Consulting Companies to Pay $11.3M for Failing to Comply with Cybersecurity Requirements in Federally Funded Contract

Monday, June 17, 2024 — The Office of Public Affairs has announced that Guidehouse Inc. and Nan McKay and Associates (Nan McKay) have agreed to pay a combined total of $11.3 million to resolve allegations of violating the False Claims Act. The violations stemmed from their failure to meet cybersecurity requirements in a contract aimed at securing a safe environment for low-income New Yorkers to apply online for federal rental assistance during the COVID-19 pandemic.

Background

In early 2021, Congress established the Emergency Rental Assistance Program (ERAP) to help eligible low-income households with rent, utilities, and other housing-related expenses during the COVID-19 pandemic. New York’s Office of Temporary and Disability Assistance (OTDA) was responsible for administering the ERAP in the state. Guidehouse Inc., headquartered in McLean, Virginia, was the prime contractor responsible for the ERAP technology and services in New York. Nan McKay, based in El Cajon, California, served as Guidehouse’s subcontractor and was tasked with delivering and maintaining the ERAP technology product for online applications.

Cybersecurity Failures and Data Breach

Guidehouse and Nan McKay were jointly responsible for ensuring that the ERAP Application underwent necessary cybersecurity testing before its public launch. However, both companies admitted to failing to complete the required pre-production cybersecurity testing. As a result, the ERAP website went live on June 1, 2021, but was shut down 12 hours later when it was discovered that applicants’ personally identifiable information (PII) had been compromised and was accessible on the internet. The companies acknowledged that proper cybersecurity testing could have detected and prevented the breach.

Additionally, Guidehouse admitted to using a third-party data cloud software program to store PII without obtaining OTDA’s permission, violating their contractual obligations.

Financial Penalties and Settlements

Guidehouse Inc. paid $7,600,000 to resolve the allegations.
Nan McKay and Associates paid $3,700,000 to resolve the allegations.

The settlements also provided for a whistleblower, Elevation 33 LLC, an entity owned by a former Guidehouse employee, to receive $1,949,250 of the settlement amounts for their role in uncovering the violations.

Statements from Officials

Principal Deputy Assistant Attorney General Brian M. Boynton emphasized the importance of complying with cybersecurity obligations tied to federal funding, stating, “The Justice Department will continue to pursue knowing violations of material cybersecurity requirements aimed at protecting sensitive personal information.”

U.S. Attorney Carla B. Freedman for the Northern District of New York added, “Contractors who receive federal funding must take their cybersecurity obligations seriously. We will continue to hold entities and individuals accountable when they knowingly fail to implement and follow cybersecurity requirements essential to protect sensitive information.”

Acting Inspector General Richard K. Delmar of the Department of the Treasury remarked on the critical nature of data integrity, especially in programs vital to government pandemic recovery efforts.

New York State Comptroller Thomas P. DiNapoli highlighted the importance of safeguarding personal information and maintaining the integrity of rental assistance programs.

Civil Cyber-Fraud Initiative

This case aligns with the Department of Justice’s Civil Cyber-Fraud Initiative, announced on October 6, 2021, which seeks to hold entities accountable for cybersecurity deficiencies that jeopardize sensitive information. The initiative focuses on ensuring that contractors and grantees uphold their cybersecurity commitments.

Conclusion

This settlement sends a clear message to contractors about the serious consequences of failing to meet cybersecurity requirements. It underscores the importance of maintaining rigorous cybersecurity practices, particularly when handling sensitive personal information in federally funded programs.

For more information on this case and to learn about how to report cyber fraud, visit the Department of Justice website.

Stay tuned to our blog for more updates on legal news and insights into cybersecurity and compliance.

Gayatri GuptaJune 17, 2024

Nasdaq Compliance

The Nasdaq Stock Market features three tiers of listed companies, namely: (1) The Nasdaq Global Select Market, (2) The Nasdaq Global Market, and (3) The Nasdaq Capital Market. These tiers are characterized by progressively stringent listing requirements, with the Nasdaq Global Select Market setting the highest standards for initial listings and the Nasdaq Capital Market serving as the entry-level tier, particularly suitable for most small-cap issuers.

To list securities on Nasdaq, a company must fulfill minimum listing requirements, encompassing defined criteria related to financial performance, liquidity, and corporate governance. Nasdaq retains extensive discretion in the listing process and reserves the right to reject an application, even if the technical prerequisites are satisfied, if it deems such denial essential to safeguard the interests of investors and the public.

After securing a listing on Nasdaq, a company is obligated to adhere to ongoing listing standards. To initiate the listing process, a company seeking inclusion on Nasdaq must diligently complete and submit a comprehensive listing application to Nasdaq. This application should include specific documents and information as outlined by Nasdaq's requirements.

Typically, the application process spans a duration of four to six weeks. Once the application is submitted, a Nasdaq analyst is designated as the primary liaison with the company. Within two to three weeks of submission, the company can expect to receive an initial comment letter. The comment and review process persists until a decision is reached on the approval or denial of the application. Similar to filing with the SEC, a meticulously prepared Nasdaq application tends to attract fewer comments and facilitates a more streamlined process. Generally, the company's securities counsel assumes a leading role, serving as the primary contact for preparing the application and engaging in communication with Nasdaq.

Similarly to the SEC review process, Nasdaq conducts a thorough examination of publicly accessible information pertaining to a company. This encompasses, but is not limited to, SEC filings, the company's website, management communications and speeches, as well as press releases. The iterative nature of the review process typically doesn't necessitate a formal protocol, and communication is commonly facilitated through email correspondence and phone calls.

Listing Criteria For Nasdaq
For a company to list its securities on Nasdaq, it must satisfy the following criteria:

Specific Initial Requirements:
- Quantitative Standards: Meeting defined thresholds for both quantitative and qualitative factors.
- Qualitative Standards: Fulfilling certain qualitative benchmarks.
Continuing Requirements:
- Quantitative Criteria: Adhering to ongoing quantitative benchmarks.
- Qualitative Criteria: Maintaining specified qualitative standards.

The initial quantitative thresholds are typically set at a higher level than those required for continued listing. This distinction aims to ensure that companies achieve a sufficient level of maturity before being listed. Additionally, Nasdaq imposes rigorous corporate governance standards that listed companies must adhere to throughout their tenure on the exchange.

Before formally submitting a comprehensive listing application, a company has the option to pursue a preliminary listing eligibility review. In this stage, the Listing Qualifications Staff conducts a thorough examination of the company's public filings to assess its compliance with numerical listing requirements. Additionally, the team evaluates the company's adherence to corporate governance requirements outlined in the Marketplace Rules ("Rules"). This preliminary review provides valuable insights into the company's eligibility for listing on Nasdaq before committing to the full application process.

Upon completion of the preliminary review, the Listing Qualifications Staff will make an assessment regarding whether the company meets the numerical listing criteria. Additionally, any corporate governance or regulatory concerns raised during this phase will be considered to determine their impact on the listing approval. It's important to note that while the preliminary review provides insights, final approval necessitates the submission of a formal listing application. This application undergoes a thorough examination by the NASDAQ Listing Qualifications Staff. Furthermore, the final approval process involves satisfactory compliance with specific qualitative reviews. This includes an examination of the regulatory history of the company's officers, directors, and significant shareholders. Meeting these criteria is integral to obtaining the final approval for listing on Nasdaq.

Financial And Liquidity Requirements

    Requirements

    Equity Standard
    Market Value of Listed Standard
    Net Income Standard

    Listing Rules

    5505(a)
and
5505(b)(1)
    5505(a)
and
5505(b)(2)
    5505(a)
and
5505(b)(3)
    
    Stockholders Equity

    	$5 million
    	$4 million
    	$4 million
    
    The market value of publicly held shares

    $15 million
    $15 million
    $
      5 million
    
    Operating History

    	Two years
    N/A
    N/A
    
    The market value of listed securities

    N/A
    $50 million
    N/A
    
    Net income from continuing operations (in the latest fiscal
a year or in two of the last three
fiscal years)

    N/A
    N/A
    $750,000
    
    Publicly held shares

    	1 million
    	1 million
    	1 million
    
    Bid Price

    	$4
    	$4
    	$4)
    
    Closing Price

    	$3
    	$2
    	$43
    
    Corporate Governance

    Yes
    Yes
    Yes
    
    Total Shareholders

    300
    300
    300

Requirements	Equity Standard	Market Value of Listed Standard	Net Income Standard
Listing Rules	5505(a) and 5505(b)(1)	5505(a) and 5505(b)(2)	5505(a) and 5505(b)(3)
Stockholders Equity	$5 million	$4 million	$4 million
The market value of publicly held shares	$15 million	$15 million	$ 5 million
Operating History	Two years	N/A	N/A
The market value of listed securities	N/A	$50 million	N/A
Net income from continuing operations (in the latest fiscal a year or in two of the last three fiscal years)	N/A	N/A	$750,000
Publicly held shares	1 million	1 million	1 million
Bid Price	$4	$4	$4)
Closing Price	$3	$2	$43
Corporate Governance	Yes	Yes	Yes
Total Shareholders	300	300	300

Corporate Governance Requirements

Across all three tiers of the Nasdaq Stock Market, corporate governance requirements remain largely consistent. The categories encompassing corporate governance standards include:

Distribution of Annual or Interim Reports
Independent Directors
Audit Committee
Compensation Committee
Nomination of Directors
Code of Conduct
Annual Meetings
Solicitation of Proxies
Quorum
Conflict of Interest
Shareholder Approval
Voting Rights

These governance elements play a crucial role in ensuring transparency, accountability, and ethical conduct within listed companies, irrespective of the specific tier within the Nasdaq Stock Market.

Companies seeking listing on Nasdaq must adhere to specific corporate governance standards, including the following:

Compensation Committee with Independent Directors:
- The company is required to establish a compensation committee comprised of independent directors.
- The committee must consist of at least two members.
- Rule 5605(d)(2)(A) introduces an additional independence test for compensation committee members.
Responsibility for Executive Compensation:
- The compensation committee is tasked with determining or recommending to the entire board the compensation of the chief executive officer (CEO) and all other executive officers.

These standards are designed to ensure a level of independence and scrutiny in the decision-making processes related to executive compensation within the company.

The Application And Documents

The Nasdaq application package encompasses several key components:

Symbol Reservation Form:
- Used to request the reservation of a specific trading symbol for the company.
Listing Application:
- Requires supplemental documents and details about the company's financials, operations, and other pertinent information.
Listing Agreement:
- A formal agreement outlining the terms and conditions of the listing on Nasdaq.
Corporate Governance Certification:
- A certification affirming the company's commitment to meeting Nasdaq's corporate governance standards.
Initial Application Fee:
- Payable via check or wire transfer, this fee is a prerequisite for initiating the listing process.
Logo Submission Form:
- Used for submitting the company's logo for use in Nasdaq's materials.

These application forms are completed through the Nasdaq website listing center, utilizing the online platform to facilitate the submission of supplemental and supporting documents. It is advisable to thoroughly review all required paperwork in advance, ensuring that the necessary information is readily available before initiating the application process.

Symbol Reservation Form

The symbol reservation form is a concise, one-page electronic form where applicants input information for Nasdaq's consideration. Nasdaq symbols, limited to 1-5 characters, adhere to guidelines established by the Intermarket Symbols Reservation Authority (ISRA). The ISRA system is designed to organize symbols efficiently, prevent duplication, and reduce programming and operational complexities. The ISRA operates within the framework of the NMS Symbology Plan, a plan utilized by Nasdaq.

Key details about the symbol reservation process:

Symbol Choices:
- The form allows applicants to propose three symbol choices in order of preference.
- While Nasdaq generally honors the first choice if available, it retains the authority to assign, rescind, or reassign a trading symbol at its discretion.
ISRA and Nasdaq Authority:
- The ISRA and Nasdaq have overarching authority in managing the assignment of symbols.
Additional Information:
- The form captures essential details about the issuer and the planned public offering.
- Information may include the name of the attorney, lead underwriter (if applicable), CEO and CFO names, yearly revenues, company website, and the sector in which the company operates.

Completion of this symbol reservation form initiates the process of securing a trading symbol on Nasdaq, and it's essential to provide accurate and comprehensive information to facilitate this stage of the listing application.

The Application

The Nasdaq listing application process is comprehensive and varies based on the circumstances surrounding the listing sought. There are twelve distinct listing applications catering to different situations, including changes of control, switches from other exchanges or markets, spin-offs, and initial public offerings (IPOs). Each application, spanning approximately seven pages, collects detailed information about the company, covering areas such as address, contact and billing details, securities attorney and auditor information, transfer agent particulars, and the company's officers and directors. Specific information on the company's securities, including type, par value, and cusip number, is also required.

Furthermore, the application mandates disclosure of legal proceedings involving the company, its officers or directors, or significant shareholders over the past ten years. This encompasses inquiries, investigations, lawsuits, litigation, arbitrations, and other legal and administrative proceedings. Documents supporting the backup and final disposition of these matters must be provided.

Regarding private offerings within the prior six months, including bridge financings, shelf registrations, and Regulation S offerings, the company is required to disclose such activities. Additionally, the application delves into the company's background, posing questions to ensure compliance with seasoning rules.

While Nasdaq retains the right to request relevant supporting documents, specific documents are mandatory based on the application type. For an uplisting from an existing U.S. market, the application must include letters from three market makers confirming their commitment to making a market in the subject securities. Other required documents include a listing agreement, a logo submission form, a corporate governance certification form, regulatory correspondence over the past 12 months, and shareholder confirmation documents. Nasdaq often seeks confirmation from the company's transfer agent regarding the eligibility of the security for the direct registration program (DRS).

During the review of an up listing application, Nasdaq may request additional information, such as a Broadridge share range analysis and NOBO list, a certified shareholder list, details about mitigating any going concerns or opinions, income statement and/or balance sheet projections for the next 12 months, and confirmation of Sarbanes Oxley Section 302 and 906 certifications by the company, among other inquiries related to compliance and financial matters.

The Listing Agreement

The Listing Agreement is a concise document, spanning two pages, serving as a formal affirmation of the company's commitment to adhere to all rules and regulations set forth by the Nasdaq Stock Market. It includes provisions for indemnifying and holding Nasdaq harmless from liability. Notable points in the agreement include:

Compliance Assurance:
- The company explicitly agrees to comply with all rules and regulations stipulated by the Nasdaq Stock Market.
Indemnification Clause:
- The company indemnifies Nasdaq, meaning it undertakes to compensate or reimburse Nasdaq for any losses or damages incurred. This includes harm resulting from third-party trademark infringement claims related to the company's symbol and logo, as well as Nasdaq's use of the same.
Disclaimer of Warranty and Liability:
- The agreement contains a disclaimer of warranty and liability against Nasdaq for trading issues, with the exception of those resulting from gross negligence or willful misconduct.

This agreement establishes a clear framework for the relationship between the listed company and Nasdaq, emphasizing the company's commitment to regulatory compliance while providing indemnification for certain specified matters and delineating the scope of Nasdaq's liability.

Corporate Governance Certification Form

The corporate governance certification form certifies compliance with the governance requirements related to an audit committee, director nomination process, compensation committee, board composition, executive sessions, quorum, and codes of conduct. Where an exemption applies, the form requires specification of the exemption terms. The document specifies the different rules and exceptions in a check-the-box format.

Logo Submission Form

The logo submission form contains the guidelines for the logo and affirms Nasdaq’s rights to use the same. Nasdaq uses company logos in its marketing materials, on the MarketSite Video Wall and Tower, and websites.

Fees

Entry fees are based upon the aggregate number of shares to be listed at the time of initial listing, regardless of class, with a maximum cap of $75,000. Fees are assessed on the entry date in The Nasdaq Capital Market, except for $5,000, representing a non-refundable application fee. This fee must be submitted with the company’s application.

Nasdaq does not charge application or entry fees for any securities transferred from a national securities exchange.

Benefits Of Trading On An Exchange

There are many benefits to trading on an exchange instead of the OTC Markets. The most significant benefits to a business are the ability to attract analyst coverage and institutional investors and the corresponding increase in liquidity that comes with both. Stocks that trade on Nasdaq tend to have a lower bid/offer spread — again encouraging trading volume and liquidity. Exchange-traded securities are exempt from the penny stock definition, allowing more market maker and broker-dealer participation. As further explained below, a broker-dealer cannot recommend a penny stock transaction to its retail clients. Therefore, no analysts, financial advisors, or institutional investors make recommendations for purchases of penny stocks.

As an aside, this is one of the reasons that OTC Markets created the OTCQX market tier, which does not list penny stocks. It is also why the small-cap industry is pushing for a supported valid venture exchange (for further reading.

In today’s world, depositing stock and/or trade-in non-exchange traded securities is increasingly difficult. Despite the congressional efforts and SEC rulemaking in support of small-cap capital formation (for example, the JOBS Act, including the emerging growth company regulations, new Regulation A+ and Title III Crowdfunding and the new FAST Act), through enforcement and investigative proceedings, both the SEC and FINRA continue to apply pressure on broker-dealers, clearing firms and transfer agents to reduce the secondary trading and free flow of penny stocks. For more information on difficulties in depositing stocks.

Further On Penny Stocks

NASDAQ and NYSE MKT traded securities are exempted from the definition of a “penny stock” due to the initial and ongoing listing standards. Penny stock rules focus on broker-dealers’ activity in effectuating trades in penny stocks. The Securities Enforcement Remedies and Penny Stock Reform Act of 1990 (the “Penny Stock Act”) prohibits broker-dealers from effecting transactions in penny stocks unless they comply with the requirements of Section 15(h) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”). The rules promulgated thereunder, particularly Exchange Act rules 15g-1 through 15g-100 (the “penny stock rules”).

Section 15(h) of the Exchange Act provides that no broker or dealer may effectuate a customer’s purchase or sale of any penny stock unless such broker or dealer.

Approves the customer for the specific penny stock transaction and receives a written agreement to the transaction from the customer.
Furnishes the customer a risk disclosure document describing the risks of investing in penny stocks.
Discloses to the customer the current market quotation, if any, for the penny stock, including the bid and ask prices and the number of shares that apply to such bid and ask prices.
Discloses to the customer the amount of compensation the firm and its broker will receive for the trade.

In addition, after executing the sale, a broker-dealer must send its customer monthly account statements showing the market value of each penny stock held in the customer’s account.

Moreover, brokers and dealers subject to the penny stock rules are subject to additional disclosure requirements outlined in Rules 15g-2 through 15g-9. For my information on penny stocks and the rules affecting broker-dealer activity.

Securities Lawyer Blog