Category Archives: Enforcement

Cybersecurity Enforcement and Chief Information Security Officers

SolarWinds Corporation, a provider of IT infrastructure management software products, completed its IPO in the fall of 2018.  In its IPO registration statement and periodic reporting, the company disclosed lengthy cybersecurity risk factors.  For example, in its December 31, 2019 Form 10-K, the company included this risk factor:

If we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences.

We are heavily dependent on our technology infrastructure to sell our products and operate our business, and our customers rely on our technology to help manage their own IT infrastructure. Our systems and those of our third-party service providers are vulnerable to damage or interruption from natural disasters, fire, power loss, telecommunication failures, traditional computer “hackers,” malicious code (such as viruses and worms), employee or contractor theft or misuse, and denial-of-service attacks, as well as sophisticated nation-state and nation-state-supported actors (including advanced persistent threat intrusions). The risk of a security breach or disruption, particularly through cyberattacks or cyber intrusion, including by computer hacks, foreign governments, and cyber terrorists, has generally increased the number, intensity and sophistication of attempted attacks, and intrusions from around the world have increased. In addition, sophisticated hardware and operating system software and applications that we procure from third parties may contain defects in design or manufacture, including “bugs” and other problems that could unexpectedly interfere with the operation of our systems.

Because the techniques used to obtain unauthorized access or to sabotage systems change frequently and generally are not identified until they are launched against a target, we may be unable to anticipate these techniques or to implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period and, therefore, have a greater impact on the products we offer, the proprietary data contained therein, and ultimately on our business.

The foregoing security problems could result in, among other consequences, damage to our own systems or our customers’ IT infrastructure or the loss or theft of our or our customers’ proprietary or other sensitive information.

(Note:  Balance of the risk factor is omitted.)

This risk factor provides a general discussion of cybersecurity risk.  It does not address the nature and extent of actual cybersecurity risks facing the company, any specific steps the company is taking to address cybersecurity risk, or the strengths and weaknesses of the company’s cybersecurity defenses.

After the company experienced a major cybersecurity breach, these issues were at the center of the SEC’s charges against the company and, interestingly, the company’s Chief Information Security Officer (“CISO”).  According to the SEC’s Press Release and the related Complaint, the company was aware that its defenses against cybersecurity attacks were weak and that the company was extremely vulnerable to cyberattack.

The Press Release states:

“SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown (The CISO), that SolarWinds’ remote access set-up was ‘not very secure’ and that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to ‘major reputation and financial loss’ for SolarWinds.”

Similarly, as described in the Press Release and Complaint, in 2018 and 2019 the CISO made presentations that stated the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

SolarWinds’ public statements about its cybersecurity practices and risks were very different from its internal discussions and documentation.  As companies implement the SEC’s new cybersecurity disclosures, there are clear lessons in this case.

The Press Release and Complaint provide more details and discussion.

As always, your thoughts and comments are welcome!

Channel Stuffing to Manipulate a Non-GAAP Measure?  Enforcement!

When a company presents a non-GAAP measure investors generally should ask, “Is this non-GAAP measure presented to try and make things look better than the story the related GAAP measure tells?”  For example, in this SEC enforcement against ADT, the company presented adjusted EBITDA in the headline of its earnings release, highlighting a 7% increase, but did not mention that the company’s GAAP loss had increased from $(141) to $(157) million until later in the release.  Highlighting a positive change in a non-GAAP measure while the comparable GAAP measure deteriorates raises significant questions.  In addition, ADT did not follow Regulation S-K Item 10(e), which clearly applies to a company’s earnings release, and requires that GAAP measures be presented with equal or greater (OK, really greater) prominence than the comparable non-GAAP measure.

In an interesting twist on this process, as discussed in a recent enforcement release, a company disclosed a non-GAAP measure that was not as positive as the related GAAP measure, but used a classic revenue manipulation strategy to make the non-GAAP measure look more positive.

In the headline for its third-quarter 2016 earnings release, Newell Brands said:

Newell Brands Announces Third Quarter Results

Net Sales Growth of 158.5%; Core Sales Growth of 3.0%

New Strategic Plan Transformation into Action

Raises 2016 Guidance to Top Half of Range

Provides 2017 Initial Outlook

At first glance, all appears reasonable with this headline.  In particular, placing GAAP sales growth before the non-GAAP measure “core sales growth” follows the S-K Item 10(e) requirements discussed above, and avoids the frequent “equal or greater prominence” non-GAAP measure comment.

The large difference between the GAAP and non-GAAP sales growth rates raises a number of questions.  The earnings release notes that the GAAP sales growth is primarily due to the impact of an acquisition.  The question that naturally arises is, “what would have happened to sales without the acquisition?”

Below is the rationale for the company’s presentation of “core sales growth.”  In its non-GAAP measure disclosures Newell Brands says:

“The company’s management believes that core sales provides a more complete understanding of underlying sales trends by providing sales on a consistent basis as it excludes the impacts of acquisitions (other than the Jarden acquisition, which is included in core sales on a pro forma basis starting in the second quarter of 2016), planned or completed divestitures, the deconsolidation of the company’s Venezuelan operations and changes in foreign currency from year-over-year comparisons.”

This presents a reasonable rationale for the presentation of the non-GAAP measure, and, in fact, the non-GAAP measure presents a reasonably positive picture.

This seemed true until September 29, 2023, when the SEC released an Accounting and Auditing Enforcement Release describing how Newell and its former CEO engaged in a classic revenue manipulation scheme – channel stuffing or “pull-forwards” – designed to inflate this non-GAAP measure.  According to the AAER:

“During the last month of each quarter in the Relevant Period, Newell employees determined that its sales were inadequate to achieve management goals, including internal targets, guidance to investors, or analyst estimates. As part of an effort to achieve those goals, Polk (the former CEO) was made aware of and approved plans to pull forward sales scheduled for subsequent quarters. To do so, Newell employees identified orders scheduled for delivery early the following quarter and obtained customer permission to deliver those orders in the current quarter. Newell employees then informed Polk of the volume of orders that had been pulled forward.”

Many companies have used this strategy to try and maintain a sales growth rate.  As we discussed in this post about Under Armour (where you can find links to a number of similar cases), this is not an unusual kind of fraud.  In this case, however, it is interesting that the strategy was used specifically to manipulate the non-GAAP measure for “core sales growth.”

The company and the former CEO both entered into cease and desist orders and paid fines of $12,500,000 and $110,000, respectively.

As always, your thoughts and comments are welcome!

Enforcement Division Announces 2023 Results

On November 14, 2023, the Division of Enforcement announced its 2023 results in this Press Release and  related Addendum.  According to the Press Release, the Division of Enforcement:

    • Brought 784 enforcement actions, an increase of 3%;
    • Levied financial remedies totaling $4.949 billion, down from $6.439 billion the year before;
    • Obtained officer and director bars against 133 individuals, the highest number in more than a decade; and
    • Continued to focus on gatekeepers.

The Press Release highlights that 2023 was a record year for the Whistleblower Program with awards of almost $600 million, a record annual total.  Even more dramatically, the number of whistleblower tips increased from 12,300 in 2022 to 16,000 in 2023.  You can read more about the Whistleblower Program 2023 results in its separate annual report.

As always, your thoughts and comments are welcome.

Self-Reporting to and Cooperation with Enforcement Do Make a Difference

On September 25, 2023, the SEC announced a settled enforcement action against GTT Communications, Inc.  GTT grew rapidly, primarily through acquisitions.  This growth created challenges and disruption that eventually resulted in material problems in two of GTT’s key operational and reporting systems.  The two systems were used to track elements of expenses, and over time they began reporting diverging amounts. Though the company tried, the systems could not be reconciled.  As a result, the company could not reasonably determine amounts to record for certain expenses, including its cost of revenue (COR).  Without solving this identified problem, company personnel made large, unsupported adjustments to its accounting records.  When this situation came to light, the company commenced an internal investigation and ultimately filed this Item 4.02 Form 8-K to inform investors that its previously issued financial statements should not be relied upon.

It is difficult to appreciate the magnitude of GTT’s reporting problems.  The company spent more than a year and tens of millions of dollars trying to build the information required to restate its financial statements. Ultimately, the company abandoned these efforts.  It eventually filed for bankruptcy, emerging as a privately-owned company.  Because the company’s historical records could not be reconstructed, upon emerging from bankruptcy, the company used fresh-start accounting.

Early in its process the company self-reported its problems to the SEC.  It also “cooperated extensively with the SEC staff during its investigation.”  The company’s remedial measures included “attempting to rebuild its COR accounts, replacing certain members of management, its board of directors, and its auditor, and overhauling its accounting function, including its policies and procedures relating to COR.”

The company entered into a cease-and-desist order, but as a result of self-reporting, cooperating and taking strong remedial steps, there was no monetary penalty against the company.  You can read more in this Press Release and the related SEC Order.

This case presents a favorable outcome, but self-reporting and cooperation present several complex questions.  When companies find a problem, they must consider whether to self-report, when to self-report, how to approach the staff, and what information to share.  For an in-depth discussion of these and a number of related issues, you can listen to this episode of PLI’s inSecurities podcast.  Host Kurt Wolf and Miller & Chevalier Partner Sandra Hanna discuss a variety of issues including considerations for self-reporting.

As always, your thoughts and comments are welcome.

The Complicated and Far-Reaching Consequences of Fraudulent Financial Reporting

On August 28, 2023, the SEC announced an Order of Suspension Pursuant to Rule 102(e) barring Peter Armbruster, CPA, former CFO of Roadrunner Transportation Systems, Inc. (“Roadrunner”), from appearing or practicing before the Commission.  The bar was based on Armbruster’s 2021 conviction for committing:

    • One count of acts to fraudulently influence accountants;
    • Two counts of false entries in a public company’s books, records, and accounts; and
    • One count of securities fraud.

He was sentenced to 24 months imprisonment in a federal penitentiary to be followed by one year of supervised release and ordered to pay restitution of $1,142,597.50.  All of this, of course, in addition to his permanent bar from appearing before the SEC.

While this announcement about a single individual seems like a discrete event, a deeper look into the events at Roadrunner leading up to Armbruster’s bar provides insight into the dramatic costs and consequences of manipulating financial statements and reporting fraudulent information.

Roadrunner, a trucking and transportation company, had grown dramatically between 2010 and 2017, largely through acquisitions.  As a NYSE listed company, there was pressure to show successful results from this strategy.  Unfortunately, Roadrunner’s results were falling short of expectations, and this pressure caused people and the company to break financial reporting rules.  The chronology of events and related consequences in this case are long and complicated.

January 30, 2017 – First Public Announcement

The first publicly disclosed information about financial reporting problems was this January 30, 2017 Form 8-K.  In the Form 8-K, the company stated:

Item 4.02(a).  Non-Reliance on Previously Issued Financial Statements or a Related Audit Report or Completed Interim Review

In November 2016, we were made aware of various potential accounting discrepancies at our Morgan Southern and Bruenger operating subsidiaries. In response, our Board of Directors immediately commenced an investigation of the discrepancies with the assistance of Greenberg Traurig, LLP, as outside counsel, and RubinBrown LLP, as forensic accountants. Our investigation into these discrepancies is still ongoing; however, based on the investigation to date, and as described in further detail below, we have identified various accounting errors that we currently estimate will require prior period adjustments to our results of operations of between $20 million and $25 million. These errors principally relate to unrecorded expenses from unreconciled balance sheet accounts including cash, driver and other receivables, and linehaul and other driver payables. As the investigation is ongoing, the estimated amount is preliminary and could change materially.

The Form 8-K also included details indicating that several years of financial statements would likely be restated.

March 29, 2017 – Termination of CFO

In this Form 8-K, filed on April 3, 2017, Roadrunner announced:

Item 5.02.  Departure of Directors or Certain Officers; Election of Directors; Appointment of Certain Officers; Compensatory Arrangements of Certain Officers.

On March 29, 2017, Mr. Peter Armbruster was terminated from his positions as the Company’s principal financial officer and principal accounting officer.

Interestingly, just a few weeks earlier, on February 28, 2017, the CFO was included in the company’s incentive compensation plans announced in this Form 8-K.

January 31, 2018 – Form 10-K/A Filing

A year after the initial announcement Roadrunner filed a Form 10-K/A to restate several years of financial statements.  In the Form 10-K/A, the company stated:

Restatement Background 

In November 2016, we commenced an internal investigation into certain accounting discrepancies at our Morgan Southern and Bruenger operating companies. Subsequently, an independent internal investigation was undertaken by the Audit Committee of our Board of Directors (the “Audit Committee”), with assistance from outside counsel and outside consultants to provide forensic and investigative support (the “Audit Committee Investigation”). The expanded Audit Committee Investigation included detailed reviews of financial records at other operating companies and at our corporate headquarters. The Audit Committee Investigation identified material accounting errors that impacted substantially all financial statement line items and disclosures.

……

Based on the Audit Committee Investigation, current management determined that there were deficiencies in the design and/or execution of internal controls that constituted material weaknesses. Current management determined that structural and environmental factors, including the increased size and complexity arising from the acquisition of 25 non-public companies between February 2011 and September 2015, the inconsistency of our accounting systems, policies and procedures, and management override of internal controls contributed to the material weaknesses and resulting material accounting errors. Our internal controls failed to prevent or were overridden by management in certain instances to allow recording accounting entries without appropriate support, recording accounting entries that were inconsistent with information known by management at the time, not communicating relevant information within our organization and, in some cases, withholding information from our independent directors, our Audit Committee, and our independent auditors, which resulted in material accounting errors. 

March 12, 2018 – Consolidated Amended Class Action Complaint Filed

As expected in cases like this, class action litigation resulted.  You can find a detailed list of developments at Roadrunner and related assertions by the plaintiffs in this Consolidated Amended Class Action Complaint. The time and costs involved in this kind of litigation are substantial.

April 1, 2019 – Stipulation and Agreement of Settlement Filed for Class Action Litigation

In a step towards ending the class action litigation, plaintiffs and defendants entered into this Stipulation and Agreement of Settlement.  As you review the details you will find the amount of the Settlement was $20 Million.  There were several steps in the process to have the agreement approved by the court.  The company announced preliminary approval on this June 26, 2019 Form 8-K.

April 6, 2020 – Roadrunner Delists from the NYSE and Withdraws its 1934 Act Registration

On April 6, 2020, Roadrunner filed a Form 25 to end its listing on the NYSE, and on April 17, 2020, the company filed a Form 15-12B to terminate its 1934 Act registration.

February 14, 2023 – SEC Announces Cease and Desist Order Against Roadrunner

As you can read in this AAER, the company entered into a Cease and Desist Order with the SEC in February 2023, well after the end of its 1934 Act registration.  The Order includes a summary of the various accounting misstatements that impacted the company’s reported results.  Interestingly, the settlement that Roadrunner paid in the related class action litigation was deemed to satisfy the SEC’s disgorgement principles.

August 28, 2023 – Former CFO Is Barred by the SEC

As described above and as you can read in this AAER, the former CFO, based on his conviction, was barred from SEC practice.

September 7, 2023 – Former Segment Controller and Director of Accounting Barred by the SEC

As you can read in this AAER, a former controller of the Truckload Logistics segment of Roadrunner was also barred by the SEC.

In addition, as you can read in this AAER, the Director of Accounting for Truckload was also barred.

These cases, if we are drawn into them, have a long and complex path with dramatic costs, financial and otherwise, for individuals and companies.  The above summary does not include several officer and director changes, including two CFO changes.  Nor does it include the details of how the company ended up delisting and going dark, or a settled action against a former officer for insider trading charges during the period of the financial reporting fraud.

As always, your thoughts and comments are welcome.

Yet One More Violation of Whistleblower Protection Rules

In two recent posts we discussed enforcement actions against Monolith Resources and CBRE, Inc. for violating the SEC’s whistleblower protection rules.  On September 29, 2023, the SEC announced its latest such case, this one against D.E.Shaw and Co. L.P., for using employment agreements that violated the whistleblower protection rules.  This violation resulted in a $10,000,000 civil penalty along with a cease-and-desist order.

You can read more details in the related Order.

All these cases send direct and clear reminders to proactively review employment, termination and similar agreements to assure they do not run afoul of the whistleblower protection rules.

As always, your thoughts and comments are welcome!

Enforcement Sends an Emphatic Section 16 Reporting Reminder

On September 27, 2023, the Enforcement Division announced settled enforcement orders against six individuals and five companies based on Section 16 and Forms 13D and 13G reporting failures.  The individuals and  companies paid fines ranging from $115,000 to $200,000.  Sanja Wadhwa, Deputy Director of the SEC’s Division of Enforcement, said:

“Today’s enforcement action should serve to remind SEC filers that reporting obligations under the securities laws are not optional, and there are consequences for failing to file required forms in a timely manner.”

This enforcement sweep is very similar to a September 2014 sweep.  You can read more in this Press Release, where you can find links to the individual orders.

As always, your thoughts and comments are welcome!

Yes, Violating Whistleblower Protection Rules Is an Enforcement Hot Topic!

In a prior blog post, we reviewed a September 8, 2023, Enforcement Order against Monolith Resources, LLC based on the company violating the SEC’s whistleblower protection rules.

Less than two weeks later, on September 19, 2023, the Enforcement Division added to the growing list of these cases with an announcement that CBRE, Inc., a wholly-owned subsidiary of NYSE-listed CBRE Group, Inc., had also violated the whistleblower protection rules.   In its separation agreements CBRE Inc. had included language requiring employees to attest “that they had not filed a complaint against CBRE with any federal agency.”  After the SEC commenced its investigation, the company took strong remedial steps.  In settling the case CBRE, Inc. paid a civil penalty of $375,000.

You can read more in the related SEC Order.

As always, your thoughts and comments are welcome!