In a recent report, the U.S. Securities and Exchange Commission (“SEC”) alleged that for several years, a financial services company failed to protect the personally identifiable information (“PII”) of millions of its customers. The company, without admitting or denying the findings, agreed to pay $35 million to the SEC to settle the charges.

According to the report, the company repeatedly hired a moving and storage company to decommission thousands of hard drives and servers. Many of those devices were then sold to a third party, who auctioned the devices online with the PII intact and unencrypted. The report also revealed that the company lost track of 42 servers containing PII during a hardware refresh program, with these servers lacking active encryption software.


After agreeing to the settlement, the company released a statement saying it was pleased to resolve the matter and confirmed it had previously notified affected clients of the issues. The company also stated it had not detected any unauthorized access to, or misuse of, the PII.

The Takeaway

Exceptionally poor security practices will draw the attention of federal regulators, regardless of whether confidential information ends up on the Dark Web. Coverage for regulatory proceedings under a cyber liability policy needs to be triggered by such investigations, and not be dependent upon whether a bad actor actually gains access to the sensitive data. 



The U.S. Securities and Exchange Commission (“SEC”) established its whistleblower program in 2010 to encourage individuals to report high-quality tips to help the agency detect wrongdoing and better protect investors and the marketplace. More recently, the SEC adopted two amendments to the rules governing its whistleblower program. The first rule change allows the SEC to pay whistleblowers for their information and assistance in connection with non-SEC actions in additional circumstances. The second rule affirms the SEC’s authority to consider the dollar amount of a potential award for the limited purpose of increasing an award but not to lower it.


In a statement, SEC Chair Gary Gensler noted these “amendments enact two changes to help enhance the whistleblower program. The first amendment expands the circumstances in which a whistleblower who assisted in a related action can receive an award from the commission for that related action rather than from the other agency’s whistleblower program. Under the second amendment, when the Commission considers the size of the would-be award as ground to change the award amount, it can do so only to increase the award, and not to decrease it. I think that these rules will strengthen our whistleblower program. That helps protect investors.”


Since the program’s inception, the SEC has awarded more than $1.3 billion to whistleblowers. The SEC rewards whistleblowers who provide information about illegal conduct in a timely manner, and, with these new amendments, continues to demonstrate its commitment to the program and to the protection of investors.


After two separate crashes of an aircraft manufacturer’s jets killed 346 people, the manufacturer rushed to reassure the public and its investors about the design and engineering of the aircraft and its compliance with safety regulations. In reality, however, faulty sensor readings in the jets’ Maneuvering Characteristics Augmentation System (“MCAS”)—an automated system intended to activate only in high-speed turns—inadvertently triggered the flight control system and pushed the planes into a nosedive.


According to the U.S. Securities and Exchange Commission (“SEC”), the aircraft manufacturer realized MCAS was activating at lower speeds and that the system needed a software fix. Despite its knowledge of the faulty system, however, the SEC said the manufacturer failed to notify or provide proper training to its technical pilots. Instead, it limited the pilots to computer-based training that could be done remotely, in an effort to keep the required training at a lower, less expensive level at which simulator sessions were not required.


The SEC investigation into the misleading public statements made by the manufacturer and its then-CEO after both crashes found they had negligently violated the anti-fraud provisions of federal securities laws. Without admitting or denying the findings, the aircraft manufacturer and the former CEO recently agreed to settle with the SEC and pay a $200 million civil penalty and a $1 million civil penalty, respectively. In a statement about the settlement, SEC Chair Gary Gensler said “In times of crisis and tragedy, it is especially important that public companies and executives provide full, fair, and truthful disclosures to the markets. The [manufacturer] and its former CEO … failed in this most basic obligation.”


At the U.S. Securities and Exchange Commission’s (“SEC”) latest conference, the agency advised that it has adopted a “regulation by enforcement” agenda in an attempt to fill the gap between the securities laws and their enforcement. This newly adopted agenda will extend the SEC’s reach to include cryptocurrency and cybersecurity. These areas have garnered heightened focus from the SEC due to their increasing impact on investor confidence.
The SEC also made clear that the cryptocurrency market falls within the scope of the SEC and its regulations, and thus is subject to the current securities law framework. By including the cryptocurrency market under the new agenda, the SEC stressed that cryptocurrency intermediaries need to be registered accordingly. The SEC added that participants in the industry seeking to avoid enforcement should closely monitor their registration obligations and even consider maintaining communication with the SEC about the agency’s expectations. To close out the conference, the SEC emphasized its focus on reducing problematic conduct on an individual level and noted there will be an increased frequency in the use of the Sarbanes-Oxley Act to allow the SEC to seek reimbursement from individuals who were compensated through misconduct.
In addition to announcing its new agenda, the SEC proposed amendments to its rules regarding cybersecurity disclosures by public companies. The introduction of these amendments would expand the SEC’s scope as well as its ability to regulate and enforce securities law. If the amendments are finalized, they will require public companies to: 
  • make reasonable disclosures relating to the company’s risk management, governance, and incident reporting;
  • draft a report to the SEC of any material cyber incident within 4 business days following discovery;
  • make regular disclosures about the procedures put in place to properly identify and manage the company’s cyber risk; and
  • provide adequate guidance on management’s role in implementing the procedures put in place in the event of a cyber breach.


A mobile app company based out of China was recently charged by the U.S. Securities and Exchange Commission (“SEC”) for insider trading. Rule 10b5-1 was adopted by the SEC in 2000 in order to provide companies, their directors and employees, and other corporate insiders with a potential affirmative defense to insider trading. According to the SEC’s findings, the company’s CEO and its former president jointly established a purported 10b5-1 trading plan after becoming aware of a significant drop-off in advertising revenues from the company’s largest advertising partner. The SEC’s order further detailed that the CEO and former president had previously sold 96,000 of the company’s Depository Shares under the trading plan and avoided losses totaling hundreds of thousands of dollars. Additionally, the CEO made materially misleading public statements about the company’s revenue trends during an earnings meeting and the company later failed to disclose a negative revenue trend in its annual report.

The SEC found that the CEO and former president both violated the antifraud provisions of the Securities Exchange Act of 1934, while the CEO violated the provisions of the Securities Act of 1933 and was a cause of the company’s violations of issuer reporting requirements under the Exchange Act. Without admitting or denying the SEC’s findings, both the CEO and former president agreed to cease-and-desist orders, undertakings relating to their future securities trading, and to pay civil penalties.

September 2022 Noteworthy Enforcement Actions Filed

Name                Title                                          Company
Kris A. Swaffer                                                    POHIH, Inc.
Sean K. Williams                                                   POHIH, Inc.
Scott Lindell       Chief Risk Officer, Chief Compliance Officer   Infinity Q Capital Management LLC

September 2022 Noteworthy Settlements and Judgments

Amount          Name                   Title             Company
$ 728,171.00    Todd C. Doucette       Vice President
$ 150,000.00    Dan Oran                                 Profile Solutions, Inc.
$  50,000.00    James R. Thompson                        Spyr, Inc.
$  75,000.00    Barry D. Loveless                        Spyr, Inc.
$  10,000.00    James A. Mylock, Jr.                     Spyr, Inc.

Source: U.S. Securities and Exchange Commission