SIFMA 2024: SEC’s Grewal talks about insider trading, fines, CISOs and AI washing

At SIFMA’s Annual Conference this week, regulators, industry practitioners and advisers gathered to discuss the state of compliance and the legal environment in 2024.

On Monday morning, Preet Bharara, partner at WilmerHale and former US Attorney for the Southern District of New York, interviewed the SEC’s Director of Enforcement, Gurbir Grewal.

The session started with a focus on the type of cases Bharara used to prosecute and that Grewal’s agency has been focused on for many years – insider trading cases. Recent developments have been very interesting.

Insider trading and breach of duty

Bharara referenced a case that originated in 2021 when the SEC brought insider trading charges against Matthew Panuwat, a business development executive at a biotech company, Medivation, Inc. 

The SEC alleged that Panuwat used confidential nonpublic information about a potential acquisition of Medivation by Pfizer to purchase call options in a second biotech company, Incyte Corporation, in the belief that Incyte’s stock price would materially increase following the announcement of the Pfizer deal.  

The case is scheduled to go to trial on March 25 and will be closely watched by practitioners to see how potent a weapon the “shadow trading” theory is likely to be in the SEC’s arsenal against insider trading.

The novelty of this case (and where the term “shadow trading” comes into play) is the lack of a commercial connection between the two companies and the fact that the confidential information involved a Medivation transaction in which Incyte was not involved. 

The connection between the two companies that served as the basis for the SEC’s insider trading charges was that they were both operating in a field where there was a scarcity of viable acquisition candidates, such that the announcement of the Medivation sale was almost inevitably going to drive up the stock price of Incyte.

Grewal refuses to call the Panuwat case anything but insider trading. “There’s nothing novel here about his access to material, nonpublic information,” Grewal said. “MNPI can be material not just to your business – it could be material to other businesses – but you have access the investing public does not have.”

Grewal emphasized that the case revolves around Panuwat’s business having internal policies that forbade exactly the type of disclosure Panuwat made about another company’s stock. And he had a duty to keep MNPI protected at his business – a duty that arose from a relationship of trust and confidence, owed to the source of the information, Grewal said.

Insider trading is the action of taking advantage of asymmetries because of your access to MNPI, which means firms must create barriers against this type of trading, Grewal said.

He emphasized that insider trading is rampant, that the fact pattern in Panuwat is not unique (it’s just unique to seeing trial action) and that the SEC actively monitors for such trading practices in many different ways.

SolarWinds and the CISO role

Bharara brought up the SolarWinds case, premised on charges the SEC brought in October 2023 against SolarWinds Corp. and its Chief Information Security Officer (CISO) in connection with the SEC’s investigation of a cyberattack.

The complaint alleged the company defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed the company’s poor cybersecurity practices and its increasing cybersecurity risks.

This lawsuit is considered notable as the first in which the SEC has leveled cybersecurity enforcement claims against an individual and the first time the SEC has brought intentional fraud charges in a cybersecurity disclosure case. Many information security officers rushed to the defense of the CISO charged in the case, Timothy Brown, as Bharara noted.

Grewal pointed out that while Brown had not been the CISO at the time of the violations, he had aided and abetted the company’s violations of certain reporting, disclosure and internal controls provisions of SEC regulations.

And Grewal said both the company and Brown violated the anti-fraud rules. “Their statements about the breaches were false, as they publicly phrased them like they were hypotheticals,” Grewal said. “You don’t have to give us a blueprint for exactly how the hackers got in – but you do need to be far more truthful than that!” he said.

“But will the decision disincentivize talented people from wanting to become a CISO?” Bharara pressed him.

“No,” said Grewal. “We heard this from CCOs when we brought some select cases against them individually. Truly, we are not second-guessing either one of them,” he said. “But if you’re lying or engaging in the fraud or totally fell down on the job, then we will hold you responsible, yes.”

“And if your firm underfunds these important roles, we will certainly blame the company for it,” he added.

Higher fines imposed

Bharara noted that the penalties against firms have increased in dollar value, with 784 actions brought in fiscal year 2023 – to the tune of almost $5b in fines levied.

Grewal said the higher fines represent a recalibration of prior penalties for the same actions to better increase the chances of them yielding a deterrent effect. He dismissed the idea they could be seen as arbitrary. “We don’t use formulas, and some cases saw a ratcheting down of penalty amounts.”

Grewal explained that he meant some actions had little or no penalty imposed, thanks to the company’s cooperation in the investigation and the prompt remediation of their compliance programs.

Grewal then referred to the 40+ cases the SEC has brought against financial services firms for their off-channel communication recordkeeping lapses as an example of the deterrence goal working.

“We’re seeing more self-reporting in this arena happening now. We are incentivizing change,” he said. “And more technology is being developed and existing technology enhanced to deal with this problem. This is a good area to look to when we talk about penalties working to deter violations and change behavior.”

AI and AI washing

Grewal told his audience to expect to see settled charges in two SEC actions drop that morning containing “AI washing” allegations. And so they did.

In the cases, two investment advisers agreed to pay penalties to settle charges that they made false and misleading statements about their purported use of AI and machine learning in their investment processes, the agency said.

Toronto-based Delphia Inc. and San Francisco-based Global Predictions Inc. agreed to pay (without admitting or denying the charges) a combined $400,000 in fines to settle the civil charges related to “AI washing,” the SEC said in a statement.

Issuing a statement about the cases, SEC Chair Gary Gensler said: “Public companies should make sure they have a reasonable basis for the claims they make and yes, the particular risks they face about their AI use, and investors should be told that basis.”

Grewal told Bharara that AI tools are totally welcome in the financial services sector. “You can use it to produce offering documents, etc., but just be honest about their use and capabilities,” he said.

They can be used to investors’ detriment when they operate (for example) in a way that puts the firm’s interests ahead of investors’ interests, he noted.

But he emphasized that using technology – like AI – is something the SEC expects of the firms it regulates, and that it is using such tools itself. “Our analytic tools are exemplary,” Grewal said. “They are now a big part of the Enforcement and Corporate Finance divisions’ resources,” he added.

Parting words

Bharara asked Grewal what compliance officers could be doing now to better prepare for the future regulatory landscape.

“They are doing it already by being here,” Grewal stated. “Know the risk areas. Look at our orders. Educate yourselves and work across your corporate departments to collaboratively reduce your business’s risk.”

Author’s note

The best line of the day about artificial intelligence technology goes to Mary Jo White, SEC chair from 2013 to 2017. Speaking at the Women’s Luncheon at the event, White said she thought compliance training would be a whole lot more effective “if we made an AI avatar of you to train you!” You’d be more likely to listen to that trainer, she argued wisely.