failures affected over 350 clients and more than 1,500 SEC filings.

The firm and its owner will pay civil money penalties of $12 million and $2 million respectively.  They are also denied the privilege of appearing or practicing before the Commission and censured.

This case is eerily similar to a 2009 case against Moore & Associates Chartered and Michael J. Moore.  That case involved over 300 clients and also resulted in fines and bars.  (Mr. Moore’s violations actually continued, as you can read in this 2015 Litigation Release.)

Both these cases were brought by the SEC rather than the PCAOB, perhaps because of the structure of the PCAOB’s enforcement activities imposed by the Sarbanes-Oxley Act.  Another interesting aspect of these two cases is the difference in the magnitude of the penalties.  In the Moore case the firm paid disgorgement of $179,500 and Moore paid a penalty of $130,000, amounts significantly less than the BF Borgers penalties.

You can find the PCAOB’s 2022 inspection report for BF Borgers CPA PC here.

Companies and their audit committees should be conscious of the issues created when an audit firm does not perform appropriately.  Because of the magnitude and complexity of the issues former BF Borgers clients face, CorpFin and the Office of the Chief Accountant issued this Statement addressing issues including the requirement to file a change in auditor Form 8-K and the impact on annual and quarterly reporting.

As always, your thoughts and comments are welcome.

Cybersecurity Enforcement and Chief Information Security Officers

SolarWinds Corporation, a provider of IT infrastructure management software products, completed its IPO in the fall of 2018.  In its IPO registration statement and periodic reporting, the company disclosed lengthy cybersecurity risk factors.  For example, in its December 31, 2019 Form 10-K, the company included this risk factor:

If we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.

We are heavily dependent on our technology infrastructure to sell our products and operate our business, and our customers rely on our technology to help manage their own IT infrastructure. Our systems and those of our third-party service providers are vulnerable to damage or interruption from natural disasters, fire, power loss, telecommunication failures, traditional computer “hackers,” malicious code (such as viruses and worms), employee or contractor theft or misuse, and denial-of-service attacks, as well as sophisticated nation-state and nation-state-supported actors (including advanced persistent threat intrusions). The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hacks, foreign governments, and cyber terrorists, has generally increased the number, intensity and sophistication of attempted attacks, and intrusions from around the world have increased. In addition, sophisticated hardware and operating system software and applications that we procure from third parties may contain defects in design or manufacture, including “bugs” and other problems that could unexpectedly interfere with the operation of our systems.

Because the techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period and, therefore, have a greater impact on the products we offer, the proprietary data contained therein, and ultimately on our business.

The foregoing security problems could result in, among other consequences, damage to our own systems or our customers’ IT infrastructure or the loss or theft of our or our customers’ proprietary or other sensitive information.

(Note:  Balance of the risk factor is omitted.)

This risk factor provides a general discussion of cybersecurity risk.  It does not address the nature and extent of actual cybersecurity risks facing the company, any specific steps the company is taking to address cybersecurity risk, or the strengths and weaknesses of the company’s cybersecurity defenses.

After the company experienced a major cybersecurity breach, these issues were at the center of the SEC’s charges against the company and, interestingly, the company’s Chief Information Security Officer (“CISO”).  According to the SEC’s Press Release and the related Complaint, the company was aware that its defenses against cybersecurity attacks were weak and that the company was extremely vulnerable to cyberattack.

The Press Release states:

“SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown [the CISO], that SolarWinds’ remote access set-up was ‘not very secure’ and that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to ‘major reputation and financial loss’ for SolarWinds.”

Similarly, as described in the Press Release and Complaint, in 2018 and 2019 the CISO made presentations that stated the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

SolarWinds’ public statements about its cybersecurity practices and risks were very different from its internal discussions and documentation.  As companies implement the SEC’s new cybersecurity disclosures, there are clear lessons in this case.

The Press Release and Complaint provide more details and discussion.

As always, your thoughts and comments are welcome!