Key Takeaways:
- The U.S. Securities and Exchange Commission’s (SEC’s) Division of Enforcement (Enforcement) announced that it will nearly double the size of its Crypto Assets and Cyber Unit, making the Unit one of the largest within Enforcement.
- The decision reflects the SEC’s increasing prioritization of cryptocurrency and cybersecurity enforcement.
- Issuers of digital assets, crypto exchanges and lending platforms, and other industry participants should expect more frequent investigations and enforcement actions.
- Public companies and investment advisers should anticipate heightened Enforcement scrutiny of their cybersecurity controls and disclosures, and an increase in charged violations for alleged shortcomings in these areas.
______________________________________________________________________
In a move that further executes upon the SEC’s increasingly tough rhetoric on cryptocurrency and cybersecurity, SEC Enforcement recently announced that it will nearly double the size of its newly-renamed Crypto Assets and Cyber Unit, the specialized unit that focuses on enforcement in those areas. This development is remarkable for the dramatic expansion of what was already one of Enforcement’s most high-profile units.
While cryptocurrency and cybersecurity have been stated priorities for Enforcement since the Unit’s establishment in 2017, the SEC’s decision to allocate its limited resources to increase the Unit’s headcount almost twofold signals unambiguously that Enforcement intends to ramp up the number of investigations and enforcement actions against players in the cryptocurrency space, as well as public companies and investment advisers that the SEC deems to have taken inadequate steps to prevent and disclose cybersecurity breaches. The announcement also makes clear that the SEC intends to play a leading—if not the leading—role among regulators and law enforcement agencies in these areas, including the U.S. Department of Justice, the Commodity Futures Trading Commission, and state regulators, among others.
Crypto Enforcement Front and Center
According to the SEC’s announcement, the agency will assign 20 additional positions to the Unit, which will grow to 50 dedicated positions, making it one of the largest units within Enforcement. The SEC also specified that the enlarged Unit “will leverage the agency’s expertise to ensure investors are protected in the crypto markets,” with a particular focus on investigating violations related to:
- crypto asset offerings;
- crypto asset exchanges;
- crypto asset lending and staking products;
- decentralized finance (DeFi) platforms;
- non-fungible tokens (NFTs); and
- stablecoins.
The expansion comes against the backdrop of already vigorous crypto enforcement and a series of public statements by SEC Chair Gary Gensler pointing to a need for tighter regulation of industry participants. As the SEC’s press release notes, since its creation, the Unit has brought more than 80 enforcement actions related to allegedly fraudulent and unregistered crypto asset offerings and platforms, and obtained more than $2 billion in monetary relief.
Gensler’s recent comments make clear that the SEC remains highly concerned about what it perceives as a continuing lack of protection for crypto investors. In a September 2021 interview with the Washington Post, for instance, he likened stablecoins to “poker chips at the casino” and signaled his intention to deploy the SEC’s “robust authorities” to reign in both stablecoins specifically and cryptocurrency markets more generally. Gensler reiterated that view at the Penn Law Capital Markets Association Annual Conference in April of this year, noting that stablecoins in particular “raise three important sets of policy issues” warranting further scrutiny by the SEC: (1) “public policy considerations around financial stability and monetary policy”; (2) “issues on how they potentially can be used for illicit activity”; and (3) “issues for investor protection.” When describing the third policy consideration, Gensler expressed concern that “the three largest stablecoins were created by trading or lending platforms themselves,” which, in his view, poses “conflicts of interest and market integrity questions that would benefit from more oversight.”
The agency’s focus on crypto can be expected to intensify even further in the wake of the May 2022 meltdown of the cryptocurrency stablecoin TerraUSD and its sister token, Luna—an event that wiped out nearly the entire $40 billion market capitalization of Luna and accelerated the loss of $500 billion of value in the cryptocurrency economy. Unsurprisingly, Gensler and his colleagues have doubled down on their aggressive rhetoric since the Luna and TerraUSD crash. Speaking at a FINRA conference in Washington, D.C. on May 16, 2022, Gensler characterized cryptocurrency as a “highly speculative asset class,” given what he perceives as its lack of transparency in the marketplace, and advocated for basic investor protections against front-running customers, manipulation, and fraud. Just a few days before those remarks, SEC Commissioner Hester Peirce (despite her vocal and repeated criticism of what she perceives as the SEC’s excessive regulation of the industry) hinted that “one place we might see some movement” with regards to tougher regulations “is around stablecoins.”
These remarks have coincided with a broader effort by the SEC to expand its enforcement activity beyond issuance of crypto assets. In February of this year, for example, Enforcement brought its first action against a crypto lending platform, obtaining $100 million in penalties against BlockFi Lending LLC for its allegedly unregistered offering and sale of retail crypto lending products. In May, the SEC brought a settled action against NVIDIA Corporation for NVIDIA’s alleged failure to disclose that cryptomining was a significant element of its material revenue growth from the sale of its graphics processing units designed and marketed for gaming, with the company agreeing to a $5.5 million penalty. More recently, the SEC has reportedly been conducting an inquiry into safeguards against insider trading at one or more major crypto exchanges.
Though a recently-introduced Senate bill would narrow the SEC’s jurisdiction over crypto, it does not appear that the measure will advance in the near future. In the meantime, with the expansion of the Crypto Asset and Cyber Unit, we expect that the agency will continue to broaden the scope of its enforcement activity.
Cybersecurity Also in Focus
The uptick in SEC enforcement in the cryptocurrency space has been accompanied by a flurry of enforcement and rulemaking activity in the cybersecurity realm, particularly as it relates to the issue of data breaches. In the latter half of 2021, the SEC charged two companies—Pearson plc and First American Financial Corporation—respectively, for failing to make adequate disclosures regarding cybersecurity breaches and failing to maintain adequate cybersecurity disclosure controls and procedures. The SEC also obtained penalties in three coordinated actions against registered broker-dealers and investment advisers for alleged failures in their cybersecurity policies and procedures, which the SEC found to have resulted in email account takeovers that exposed the personal information of thousands of customers.
In addition, the SEC earlier this year proposed significant new rules for public companies and investment advisers with respect to cybersecurity controls and disclosures. In February, the agency proposed rules and amendments for investment advisers, registered investment companies and business development companies that would, among other things: require advisers and funds to adopt written policies and procedures that include specific elements set forth in the proposed rule in order to address cybersecurity risks; require advisers to report significant cybersecurity incidents to the SEC on a new Form ADV-C; and enhance cybersecurity incident and risk disclosures by advisers and funds to prospective and current investors.
The SEC followed up in March with proposed rule amendments for public companies that would, among other things, require issuers to disclose information about cybersecurity incidents within four business days after a determination that the company has experienced a “material cybersecurity incident,” and require updated disclosures concerning previously disclosed cyber incidents. The proposed rules and amendments would thus provide the strengthened Crypto Assets and Cyber Unit with an even broader arsenal for pursuing issuers and advisers.
We will continue to provide updates on this rapidly evolving regulatory landscape.
___
This post was originally published on the Foley Hoag blog.
