China imposes controls on the inflow and outflow of foreign exchange. Given the involvement of the State Administration of Foreign Exchange and various other governmental agencies in the process, repatriating funds from China can be a trap for the unwary. Foreign investors should familiarize themselves with the approval requirements and procedures.
The relentless attention being paid to cyber-attacks is driving companies to increase cyber security budgets and purchases. In turn, this has led institutional investors and asset managers to see potentially massive returns associated with companies in the cyber security market. Indeed a number of companies that have gone public have had phenomenal success, and the constantly morphing nature of cyber-attacks means that purchasing trends are not likely to slow down any time soon.
However, it is critical to keep in mind that just as cyber security capabilities can be a very attractive component in evaluating a potential investment, they can also lead to potentially negative consequences. Ignorance of some key legal and policy considerations could lead to an improper assessment of the value/future earnings potential of technology investments. These considerations are true regardless of whether or not the technology or service has a core “security” component.
Below are some key issues to consider when making cyber security investment decisions:
- Cyber security matters in every investment
- It is a simple fact that every company faces cyber threats. Multiple studies have demonstrated that essentially every company has been or is currently subject to cyber-attack and that most if not all have already been successfully penetrated at least once. This leads to a key consideration: every company’s cyber security posture should be considered when making investment decisions. For example, a company selling information technology that is less prone to cyber-attacks should be viewed as a better investment than competitors who pay little to no attention to how their products can be breached.
- Cybercrime is cheap
- The cost of conducting cyber-attacks is depressingly cheap: $2/hour to overload and shut down websites, $30 to test whether malware will penetrate standard anti-virus systems, and $5,000 for an attack using newly designed methods to exploit previously undiscovered flaws. Indeed, it is now so cheap to create malware that the majority of malicious programs are only used once – thereby defeating many existing cyber security systems which are designed to recognize existing threats. This all adds up to a cost/benefit analysis that is irresistible for cyber-attackers, and essentially guarantees that the pace and sophistication of attacks will not let up any time soon.
- Cyber security should be in the company’s DNA
- Whether a company is offering a service or a technology, a critical factor to consider is its approach to security. Companies that consider security a key functionality that needs to be integrated from the start of the design process are far more likely to go to market with an offering that has a higher degree of security. Security as an afterthought is just that – an afterthought. Weaving security into the DNA of a service or technology will be extremely helpful in decreasing security risks. Just remember, though, that no security program or process is flawless, and no one should expect perfection.
- Is there a nation-state problem?
- An R&D or manufacturing connection to countries known for conducting large-scale cyber espionage causes heartburn for companies and governments alike. Too many instances have occurred where buying items from companies owned by or operated in problem nation states has resulted in cyber-attacks. In some cases, Federal agencies are prohibited from buying IT systems from companies with connections to specific governments. Investors and managers need to stay abreast of problem countries, and also examine whether the product or service has a connection to such countries. Failure to do so can lead to investments in companies that have limited market potential.
- Do your homework and forensic analyses
- There’s nothing like buying a trade secret only to find out it really isn’t a secret. Before investing in any company, conduct due diligence to determine how good the security of the company is and whether IP or trade secret information has been compromised.
- If the government cares, so should you
- The Federal government is stepping up its requirements regarding cyber security in procurements. That means that all federal contractors (not just defense contractors) are going to have to increase their internal cyber security programs if they want to win government contracts. Failure to have a good cyber security program could lead to lost contracts, and thus decreased growth.
- Words matter
- Companies have been too lax in negotiating terms that explicitly set forth security expectations for IT products as well as who will be liable should there be a breach/attack. Judicious reviews of terms and conditions can help avoid liability following a cyber-attack. For example, companies should not accept boilerplate language regarding the following of “industry standards” or “best practices” with respect to cyber security. Instead, specific obligations and benchmarks need to be agreed upon before signing any agreement. Further, agreements should be drafted to make clear that security measures are the obligation of the other party. That way the investor has set up a stronger argument for recovering losses as well as shifting liability away from itself.
- Insurance isn’t everything
- Companies may be tempted to think that if a company has a cyber-insurance policy, they are protected in the event of a cyber-attack. The reality is that there is an enormous chasm between buying coverage and having claims paid. Cyber policies are increasingly being written and interpreted to cover fewer types of attacks, and so do not be tempted to think that cyber insurance can fully protect an investment.
- SAFETY Act
- Under the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act), cyber security services, policies, and technology providers are all eligible to receive either a damages cap or immunity from liability claims. The SAFETY Act also protects cyber security buyers, as they cannot be sued for using SAFETY Act approved items. Possessing SAFETY Act protections should be considered a positive sign and indicative of potential earnings growth.
There is no doubt about it; cyber risks are here to stay. Addressing those risks should be a core component of any business or investment strategy, because even if “today’s problem” is solved the introduction of new technologies will just mean a new threat vector for adversaries to exploit.
It is not all doom and gloom, however. Paying attention to cyber security trends and doing some simple due diligence will go far in minimizing digital risks. Make no mistake: defenses will always be incomplete and successful attacks will happen. However, with the right processes and approach, the bad outcomes can be minimized and investments will be protected.
At the Intersection of Faith and Illiteracy.
In what may have been one of the more interesting weeks this year for SEC enforcement actions, the Enforcement Division brought a number of actions last week, several of which will make you wonder if the warnings that we issued when the JOBS Act was passed are not coming to pass. Although none of these actions are based on 506(c) reliance, they do suggest that as capital finally starts to seek new opportunities outside the mainstream, it is necessary for investors to evaluate investment opportunities very carefully in order to avoid the scam artists who, like Jesse James, go where the money is.
On July 31, 2014, the SEC filed fraud charges and sought emergency relief against Thomas J. Lawler of Snellville, Georgia, a self-proclaimed minister, and his company, Freedom Foundation USA LLC for fraudulently offering and selling fictitious securities. With all due respect to Siskel and Ebert, this case is not to be missed. I laughed, I cried, if you only read one enforcement action this year, it has to be this one.
The SEC’s complaint filed in U.S. District Court for the Northern District of Georgia alleged that, since as early as 2004, the defendants Lawler and Freedom Foundation offered investors the opportunity to eliminate their debts and collect lucrative profits through the purchase of so called “administrative remedies” (“ARs”). Defendants told potential investors that every individual had funds established for them in an account at birth — where, by whom, and in what amount the supposed account is established are details Lawler does not provide. Defendants further told potential investors that the investors therefore did not owe their creditors for mortgage and other debts, and that Freedom Foundation would use its unique and proprietary process to create the ARs, which would eliminate the investors’ debt and provide a lucrative financial return. Does the Wesley Snipes tax case come to mind?
The SEC alleged that defendants told potential investors that a $1,000 AR would cancel the investor’s debt and return $325,000 to the investor, while a $10,000 investment would supposedly entitle the investor to receive $1 million when the AR funded. Freedom Foundation claimed it would fund the ARs through a mysterious process involving a Papal decree. What could possibly go wrong there? The SEC claims that Lawler sold approximately 2,000 ARs over ten years to investors throughout the country and that he was actively soliciting additional investors. This is not exactly one per minute, but it is impressive. And, as shocking as this may sound, the SEC found that not one investor in this scheme received any of the promised returns.
Freedom Club targeted our most ignorant and vulnerable citizens through an internet presentation that was designed to prey on the uninformed and easily swayed. Let’s hope that the SEC is not successful in shutting down the Freedom Club website before you have the opportunity to check it out: http://www.freedomclubusa.com/. Admit it, this case does raise the question of whether anyone who would fall for this scam should be allowed to handle money at all…ever.
Chief Compliance Officer/General Counsel Takes the Fall.
You may recall that we recently wrote about attorneys who seem to escape scrutiny by the SEC when they participate in illegal activities. There is an administrative remedy against attorneys who facilitate or promote wrongdoing, but the SEC has been slow to target ethically challenged attorneys. Well, wait no longer. Last month, a judgment was entered by consent against the general counsel and chief compliance officer of an investment adviser who was found to have aided and abetted fiduciary violations of the firm’s principal in the misappropriation of hedge fund client assets in contravention of the offering documents of the fund. What is the take away here? If you are a Chief Compliance Officer, I believe you know the answer to that one.
See, Securities and Exchange Commission v. Weston Capital Asset Management, LLC, et al., Civil Action Number 14-CV-80823-COHN, in the United States District Court for the Southern District of Florida.
Criminal Referrals Catching On.
Robert G. Bard was sentenced on July 31 by a U.S. District Court in Pennsylvania. Bard had been found guilty by a jury and convicted of 21 counts of securities fraud, mail fraud, wire fraud, bank fraud, and making false statements for defrauding his investment advisory clients between December 2004 and August 2009. The court sentenced Bard to 262 months imprisonment and ordered him to pay $4.2 million in restitution to 66 victims. If you do the math, this comes out to right around $200,000 per year sentence.
The criminal case arose out of the same facts that were the subject of a civil injunctive action filed by the SEC in 2009. The Commission’s complaint alleged that defendant Bard, an investment adviser, and his solely-owned company Vision Specialist Group LLC had violated the federal securities laws through fraudulent misrepresentations regarding client investments, account performance and advisory fees, and by Bard’s creation of false client account statements and forgery of client documents.
In a follow-on administrative proceeding to the SEC’s civil court action, an administrative law judge barred Bard from the securities industry in an initial decision.
Elder Abuse also Brings Criminal Action.
The SEC also brought charges against a broker based in Roanoke, Va., for allegedly defrauding elderly customers, including some who are legally blind, by stealing their funds for her personal use and falsifying their account statements to cover up her fraud.
According to the SEC’s complaint, Donna Jessee Tucker siphoned $730,289 from elderly customers and used the money to pay for such personal expenses as vacations, vehicles, clothes, and a country club membership. Tucker ensured that the customers received their monthly account statements electronically, knowing that they were unable or unwilling to access their statements in that format. The SEC further alleges that Tucker engaged in unauthorized trading and other financial transactions while making misrepresentations to customers about their investment accounts and forging brokerage, banking, and other documents.
In a parallel action, the U.S. Attorney’s Office for the Western District of Virginia announced criminal charges against Tucker.
The above cited actions represent just some of the more interesting enforcement actions brought by the SEC and the Department of Justice in recent days. The full list is more extensive.