When it comes to settlements with the SEC’s Division of Enforcement (“Enforcement Division”), a question respondents often ask is how the SEC arrives at a given penalty amount. This blog post discusses the SEC’s current approach to determining penalty amounts, as recently articulated by Gurbir Grewal, the Director of the SEC’s Enforcement Division, and also considers how the SEC’s recent settlement with Global Infrastructure Management, LLC (“Global”) may be indicative of the SEC’s new approach to penalties.
Last summer, Representative Alexandria Ocasio-Cortez (D-NY) introduced bill H.R. 4620 to limit the exemption from registration requirements applicable to certain family offices under the Investment Advisers Act of 1940 (the “Advisers Act”). If the bill becomes law, among other things, a family office with $750,000,000 or more in assets under management will no longer be exempt from registration under the Advisers Act.
Last month, we wrote about three actions taken by the SEC signaling a renewed interest in cybersecurity disclosure enforcement. In keeping with this theme, the SEC announced a number of significant new cybersecurity actions just last week. On August 30, the SEC disclosed enforcement actions against eight brokerage firms for failing to implement adequate cybersecurity policies and procedures, as required by the SEC’s “Safeguards Rule.” All eight firms agreed to settle with the SEC and will collectively pay hundreds of thousands of dollars in fines. These most recent actions underscore that companies should be mindful of whether their cybersecurity policies and procedures comply with SEC requirements and expectations.
The SEC is ramping up its cybersecurity disclosure enforcement. While the agency had made significant efforts relating to cybersecurity disclosure previously, there has been surprisingly little SEC activity in this area since 2018—even though the last three years have seen an explosion of high-profile data security incidents. That changed in June of this year, however, with the SEC taking three major actions that demonstrate a renewed interest in such enforcement. First, the SEC announced its intention to issue a new rule regulating cybersecurity risk governance disclosure. Second, it announced its first charges and settlement for cybersecurity disclosure violations since 2018. And third, it revealed a significant cybersecurity disclosure investigation relating to the recent SolarWinds supply-chain attack. In light of these developments, now would be a good time for issuers and registered entities to review the SEC’s expectations for cybersecurity disclosure and implement any necessary changes to their policies, procedures, and disclosure practices.