Top 5 SEC Enforcement Developments for December 2024
Each month, we publish a roundup of the most important SEC enforcement developments for busy in-house lawyers and compliance professionals. This month, we examine:
On December 18, 2024, the SEC filed a federal court complaint against Dr. Sai-Hong Ignatius Ou (“Dr. Ou”), a clinical professor at the University of California, Irvine, alleging insider trading of shares of Nuvalent Inc. (“Nuvalent”). The complaint claims that Dr. Ou, through confidential emails, learned of positive results from a cancer drug trial where he was a principal investigator and privy to material nonpublic information or “MNPI.” Before the results of the trial were made public, Dr. Ou allegedly acquired more than 80,000 shares of Nuvalent stock during a series of trades between June and October 2022.
Two days after Dr. Ou’s last purchase, Nuvalent disclosed positive trial results, and its stock price rose 60%. Although the SEC did not allege that Dr. Ou sold any shares, the complaint alleges that Dr. Ou’s position was worth more than $2.8 million, with profits of over $1.5 million. The SEC contends that although Dr. Ou was not a Nuvalent employee, he still had access to material nonpublic information by virtue of his role as a clinical investigator and had an obligation to keep such information confidential.
Accordingly, the SEC found Dr. Ou violated Section 10(b) of the Exchange Act and Rule 10b-5 thereunder. Without admitting or denying the SEC’s findings, Dr. Ou agreed to pay $3 million—$1.5 million in disgorgement fees and $1.5 million in civil penalties—and consented to an injunction and a five-year officer and director bar.
On December 17, 2024, Express, Inc. (“Express”) resolved SEC charges, on a neither admit nor deny basis, that it failed to disclose nearly $1 million in perquisites and personal benefits provided to its former CEO between 2019 and 2021, and failed to maintain adequate disclosure controls and procedures to identify perks that should be identified in the company’s definitive proxy statements. Among other benefits, Express authorized, but failed to identify as executive compensation, the CEO’s use of chartered private aircraft for personal purposes, hotels, and meals. According to the SEC, Express’s failure to include the CEO’s compensation caused the “All Other Compensation” section of its Named Executive Officers’ compensation to be understated by an average of 94% over three fiscal years.
Express discovered the errors during an internal review and promptly self-reported its findings to the SEC, cooperating fully with the SEC’s investigation. Express, which filed for bankruptcy in early 2024, implemented remedial measures and updated its executive compensation policies to ensure better identification and disclosure of perquisites in the future. Additionally, the former CEO voluntarily reimbursed Express around $454,000 in travel expenses.
In light of these mitigating factors, the SEC decided not to impose a monetary penalty; instead, the SEC issued a cease-and-desist order that addressed the alleged disclosure and internal controls violations.
On December 16, 2024, the SEC charged a medical device manufacturer (“MDM”) for allegedly misstating the commercial viability and safety profile of an infusion pump sold by the company. The SEC also alleged MDM materially overstated its operating income by understating remediation costs in its financial reports, failed to maintain sufficient accounting controls, and lacked disclosure controls and procedures needed to file annual reports.
According to the SEC, MDM made materially misleading statements and omissions from 2016 to early 2020 about the regulatory status of the infusion pump—a device contributing 10% of MDM’s overall profits. MDM purportedly failed to disclose that the pump required new clearance from the Food and Drug Administration (“FDA”) to address multiple changes and flaws in the pump’s software that posed a safety risk to patients.
The Order details how, in 2016, MDM’s regulatory experts allegedly determined that the pump required new FDA clearance due to software changes. MDM initially worked to obtain this clearance but allegedly changed course when it realized it lacked the necessary documentation. MDM allegedly sought narrower approval for only certain features but was ultimately unsuccessful.
By January 2019, MDM had allegedly identified over 25 flaws in the pump’s software. According to the SEC, in October 2019, MDM informed the FDA of additional flaws and proposed that the FDA allow MDM to continue selling the pump while it addressed the issues; the FDA rejected MDM’s proposal. MDM also allegedly overstated its operating income by failing to properly account for and disclose estimated recall costs of $50 million relating to issues with the pump. When the FDA raised concerns in 2019 that the pump was “violative” with “defects and safety issues,” MDM continued to describe the situation to investors as making “improvements” and “upgrades.” The SEC found that MDM’s statements during investor calls and in its SEC filings materially misled investors about the nature and extent of the regulatory issues.
Accordingly, the SEC found MDM violated Sections 17(a)(2) and (3) of the Securities Act and Sections 13(a) and 13(b)(2)(A) of the Exchange Act. Without admitting or denying the SEC’s findings, MDM agreed to pay a $175 million civil penalty and consented to a cease-and-desist order and to retain an independent compliance consultant to review its disclosure controls and procedures.
On December 16, 2024, Flagstar Financial, Inc. (“Flagstar”) agreed to pay a $3.55 million civil penalty to settle SEC claims that it negligently provided misleading disclosures about a cybersecurity breach between November and December 2021. Flagstar resolved this matter on a neither admit nor deny basis. The SEC alleged that unauthorized access by hackers resulted in the encryption of about 30% of the company’s network and the exfiltration of personal data from approximately 1.5 million individuals.
According to the SEC, Flagstar’s risk and other public disclosures improperly framed cybersecurity incidents as only a hypothetical risk, omitting that such an attack had already occurred, and minimizing the scope of a breach by representing “that there was unauthorized access to Flagstar’s network when, in fact, Flagstar was aware that the threat actor exfiltrated the PII of approximately 1.5 million individuals.” The SEC found that Flagstar violated Section 17(a)(2) of the Securities Act and Section 13(a) of the Exchange Act. Flagstar agreed to implement enhanced disclosure practices in addition to paying the aforementioned civil penalty. As discussed in our January 2025 client alert, the SEC continues to leave its mark as a federal cybersecurity enforcer.
On December 9, 2024, a Financial Services Firm (“FSF”) agreed to pay a $15 million penalty to resolve SEC charges that the firm failed to adopt and implement reasonable policies and procedures to prevent theft of client funds by four investment advisors and registered representatives and failed reasonably to supervise those individuals. According to the SEC, four of the firm’s registered representatives misappropriated funds from client and customer accounts while employed at the firm using externally initiated Automated Clearing House (“ACH”) payments and wire transfers.
In October 2015, FSF allegedly began using third-party software to detect fraudulent wires to external accounts, and FSF believed the software would detect suspicious cash transfers. According to the SEC, however, FSF’s software was not calibrated to monitor certain externally initiated ACH payments and detect instances when an FSF advisor assigned to the account was listed as a beneficiary. This alleged deficiency, which FSF reported to the SEC in 2021, led to three of the four named advisors misappropriating over $1.7 million through hundreds of unauthorized ACH transfers. Additionally, the SEC alleges that from October 2015 to February 2021, FSF failed to adequately monitor suspicious cash wire transfers to external third-party accounts from unrelated client accounts managed by the advisors. This failure allowed two of the four named advisors to misappropriate millions of dollars.
According to the SEC, FSF learned of the misappropriation in 2019 after a relative of an advisory client raised questions about the client’s account. FSF allegedly terminated the responsible advisor, reported the misappropriation to the Commission staff and law enforcement, and settled with the clients to compensate for their losses.
The SEC found that FSF willfully violated Section 206(4) of the Investment Advisers Act and Rule 206(4)-7 thereunder, which require registered investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. The SEC also found that FSF failed to supervise the four financial advisors within the meaning of Section 203(e)(6) of the Advisers Act and/or Section 15(b)(4)(E) of the Exchange Act. Without admitting or denying fault, FSF consented to a cease-and-desist order, a censure, retention of a compliance consultant, and the aforementioned civil penalty.