SEC Proposes Change to Cybersecurity Reporting Requirements for Public Companies

With the threat of irrevocable reputational harm and damage to consumer trust brought on by data breaches to public companies, the United States Securities and Exchange Commission (“SEC”) recently proposed new cybersecurity reporting requirements. In March, SEC Chair Gary Gensler noted these new amendments will “strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.”[1] If the proposed amendments pass, they would impose new requirements on boards of directors, including management reporting, organization, and board composition.[2]

The proposals aim to promote incident disclosure and increase risk management, strategy, and governance disclosure of data breaches.[3] One amendment would require a company to notify shareholders and the SEC within four business days when a material cybersecurity incident occurs.[4] The SEC would also require standardized disclosure of a company’s cybersecurity risk management and strategy, management’s role in implementing cybersecurity policies, and the board of directors’ cybersecurity expertise.[5]

As the SEC signals the necessity of new disclosure policies, companies should assess their current cyber reporting practices and procedures. The proposals aim to bridge the gap between business executives and security executives to ensure cybersecurity is included in their everyday business conversations and reporting practices.[6] In preparation for these proposals, companies can educate their board on their policies and procedures regarding cybersecurity risks. It is no longer the sole job of the chief information security officer to translate technology risk to business risk.[7]

[1] SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, SEC (Mar. 9, 2022), https://www.sec.gov/news/press-release/2022-39

[2] Id.

[3] Public Company Cybersecurity, Proposed Rules, https://www.sec.gov/files/33-11038-fact-sheet.pdf (last visited Sep. 22, 2022).

[4] Id.

[5] Id.

[6] Insight Report, World Economic Forum Global Cybersecurity Outlook (January 2022), https://www3.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2022.pdf.

[7] Bob Ackerman, New SEC Cybersecurity Reporting Requirements: Three Things Companies Need To Do Now, Forbes (May 25, 2022) https://www.forbes.com/sites/forbesfinancecouncil/2022/05/25/new-sec-cybersecurity-reporting-requirements-three-things-companies-need-to-do-now/?sh=2d78e01e6f05.

New York State Department of Financial Services Issues Consent Order Against Robinhood Crypto, LLC

As interest in cryptocurrencies (“crypto”) continues to rise, businesses and investors are left wondering what regulations they must follow. While a broad regulatory framework is still nonexistent for the crypto industry, the New York State Department of Financial Services (“DFS”) recently imposed a $30 million fine on Robinhood Crypto, LLC (“Robinhood”), a wholly-owned crypto trading unit of Robinhood Markets Incorporated, for failing to comply with New York anti-money laundering (“AML”) and cybersecurity regulations.[1] This is the first time DFS has taken enforcement action against a crypto company. In making the announcement, the Superintendent of DFS, Adrienne Harris, stated, “[a]ll virtual currency companies licensed in New York State are subject to the same anti-money laundering, consumer protection, and cybersecurity regulations as traditional financial services companies.”[2] Superintendent Harris made it clear that while this may be the first such action against a crypto company, it will not be the last.[3] DFS expects crypto companies to invest in compliance programs like traditional financial institutions.

In the DFS Consent Order, DFS took issue with several aspects of Robinhood’s compliance program.[4] Specifically, Robinhood failed to devote sufficient funds and resources to its compliance program,[5] its Chief Compliance Officer lacked “commensurate experience to oversee a compliance program such as [Robinhood’s]” and did not participate adequately in the implementation of Robinhood’s automated software compliance program,[6] and Robinhood overly relied on the compliance programs of its parent and affiliate even though those compliance programs were not compliant with New York State’s regulations.[7] Moreover, Robinhood failed to adequately evaluate “potentially suspicious transactions in order to determine whether a [Suspicious Activity Report] should be filed.”[8] DFS noted that as of October 26, 2020, Robinhood had a backlog of 4,378 potentially suspicious transaction alerts.[9]

While Robinhood may have had a compliance program on paper, DFS made it clear that it is focused on the execution of such programs. One thing is clear: the DFS Consent Order indicates that regulatory and enforcement agencies are starting to take action against the crypto industry. Common sense, sound legal advice, and diligence will help any business or investor navigate this market as state and federal agencies begin to enforce traditional financial services regulations on the industry.

[1] In the Matter of Robinhood Crypto, LLC, Dep’t of Fin. Servs. (Aug. 1, 2022), https://www.dfs.ny.gov/system/files/documents/2022/08/ea20220801_robinhood.pdf.

[2] DFS Superintendent Harris Announces $30 Million Penalty on Robinhood Crypto for Significant Anti-Money Laundering, Cybersecurity & Consumer Protection Violations, Dep’t of Fin. Servs., https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021 (last visited Sept. 19, 2022).

[3] Id.

[4] Id.

[5] Id. at ¶¶ 36-41.

[6] Id. at ¶ 36.

[7] Id. at ¶ 6.

[8] Id. at ¶ 37.

[9] Id.

Is the SEC Kicking Crypto When It Is Down?

Coinbase Global Inc. (“Coinbase”) is facing an SEC probe into whether it improperly allowed trading of digital assets that should have been registered as securities. Although there have been several court rulings and position statements by the SEC regarding digital assets, it has not halted the trading on crypto exchanges. While the SEC scrutiny of Coinbase has increased since the platform expanded the number of tokens in which it offers trading, no meaningful regulatory action has occurred with respect to Coinbase.

The drumbeat in Washington for US regulators to do more to oversee crypto has grown louder as digital currencies have tumbled from all-time highs, erasing hundreds of billions of dollars in market value. SEC Chair Gary Gensler has homed in on trading platforms and argued that the SEC should do more to protect “retail investors”.

To determine if a digital asset is a security, the SEC applies a legal test from a 1946 U.S. Supreme Court decision. Generally, the SEC considers monies under its purview if the funding is made with the intention of profiting from the efforts of the issuer. The SEC Commissioner has suggested publicly that “many” cryptocurrencies come under the definition. The SEC has not indicated which “coins” are “securities”, and instead has allowed exchanges to decide for themselves.

In the absence of clear guidance, this regulatory approach seems like a game of “gotcha”. Crypto is a young industry and it deserves clear and accurate rules so that its participants can navigate the path forward. The SEC should either test its approach in court, and perhaps it is with Coinbase, or stand down. Ultimately, the U.S. Supreme Court will likely decide the question of how to determine whether crypto coins or tokens are securities. Either way, crypto can thrive if its coins generate enough investor interest, but the rules for regulation and investor protection should be made clear at this point.

Federal Jury Rules Four Cryptocurrency Products Are Not Securities

A recent decision in the United States District Court for the District of Connecticut appears to be the first of its kind in the nation. In the case Audet et al v. Garza et al, a federal jury recently weighed in on whether cryptocurrency products were considered securities.[1] The jury held that four digital-asset products linked to cryptocurrency were not securities.[2]

In the case, a class of customers brought an action against GAW Miners LLC (“GAW Miners”) and ZenMiner LLC (“ZenMiner”) for running a cryptocurrency Ponzi scheme.[3] When GAW Miners and ZenMiner were faced with demands from customers for the physical cryptocurrency mining equipment which they could not meet, GAW Miners and ZenMiner turned to Hashlets, Hashpoints, Paycoin and HashStakers (collectively the “Digital Assets”).[4] These Digital Assets provided customers with a portion of the computing power without owning the physical hardware.[5] Moreover, the Digital Assets served as virtual wallets for the promissory notes and virtual currency of GAW Miners and ZenMiner.[6] The plaintiffs argued that these Digital Assets were investment contracts and therefore were unregulated securities.[7]

The plaintiffs asked Judge Michael Shea to rule as a matter of law that the Digital Assets were securities under the Howey test.[8] The Supreme Court in Howey stated an investment contract exists when “a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party.”[9] However, in an unusual decision, Judge Shea declined to rule as a matter of law that the Digital Assets were securities.[10] Instead, the judge left the issue of how to classify the Digital Assets for the jury.[11] Despite the SEC previously referring to one of the Digital Assets, Hashlets, as a security in a case against one of the former defendants in this case,[12] the jury ruled that the Digital Assets were not investment contracts, and therefore, they were not securities.[13]

The issue of how to define cryptocurrencies is an ongoing debate, and the federal jury’s ruling in this case does not settle it.

[1] Elise Hansen, Crypto Mining-Linked Products Weren’t Securities, Jury Finds, Law360 (Nov. 2, 2021), https://www.law360.com/articles/1436790/crypto-mining-linked-products-weren-t-securities-jury-finds.

[2] Id.

[3] HHR Wins Groundbreaking Jury Verdict in Crypto Fraud Trial, HHR (Nov. 3, 2021), https://www.hugheshubbard.com/news/hhr-wins-groundbreaking-jury-verdict-in-crypto-fraud-trial.

[4] Id.

[5] Hansen, supra note 1.

[6] Id.

[7] Id.

[8] Alison Frankel, In apparent first, Conn. class action jury finds crypto products are not securities, Reuters (Nov. 3, 2021), https://www.reuters.com/legal/transactional/apparent-first-conn-class-action-jury-finds-crypto-products-are-not-securities-2021-11-03/.

[9] SEC v. W. J. Howey Co., 328 U.S. 293, 298–99 (1946).

[10] Id.

[11] Id.

[12] HHR, supra note 3.

[13] Hansen, supra note 1.