March 2023 in Brief: Securities Law

Securities Regulation

PCAOB Staff Warns Against Third-Party Crypto Asset Reserve Reports

By Thomas W. White, Retired Partner, WilmerHale

In an unusual action, on March 8, the Public Company Accounting Oversight Board’s Office of the Investor Advocate issued an investor advisory cautioning crypto asset investors against relying on so-called “proof of reserve” (PoRs) reports. According to the advisory, certain crypto entities such as exchanges or stablecoin issuers may engage third-party service providers to issue PoR reports in an attempt to reassure investors about existence and availability for withdrawal of a customer’s digital assets. The Office’s bottom-line, bold-face message: “Proof of reserve reports are inherently limited, and customers should exercise extreme caution when relying on them to conclude that there are sufficient asset to meet customer liabilities.”

The advisory states that PoR reports are not within the PCAOB’s regulatory authority. It emphasizes that PoR reports are not audits and that, “[d]espite any representations to the contrary,” the reports “are not equivalent or more rigorous than an audit, and they are not conducted in accordance with PCAOB auditing standards.” The engagements are not subject to PCAOB inspections.

The advisory also discusses why, in the Office’s view, PoR reports “do not provide any meaningful assurance to investors or the public.” Among other concerns, the PoR reports 1) do not address the crypto entity’s liabilities, the digital asset holders’ rights and obligations, or whether the assets have been borrowed by the crypto entity to make it appear that it has sufficient collateral or “reserves” in excess of customer demands; 2) concern digital assets at a point in time and provide no assurance about their availability after the issuance of the report; 3) provide no assurance regarding the effectiveness of internal controls or governance of the crypto entity; and 4) do not express an opinion on the adequacy of the “reserves,” the financial stability of the crypto entity, or management’s assertions. The advisory also explains that PoR engagements are not subject to uniform standards and, therefore, “yield different results based on the different standards selected by management and PoR service providers.”

Notably, the advisory was issued following criticism of the PCAOB for not having taken regulatory action against registered public accounting firms that audited crypto enterprises or provided PoR reports. The PCAOB’s authority under the Sarbanes-Oxley Act, however, extends only to audits of public companies and broker-dealers, not to non-public crypto entities. Nonetheless, the Office of the Investor Advocate undertook to inform investors and others about the limitations of PoR reports and the fact that investors do not have the protections of PCAOB regulation with respect to these reports.

SEC’s Reliance on the Reves Test in a Recent Enforcement Case Could Signal a Change in the Commission’s Approach to Labeling Crypto Assets as Securities

By Nicholas Martini, J.D. Candidate, Class of 2023, George Mason University - Antonin Scalia Law School

In its complaint alleging that Genesis Global Capital, LLC and Gemini Trust Company, LLC sold unregistered securities, the Securities and Exchange Commission (SEC) took a notably different approach than in previous crypto enforcement actions. Instead of leading with the Howey test, the SEC analysed the subject Gemini Earn Agreements as notes and led with the lesser-known Reves test. In Reves, the Supreme Court created a four-part “family resemblance” test for when a financial instrument constitutes a note under the ’33 Act and thus a security. The family resemblance test looks at (1) the motivation of the parties; (2) the plan of distribution; (3) investor expectations; and (4) alternative protections that render the application of the securities laws unnecessary.

The Commission argued that, under the Gemini Earn program, investors loaned their crypto assets to Genesis in exchange for a return, constituting an unregistered sale of securities. Applying Reves, the SEC alleges that the program was designed to generate a profit for Genesis and pay a return to investors, was publicly advertised across the internet to a broad segment of the investing public, was promoted as an investment by promising high “returns,” and, given the uncertainty surrounding crypto regulations, there is no alternative regulatory regime or risk-reducing factor that exists to protect investors. Consequently, the Gemini Earn program constituted a “note” under Reves and thus a security that had to be registered before being offered or sold.

The Howey test has long been the Commission’s legal-theory-of-choice for labeling crypto assets as securities, and it has been featured prominently in Commission reports, SEC Division Director speeches, and in the high-profile case against Ripple Labs, Inc. But given the Commission’s reliance on Reves in the Gemini/Genesis case, it could be looking to test alternative legal theories in its push to bring crypto assets under the regulation of the federal securities laws.

SEC Proposes Amendments to Regulation S-P

By Melissa Sanders, Fox Rothschild LLP

On March 15, 2023, the SEC proposed amendments to Regulation S-P to enhance protections for customers of certain covered firms with respect to those customers’ information. The current version of Regulation S-P requires broker-dealers, registered investment companies, and investment advisors to have policies in place to protect customer information. However, the current rule does not require that those firms have policies in place covering how they will respond to breaches or to give customers notification of breaches. The proposed regulations will require that covered firms put policies in place covering how they will respond to breaches, and notify customers “as soon as practicable” and no later than thirty days after the firm becomes aware of an incident. Chair Gary Gensler noted that the proposed regulations “would help customers maintain their privacy and protect themselves.” The proposed regulations would also apply to transfer agents, unlike the current version of Regulation S-P.

SEC Rulemaking Activities re: Cybersecurity

By Rani Doyle

On March 15, 2023, the SEC reopened for sixty days the comment period on cybersecurity risk management rules and related amendments proposed, in February 2022, under the Investment Advisers Act of 1940 and the Investment Company Act of 1940. The proposed rules would:

• Require advisers and funds to adopt and implement written policies and procedures that are reasonably designed to address cybersecurity risks;
• Require advisers report significant cybersecurity incidents to the Commission on proposed Form ADV-C;
• Expand adviser and fund disclosures related to cybersecurity risks and incidents; and
• Require advisers and fund to maintain, make, and retain certain cybersecurity-related books and records.

On the same day, the SEC proposed new requirements for broker dealers and other market participants (“Market Entities”) that would require Market Entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks. All Market Entities also, at least annually, would be required to review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review. All Market Entities also would need to give the Commission immediate written electronic notice of a significant cybersecurity incident upon having a reasonable basis to conclude that the significant cybersecurity incident had occurred or is occurring.

These actions reflect the SEC’s continued focus on the cybersecurity risks, practices and disclosures of SEC-regulated entities, from issuers to broker-dealers and other market participants.

ISS ESG Launches “US Cyber Risk Index”

By Rani Doyle

Near the end of March, ISS ESG (the sustainable investment arm of ISS) announced the launch of its US Cyber Risk Index, which is intended to “support[] investors in identifying and tracking companies with low or negligible cyber-related risks based on the ISS ESG Cyber Risk Score (announced in January 2023), which signals the relative likelihood that an organization may suffer a material cybersecurity incident within the next 12 months, based on its external security posture.” ISS ESG notes in its press release that it “regularly collect[s] global risk indicators that reflect a company’s cyber security risk behaviors, incorporating elements indicative of organizational security posture on endpoints, software services, and infrastructure configuration. These are combined with historical data to inform [its] proprietary risk model that uses machine learning to identify patterns and signatures indicative of potential breach events.”

SEC Continues to Address Disclosure Issues and Disclosure Controls and Procedures

By Rani Doyle

On March 14, 2023, the SEC charged DXC Technology Company with making misleading disclosures about its non-GAAP financial performance in multiple reporting periods from 2018 to early 2020. In the related SEC order, DXC consented to a cease-and-desist order, to pay an $8 million fine, and undertook to develop and implement appropriate non-GAAP policies and disclosure controls and procedures. On March 9, 2023, the SEC entered an order in the matter of Blackbaud, Inc., finding that, due to the company’s failure to maintain “disclosure controls and procedures relating to cybersecurity risks or incidents”, it failed to disclose the “full impact” of a ransomware attack despite its personnel learning that its earlier public statements about the attack were incorrect. Blackbaud consented to a cease-and-desist order and to pay a $3 million fine.

These cases show the SEC’s continued focus on disclosure controls and procedures. SEC issuers should consider the efficacy and effectiveness of their disclosure committees and related policies and procedures and take steps as needed so that the relevant people and policies can confidently meet regulatory requirements and market demands for timely and accurate disclosures of material information.

Corporate Governance: New Guidelines from ISS; BlackRock and StateStreet Leaders Issue Annual Letters; Board Effectiveness Generally

By Rani Doyle

Throughout March 2023, many institutional investors and the proxy advisors updated their governance and/or stewardship priorities. Institutional investors have “bespoke” priorities that, along with the proxy advisor updates, may be relevant to their publicly traded portfolio companies. Here, we highlight just two institutional investor letters. StateStreet’s CEO letter stated that its 2023 stewardship priorities are to encourage transparency and disclosure in the areas of (1) effective board oversight, (2) climate risk management, (3) human capital management, and (4) diversity, equity and inclusion, as “[e]ach of these topics presents short- and long-term risks and opportunities to companies across our portfolio.” BlackRock’s Chairman letter, which came out late compared to prior years’ letters, emphasized the firm’s role as a fiduciary and addressed a wide range of topics, including: (1) climate risk and related transition risks, (2) rising inflation and related changes to the financial markets, (3) human engagement with their employers and governments and eroding trust and hope, (4) geopolitical matters, specifically the shift to “greater protectionism”, (5) digital assets, including the need for regulation, and (6) the role of BlackRock’s board in the company’s long term success.

ISS published U.S. Global Board-Aligned Proxy Voting Guidelines and International Global Board-Aligned Proxy Voting Guidelines on March 15, 2023. In a press release, ISS stated that the new policies are designed to enable their clients “to vote in a manner that upholds foundational corporate governance principles as a means of protecting and maximizing their investments, while generally aligning with the recommendations of company boards on proposals with an environmental or social focus.”

Commenters have suggested that the latest communications from the institutional investors and proxy advisors reflect political and other developments around ESG. Yet is also clear that sustainability and long-term value remain high priorities. Both BlackRock and StateStreet CEO letters reference board effectiveness. EY’s Center for Board Matters has issued reports on the evolution in recent years of SEC issuer practices and disclosures relating to board evaluation and effectiveness. EY’s CBM has also issued a report on board effectiveness. As SEC issuers continue to tackle new regulation, metamorphosizing market environments and stakeholder priorities, attention to board evaluation and effectiveness is growing.