Securities Industry Commentator by Bill Singer Esq

From approximately 2012 to mid-2015, TYURIN engaged in an extensive computer hacking campaign targeting financial institutions, brokerage firms, and financial news publishers in the U.S., including the theft of personal information of over 100 million customers of the victim companies.  TYURIN's hack of one financial institution headquartered in Manhattan resulted in the theft of personal information of over 80 million customers, making it one of the largest theft of customer data from a U.S. financial institution in history.  TYURIN engaged in these crimes at the direction of Shalon and in furtherance of other criminal schemes overseen and operated by Shalon and his co-conspirators, including securities fraud schemes in the United States.  For example, in an effort to artificially inflate the price of certain stocks publicly traded in the U.S., Shalon and his co-conspirators marketed the stocks in a deceptive and misleading manner to customers of the victim companies whose contact information TYURIN stole in the intrusions.

In addition to the U.S. financial sector hacks, TYURIN also conducted cyberattacks against numerous U.S. and foreign companies in furtherance of various criminal enterprises operated by Shalon and his co-conspirators, including unlawful internet gambling businesses and international payment processors.  Nearly all of these illegal businesses, like the securities market manipulation schemes, exploited the fruits of TYURIN's computer hacking campaigns.  Through these various criminal schemes, TYURIN, Shalon, and their co-conspirators obtained hundreds of millions of dollars in illicit proceeds.

The SEC's order finds that PwC violated the SEC's auditor independence rules by performing prohibited non-audit services during an audit engagement, including exercising decision-making authority in the design and implementation of software relating to an audit client's financial reporting, and engaging in management functions. In connection with performing non-audit services for 15 SEC-registered audit clients, the order states that PwC violated Public Company Accounting Oversight Board (PCAOB) Rule 3525, which requires an auditor to describe in writing to the audit committee the scope of work, discuss with the audit committee the potential effects of the work on independence, and document the substance of the independence discussion. According to the order, PwC's actions deprived numerous issuers' audit committees of information necessary to assess PwC's independence. As further detailed in the order, the violations occurred due to breakdowns in PwC's independence-related quality controls, which resulted in the firm's failure to properly review and monitor whether non-audit services for audit clients were permissible and approved by clients' audit committees.

[B]eginning in 2004 Nissan's board delegated to Ghosn the authority to set individual director and executive compensation levels, including his own. From 2009 until his arrest in Tokyo in November 2018, Ghosn, with substantial assistance from Kelly and subordinates at Nissan, engaged in a scheme to conceal more than $90 million of compensation from public disclosure, while also taking steps to increase Ghosn's retirement allowance by more than $50 million. Each year, Ghosn fixed a total amount of compensation for himself, with a certain amount paid and disclosed and an additional amount that was unpaid and undisclosed. Ghosn and his subordinates, including Kelly, crafted various ways to structure payment of the undisclosed compensation after Ghosn's retirement, such as entering into secret contracts, backdating letters to grant Ghosn interests in Nissan's Long Term Incentive Plan, and changing the calculation of Ghosn's pension allowance to provide more than $50 million in additional benefits. Kelly and Ghosn's Nissan subordinates misled Nissan's CFO and Nissan issued a misleading disclosure in connection with the increased pension allowance. The $140 million in undisclosed compensation and retirement benefits was never paid out to Ghosn.

[B]eginning in August 2017, Lucas raised approximately $63,000 in cryptocurrency from more than 100 investors through the fraudulent offer and sale of unregistered digital securities of Fantasy Market. As alleged in the complaint, Lucas made numerous materially false statements in a whitepaper and online to induce investors to participate in the ICO. Among other alleged misstatements, Lucas claimed that a "working-beta" version of the company's adult-entertainment platform existed when one did not, presented a fictitious management team, and misrepresented his own experience. After garnering media attention over investor complaints, the complaint states, Lucas returned the funds raised to investors.

[K]ubiak worked as a financial advisor through Freedom Investors Corp, and Calton & Associates, Inc.  In that role, Kubiak arranged to have funds withdrawn from several elderly clients' investment accounts and mailed to their homes or wired to their bank accounts.  Kubiak falsely told the clients that the funds were bonuses or dividends that he would reinvest for them.  He solicited personal checks from the clients, but rather than reinvesting the money as promised, Kubiak deposited the funds into his own checking account and used the money for gambling and other personal expenses.  The scheme spanned a period of five years and was ultimately discovered by a victim's relative, who reported Kubiak to authorities.

Speaking for one of the victims, a relative described the debilitating emotional and mental distress suffered by her loved one who had long known and trusted Kubiak to grow her small nest egg.  In sentencing Kubiak, the Court emphasized the need for punishment and deterrence, both for Kubiak and for others who might be similarly tempted to prey upon the elderly.           

cold-called investors, including many elderly retirees, and solicited investments in a number of private companies, some of which he claimed were about to substantially increase in value following initial public offerings. In truth, the SEC alleges, defendants never invested the money in the manner represented; instead, Fulco used the money to fund his lifestyle, gamble at casinos, take vacations, and purchase luxury goods. Fulco also allegedly transferred almost $100,000 of investor money to his ex-fiancé, whom the SEC has named as a relief defendant. Throughout the three-year offering fraud, the SEC alleges that Fulco used a series of aliases to conceal his true identity from investors and created fictitious documents to induce investors to transfer money to JM Capital.

In early 2011, SEAN STEWART, who at the time held the position of Vice President in the Healthcare Investment Banking Group of a global bank headquartered in Manhattan ("Investment Bank A"), began tipping his father, Robert Stewart, with nonpublic information about upcoming mergers and acquisitions.  The first of these tips related to the acquisition of Kendle International Inc. by INC Research, LLC, which was announced publicly on May 4, 2011.  SEAN STEWART represented Kendle in the confidential negotiations that led to the deal announcement.  Based on inside information from SEAN STEWART, Robert Stewart purchased Kendle stock and passed the information to another individual to trade on his behalf, and earned several thousand dollars in profits after the acquisition of Kendle was publicly announced. 

The second deal about which SEAN STEWART tipped Robert Stewart was the acquisition of Kinetic Concepts, Inc. ("KCI") by Apax Partners, announced on July 13, 2011.  Robert Stewart passed the inside information to another co-conspirator, Richard Cunniffe, to trade on Robert's behalf.  Robert Stewart and Cunniffe earned more than $100,000 in profits after the acquisition was publicly announced. 

In the summer of 2011, SEAN STEWART learned that the Financial Industry Regulatory Authority ("FINRA") was conducting an inquiry into suspicious trading in Kendle securities, including trading by Robert Stewart.  SEAN STEWART at first falsely claimed to compliance officials at Investment Bank A that he did not recognize his father's name on a list of individuals who traded prior to the public announcement of Kendle's acquisition.  After FINRA and compliance officials at Investment Bank A recognized the connection between SEAN STEWART and his father, SEAN STEWART told a series of lies to those compliance officials, to make it seem as if Robert Stewart had decided on his own initiative to invest in Kendle without the benefit of inside information. 

In October 2011, Sean Stewart joined an investment banking advisory firm headquartered in Manhattan ("Investment Bank B") and was later promoted to Managing Director.  During his tenure with Investment Bank B, SEAN STEWART provided his father with tips concerning non-public acquisition negotiations involving three more public companies:  (1) the acquisition of Gen-Probe Inc. by Hologic, Inc., announced on April 30, 2012; (2) the acquisition, by tender offer, of Lincare Holdings Inc. by Linde AG, announced on July 1, 2012; and (3) the acquisition of CareFusion Corp. by Becton, Dickinson & Co. ("Becton"), announced October 4, 2014.  Investment Bank B represented Hologic in connection with its acquisition of Gen-Probe; Linde in connection with its acquisition of Lincare; and CareFusion in connection with its acquisition by Becton.  As before, Robert Stewart passed the information to Cunniffe in order to place trades for the two of them. 

During the course of the scheme, SEAN STEWART became aware that his father was having financial problems.  Rather than loan his father money, SEAN STEWART gave his father stock tips so that his father could profit from the information that STEWART stole from Investment Bank A and Investment Bank B and their clients.  In total, with respect to all five deals, Robert Stewart and Cunniffe earned profits of more than $1.1 million.

What We Found 

We determined that the SEC increased its funding for IT initiatives over the FY 2017 level as required by the Consolidated Appropriations Act, 2018. In addition, the agency used funds allocated to the 11 IT investments we judgmentally selected for review for their intended purposes. 

However, the SEC's management of steady state investments (investments to maintain and operate IT assets in a production environment) needs improvement, because the SEC's Office of Information Technology (OIT) did not view such investments as IT investments for the purposes of capital planning and investment control. The SEC's spending on steady state investments has gradually increased in recent years and, in FY 2018, steady state investments represented 71 percent of the agency's total IT investment expenditures (that is, $217 million of the $307 million spent that year). Improving agency management of steady state investments could promote more effective decision-making and provide greater assurance that such investments (1) deliver value, (2) do not unnecessarily duplicate or overlap with other investments, and (3) continue to meet the SEC's needs. 

In addition, the SEC can better manage and document deviations from approved plans for investments to develop, modernize, and enhance IT assets (referred to as DME investments). Five of the six DME investments we reviewed were rebaselined in FY 2018; however, we could not always determine compliance with aspects of the SEC's capital planning and investment control policy that address managing and documenting deviations from approved investment plans. This occurred because OIT had not established detailed formal rebaselining procedures. Without procedures that ensure a complete and accessible audit trail of each investment's lifecycle, the SEC's rebaselining processes may lack the transparency needed to ensure effective oversight of its DME investments. 

Also, 5 of the 11 IT investments we reviewed involved purchases of hardware assets. We found that OIT needs to improve the documentation of hardware assets investment planning and to demonstrate investment outcomes because OIT had not established processes to do so. Without such processes, the SEC risks hardware assets in use reaching their end-of-life/end-of-service, thereby increasing the risk of equipment failure and the potential for data loss. 

Finally, the SEC's Office of Acquisitions extended on a sole-source basis two contracts for IT acquisitions we reviewed without adequate documentation to support independent government cost estimates used for the estimated extension prices. This occurred, in part, because guidance that urged personnel to document any and all methods used to complete independent government cost estimates was "for informational purposes" and contracting officials did not use it. 

During our audit, two other matters of interest that did not warrant recommendations came to our attention. These matters related to the SEC's selection of its enterprise IT project and portfolio management system, and contract actions impacting the SEC's data centers. We discussed these matters with agency management for their consideration. 

• Securities Industry Commentator
• Bill Singer