SEC enforcement against public companies – A recap of 2023

In 2023, the SEC brought several high-profile enforcement cases involving issues other than financial performance, including claims against public company executives who did not have responsibility for financial reporting. The SEC also asserted aggressive claims involving internal controls requirements and displayed its willingness to litigate, while also messaging the benefits of cooperation. We fully expect the SEC to continue its aggressive approach to issuer disclosure and accounting as we move into the final year of the current administration.

The SEC focused on corporate employees outside the financial reporting process.

The SEC continued a recent trend of asserting claims against corporate executives whose responsibilities did not include preparing financial statements or SEC filings. As a result of the SEC’s enforcement interest in issues beyond financial performance, the universe of individuals who face potential SEC exposure has expanded beyond the traditional group of CEOs, CFOs, Controllers and other accounting- or finance-related employees.

Perhaps the most striking example of this trend was the October 2023 litigated action filed against the Chief Information Security Officer (CISO) of SolarWinds Corp.[1] The SEC alleged that the CISO was responsible for disclosures made by the company about its cybersecurity risks and vulnerabilities that the SEC alleged were misleading. Much of the SEC’s complaint focused not on an SEC filing, but instead on a security statement on the company’s website that was intended for customers, not investors. The SEC also alleged that the CISO was involved in reviewing statements in SEC filings regarding the company’s cybersecurity risks and incidents that the SEC alleged were misleading. The SEC’s complaint cited internal emails by the CISO flagging cybersecurity risks and deficiencies as evidence that he was aware that the company’s public statements and disclosures were inaccurate. Notably absent was any allegation that the CISO had regular responsibility for preparing, reviewing or approving disclosures in the company’s SEC filings. Instead, the SEC highlighted that the CISO signed internal certifications attesting to the adequacy of the company’s cybersecurity controls as evidence that the CISO acted with scienter sufficient to support fraud charges under Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act).

The SEC alleged controls violations even without an accounting or disclosure violation.

2023 saw the SEC double down on its view that the internal controls provisions applicable to public companies are tools to sanction corporate conduct even in the absence of an underlying accounting or disclosure violation. The SEC’s approach, which has triggered dissents from Republican commissioners for its expansive and untested reading of the provisions at issue, has resulted in several novel enforcement actions.

In November 2023, the SEC announced a settled action involving a $25 million penalty against Charter Communications relating to the company’s use of stock buybacks.[2] The company’s board had authorized a buyback and instructed that the buyback follow Rule 10b5-1, which provides an affirmative defense against insider trading. The SEC believed that company management misinterpreted the rule and did not satisfy Rule 10b5-1. The SEC did not allege any trading or disclosure violation; instead, its enforcement hook was the internal accounting controls provision of Section 13(b)(2)(B) of the Exchange Act. The SEC cited the requirement that companies have accounting controls to provide reasonable assurances that transactions are executed in accordance with management’s authorization. Because of the SEC’s disagreement with the company’s interpretation of Rule 10b5-1, the SEC alleged that the company acted inconsistently with the board authorization. The Charter action followed a similar 2020 SEC settlement with Andeavor LLC, which also alleged violations of this accounting controls provision in connection with a corporate buyback.[3]

Another example of a controls case with no underlying reporting violation was a February 2023 case imposing a $35 million penalty on a video game development company.[4] The SEC alleged that the company regularly disclosed in its SEC filings a risk factor tied to the importance of attracting, retaining and motivating a workforce with specialized skills. According to the SEC, however, the company allegedly lacked a process for collecting or analyzing employee complaints of workplace misconduct, which the SEC believed was necessary in light of the risk factor. There is no independent requirement for such a process and the SEC did not allege that the company’s risk factor disclosure or any other disclosure was in fact misleading. Instead, the SEC cited Exchange Act Rule 13a-15, which requires public companies to have disclosure controls related to their public filings. At the time, we wrote that the SEC’s theory—that companies should have specific controls around risk factor disclosures—could be used to impose sanctions on hot-button disclosure issues involving climate, cybersecurity and human capital that are far removed from a company’s typical business and financial performance traditionally at the heart of SEC disclosure rules.[5]

The SEC’s willingness to allege violations of the internal controls provisions, even in the absence of an underlying accounting or disclosure violation, significantly increases the enforcement risk faced by public companies. Issuers would do well to regularly review and update their internal accounting and disclosure controls in light of this scrutiny.

The SEC encouraged cooperation by public companies in SEC investigations but uncertainties remain.

In 2023, the SEC made an effort to highlight the benefits of cooperation by issuers in SEC investigations. In public speeches, Enforcement Director Gurbir Grewal spoke regularly about the benefits that companies could earn by prompt self-reporting of suspected misconduct, robust cooperation with the staff’s investigation and timely remediation of internal deficiencies.[6] And, the SEC announced several public company resolutions involving alleged accounting and disclosure-related violations where no civil penalty was imposed and/or reduced violations were alleged as a result of such cooperation.

For instance, in June 2023, the SEC filed a settled action against Stanley Black & Decker for allegedly failing to disclose perquisites that were provided to certain executives in violation of the reporting and proxy solicitation provisions of the securities laws.[7] In addition to not imposing a civil penalty, the SEC took the unusual step of publicly stating that it had declined to allege certain violations because the company had self-reported the alleged misconduct before its internal investigation had concluded and further provided significant assistance to the staff’s investigation. The SEC brought similar zero-penalty resolutions against several other issuers who also self-reported potential accounting and disclosure-related violations.[8]

Despite the public messaging by SEC leadership, significant uncertainties remain for issuers who are considering approaching the SEC with information about a potential violation. Given the lack of clear Commission guidelines, it is difficult to predict how SEC staff will exercise their discretion in any given matter, including whether and to what degree they might credit self-reporting and cooperation. To that end, just days before the Stanley Black & Decker settlement was announced, the SEC alleged that an issuer engaged in accounting-related misconduct and imposed a $1.5 million penalty, even though the SEC’s order specifically highlighted the company’s self-reporting, cooperation and timely remediation.[9]There was no explanation in the SEC’s order why this company, having checked the necessary boxes, still paid a penalty.[10]

The SEC continued to scrutinize practices that help companies meet internal and external targets.

In recent years, the SEC has brought a series of fraud actions against issuers employing undisclosed business practices that enabled them to meet or beat Wall Street estimates, management guidance or internal targets, even where there was no allegation that the companies’ reported metrics were inaccurate or inconsistent with GAAP. In the SEC’s view, the use of such business practices rendered existing public disclosures regarding a company’s financial performance as inaccurate because investors were misled as to how the company was able to meet or beat a particular financial or non-financial target.

For instance, in May 2023, the SEC asserted claims for disclosure fraud against an Internet streaming company for allegedly reporting inflated subscriber numbers in line with its previously disclosed subscriber target, a “key metric” tracked by Wall Street analysts.[11] The alleged conduct arose after the company’s transition to a new billing software appeared to have resulted in the loss of paying subscribers, thereby leaving the company short of its target. The SEC alleged that, after offering the affected subscribers a free month of service, the company included them in its overall subscriber count and thereby met its publicly disclosed target.

In September 2023, the SEC asserted violations by a consumer products company for allegedly misleading investors about a non-GAAP metric, known as core sales growth, that was tracked by market analysts and was the subject of guidance issued by the company.[12]In order to avoid missing internal targets, guidance to investors and analyst estimates, the SEC alleged that the company, among other things, relied on sales practices known as “pull forwards” to accelerate sales from future quarters to current quarters. By failing to disclose the use of these sales practices to make up shortfalls, the SEC alleged that the company created a misleading impression that it had achieved core sales growth in line with its targets, thereby depriving investors of relevant information to assess the company’s actual sales performance.[13]

Public companies achieved mixed resolutions after litigating against the SEC.

Although it is rare for public companies to litigate against the SEC in matters involving alleged accounting or disclosure fraud, 2023 saw several high-profile litigated actions reach settlements. In two, the issuers negotiated reduced violations as compared to those reflected in the SEC’s original complaints. In a third, the company settled after an unfavorable court ruling.

In November 2023, mining company Rio Tinto agreed to settle a case relating to the SEC’s allegation that it had disseminated misleading statements about the value of its Mozambican coal assets.[14] The SEC’s complaint, originally filed in 2017, had alleged a broad range of violations, including scienter-based violations of Section 10(b) of the Exchange Act. Rio Tinto successfully moved to dismiss most of the SEC’s claims in district court, including the SEC’s scheme liability claims under Section 10(b). After the SEC sought interlocutory review, the U.S. Court of Appeals for the Second Circuit issued an opinion rejecting the SEC’s view that scheme liability can be established through the existence of a false statement or omission, absent additional evidence of deceptive conduct. Perhaps as a result of the Second Circuit’s decision, the SEC agreed to drop all fraud-related claims against the company in a recent settlement. The settlement was thus limited to reporting and books-and-records violations that do not require any showing of intent or knowledge on the part of the company.

In March 2023, the SEC announced that it had reached a settlement with a mining company, Vale, S.A., over allegations that it had made misleading disclosures about the safety of its dams prior to the January 2019 collapse of one of its Brazilian dams.[15] The SEC’s action, initially filed in early 2022 and much publicized as the SEC’s first issuer ESG action, alleged that the company committed scienter-based violations tied to statements made in public filings and corporate sustainability reports. Eleven months into the case, however, the SEC reached a settlement in which the SEC agreed not to oppose dismissal of scienter-based claims under Section 10(b) and the company agreed to settle to negligence-based claims only.

Although Rio Tinto and Vale paid sizable monetary sanctions in each matter—Rio Tinto agreed to pay $28 million in penalties, while Vale agreed to pay $55 million in penalties and disgorgement—both companies were able to avoid the SEC’s most serious scienter-based violations. Rio Tinto also scored a significant appellate victory with broader implications for the SEC’s enforcement program.

However, in a third case that was resolved just before the beginning of 2023, AT&T settled an action shortly after an unfavorable district court ruling.[16] The SEC had alleged that the company and several investor relations employees violated Regulation FD by disclosing metrics about equipment upgrade rates and related revenue to certain analysts. AT&T argued that the trend had been disclosed and that the metrics were quantitatively insignificant. The district court disagreed, citing the company’s internal and external focus on these metrics in holding that the metrics were material despite a minor impact on earnings. The defendants settled a few months later, with AT&T agreeing to pay a $6.25 million penalty and the individuals each paying $25,000.

The Rio Tinto and Vale settlements are useful reminders that, in the right circumstances, there may be advantages for issuers to litigate against the SEC, including the ability to negotiate better settlement terms than what the staff otherwise may have been willing to consider during the investigative phase. In contrast, the AT&T case shows the risk inherent in any litigation, including against the SEC.

Takeaways

Overall, 2023 included examples of the SEC’s willingness to push the enforcement envelope by asserting claims against non-financial individuals at public companies, focusing on disclosures beyond financial performance, alleging accounting control violations in cases seemingly unrelated to accounting and alleging disclosure control violations even without an underlying false disclosure. The SEC also displayed its willingness to litigate against public companies and executives, including by alleging its most serious violation, Section 10(b) intentional fraud. We expect to see these trends continue in 2024.