On April 16, 2019, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert addressing all registered broker-dealers and investment advisers’ (together, “Firms”)[1] privacy-related obligations under Regulation S-P (“Reg S-P”).  The Risk Alert set out the most frequent Reg S-P deficiencies OCIE identified during examinations over the past two years, and encouraged registrants to review their written privacy policies and procedures as well as the consistency with which these policies and procedures have been implemented.  The Alert is the latest in a series of recent privacy and cybersecurity guidance documents issued by the SEC, including the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures and October 2018 Report of Investigation on cyber-related frauds and public company accounting controls.

This Risk Alert is consistent with the SEC’s approach of seeking to influence the conduct of registrants by providing guidance on specific compliance issues, followed by Risk Alerts noting common exam deficiencies, prior to pursuing enforcement actions.  Investment advisers and broker-dealers should  take this as a prompt to review their relevant policies and procedures to ensure they are appropriate and being followed in practice.
Continue Reading

At the end of January, partners Daniel Ilan and Alexis Collins participated in a panel co-hosted by The Conference Board and Cleary Gottlieb to discuss cybersecurity and board oversight.

Moderator Doug Chia, executive director of The Conference Board, Nick Mankovich, Vice President and Chief Information Security Officer (“CISO”) at medical technology firm Becton Dickinson, Daniel, and Alexis discussed current cybersecurity risks, how cyber-attacks are changing, and the role that management and the board should play in ensuring that companies are prepared.
Continue Reading

Nearly a decade ago, WikiLeaks ushered in the age of mass leaks.  Since then, corporations, governments, public figures and private entities have increasingly had to reckon with a new reality: that vigilantes, activists, extortionists and even state actors can silently steal and rapidly disseminate proprietary information, including customer data and other sensitive information.  Last month, the Department of Justice (“DOJ”) indicted four individuals based on information first revealed in the “Panama Papers” leak.  This marks a significant milestone in law enforcement’s reliance on evidence based on an unauthorized mass leak of information.  While leaks and hacks are not a novel phenomenon—in 1971, the New York Times published top secret documents on the Vietnam War and, in 1994, a paralegal leaked tobacco industry documents that ultimately cost the industry billions of dollars in litigation and settlement costs—the frequency, scale and ease of dissemination of leaked information today presents a difference not only of degree, but of kind.  The new Panama Papers-based criminal case will likely raise a host of novel legal issues based on legal challenges to the DOJ’s reliance on information illegally obtained by a third party, as well as information that would ordinarily be protected by the attorney-client privilege.  In this memorandum, we discuss the potential issues raised by the prosecution and their implications.

Continue Reading

On December 20, 2018, the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 Examination Priorities.  The six themes for this year’s priorities are:  retail investors (including seniors and those saving for retirement), compliance and risk in registrants responsible for critical market infrastructure (clearing agencies, transfer agents, national securities exchanges and Regulation SCI entities), oversight of the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board, digital assets, cybersecurity and anti-money laundering.  The only new theme for 2019 compared to 2018 is digital assets, which we take to imply a plan to more closely—and substantively—regulate investment advisers and broker-dealers involved with this asset class.  The 2019 priorities also more explicitly than the 2018 priorities describe specific practices that OCIE found concerning in examinations of those entities, many of which involved failure to adequately safeguard client assets and the adequacy of disclosures of conflicts of interest.  We expect to see a corresponding focus in Enforcement Division investigations and cases on these issues as a result.
Continue Reading

On November 16, 2018, the U.S. Securities and Exchange Commission (“SEC”) Division of Corporation Finance (“Corp. Fin.”), Division of Investment Management, and Division of Trading and Markets issued a joint public statement on “Digital Asset Securities Issuance and Trading.”  The public statement is the latest in the Divisions’—and the Commission’s—steady efforts to publicly outline and develop its analysis on the application of the federal securities laws to initial coin offerings (“ICOs”) and certain digital tokens.  These efforts have combined a series of enforcement proceedings with public statements by Chairman Jay Clayton and staff, including a more detailed statement of the SEC’s analytical approach in Corp. Fin. Director William Hinman’s speech on digital assets in June 2018.
Continue Reading

On November 8, the Securities and Exchange Commission (“SEC”) imposed a cease-and-desist order against Zachary Coburn for causing his former company, EtherDelta, to operate as an unregistered securities exchange in violation of Section 5 of the Securities Exchange Act of 1934 (“Exchange Act”).  Notably, EtherDelta, a trading platform specializing in digital assets known as Ether and ERC20 tokens,[1] was not operated like a traditional exchange with centralized operations, as there was no ongoing, active management of the platform’s order taking and execution functions. Instead, EtherDelta was “decentralized,” in that it connected buyers and sellers through a pre-established smart contract protocol upon which all operational decisions were carried out.

In the SEC’s view, EtherDelta met Exchange Act Rule 3b-16(a)’s definition of an exchange notwithstanding the lack of ongoing centralized management of order taking and execution.  Robert Cohen, the Chief of the SEC’s Cyber Unit within the Division of Enforcement stated after the order’s release, “The focus is not on the label you put on something . . . The focus is on the function . . . whether it’s decentralized or not, whether it’s on a smart contract or not, what matters is it’s an exchange.” This functional approach echoes prior SEC guidance and enforcement actions in the digital asset securities markets in emphasizing that the Commission will look to the substance and not the form of a market participants’ operations in evaluating their effective compliance with U.S. securities laws.
Continue Reading

On November 2, the SEC’s Enforcement Division released its annual report detailing the facts and figures of its enforcement efforts in fiscal year 2018.  At first blush, this year’s report looks strikingly similar to those from recent years, as the headline numbers in most categories are nearly indistinguishable from 2015, 2016, and 2017.  This consistency may be surprising given that 2018 is the first such report reflecting exclusively the enforcement priorities of the Commission since it was reconstituted under Chair Jay Clayton.

But a closer examination of the report, including the components feeding into the top-line facts and figures and commentary by Division co-directors Stephanie Avakian and Steven Peikin, reveals a clear shift in priorities by the Division.  These range from a philosophical shift in its mission to the reallocation of resources during a hiring freeze.  We address here the most notable of these subtle but important changes. 
Continue Reading

On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).  The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people.  According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date.  The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach.
Continue Reading

The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not

On September 27, 2018, the Commodity Futures Trading Commission (CFTC) and Securities and Exchange Commission (SEC) filed parallel actions in federal court against an internet dealer that sold “contracts for difference” (CFD) based on securities and commodities margined with bitcoin.  The actions, which were assisted by the Federal Bureau of Investigation and the Department of Justice, signal continued coordination among federal agencies to police market activity involving financial transactions in cryptocurrencies.
Continue Reading