On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.
On September 11, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) separately announced three “first of their kind” enforcement actions against participants in the digital asset (or “token”) market:
- In the Matter of TokenLot LLC. The SEC took action against a token sale website for operating as an unregistered broker-dealer in violation of the federal securities laws.
- In the Matter of Crypto Asset Management, LP. The SEC entered an order against a digital asset hedge fund manager for failing to register its fund as an investment company and offering and selling its fund’s securities in an unregistered offering.
- Department of Enforcement vs. Timothy Tilton Ayre. In its first disciplinary action involving digital assets, FINRA filed a complaint alleging that a registered person of a member firm violated federal securities laws and FINRA rules in its offering of a blockchain token as an unregistered security.
In the months following director William Hinman’s noteworthy speech on whether and when a digital asset is subject to securities laws, U.S. regulators have continued their stern warnings regarding the importance of compliance with the securities laws. This post highlights three important regulatory updates:
- On August 14, 2018, the Securities and Exchange Commission (SEC or Commission) issued an administrative order, In the Matter of Tomahawk Exploration LLC and David Thompson Laurance, taking action against an unregistered and fraudulent initial coin offering (ICO).
- On August 28, the North American Securities Administrators Association (NASAA) released an update on the progress of its ongoing Operation Cryptosweep.
- The Financial Industry Regulatory Authority (FINRA) issued two investor alerts, on July 27 and August 16, regarding blockchain tokens and ICOs.
*This article first appeared in In-House Defense Quarterly on April 3, 2018
The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers. (more…)
On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)
On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2018 National Exam Program Examination Priorities (2018 Exam Priorities) and, once again, identified cybersecurity as one of its main areas of focus. According to OCIE, each of its examination programs will prioritize cybersecurity. The 2018 Exam Priorities include five main focus areas: (1) cybersecurity; (2) compliance and risks in critical market infrastructure; (3) matters of importance to retail investors, including seniors and those saving for retirement; (4) oversight of the Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB); and (5) anti-money laundering programs. For an in-depth discussion regarding the entirety of the 2018 Exam Priorities, see Sidley’s previous analysis here. (more…)
On February 7, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the Commission) released its annual National Exam Program Examination Priorities (Exam Priorities).1 As has been widely reported, the Exam Priorities’ general focus areas include:
- retail investors
- compliance and risks in critical market infrastructure
- oversight of the Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB)
- anti-money laundering (AML) programs
The majority of these Exam Priorities are not surprising because they reflect the Commission’s continued focus on retail investors, conflicts of interest, fee disclosure, cybersecurity, cryptocurrency and AML programs.2 The Exam Priorities can serve as a roadmap for firms to assess their policies, procedures and compliance programs, and to prepare for OCIE exams. This post outlines and elaborates on each of the Exam Priorities. (more…)
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms. Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but also the SEC noted a number of areas where compliance and oversight merit attention. Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate. Firms must instead have policies that are adapted to their actual operations as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures. (more…)
On May 17, 2017, the SEC’s Office of Compliance Inspections and Enforcement (OCIE) issued a cybersecurity alert to the securities firms it regulates. OCIE advised broker-dealers and investment companies to take certain actions in connection with the recent WannaCry and Wanna Decryptor ransomware attacks that affected numerous organizations in over one hundred countries. Specifically, OCIE encouraged firms as follows: (more…)