Weekend Reading: Countdown to Zero Day

We were in a cyber war with Iran. Kim Zetter unravels the story of Stuxnet, the US computer attack on Iran’s nuclear program, in Countdown to Zero Day.

A few months ago, I read A Time to Attack urging a US military attack on Iran. That book highlighted how Iran had been building a nuclear program for several years. That included several years of centrifuges spinning to extract enriched uranium.

It has taken so long to extract uranium because, according to Zetter, the United States has been running a sophisticated attack on the computer systems that run those centrifuges. The United States and Israel planted sophisticated tools on those computers designed to alter the speeds of the centrifuges and the flow of gas into and out of them.

We have entered an age where warfare can be broken into digital attacks and kinetic attacks. Computer geeks and fighter jocks can both engage with the enemy. Stuxnet was a replacement for dropping bombs on the enrichment facilities.

Zero day refers to an attack using a previously unknown computer security vulnerability. One attack detailed in Countdown to Zero Day used a “god-mode exploit” that was even more potent. For anyone involved in cybersecurity, the book may make you want to curl up in a ball and hide in the corner.

The book is well-written and well-researched. It’s always great to grab a book like this that is enjoyable to read and able to explain complicated situations.

There is a compliance and ethics side to the book and the story of Stuxnet. The US government has been touting the importance of securing critical infrastructure. The Securities and Exchange Commission has fired a warning that it takes cybersecurity very seriously. But according to Zetter, the government also has a stockpile of cyber weapons designed to attack those systems. Late in the book it raises the issue of whether cyber attacks should be treated as an act of war. Should Iran be able to retaliate with conventional weapons to protect itself from cyber attacks?

The publisher kindly sent me an advance reader copy of the book in hopes of me writing a review. Countdown to Zero Day goes on sale on November 11.

Compliance Bricks and Mortar for October 24

These are some of the compliance-related stories that recently caught my attention.

SEC Charges Athena Capital in First HFT Case in the Corporate Crime Reporter

The Securities and Exchange Commission (SEC) has sanctioned a New York City-based high frequency trading firm for placing a large number of aggressive, rapid-fire trades in the final two seconds of almost every trading day during a six-month period to manipulate the closing prices of thousands of NASDAQ-listed stocks.

Why High-Frequency Trading Is So Hard to Regulate by Peter J. Henning in DealBook

The challenge in pursuing charges against these firms is that they are taking advantage of changes in the technology underpinning the markets to profit from quick trades, which is not illegal. But regulators can find it difficult to draw the line between acceptable trading strategies and manipulation because of the complexity of the strategies.

SEC Breaks Down FY 2014 Enforcement Results, Highlights by Bruce Carton in Compliance Week

Late last week, the SEC issued a press release summarizing its enforcement results for the agency’s fiscal year 2014, which ended September 30, 2014. The SEC emphasized that it filed a record 755 enforcement actions in FY 2014, and that these cases “included a number of first-ever cases, including actions involving the market access rule, the ‘pay-to-play’ rule for investment advisers, an emergency action to halt a municipal bond offering, and an action for whistleblower retaliation.”

Fighting Against the SEC’s Administrative Hearings

Prior to the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Securities and Exchange Commission’s authority to impose penalties in a case brought as an administrative proceeding was restricted to regulated entities. The SEC could not impose a significant civil penalty in an administrative proceeding. That limited administrative proceedings to cease-and-desist proceedings against broker-dealers, investment advisers, and mutual funds. The alternative to an administrative proceeding before an SEC administrative law judge was a lawsuit brought in federal court.

Dodd-Frank changed that with its Section 929P. The SEC may now impose a civil penalty in an administrative proceeding against any person or company.

Administrative proceedings have many built-in advantages for the SEC: limited discovery, no right to a jury trial, an inherently biased administrative law judge, and a biased appeal to the SEC commissioners. The SEC has the “home court” advantage. According to a Wall Street Journal story, in the 12 months through September, the SEC won all six contested administrative hearings where verdicts were issued, but only 11 out of 18 federal-court trials.

There is an upside to the administrative proceeding. Some defendants will see it as a quicker or less costly proceeding.

One defendant thinks otherwise and has filed suit against the SEC in defense of an upcoming administrative proceeding. Joseph Stillwell runs an investment fund that is under investigation by the SEC. He received a Wells Notice and is expecting his case to end up as an administrative proceeding after settlement talks have stalled.

A second defendant in a separate case also challenged an administrative proceeding. Jordan Peixoto was accused by the SEC of insider trading, but the SEC decided to use its new administrative proceeding alternative to federal court. Unlike Stillwell, Peixoto was not subject to SEC registration. The only other time the SEC has acted in this manner was with Rajat Gupta.

There is a constitutional question raised by each case. Each raises concerns about due process and presidential appointment powers. Since the SEC is an independent agency, the SEC commissioners can only be removed for good cause. The administrative judges also have tenure and can only be removed for cause. Prior federal cases have only permitted one level of tenure, not the two levels for the SEC administrative judges.

There is an ethical question. The administrative judges are appointed by the SEC and any appeal of a judge’s decision goes to the SEC commissioners. Since it takes a vote of the SEC commissioners to proceed with an enforcement action, those commissioners are hearing the appeal of the case they authorized to proceed in the first place. The judges are not held to any code of conduct or code of ethics. In the Peixoto complaint, the proceeding is called a “star chamber” where the accused is defenseless.

He also pulled up a statement by the SEC’s general counsel that called into question the adequacy of the administrative process for insider trading cases.

Association for Corporate Growth’s Compliance & Regulatory Survey

The Association for Corporate Growth released a report identifying the top compliance and regulatory concerns impacting small and midsize private equity firms. The results are unsurprising, but reinforce concerns.

The top five regulatory issues were found to be:

  • SEC Examinations (75%)
  • Investment Adviser Act Compliance (66%)
  • Valuation Issues (58%)
  • General Solicitation rules (54%)
  • Legislation (tax reform, carried interest) (50%)
  • Allocation of Fees and Expenses (50%)

The Investment Adviser Act compliance item included custody, recordkeeping and reporting. I’m not sure if that includes marketing limitations.

I was surprised that political contributions and the pay-to-play regulations only gathered 24.6%. That’s the one that keeps me up at night.

I was not surprised that SEC examination was the top vote-getter. An exam is a pain in the neck and there can only be bad things from it. No investor is going to make a decision because the firm had a positive exam. But you may lose a potential investor if you have a bad exam.

ACG also probed deeper on SEC examinations. Of the 158 votes for that concern, 57 had been examined. Many of the firms who indicated they were examined in 2012 and early 2013 indicated that their examiners were not familiar with the private equity business model. Those firms examined in 2014 generally indicated that their examination was conducted efficiently, and/or they comment that the examiners appeared familiar with private equity. Only one person commented that the examiners were more combative than necessary.

Compliance and Ebola

There is clearly an Ebola scare happening in the United States. It’s a nasty disease and that has attracted widespread media attention. Is there anything your compliance team should do about Ebola?

I’ll assume that your firm does not have operations or personnel in West Africa. If it does, then yes, you should be concerned about Ebola and contacting professionals.

For the rest of us, there is little to worry about.

There have been three confirmed cases of Ebola in the United States and one death. Those are tragic. But very small. If your compliance program is so robust that you can worry about such infinitesimal risks, I congratulate you.

Let’s put the Ebola risk in perspective.

Influenza, the seasonal flu, typically kills between 3,000 and 49,000 people each year according to the CDC. Influenza is much more contagious and can spread through the air in the workplace. (Ebola cannot.) It sounds like your compliance team should spend much more time making sure all employees get their flu shots than to worry about Ebola.

There were 4,405 fatal workplace injuries in 2013. Nine percent of those were homicides. It sounds like you should be more worried about an active shooter than Ebola.

There were three workplace deaths attributed to lightning in 2013. You are three times more likely to die from a lightning strike at work than you are to catch Ebola in the United States. How is your lightning compliance program?

Kleptocracy Asset Recovery Initiative

Last week, the son and heir-apparent to the president of Equatorial Guinea agreed to give up $34 million in assets as part of a settlement with the U.S. government over corruption claims. This was the latest attack by the Department of Justice’s Kleptocracy Asset Recovery Initiative.

According to the Wall Street Journal, the Kleptocracy Asset Recovery Initiative has collected about $600 million out of the $1.2 billion pursued from 15 cases against current or former officials and businessmen.

The government accused Second Vice President Teodoro Obiang Nguema Mangue of amassing assets worth $300 million on an annual salary of less than $100,000.

He has agreed to sell a Malibu mansion, a Ferrari and six life-size Michael Jackson statues. He gets to keep a Gulfstream jet, a luxury boat and most of his collection of Michael Jackson memorabilia, including the crystal-encrusted glove from the late singer’s ‘Bad’ tour (At least for now). If you want to see an incredible collection of Michael Jackson memorabilia, you can find it at the Equatoguinean Cultural Center in Malabo.

Mr. Obiang’s father is still in power, so the government of Equatorial Guinea didn’t cooperate with the U.S. government’s investigation. There are obvious signs of corruption, but the US government faced an uphill battle trying to trace Mr. Obiang’s US based assets back to corruption in his native country.

The main link was the anti-money laundering failures of Riggs Bank. Starting in the mid-1990s, Riggs Bank opened dozens of accounts for the government of Equatorial Guinea, as well as senior government officials. By 2003 those accounts were worth almost $700 million.

Weekend Reading: The Skies Belong To Us

It’s hard to imagine in these days of TSA security, but over a five-year period starting in 1968, hijackers seized commercial jets nearly once a week. Brendan I. Koerner captures this piece of history in The Skies Belong to Us: Love and Terror in the Golden Age of Hijacking.

Mr. Koerner uses the hijacking of Western Airlines Flight 701 on June 2, 1972 as the centerpiece of his book, with other tales of hijackings wrapped around it. Roger Holder and Cathy Kerkow captured Flight 701 with a fake bomb. Neither had to pass through a metal detector or any security screening before boarding the plane.

Since Sept. 11 we have no sympathy for skyjackers. Mr. Koerner’s book returns us to the time of free love, the Black Panthers, and Vietnam War protests. In this golden age of skyjacking you could walk through an airport “without encountering a single inconvenience — no X-ray machines, no metal detectors, no uniformed security personnel with grabby hands and bitter dispositions.”

Even as skyjackings became a weekly occurrence, the airline industry still opposed security screenings because of the inconvenience.

Unlike today’s fears of skyjackers being terrorists, the golden age skyjackers were more interested in fame, money and expressing displeasure with the government. A favorite destination was warm-weather communist Cuba. Few actually wanted to harm anyone. The airline industry was convinced that enduring periodic skyjackings was better financially than paying for invasive security measures at hundreds of airports.

Screening baggage with metal detectors at airports did not become mandatory until 1973. The airlines and their lobbyists fought security requirements. They thought costs would be prohibitive, and that passengers would rebel. Civil libertarians fought screening as a Constitutional violation. (For a touch of cynicism, the automobile industry supported the screening requirements.)

Of course in this golden age, flying was much more enjoyable. “Decades have passed since coach-class passengers enjoyed luxuries that have since become inconceivable: lumps of Alaskan crabmeat served atop monogrammed china, generous pours of free liquor, leggy stewardesses who performed their duties with geisha-like courtesy.” I suppose it’s easier to tolerate a detour to Havana when you have room to stretch your legs, are well-fed and liquored-up.

It was the November 10, 1972 skyjacking of Southern Airlines Flight 49 that finally caused the government to implement mandatory screening, the airlines to concede, and passengers to accept security. Those skyjackers threatened to use the skyjacked plane as a weapon and crash it into the nuclear facility at Oak Ridge, Tennessee.

The golden age ended when skyjacking turned into a weapon.

Compliance Bricks and Mortar for October 17

These are some of the compliance-related stories that recently caught my attention.

Mathew Martoma’s Wife Fights to Keep Couple’s Florida Home, Millions in Cash by Bruce Carton in Compliance Week

Martoma will begin serving his prison term next month, but his wife, Rosemary Martoma, is now challenging the $9.4 million forfeiture order. This week Rosemary Martoma asked the court to allow her to keep her share of the couple’s assets, including a $2.2 million home in Boca Raton, Florida and approximately $4.5 million in cash.

The New Vocabulary of Compliance Communications by Joel A. Rogers in Communicating Compliance

Every time there is a paradigm shift in any arena, a new vocabulary – either new words or new meanings to older words – emerges to account for a host of novel concepts. … The same thing is true in compliance, as I learned in the reader comments to my last blog post, in which I made reference to “low-bandwidth” compliance communications, a term which caused confusion for at least one reader. As the paradigm of compliance communications shifts away from long, burdensome elearning programs toward quick bursts of information delivered in an organized, structured fashion, a new vocabulary has emerged to account for its conceptual differences from “traditional” practices.

SEC Whistleblower Program Achieves Critical Mass by Matt T. Morley in the HLS Forum on Corporate Governance and Financial Regulation

Two recent Dodd-Frank whistleblower awards suggest that the program is becoming the kind of “game changer” for law enforcement that many had predicted. The program, which took effect in August 2011, mandates the payment of bounties to persons who voluntarily provide information leading to a successful securities enforcement action in which more than $1 million is recovered. Informants are entitled to receive between 10 and 30 percent of the amounts recovered, with the precise amount to be determined by the SEC.

Complicating Sanctions Compliance: OFAC Redefines 50 Percent Rule by Michael Volkov in Corruption, Crime & Compliance

OFAC’s revised policy addresses the ownership requirement under which a person related to an SDN has to be blocked under OFAC regulations. Going back around six years ago, OFAC adopted a policy that ownership for purposes of sanctions extends to any entity that is 50 percent or more owned by a single SDN.

The Second Time Around Analyst Is Charged With Insider Trading by Thomas O. Gordon in SEC Actions

The second time around proved to be the undoing of a senior financial analyst at a pharmaceutical company identified only as Pharma Co. Two years ago he supposedly furnished material non-public information about a proposed take-over to his longtime friend, identified as Trader. Trader traded and profited. No action was brought. In 2014 the analyst supposedly furnished the same friend inside information on another transaction. This time the SEC and the Manhattan U.S. Attorney filed civil and criminal charges against the analyst. SEC v. Zwerko, Civil Action No. CV 8181 (S.D.N.Y. Filed Oct. 10, 2014).

Don’t Forge Documents You Give to SEC Investigators

You’re bound to make a mistake. Don’t make the mistake even worse by faking a document you submit to the Securities and Exchange Commission in order to cover your original mistake.

Back in 2012, the SEC brought charges against Waldyr Da Silva Prado Neto, a citizen of Brazil who was working for Wells Fargo in Miami. He was accused of illegally trading in the stock of Burger King after he learned of an impending private equity transaction.

Wells Fargo admitted to compliance weaknesses and paid a $5 million fine in connection with that supervision failure. In connection with that failure’s administrative order, the SEC expressed its displeasure with a delay in production of the documents and the state of the documents.

When the documents were produced, the firm failed to produce an accurate record of the review as it existed at the time of the staff’s request. Instead, the firm produced a document that had been altered by an employee after the Commission staff issued its follow up request. When questions arose surrounding the altered document, Wells Fargo Advisors placed the employee on administrative leave and eventually terminated this employee.

That failure probably resulted in the SEC enforcement action and a bigger fine for Wells Fargo.

The other shoe dropped. The SEC brought charges against Judy K. Wolf, the ex-Wells Fargo employee, for faking the document.

The SEC alleges that Wolf was responsible for reviewing Waldyr Da Silva Prado Neto’s trading records in 2010 in connection with the Burger King trades. She reviewed the trading records and closed her review with no findings. The SEC alleges that Wolf altered her review report in 2012 after the insider trading charges were filed. She made it look like her review was more thorough than it actually was.

The Order notes some of the red flags according to the Wells Fargo “look back” policy:

  • Prado and his customers represented the top four positions in Burger King securities firm-wide;
  • Prado and his customers bought Burger King securities within 10 days before the acquisition announcement, including on the same days;
  • The profits by Prado and his customers each exceeded the $5,000 threshold specified in the look back review procedures;

What did her in was an additional note in the log:

“09/02/10 opened 24% higher@ $23.35 vs. previous close of $18.86. Rumors of acquisition by a
private equity group had been circulating for several weeks prior to the announcement. The
stock price was up 15% on 9/1/12, the day prior to the announcement.” (My emphasis)

Wolf made a typo on the announcement date. According to the order, she argued that it was merely a contemporaneous typo, but admitted in later testimony that she had made that additional log note after the SEC investigation. Wells Fargo was able to produce earlier copies of the log that did not have those two sentences.

Wolf tried covering her mistake, but it blew up into a bigger problem. Wells Fargo fired her and the SEC brought charges against her personally.

Can an ATM Machine Be a Security?

Nationwide Automated Systems offers turnkey ATM solutions. A turnkey ATM program addresses the need for ATM service, repair, system monitoring, and cash replenishment. Typically the ATM provider will split some of the fee income with the property owner where the ATM is located rather than pay a fixed rent.

To raise capital, Nationwide created a sale-leaseback with third party investors. The investor buys the machine from Nationwide, then leases it back to Nationwide for ten years in return for rent. The rent is payable as $0.50 per approved transaction.

The Securities and Exchange Commission claims that Nationwide did not actually own the machines it was selling and was generating very little revenue from ATM transactions. The SEC is accusing Nationwide of using new investor investments to pay old investors’ guaranteed returns. The SEC slapped the Ponzi label on Nationwide.

According to the SEC complaint, there was fraud. Nationwide had entered into more than 31,000 ATM sale-leaseback transactions. The SEC investigator only found records of Nationwide owning a few hundred. The SEC also found records of Nationwide selling the same ATM machine to multiple investors.

Even if there is fraud, the Securities and Exchange Commission can only get involved if there are securities. The SEC needs to prove that the sale-leaseback arrangement was essentially an investment contract. That leads back to some derivation of the Howey case to determine if there is an investment contract, and look at whether there is

  1. an investment of money,
  2. a common enterprise,
  3. a reasonable expectation of profits, and
  4. a reliance on the entrepreneurial or managerial efforts of others.

The SEC latched onto a non-interference provision in the leaseback. The ATM owners are prohibited from interfering with operations of the ATM or contacting the locations where the ATM is located. That provision is to keep busybodies from showing up at the ATM location and making a nuisance of themselves. That didn’t prevent one suspicious investor from calling the location where her ATM was located, only to have the hotel manager tell her there was no ATM at the hotel.

For a legitimate arrangement that non-interference provision is a perfectly valid provision. The SEC is interpreting it as part of the fraud.

I think this case will hinge on the provisions in the ATM lease. If the investor has some right to end the lease and do something else with the machine, then this is a real estate transaction and not a securities transaction. That means the SEC is out of the picture and the California authorities would need to step in.

The big sign of fraud is the guaranteed return. No investment should have a guaranteed return of 20% per year over 10 years.

The other sign is the cost of the machine. You can buy a basic ATM machine for $2,000. Nationwide is getting a big markup on the sale part of the sale-leaseback.

Nationwide ran into trouble in August when it ran out of cash and bounced checks to investors.

According to the SEC complaint, from August 20 to September 8, 2014 Nationwide deposited almost $4 million into its bank account. Only $52,463 was from ATM transaction revenue. During that same time frame, Nationwide paid over $2 million in “guaranteed” lease payments to existing investors.

I’m impressed with how quickly the SEC brought this case once the checks started bouncing.
