Author Archives: Michelle Louise Austin

Two Recent Cases Highlight the Insider Trading Risks Associated with Cyber Breaches

by Avi Gesser, James H.R. Windels, Joseph A. Hall, Laura Turano, and Zachary Shapiro

The recent convictions of two traders for using hacked press releases and the settlement of SEC insider trading charges against a former Equifax manager highlight the significant insider trading risks companies face when dealing with a cyber event.  These risks come in two forms.

First, there is the risk that someone (either inside or outside the company) has gained unauthorized electronic access to material nonpublic information (“MNPI”) about the company or one of its business or transaction partners, and will use that information for illegal securities trading purposes. On July 6, a jury in Brooklyn convicted two traders for securities fraud, money laundering and computer intrusion for using hacked press releases to trade on MNPI. To reduce that risk, companies can adopt various cybersecurity measures such as two-factor authentication, access controls, encryption, phishing training, network segmentation, and system monitoring. Davis Polk’s Cyber Portal 2.0, which is now available to our clients, provides detailed checklists and other resources to help companies reduce cybersecurity risks.

To Disclose or Not to Disclose: Analyzing the Consequences of Voluntary Self-Disclosure for Financial Institutions

by F. Joseph Warin, M. Kendall Day, Stephanie L. Brooker, Adam M. Smith, Linda Noonan, Elissa N. Baur, Stephanie L. Connor, Alexander R. Moss, and Jaclyn M. Neely.

One of the most frequently discussed white collar issues of late has been the benefits of voluntarily self-disclosing to the U.S. Department of Justice (“DOJ”) allegations of misconduct involving a corporation. This is the beginning of periodic analyses of white collar issues unique to financial institutions, and in this issue we examine whether and to what extent a financial institution can expect a benefit from DOJ for a voluntary self-disclosure (“VSD”), especially with regard to money laundering or Bank Secrecy Act violations. Although the public discourse regarding VSDs tends to suggest that there are benefits to be gained, a close examination of the issue specifically with respect to financial institutions shows that the benefits that will be conferred in this area, if any, are neither easy to anticipate nor to quantify. A full consideration of whether to make a VSD to DOJ should include a host of factors beyond the quantifiable benefit, ranging from the likelihood of independent enforcer discovery; to the severity, duration, and evidentiary support for a potential violation; and to the expectations of prudential regulators and any associated licensing or regulatory consequences, as well as other factors.

Cyber-Attacks and Stock Market Activity

by Dr. Daniele Bianchi and Dr. Onur Tosun

Security breaches and hacking cost publicly traded companies billions of dollars annually in stolen assets, lost business, and damaged reputations. Although detailed data are difficult to collate, the 2017 annual Cost of Data Breach Study run by the Ponemon Institute for IBM estimated that the average per-capita cost of data breaches reached an all-time high of $225 (a 60% increase over the last decade). This is as much of a concern for businesses as it is for regulators.

As a matter of fact, the knock-on effect of a data breach can substantially affect a company’s reputation, resulting in abnormal customer turnover and loss of goodwill, which in turn affect firms’ policies and ultimately revenues and profits. For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions.


UK Financial Conduct Authority Issues Near-Final Rules on Extension of Senior Managers and Certification Regime and Introduces New Financial Services Directory

by Karolos Seeger, Simon Witney, and Andrew Lee

Following the consultation papers published in July and December 2017, the UK Financial Conduct Authority (“FCA”) on 4 July 2018 provided responses to the industry feedback it received and issued near-final rules on extending the Senior Managers and Certification Regime (“SMCR”) to almost all FCA-regulated firms.[1] Notably, the FCA has confirmed that the new rules will apply from 9 December 2019. We summarise below the limited changes from the FCA’s initial SMCR proposals, the main features of which have been covered in our previous client updates.[2]

In addition, the FCA has published a consultation paper regarding the introduction of a new directory of financial services workers (the “Directory”).[3] This will be available from 10 December 2019 for banks, building societies, credit unions and insurers, and from 9 December 2020 for all other firms. The key aspects of the Directory and firms’ significant related notification obligations are outlined below.

PCCE Seeks A New Executive Director

After a wonderful and successful spring semester, PCCE’s current Executive Director, Pablo Quiñones, is transitioning out of that role to start his own law practice, Quiñones Law PLLC. Although brief, Pablo’s tenure as Executive Director was extraordinary. With his help, PCCE substantially increased its law blog readership and held four events, including a full day conference on cybersecurity and a fireside chat with the General Counsel and Solicitor of the SEC. The most recent event, “ICOs and Cryptocurrency: Innovation Meets Regulation,” was planned and executed entirely by Pablo and was held before a packed audience.  While we will miss Pablo, he will continue to contribute to PCCE as a Senior Fellow and an Editor of the Compliance and Enforcement law blog, and plans to moderate a panel on compliance monitors at our annual fall conference on October 12, 2018.  Please join us in recognizing Pablo’s accomplishments and in thanking him for his exemplary service as PCCE’s Executive Director. 

It is time now to search for a new Executive Director.

Department of Justice Offers Incentive for Antitrust-Based Corporate Compliance

by Michael W. Peregrine and Mary N. Strimel

Board-level audit and compliance committees should support efforts to revise the organizational compliance plan to incorporate specific provisions focused on antitrust law-related guidelines.  This is especially important given the Department of Justice’s (“DOJ”) plans to credit pre-existing compliance programs that incorporate such provisions.  A company’s General Counsel, perhaps teaming with the Chief Compliance Officer, can support the committee in this initiative.

In a recent speech,[1] Principal Deputy Assistant Attorney General (“DAAG”) Andrew Finch stated that the Antitrust Division is examining whether, and to what extent, to recognize and credit pre-existing compliance programs, potentially during charging or at sentencing. This consideration might mirror the approach taken by the Canadian Competition Bureau, which announced last month that it would recommend fine discounts of up to 20% for companies that have a “credible and effective” compliance program.[2]

Finality on Insider Trading Law…Until The Next Challenge

by Gregory Morvillo

The Second Circuit has spoken…again.  For what seems like the umpteenth time in three years, twice on the same case US v. Martoma, the Circuit put pen to paper to address the controversial personal benefit issue.  To understand how we got here…here is a, sort of, brief recap. 

Newman shook up the legal world. In US v. Newman, the Second Circuit held that personal benefit (and remember we are talking about it only in relation to a tipper making an improper gift of confidential information to a trading relative or friend) existed where there was a “meaningfully close personal relationship that generates an exchange that is objective, consequential, and represents at least a potential gain of a pecuniary or similarly valuable nature.” This raised all kinds of hullabaloo (yes, I just used the word hullabaloo). Some of us thought Newman was brilliant, some thought it was a disaster.

Supreme Court Tells SEC to Appoint ALJs (Even Though SEC Already Did)

by Gregory Morvillo

They say the third time’s a charm, whoever “they” are. If that’s the case, then this must be a most charming article because it is the third time I have had the opportunity to write about the battle over whether an SEC Administrative Law Judge is an inferior officer who the Commission must appoint to the position or a mere employee who the human resources department can simply hire to preside over cases. This will be the last time I write about this issue because the U.S. Supreme Court just weighed in and resolved the dispute. The answer is definitive but the impact, practically speaking, will not be far reaching. Nevertheless, the Supreme Court has held that SEC ALJs are inferior officers of the United States subject to the Appointments Clause of the Constitution.

Governance and Culture – The Conversation Boards are Having Now

by Ben Morgan and Holly Insley

Corporate governance has long been an area of focus for boards and recent proposals in the UK have ensured that this remains the case.

The Financial Reporting Council consulted in late 2017 on proposed changes to its Corporate Governance Code for quoted companies.  The final text of the changes is expected to be published this summer, for introduction in 2019. 

The focus on governance extends beyond the quoted company arena. Legislation laid before Parliament in June 2018 will, amongst other things, require large UK private companies to disclose in their annual directors’ report details of the corporate governance arrangements they have operated during the previous year. At the same time, a consultation has been launched on proposed corporate governance principles for large private companies, which the government hopes will be adopted by those companies as an appropriate framework when complying with the new governance-related reporting requirement.

FTC’s Cybersecurity Remedial Authority Limited

by David A. Katz, Marshall L. Miller, and Jonathan Siegel

The Eleventh Circuit Court of Appeals recently vacated a Federal Trade Commission cease-and-desist order that required a medical laboratory company to implement a “reasonably designed” cybersecurity program after customer data on the company’s systems were compromised. LabMD, Inc. v. Federal Trade Commission. The decision represents a judicial curb on FTC enforcement efforts seeking expansive cease-and-desist orders requiring companies to maintain “reasonable” or “appropriate” data security systems in the wake of cyber incidents. By limiting the FTC to orders that prohibit specific unfair conduct, or that require specific responsive remedial action, this ruling may alter the cyber enforcement landscape and affect the balance between the FTC and companies affected by cyber incidents.