On October 26, 2017, Stephanie Avakian, Co-Director of the SEC’s Division of Enforcement gave a speech regarding Enforcement’s initiatives, in particular, regarding cybersecurity.

Ms. Avakian identified cybersecurity as one of the SEC’s “key priorities” necessitating a strategic focus and allocation of resources in order to fulfil the SEC’s “investor protection mission.”[1]  In order to effectuate these initiatives, the SEC created a Cyber Unit to combat cyber-related misconduct.[2]  According to Ms. Avakian, the increasing frequency coupled with the increasing complexity of these matters is what fueled the creation of the Cyber Unit.

The SEC identified three types of cases that have caught Enforcement’s interest:

Hacking to access material, nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities;

Account intrusions in order to conduct manipulative trading using hacked brokerage accounts; and

Disseminating false information through electronic publication, such as SEC EDGAR filings and social media, in order to manipulate stock prices.[3]

Specifically addressing the second area of Enforcement’s interest, Ms. Avakian identified specific SEC Rules—Regulations S-P, S-ID, SCI, among others—which are risk based and, notably, flexible, that apply to failures by registered entities to take the necessary precautions to safeguard information.  These situations often involve coordination with OCIE, where the SEC will consult with OCIE at the outset in order to determine which entity is better suited to lead an investigation.

Interestingly, in efforts to combat the third area of Enforcement’s interest, the SEC  has not yet brought a case.  Despite identifying the importance of the disclosure requirements, Ms. Avakian states that “[w]e recognize this is a complex area subject to significant judgment, and we are not looking to second-guess reasonable, good faith disclosure decisions, though we can certainly envision a case where enforcement action would be appropriate”—seemingly indicating that of the three areas of interest, cyber-fraud in disclosures and the like may be of the least importance in Enforcement’s new cyber-initiatives.

The Cyber Unit will also spearhead the blockchain technology investigations, as the emerging issues in this area necessitate a “consistent, thoughtful approach.”  Although Initial Coin Offerings and Token Sales may be a new and legitimate platform to raise capital, this virtual currencies and offerings may also serve as “an attractive vehicle for fraudulent conduct.”[4]

Prior to the creation of the Cyber Unit, much of the cyber-related investigations have been led by the Market Abuse Unit, as there is a significant overlap between insider trading schemes and cyber-related schemes.  The risk, however, that cyber-related incidents pose is too great and, according to the SEC, warrants its own investigative unit.

[1] Stephanie Avakian, The SEC Enforcement Division’s Initiatives Regarding Retail Investor Protection and Cybersecurity, U.S. Securities and Exchange Commission (Oct. 26, 2017), https://www.sec.gov/news/speech/speech-avakian-2017-10-26#_edn2.

[2] Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.

[3] Avakian, supra note 1.

[4] Avakian, supra note 1.

Tags: Cybersecurity, Jack Hewitt, Julie Blake