CURRENT MONTH (April 2018)
SEC Action Highlights Importance of Specific Language in Directors and Officers Insurance for Fintech and Other Startup Companies
By Heather Howell Wright, Bradley Arant Boult Cummings LLP
The founder of Mozido, the fintech startup once claimed to be valued at $5.6 billion, has been named as a defendant in a civil lawsuit filed by the Securities and Exchange Commission (SEC). The complaint names Michael Liberty (and others) individually and also names corporate entities related to Mozido as defendants. The SEC asserts that the defendants engaged in a “long-running fraudulent scheme using multiple fraudulent securities offerings” that “tricked investors into believing they were funding fast-growing startup companies.” This action by the SEC highlights the importance of ensuring adequate directors and officers (D&O) insurance for startup fintech entities and for their directors and officers. In addition, the fraud allegation illustrates the significance of negotiating specific language in the standard D&O fraud exclusion.
The insuring agreement of most D&O policies will provide coverage for “loss” that is incurred as a result of a “claim” made for a “wrongful act.” While the specific language of D&O policies varies, the term “claim” typically refers to an assertion of a legal right or demand for payment by a third party against the insured, and the term “wrongful act” generally is defined as “actual or alleged act, error, misstatement, misleading statement, omission or breach of duty.” Importantly, the term “loss” usually includes defense costs; the value of the D&O policy in providing coverage in response to claims such as the SEC complaint is that the insurer should advance defense costs to an individual, or corporation, accused of offenses.
In addition, most D&O policies will include a “fraud exclusion,” which excludes coverage for claims based on an insured’s fraudulent act. A policyholder may incorrectly assume that a claim alleging a “long-running fraudulent scheme,” such as the SEC complaint, is excluded by a D&O policy. It is important to understand, however, that under the fraud exclusion language found in many D&O policies, allegations of fraud alone are insufficient to trigger the exclusion. For example, the fraud exclusion may apply only when there is an “actual finding of dishonesty or fraud,” a “final adjudication of fraud,” or better yet, fraud that is “established by a final and non-appealable adjudication.” Courts interpreting such narrow fraud exclusions, which are construed against the insurer, have generally found that “actual finding” requires a finding of fraud by a court. When such language is included in the fraud exclusion, the D&O insurer should provide coverage for claims such as the SEC complaint, unless and until a court finds the defendant has committed fraud.
Any fintech startup should work with coverage counsel and an experienced broker to identify risks and consider procurement of insurance to offset those risks. Counsel and the broker can help ensure that policy language, such as a narrow fraud exclusion, will maximize coverage to the insured in the event of a claim.
SEC Proposes a “Best Interest” Standard for Broker-Dealers
On April 18, 2018, the Securities and Exchange Commission proposed a set of rules and interpretations that address the standard of conduct that broker-dealers owe to their investing customers and that reaffirm and clarify the standard of conduct owed to customers by investment advisers. The SEC’s proposal is the newest development in an ongoing effort to clearly define and determine the standards to which financial professionals are held. In 2010, the Dodd-Frank Act delegated authority to the SEC to propose a uniform fiduciary standard across all retail investment professionals. Rather than wait for the SEC to do so, however, in 2016 the Department of Labor (DOL) promulgated its own fiduciary rule. Because the U.S. Court of Appeals for the Fifth Circuit recently vacated the rule in litigation brought by the U.S. Chamber of Commerce, the regulatory coast is clear (at least temporarily) for the SEC.
The SEC’s proposal, spanning over 1,000 pages, has three main components:
Regulation Best Interest: First and foremost, the SEC proposal includes a new standard of conduct for broker-dealers that would be enacted through a set of regulations entitled, “Regulation Best Interest.” Although the term “Best Interest” is not defined in the proposal, the regulations would require a broker-dealer to act in the best interest of its retail customers when making investment recommendations, and prohibit it from putting its own financial interests first.
Guidance for Investment Advisers: In addition to enhancing the standard of conduct for broker-dealers, the SEC reaffirmed its view that investment advisers owe their clients fiduciary duties. The SEC’s proposal seeks to gather, summarize and reaffirm existing guidance in one place. [Editors’ Note: For additional insights into the SEC’s thinking, see this speech delivered on April 30, 2018, by SEC Division of Investment Management Director Dalia Blass.]
Form CRS: The Commission also proposed a new disclosure document, Form CRS (Client or Customer Relationship Summary), which would provide retail investors with information regarding the nature of their relationship with their investment professional. The proposed Form CRS would be a standardized, short-form disclosure highlighting services offered, legal standards of conduct, possible customer fees, and certain conflicts of interest. In addition, the proposal limits a broker-dealer’s ability to identify itself as an “adviser” unless it is registered with the SEC as an investment adviser, so as not to cause confusion among investors.
In the wake of the controversy launched by Dodd-Frank and the DOL rule, and on the heels of the Fifth Circuit’s rejection of that rule, the SEC has taken a bold step in the direction of increased regulation of broker-dealers. The SEC’s proposal will undoubtedly impact the way broker-dealers make recommendations to their customers, although to what extent may depend on whether broker-dealers were already adapting to the DOL rule before it was overturned by the Fifth Circuit. The SEC will seek public comment on its proposal over the next 90 days, giving interested parties time to dig into the extensive materials.
SEC Announces Its First Enforcement Action Over Cyber-related Disclosures
By Cara M. Peterman, Alston & Bird
The Securities and Exchange Commission (SEC) announced on Tuesday that it has brought an enforcement action and reached a $35 million settlement with Altaba Inc., the successor in interest to Yahoo! Inc. The civil penalty against Altaba is the first of its kind and—following closely on the heels of the SEC’s recent interpretive guidance—is further confirmation of the agency’s increasing focus on public companies’ cybersecurity disclosure obligations.
The enforcement action arises out of a December 2014 breach in which third-party criminals associated with the Russian Federation stole data associated with hundreds of millions of Yahoo user accounts. Even though the breach was reported to members of Yahoo’s senior management and its legal department, Yahoo did not publicly disclose the breach until September 2016, shortly before the anticipated close of Verizon’s acquisition of the company. Yahoo’s stock price dropped approximately 3% following the announcement, and Verizon thereafter renegotiated the acquisition, reducing the purchase price by $350 million, or 7.25%.
The SEC’s order instituting cease-and-desist proceedings against the company finds that Yahoo made several materially misleading statements and/or omissions following the data breach, including in its risk factor disclosures that “claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information … without disclosing that a massive data breach had in fact already occurred.” The order also highlights Yahoo’s statements in the publicly filed stock purchase agreement with Verizon, which contained “representations denying the existence of any significant data breaches.”
The order further finds that—although Yahoo senior management and legal staff were aware of the intrusion—they failed to “properly assess the scope, business impact, or legal implications of the breach, including how and where [it] should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.” The SEC notes in particular that management did not share information about the breach with the company’s auditors or outside counsel. Nor did Yahoo apparently disclose the breach to Verizon in a timely manner, affirmatively representing in the stock purchase agreement (attached to a Yahoo Form 8-K filed with the SEC in July 2016) that it was unaware of any “Security Breaches” that “could reasonably be expected to have a ‘Business Material Adverse Effect.’” The order concludes that the company failed to maintain sufficient controls and procedures to ensure that reports from the company’s internal information security team were properly assessed to determine whether and how a cybersecurity incident should be publicly disclosed.
The SEC’s message in this watershed release is clear: while the agency maintains that it will not “second-guess good faith exercises of judgment about cyber-incident disclosure,” public companies “should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” Absent those controls and procedures, public companies remain vulnerable to future enforcement actions.