The Cyberfraud Prevention Fraud, The Impeded Whistleblowing, and The Dissenting SEC Commissioner

November 4, 2022

Today's blog is a grab bag of a hodge-podge of a mishmash. We got a company supposedly preventing cyberfraud but for the fact that one of its C-Suiters criminally defrauded investors. Then we got another of the company's C-Suiters who entered into an SEC settlement by which he agreed to cease and desist from further efforts to impede an individual from communicating directly with the SEC. In response to that settlement, we have a dissenting SEC Commissioner, who doesn't see efforts to impede, but, rather, views the conduct as the company's keen interest in protecting its data. Fall is in the air and the sweet smell of irony abounds in Wall Street regulation!

2020 Rogas Criminal Complaint 

Our journey begins back on September 17, 2020, when a Complaint was unsealed and filed in the United States District Court for the Southern District of New York ("SDNY") against Adam Rogas, who was the Co-Founder/Former Chief Executive Officer/Chief Financial Officer/Board Member of NS8, Inc. United States of America v. Adam Rogas, Defendant (Sealed Compliant / September 14, 2020) https://www.justice.gov/usao-sdny/press-release/file/1317641/download Rogas was charged with one count of securities fraud, one count of fraud in the offer or sale of securities, and one count of wire fraud.  Let's consider some of the allegations in the Complaint by Federal Bureau of Investigation Special Agent Nicholas Kroll:

Summary of the Fraudulent Scheme 

6. As set forth below, ADAM ROGAS, the defendant, was a founder and the CEO, CFO, and a member of the Board of Directors of NS8, a cyberfraud prevention company. ROGAS exercised control over the books and records of NS8, and also maintained control over the bank accounts where NS8's revenue was purportedly deposited. From at least in or about 2019 through in or about September 2020, ROGAS operated a fraudulent scheme to deceive NS8's investors by falsely inflating the company's reported revenue and assets by substantial amounts. As part of his fraudulent scheme, ROGAS used falsified bank statements to cause material misrepresentations to be made to investors regarding NS8's assets and revenue, including by showing tens of millions of dollars in assets and revenue that did not exist. Through those material misrepresentations, ROGAS enticed investors to purchase securities in two fundraising rounds which provided NS8 with at least approximately $123 million in funds. ROGAS subsequently tendered NS8 shares he owned and otherwise controlled, obtaining at least approximately $17.5 million as a result.

Talk about irony! NSQ is a cyberfraud prevention company. As in, preventing fraud. Alas, from 2019 to late 2020, Rogas, the founder, CEO, CFO, and Director of NSQ was allegedly un-preventing fraud. That's a lot of hats on one head. Now, mind you, I ain't sayin' that there's anything wrong with piling all of those hats atop one head. Fact is, for many start-ups, that's just how it is. Be that as it may, it still gets my attention. 

2022: Rogas Sentenced

Fast forward about two years and Rogas, 45, pled guilty and was sentenced to five years in prison plus three years of supervised release and ordered to forfeit $17,542,259. As more fully explained in 

[I]n the fall of 2019 and the spring of 2020, NS8 engaged in fundraising rounds through which it issued Series A Preferred Shares and obtained approximately $123 million in investor funds.  ROGAS used the materially misleading financial statements to raise those funds.

Specifically, ROGAS maintained control over a bank account into which NS8 received revenue from its customers and periodically provided monthly statements from that account to NS8's finance department so that NS8's financial statements could be created.  ROGAS also maintained control over spreadsheets that purportedly tracked customer revenue, which were also used to generate NS8's financial statements.

During the fundraising process in the fall of 2019 and spring of 2020, ROGAS altered the bank statements before providing them to NS8's finance department to show tens of millions of dollars in both customer revenue and bank balances that did not exist.  In the period from January 2019 through February 2020, between at least approximately 40% and 95% of the purported total assets on NS8's balance sheet were fictitious.  In that same period, the bank statements that ROGAS altered reflected over $40 million in fictitious revenue.  ROGAS also falsified nearly all of NS8's purported customers on internal tracking spreadsheets.

Additionally, ROGAS provided the falsified bank records he had created to auditors who were conducting due diligence on behalf of potential investors.  After these fundraising rounds concluded, NS8 conducted a tender offer with the funds raised from investors, and ROGAS received $17.5 million in proceeds from that tender offer, personally and through a company he controlled.  After ROGAS's fraud was uncovered, NS8 ultimately entered bankruptcy proceedings.  ROGAS used his fraudulent proceeds to purchase, among other things, luxury goods and a residence in the Dominican Republic.

2022: Hansen Settles SEC Charges

Setting aside all of Rogas' ironical misdeeds, we would be remiss if we did not consider In the Matter of David Hansen, Respondent (Order Instituting Cease-and-Desist Proceedings, '34 Act Rel. No. 94703, Admin. Proc. File. No. 3-20820 / April 12, 2022)
https://www.sec.gov/litigation/admin/2022/34-94703.pdfHansen  was a co-founder of NS8, Inc. and at various points served as its Managing Director of Technical Operations and Strategy, Chief of Staff, and Chief Information Officer. Hansen resigned from NS8, Inc. in February 2020. Without admitting or denying the findings in the SEC Hansen Order, Respondent Hansen consented to cease and desist from committing or causing any violations and any future violations of Rule 21F-17(a), and he agreed to pay a $97,523 civil money penalty.  As to what brought Hansen under the SEC's crosshairs, in part, the SEC Hansen Order alleged that:

B. Hansen's Actions to Impede 

5. In 2018 and 2019, an NS8 employee (the "NS8 Employee") raised concerns internally that NS8 was overstating its number of paying customers, including that the customer data (including purported customer numbers and monthly revenue) used to formulate external communications-including to potential and existing investors-was false. During this period, the NS8 Employee also raised his concerns about NS8's customer numbers directly to Respondent- although the NS8 Employee never directly or indirectly reported to Respondent. 

6. In July 2019, through counsel, the NS8 Employee submitted a tip to the SEC. 

7. In August 2019, the NS8 Employee raised his concerns directly to Respondent that NS8 may have falsely inflated customer counts. During the course of the conversation, the NS8 Employee told Respondent that unless NS8 addressed this inflated customer data, he would reveal his allegations to NS8's customers, investors, and any other interested parties. Respondent suggested that the NS8 employee raise his concerns directly to his supervisor or the CEO.

8. Later that day, in a phone call with his supervisor, the NS8 Employee reiterated his concerns that NS8 may be falsely inflating customer counts. In that conversation, the NS8 Employee again stated that he could reveal his allegations to NS8's customers, investors, and any other interested parties. The supervisor then called Respondent and indicated that he had a conversation with the NS8 Employee about the allegations. 

9. Shortly after, Respondent messaged the CEO, "[P]lease call me ASAP. This is EXTREMELY URGENT." Respondent and the CEO then spoke. Respondent understood that the NS8 Employee's concerns involved a possible securities law violation, including potential fraud against NS8's investors. 

10. After Respondent spoke to the CEO, both took steps to remove the NS8 Employee's access to NS8's IT systems. At one point, the CEO told Respondent that he removed NS8 Employee's administrator privileges to one system but kept read-only access "so it looks like an error." 

11. The CEO also asked if Respondent had "agent on [the NS8 Employee's company] laptop." "Agent" referred to a tool that permitted NS8 IT, including Respondent, to remotely access NS8-issued laptops and provide IT support-including viewing what was happening on a laptop screen in real time. Respondent replied, "I can watch what he is doing if we care." 

12. Respondent messaged the CEO: "I want to give you a password to login his laptop. . . [f]rom there, I'm hoping he is dumb enough to have his Keeper password memorized and see what's in there." "Keeper" referred to a password management system that NS8 employees used to save passwords to various NS8-related applications. The NS8 Employee also chose to save passwords for his personal email and other applications in his Keeper. 

13. The next day, Respondent met the CEO at NS8's office. Respondent used NS8's administrative account to access the NS8 Employee's company computer. Respondent then left the NS8 Employee's computer and password in the CEO's office. 

14. That same day, the NS8 Employee's saved "Keeper" personal passwords were used to access his Hotmail, Dropbox, Facebook, Glassdoor, and Google accounts on his NS8-issued laptop.

15. Later that week, the CEO fired the NS8 Employee.

Betcha didn't see that nasty turn of events!  On top of Rogas' fraud, we got Hansen running afoul of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Section 21F, "Securities Whistleblower Incentives and Protection" and SEC Rule 21F-17, which provides in relevant part: 

(a) No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.

SEC Commissioner Peirce Dissents: An undisciplined interpretation . . . unnecessary legal risk

Going from Rogas' ironical criminal case to Hansen's attempts to impede a whistleblower, we come upon this regulatory curio: Statement in the Matter of David Hansen by SEC Commissioner Hester M. Peirce (April 12, 2022)
https://www.sec.gov/news/statement/peirce-statement-david-hansen-041222
SEC Commissioner Peirce dissented from the SEC's Hansen Order, and offered this rationale:

Exchange Act Rule 21F-17(a), adopted in 2011 as part of the whistleblower program mandated by the Dodd-Frank Act, prohibits taking "any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications." The Commission's Order concludes that David Hansen, a co-founder of NS8, Inc. who held various positions in the company, including Chief Information Officer, violated Rule 21F-17(a). The alleged violation related to Mr. Hansen's response to concerns raised with him by an NS8 Employee that the company was overstating the number of paying customers. The Order does not explain what, precisely, Mr. Hansen did to hinder or obstruct[1] direct communication between the NS8 Employee and the Commission. Accordingly, I dissent from instituting the action and accepting the settlement.

The Order states that the NS8 Employee was concerned that "NS8 was overstating its number of paying customers, including that the customer data . . . used to formulate external communications-including to potential and existing investors-was false." After submitting a tip to the Commission, the NS8 Employee raised these concerns with Mr. Hansen and told Mr. Hansen "that unless NS8 addressed this inflated customer data, he would reveal his allegations to NS8's customers, investors, and any other interested parties." Mr. Hansen, who "understood that the . . . concerns involved a possible securities law violation," suggested to the NS8 employee that he raise his concerns to his supervisor or to NS8's CEO, and the employee conveyed his concerns to his supervisor later that same day. The supervisor then called Mr. Hansen, who then called NS8's CEO.

The Order has several sentences describing interactions between Mr. Hansen and the CEO and their subsequent actions, but the salient facts, as I see them,[2] are:

  • The "CEO told Respondent that he [the CEO] removed NS8 Employee's administrator privileges to one system but kept read-only access 'so it looks like an error.'"
  • Mr. Hansen told the CEO that the NS8 Employee's company-issued computer had a tool that permitted remote access, and that Mr. Hansen could " 'watch what [the NS8 Employee] is doing [on his company-issued computer] if we care.' "[3]
  • Mr. Hansen "used NS8's administrative account to access the NS8 Employee's company computer" and "then left the NS8 Employee's computer and password in the CEO's office."
  • The CEO fired the NS8 Employee later in the week.

Although the Order states that "both took steps to remove the NS8 Employee's access to NS8's IT systems," the above list includes only two concrete actions by Mr. Hansen: (1) accessing the NS8 Employee's computer and (2) leaving the computer and password in the CEO's office. How did Hansen's actions as set forth in the Order remove the NS8 Employee's access to the IT systems, let alone stand in the way of the NS8 Employee's direct communication with the Commission? In my view, they quite plainly did not.

At most, these actions affected the content of what the NS8 Employee could communicate, not whether he could communicate. Rule 21F-17(a) ensures the whistleblower's entitlement to speak directly to the Commission, and NS8 did not prevent the NS8 Employee from doing so. Actions that limit access to company data do not necessarily limit access to the Commission. Mr. Hansen's actions, as reported in the Order, did not hinder the NS8 Employee's communications with the Commission regarding his already-submitted tip.[4] Furthermore, the Order does not state that Mr. Hansen knew about the tip. If there were evidence that he knew of the tip, then his actions may have implicated Rule 21F-17(a) or the anti-retaliation rules.

A broad interpretation of Rule 21F-17(a) could prohibit companies from limiting employees' access to data. Limiting access to sensitive data is a common element in cybersecurity programs.[5] A plausible inference, based on the facts recited in the Order, is that Mr. Hansen was concerned about the NS8 Employee's threat to disclose confidential company data "to NS8's customers, investors, and any other interested parties." Rule 21F-17(a) by its plain terms applies only to communications with the Commission. We should not read it in a manner that complicates a company's ability to act to protect its data in the face of sweeping disclosure threats, even well-intentioned ones by concerned employees. Companies hold troves of data about their customers, assets, and business practices. They and their customers have a keen interest in protecting those data. We should not engage in an undisciplined interpretation and application of Rule 21F-17(a) that adds unnecessary legal risk to that burden.

I respectfully dissent.

= = = = =

[1] Impede means "to retard in progress or action by putting obstacles in the way; to obstruct; to hinder; to stand in the way of." Oxford English Dictionary (1971).

[2] The Order also states that the NS8 Employee used a password management system installed on his NS8-issued computer to save passwords both "to various NS8-related applications" and to "his personal email and other applications." Additionally, the Order states that the saved passwords were used to access his personal accounts "on his NS8-issued laptop" the same day Mr. Hansen left the computer in the CEO's office. Because the Order does not identify who accessed what personal accounts, the relevance of these facts is not clear.

[3] The Order does not state that Mr. Hansen (or anyone else) in fact watched.

[4] The Order states that it was the CEO who limited the NS8 Employee's "privileges to one system" to "read-only access" and later fired the NS8 Employee, and does not state that Mr. Hansen had any role in either action.

[5] See, e.g., Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Rel. No. 34-94197, https://www.sec.gov/rules/proposed/2022/33-11028.pdf (proposing rule § 275.206(4)-9(a)(2)(4) to require as "an element of an adviser's or fund's reasonably designed policies and procedures . . . [r]estricting access to specific adviser or fund information systems or components thereof and adviser or fund information residing therein solely to individuals requiring access to such systems and information as is necessary for them to perform their responsibilities and functions on behalf of the adviser or fund").


The Cyberfraud Prevention Fraud, The Impeded Whistleblowing, and The Dissenting SEC Commissioner (BrokeAndBroker.com Blog)

FINRA Cites RBC Capital Market's Supervisory Review, Personnel Turnover, and Outdated Tech (BrokeAndBroker.com Blog)

DOJ RELEASES

Florida Man Sentenced to 45 Months in Prison for Laundering Funds Related to $50 Million Wire and Securities Fraud Scheme (DOJ Release)

Concord Man Pleads Guilty to Defrauding Investor (DOJ Release)

Instagram Personality Known as "Jay Mazini" Pleads Guilty to Wire Fraud, Wire Fraud Conspiracy and Money Laundering / Defendant Admits Perpetrating Fraudulent Schemes, Including Investment Scheme that Bilked Muslim-American Community Out of Over $8 Million (DOJ Release)

Band Of Cybercriminals Responsible For Computer Intrusions Nationwide Indicted For Rico Conspiracy That Netted Millions (DOJ Release)

Burlington County Man Admits Bank Fraud (DOJ Release)

Former New Jersey Man Sentenced to Federal Prison for Role in Scheme to Defraud Elderly Oregonian (DOJ Release)

Rhode Island Man Pleads Guilty to Charges for Swindling Victims Who Thought They Were Investing in 'Magic Mike' Stage Show (DOJ Release)

SEC RELEASES

SEC Charges Promoter for Role in Fictitious Crypto Trading Program (SEC Release)

SEC Charges Halal Capital Founder with Multimillion Dollar Fraudulent Scheme that Targeted Muslim Community (SEC Release)

SEC Charges Incarcerated Felon and Five Friends in $2 Million Fraud Scheme (SEC Release)

SEC Orders $2 million and $500,00 Whistleblower Awards to Two Claimants 
Order Determining Whistleblower Award Claims

SEC Order $10 Million Whistleblower Award to Claimant 
Order Determining Whistleblower Award Claims

SEC Adopts Rules to Enhance Proxy Voting Disclosure by Registered Investment Funds and Require Disclosure of "Say-on-Pay" Votes for Institutional Investment Managers / Rules and form amendments will enhance transparency of fund and institutional investment manager proxy voting records (SEC Release)

Statement on Final Amendments to Form N-PX by SEC Chair Gary Gensler

Statement on Enhanced Reporting of Proxy Votes by SEC Commissioner Caroline A. Crenshaw

Enhancing Fund Voting Reporting by SEC Commissioner Jaime Lizárraga

Voting Obsession: Statement on Final Enhanced Reporting of Proxy Votes by Registered Management Investment Companies; Reporting of Executive Compensation Votes by Institutional Investment Managers by SEC Commissioner Hester M. Peirce

Statement on the Final Rule: Enhanced Reporting of Proxy Votes by Registered Management Investment Companies; Reporting of Executive Compensation Votes by Institutional Investment Managers by SEC Commissioner Mark T. Uyeda

SEC Proposes Enhancements to Open-End Fund Liquidity Framework

Statement on Open-End Funds by SEC Chair Gary Gensler

Learning from History: Statement on Open-End Fund Liquidity Risk Management Programs and Swing Pricing by SEC Commissioner Caroline A. Crenshaw

Strengthening Open-End Fund Resiliency and Liquidity in Stressed Markets by SEC Commissioner Jaime Lizárraga

Closing Act: Statement on Proposed Open-End Fund Liquidity Risk Management Programs and Swing Pricing; Form N-PORT Reporting by SEC Commissioner Hester M. Peirce

Statement on Proposed Rule: Open-End Fund Liquidity Programs and Swing Pricing; Form N-PORT Reporting by SEC Commissioner Mark T. Uyeda

"This Law and Its Effective Administration" Remarks Before the Practising Law Institute's 54th Annual Institute on Securities Regulation by SEC Chair Gary Gensler

CFTC RELEASES


Statement of Commissioner Kristin N. Johnson Regarding CFTC Order Finding That Jeremy Rounsville of Hunt County Texas, Defrauded Customers in Digital Asset Arbitrage Scheme

FINRA RELEASES

FINRA Censures and Fines Vanguard Marketing for Option Exercise After Cut-Off Time
In the Matter of Vanguard Marketing Corporation, Respondent (FINRA AWC)

FINRA Censures and Fines Member Firm for Misrepresentations on Monthly Statements
In the Matter of Wedbush Securities Inc., Respondent (FINRA AWC)

FINRA Fines (but does not Censure) Member Firm for Unreasonable AML Testing
In the Matter of Superior Financial Services, Inc., Respondent (FINRA AWC)

FINRA Fines and Suspends Rep for Excessive/Unsuitable Trading 
In the Matter of Christopher Alexander Polinaire, Respondent (FINRA AWC)

FINRA Bars Rep Who Believed Transferred Funds Were Proceeds Of Illegal Activities
FINRA Department of Enforcement, Complainant, v. Yoon Sik Chung, Respondent (FINRA Offer of Settlement)

FINRA Censures, Fines, and Orders Restitution for Western International Securities, Inc.'s Non-Traded REITs Supervision 
In the Matter of Western International Securities, Inc, Respondent (FINRA AWC)

FINRA Fines and Suspends Rep for Discretionary Trading 
In the Matter of M B Schreiber, Respondent (FINRA AWC)

FINRA Fines and Suspends Rep for Providing Letters of Credit to Raymond James' Customer
In the Matter of Scott G. Warnock, Respondent (FINRA AWC)

FINRA Fines and Suspends Rep for Cutting and Pasting Customer Signatures
In the Matter of Trent J. Davis, Respondent (FINRA AWC)

FINRA Fines and Suspends Rep for OBA
In the Matter of Penny S. Morgan, Respondent (FINRA AWC)

Membership Application Program: Reviewing and Approving Digital Asset Firms (FINRA UnScripted)