
SEC Creates Cyber Enforcement Unit


The Enforcement Division of the U.S. Securities and Exchange Commission recently announced the formation of a dedicated “Cyber Unit” that will focus on detecting and prosecuting cyber-related misconduct. (1)

 

The announcement follows several statements by high-ranking SEC officials that stress the programmatic importance of cyber enforcement. For example, in a recent interview with Reuters, Stephanie Avakian, one of the SEC’s co-directors of enforcement, highlighted an “uptick” in the number of SEC investigations involving cyber misconduct, including investigations into attempted market manipulation, so-called “hacking and trading” schemes, and online theft of brokerage account information. Similarly, during a recent NYU panel discussion, SEC Chairman Jay Clayton insisted that cyber security will be “one of the top enforcement issues during his tenure [as Chairman].” The formation of a dedicated Cyber Unit would seem to substantiate this assertion.

 

The SEC’s new Cyber Unit becomes the sixth so-called “specialized unit” (2) within the Enforcement Division. According to the Commission, the Cyber Unit will focus on:

 

  • market manipulation schemes involving false information spread through electronic and social media;

 


 

  • hacking to obtain material nonpublic information;

 

  • violations involving distributed ledger technology (e.g., “blockchain” technology) and initial coin offerings (“ICOs”) (3);

 

  • misconduct perpetrated using the “dark web”;

 

  • intrusions into retail brokerage accounts; and

 

  • cyber-related threats to trading platforms and other critical market infrastructure.

 

The Cyber Unit will be headed by Robert A. Cohen, an SEC veteran who was previously co-head of the Enforcement Division’s Market Abuse Unit. In that capacity, Mr. Cohen oversaw a number of high-profile and complex cyber-related cases, including an enforcement action against a Bulgarian trader who manipulated stock prices through false SEC EDGAR filings and multiple actions relating to a scheme to trade on nonpublic information hacked from newswire services.

 

In addition to Mr. Cohen’s substantial experience, the Cyber Unit will benefit from legacy systems and institutional expertise developed through the Enforcement Division’s former Office of Internet Enforcement (“OIE”), which operated from 1998-2010, as well as the division’s Office of Market Intelligence (“OMI”), both of which were responsible for investigating potential fraudulent schemes carried out on the internet or via email. (4)

 

While the formation of a dedicated Cyber Unit signals a reallocation of enforcement resources, it is unlikely to bring about directional change for the SEC’s enforcement program. The Enforcement Division has been focused on cyber misconduct—and has been actively investigating and prosecuting cases involving cyber misconduct—for years. The creation of a “specialized unit,” however, formalizes the SEC’s plan to “provide the additional structure, resources, and expertise necessary for enforcement staff to keep pace with ever-changing markets and more comprehensively investigate [cyber] cases.”

 

The SEC’s previous reallocation of enforcement resources to specialized units has been largely successful. Giving a unit “chief” ownership of a programmatically significant area, and assembling a supporting cast of “experts” in that discipline, led to better investigations that enabled the units to bring enforcement actions involving particularly complex or hard-to-discover misconduct. We anticipate similar successes for the Cyber Unit.

 

In the near term, we expect to see the Cyber Unit investigating and bringing actions involving attempted market manipulation, “hacking and trading,” and account intrusion. To date, these types of cases have formed the core of the SEC’s cyber-related enforcement actions, and there are reportedly more cases like these in the pipeline.

 

For now, we do not expect to see actions against entities whose systems are breached or compromised. Although Ms. Avakian has stated that she will not “rule out” an action against an organization that was hacked—especially if it knew about and ignored cybersecurity vulnerabilities—she has acknowledged that the Enforcement Division generally views compromised entities as “victims of the attack” that should not be charged. Chairman Clayton has echoed this view, stressing that the Enforcement Division will be “cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations.”

 

The Enforcement Division has acknowledged that cyber enforcement is a developing area, and the staff is watching it closely, perhaps to determine the efficacy of bringing certain types of actions—particularly, actions against issuers who were the victims of cyber-attacks and whose investors may bear the brunt of outsized enforcement penalties. At present, it seems that the staff will only consider bringing actions against the “victims” of cyber-attacks in extraordinary circumstances: for example, where an organization failed to adequately prepare for cyber events (which could result in a supervision or controls case) or where an issuer knew about vulnerabilities in its systems and failed to disclose them to the investing public (a disclosure case, perhaps).

 

In keeping with the Commission’s focus on investor protection, disclosure cases seem to be the most likely in the near term. And while disclosure cases are not strictly within the Cyber Unit’s mandate, issuers would be well advised to study available SEC Guidance for Public Companies and review related disclosures.

 

 


 

(1) The timing of the announcement is somewhat interesting. While the SEC says the creation of a Cyber Unit “has been in the planning stages for months”—and it undoubtedly has—it is curious that the press release came only five days after the SEC announced that hackers had accessed nonpublic information on its EDGAR database, and the night before SEC Chairman Jay Clayton appeared before a Senate committee to provide information about the cybersecurity breach.
(2) In 2010, the Enforcement Division created five “specialized units” dedicated to “particular highly specialized and complex areas of securities law.” The Enforcement Division’s specialized units include the Asset Management Unit (focusing on investment advisors, investment companies, hedge funds, and private equity funds), the Market Abuse Unit (focusing on large-scale market abuses and complex manipulation schemes by institutional traders, market professionals, and others), the Structured and New Products Unit (focusing on complex derivatives and financial products, including credit default swaps, collateralized debt obligations, and securitized products), the Foreign Corrupt Practices Unit (focusing on violations of the Foreign Corrupt Practices Act), and the Municipal Securities and Public Pensions Unit (focusing on misconduct involving the municipal securities market and public pension funds, such as offering and disclosure fraud, pay-to-play and public corruption violations, accounting and disclosure violations, and valuation and pricing fraud).
(3) The SEC recently announced its first-ever enforcement action involving ICOs. In it, the SEC alleged that issuers defrauded investors in a pair of ICOs purportedly backed by investments in real estate and diamonds. According to the SEC, the digital tokens investors purportedly acquired in exchange for their investment do not really exist, and the issuers had not, in fact, invested in real estate or diamonds. The enforcement action was not a product of the new Cyber Unit, but is likely an example of the kinds of cases we’ll see in the ICO space. A&O recently circulated a helpful client alert on the SEC’s first enforcement action against sponsors of ICOs.
(4) The OIE was responsible for triaging tips that the Commission received online and through email; developing internet investigative techniques; scouring the internet to identify potential fraudulent schemes; and investigating and prosecuting actions involving online securities fraud. In 2010, the OIE combined with the Office of Market Surveillance to form the OMI.