On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).
On February 8, 2019, U.S. Securities and Exchange (SEC) Commissioner Hester Peirce delivered a speech addressing the relationship between technological innovation and regulation, in particular addressing some of the pending regulatory challenges surrounding blockchain and digital assets.1 The key takeaways from Commissioner Peirce’s speech, titled “Regulation: A View From Inside the Machine,” 2 are these:
On December 20, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the SEC) released its report (the 2019 Report) setting forth its list of examination priorities for 2019 (the Exam Priorities).1 OCIE announces its exam priorities annually to provide insights into the areas it believes present potentially heightened risk to investors or the integrity of the U.S. capital markets.2 The Exam Priorities can serve as a roadmap to assist advisers in assessing their policies, procedures and compliance programs; testing for and remediating any suspected deficiencies related to the Exam Priorities; and preparing for OCIE exams. (more…)
On November 16, the U.S. Securities and Exchange Commission (SEC) announced its first enforcement actions against issuers of initial coin offerings solely for failing to register the offerings in violation of the federal securities laws since Munchee (i.e., without allegations of fraud). Unlike the Munchee order, these settlements impose penalties against the issuers and require certain undertakings, such as registering the digital assets as securities under the Exchange Act. The same day, the SEC’s Divisions of Corporation Finance, Investment Management and Trading and Markets released a joint statement reiterating the SEC’s lessons from recent enforcement actions related to digital assets. (more…)
On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.
On September 11, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) separately announced three “first of their kind” enforcement actions against participants in the digital asset (or “token”) market:
- In the Matter of TokenLot LLC. The SEC took action against a token sale website for operating as an unregistered broker-dealer in violation of the federal securities laws.
- In the Matter of Crypto Asset Management, LP. The SEC entered an order against a digital asset hedge fund manager for failing to register its fund as an investment company and offering and selling its fund’s securities in an unregistered offering.
- Department of Enforcement vs. Timothy Tilton Ayre. In its first disciplinary action involving digital assets, FINRA filed a complaint alleging that a registered person of a member firm violated federal securities laws and FINRA rules in its offering of a blockchain token as an unregistered security.
In the months following director William Hinman’s noteworthy speech on whether and when a digital asset is subject to securities laws, U.S. regulators have continued their stern warnings regarding the importance of compliance with the securities laws. This post highlights three important regulatory updates:
- On August 14, 2018, the Securities and Exchange Commission (SEC or Commission) issued an administrative order, In the Matter of Tomahawk Exploration LLC and David Thompson Laurance, taking action against an unregistered and fraudulent initial coin offering (ICO).
- On August 28, the North American Securities Administrators Association (NASAA) released an update on the progress of its ongoing Operation Cryptosweep.
- The Financial Industry Regulatory Authority (FINRA) issued two investor alerts, on July 27 and August 16, regarding blockchain tokens and ICOs.
*This article first appeared in In-House Defense Quarterly on April 3, 2018
The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers. (more…)
On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)