On April 18, 2018, government officials and cyber industry experts gathered in Washington, D.C., for the 2018 Incident Response Forum addressing legal and compliance challenges that arise following a data breach. At the conference, representatives from the SEC, DOJ, FTC, and other federal and state enforcement agencies discussed their top data breach-related concerns and enforcement priorities. Representatives spoke in their own capacity and were not making official agency statements, but their opinions can provide useful insight into agencies’ decision-making processes and substantive views.

In September 2017, the SEC announced the creation of a new Cyber Unit within the Enforcement Division. Commenting on the launch of the new unit, Enforcement Division Co-Director Stephanie Avakian described “[c]yber-related threats and misconduct” as “among the greatest risks facing investors and the securities industry.” This alert memorandum takes stock of the SEC’s cyber enforcement actions since the Cyber Unit was formed as well as other recent SEC enforcement actions, guidelines, and public comments that shed light on potential future SEC cyber-enforcement in areas such as insider trading, cryptocurrencies and ICOs, cyber-related disclosures and policies, and cybersecurity safeguards.

Following on the heels of the SEC’s updated interpretive guidance on cybersecurity disclosure, SEC Chairman Jay Clayton and SEC Commissioner Robert Jackson each recently made public statements underscoring the agency’s increasing focus on cybersecurity.

On March 12, 2018, at a conference held by the Council of Institutional Investors, Chairman Clayton stated that the SEC will closely monitor how corporations respond to the new interpretive guidance. During an interview conducted by former Chairwoman Elisse Walter, Chairman Clayton said implementation of the interpretive guidance “will be a focal point for staff review” and that companies should work to determine their disclosure obligations under the current rules.[1] Reiterating the interpretive guidance’s statement that the SEC expects companies to make disclosures “tailored” to their particular cybersecurity risks and incidents, Chairman Clayton stated that companies must put significant effort into determining their individual disclosure obligations under the current rules, meaning that “[r]eally good lawyering and governance is necessary.”[2] Chairman Clayton also alluded to calls by certain SEC Commissioners for rulemaking requiring the disclosure of cybersecurity incidents in 8-K filings: “In terms of writing a rule, if you wanted to make it a specific 8-K requirement, the issue there is whether something is material,” said Chairman Clayton, adding “[i]t’s really a facts and circumstances situation, and it can vary from industry to industry and company to company.”[3]

In the first criminal charges brought in connection with the Equifax data breach, the United States Attorney for the Northern District of Georgia announced yesterday the indictment of Jun Ying, a former Chief Information Officer of a U.S. business division of Equifax, on charges of insider trading in violation of federal securities laws. At the same time, the SEC announced parallel civil charges against Ying. Both the indictment and the SEC complaint allege that Ying was not specifically informed that Equifax had been breached, but, as a result of his position, was made aware of enough confidential information to—according to his own contemporaneous text messages—“put 2 and 2 together” to infer that “[w]e may be the one breached.” After deducing this material information, Ying allegedly conducted internet research on the 2015 data breach of Experian, another major credit bureau, and its negative impact on Experian’s stock price. Immediately following his internet search, Ying allegedly exercised all of his vested stock options and sold those Equifax shares for a total of $950,000 in proceeds, avoiding more than $117,000 in losses that he would have incurred had he still been holding the shares at the time the data breach was publicly announced more than a week later. The SEC is seeking disgorgement of an amount equal to the losses Ying allegedly avoided, civil monetary penalties, an order barring Ying from ever serving as an officer or director of a public company, and an injunction enjoining Ying from further violating the federal securities laws. The indictment charges Ying with two counts of criminal securities fraud, which, if he is convicted, carry a maximum sentence of 45 years.

On February 21, 2018, the Securities and Exchange Commission (the “Commission”) published interpretive guidance to assist public companies when considering, drafting and issuing disclosure about cybersecurity risks and incidents (the “interpretive guidance”). The interpretive guidance became effective immediately upon issuance.

The Commission’s interpretive guidance reaffirms and expands upon guidance issued by the Division of Corporation Finance in 2011 (the “Division guidance”) relating to the disclosure of cyber-related matters. The interpretive guidance also addresses two additional topics not covered in the Division guidance, specifically that a company’s disclosure controls and procedures need to cover cyber-related matters and that compliance with insider trading prohibitions must take into account cybersecurity incidents. The Commission’s issuance of interpretive guidance underscores the Commission’s increased focus on cybersecurity and follows on the establishment of the Commission’s Cyber Unit in 2017 to target cyber-related misconduct and repeated statements by Chairman Jay Clayton and other Commission officials that cybersecurity is a priority area for the agency.

On January 30, 2018, the U.S. Securities and Exchange Commission (SEC) announced[1] that it had obtained an order from a U.S. District Court in Dallas, Texas, halting an allegedly fraudulent initial coin offering scheme. The SEC’s complaint alleges that defendants AriseBank and AriseBank founders Jared Rice Sr. and Stanley Ford violated the anti-fraud and registration provisions of the U.S. federal securities laws, including by falsely claiming that AriseBank’s customers’ accounts and transactions were FDIC insured, falsely claiming that AriseBank’s customers could spend 700 different virtual currencies using AriseBank’s Visa card, and failing to disclose the criminal history of two of AriseBank’s officers. Among other relief, the district court has granted the SEC’s request to freeze the defendants’ assets, and for the first time in a cryptocurrency enforcement case has appointed a receiver over those assets, including the cryptocurrencies purportedly held by AriseBank.

On Monday, December 11, 2017, SEC Chairman Jay Clayton waded into the ongoing debate surrounding cryptocurrencies, initial coin offerings, and the regulation of both. In a statement urging potential investors to exercise caution and market professionals to focus on their responsibility to help protect investors, the Chairman warned of the susceptibility of the burgeoning crypto markets to manipulation and fraud.

The SEC has recently signaled an increased concern with the offering and marketing of Initial Coin Offerings (“ICOs”),[1] which should be of interest to companies and institutions involved with ICOs. On November 1, 2017, the SEC Division of Enforcement and Office of Compliance Inspections and Examinations (“OCIE”) jointly issued a public statement warning celebrities and other influencers promoting ICOs about potential violations of a host of federal securities laws, including the anti-touting and anti-fraud provisions of the federal securities laws. Specifically, the public statement noted that endorsements may be unlawful if they do not “disclose the nature, source, and amount of any compensation paid, directly or indirectly . . . in exchange for the endorsement,” and that endorsers may also face liability for potential violations of the anti-fraud provisions, for participation in an unregistered securities offering, and for acting as unregistered brokers. The public statement also noted that investment decisions should not be based solely on an endorsement and cautioned that “celebrity endorsement may appear unbiased, but instead be part of a paid promotion.” The public statement follows an investigative report issued by the Division of Enforcement on July 25, 2017, which announced that blockchain technology-based coins or tokens sold in an ICO may be a form of security under the Securities Act of 1933 and the Securities Exchange Act of 1934.

On Monday, December 4, 2017, the U.S. Securities and Exchange Commission (SEC) obtained an emergency order from a U.S. District Court in New York to enjoin an allegedly fraudulent initial coin offering scheme.  The SEC’s complaint alleges that Dominic Lacroix, a recidivist securities law violator, and his company PlexCorps violated the anti-fraud and registration provisions of the U.S. federal securities laws in collecting up to $15 million in investor funds purportedly in exchange for digital tokens and promised returns in excess of 1,000% in 29 days.  The complaint also charges Lacroix’s partner Sabrina Paradis-Royer with securities fraud.  Among other relief, the district court has granted the SEC’s request to freeze the defendants’ assets.

The Securities and Exchange Commission (“SEC”), Office of Compliance Inspections and Examinations (the “OCIE”), published a Risk Alert describing its findings from its second cybersecurity survey of regulated entities (the “Cybersecurity 2 Initiative”).

The survey covered 75 registered broker-dealers, investment advisers, and investment companies and built upon OCIE’s prior round of cybersecurity examinations in 2014 (the “Cybersecurity 1 Initiative”).

While OCIE found improvements in cybersecurity preparedness since the Cybersecurity 1 Initiative, it also identified areas for improvement. Among other things, OCIE concluded that it is not sufficient for firms to simply establish written cybersecurity policies and procedures—such policies must also be maintained, sensibly enforced, and capable of addressing cybersecurity deficiencies as they arise.
