SEC Enforcement of ICOs 2018-2019
2019 for ICOs and Cybersecurity were addressed in the December 6, 2018, speech by Chairman Jay Clayton, “SEC Rulemaking Over the Past Year, the Road Ahead and Challenges Posed by Brexit, LIBOR Transition and Cybersecurity Risks”:
Chairman Clayton first reviewed the extensive 2018-2019 SEC regulatory agenda and projects presented in Appendices A and B, including improving the regulation of investment professionals, facilitating capital formation, monitoring evolving securities markets, and encouraging long term investment.
Distributed Ledger Technology, Digital Assets and Initial Coin Offerings (ICOs)
SEC 2018 Statement on Digital Assets
As to prior statements on digital assets, on November 16, 2018, the SEC issued a paper entitled “Statement on Digital Asset Securities Issuance and Trading,” by the Division of Corporate Finance, Division of Investment Management and Division of Trading and Markets.
SEC FinHub
In this current speech, Chairman Clayton added that there is substantially less investor protection at this time with digital assets than with traditional equities and fixed income markets. In response to industry interest and inquiries, in 2018 the SEC established “FinHub”, their Strategic Hub for Innovation and Financial Technology, for fintech-related issues.
ICO Fundraising
In regard to fundraising by ICOs, he stated:
“I believe that ICOs can be effective ways for entrepreneurs and others to raise capital. However, the novel technological nature of an ICO does not change the fundamental point that, when a security is being offered, our securities laws must be followed.”
This conclusion directly corresponds to his informal remarks on the same topic at the November 27, 2018, Coinbase Consensys meeting. The Consensys remarks, in turn, trace their origin to the July 27, 2017, SEC DAO report.
Cybersecurity Cyber Risk Management
The SEC is broadly involved with cybersecurity in a number of ways:
- Issuer Disclosures
- Market Oversight
- Enforcement
- Investor Education
- SEC Cybersecurity Risk Profile
Issuer Disclosures:
On February 21, 2018, the “Statement on Cybersecurity Interpretive Guidance” from Chairman Clayton was published. On February 26, 2018, the “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” was published in the Federal Register to assist public companies in preparing disclosures about cybersecurity risks and incidents. (83 Fed. Reg. 38, p. 8166) It emphasized that public companies are to make:
- accurate and timely cybersecurity event disclosures, and
- disclosures of insider trading in advance of such disclosures.
Market Oversight:
The SEC will continue to provide support to and guidance for:
- examination of broker-dealers, investment advisers and market infrastructure utilities,
- cybersecurity event preparations including safeguarding customer information, identity theft protections,
- risk governance, control of access to information, data loss prevention, third party training.
Enforcement:
In addition to the matters already described, the SEC may investigate:
- attacks on retail brokerage accounts – see SEC v Voya Financial Advisors, below;
- attacks to gain proprietary information, and
- false regulatory findings – see SEC v Altaba Inc f/d/b/a Yahoo! Inc., below.
Investor Education:
The SEC maintains a terrific online resource for investor education at “Investor.gov”. On April 26, 2017, they updated an investor bulletin, “Protecting Your Online Investment Accounts from Fraud”, which can be described as a series of ‘Best Practices’ for online financial health. The main concerns are password protection, phishing attempts by email and phone, protecting your mobile devices, and knowing what to do if you suspect identity theft.
SEC Risk Profile
Cognizant of their own broad exposure to cyber attack, the SEC has positioned specific trained personnel throughout their departments and prioritized internal data security for all SEC staff.
SEC Cybersecurity Enforcements
SEC v Altaba Inc f/d/b/a Yahoo! Inc, Adm. Proc. 3-18448:
On April 24, 2018, the SEC issued a Cease and Desist Order against Altaba Inc, formerly known as Yahoo!, for the massive 2014 data breach affecting more than 500 million users. Not only did they have inadequate data safeguards, but they failed to disclose the attack in the July 23, 2016, purchase agreement with Verizon which accompanied their Form 8-K filed with the SEC on July 25, 2016. Two months later they disclosed the data breach to Verizon and the SEC, with an amendment to the Form 8-K. The subsequent renegotiated purchase price dropped by $350M! The SEC alleged violations of the 1933 Securities Act and the 1934 Securities Exchange Act, and the respondent agreed (1) to pay a $35,000,000.00 civil fine, (2) to fully cooperate with the SEC in any subsequent matters, and (3) that the civil fine may not be used as an offset against any future monetary penalties.
SEC v Voya Financial Advisors, Adm. Proc. 3-18840:
On September 26, 2018, the SEC issued a Cease and Desist Order against Voya Financial Advisors Inc (VFA), a registered broker-dealer and investment adviser, including a $1,000,000.00 civil fine. The respondent had failed to implement and manage an adequate cybersecurity program to protect personally identifiable information, an especially egregious act since it was not the first such intrusion.
Commentary by Attorney Timothy F. Mills, Editor / Action Cyber Times™ © 2019 All Rights Reserved.