Editors’ Note: This is the fifth in our third annual series examining important trends in data privacy and cybersecurity during the new year. Our previous entries were on emerging threats, state law trends, comparing the GDPR with COPPA, and energy and security. Up next: political advertising.
In our 2018 SEC year in preview post, we called attention to an expected increase in SEC cybersecurity enforcement action. The SEC has certainly lived up to the billing throughout 2018, which was the first full year in existence for the SEC’s new Cyber Unit. In particular, the Cyber Unit and the SEC’s Enforcement Division focused on three types of enforcement actions: (1) stopping unregistered and/or fraudulent trading of digital assets, including initial coin offerings (ICOs); (2) the safeguarding of customer information by registered entities; and (3) public company disclosures and controls.
Digital Assets/Initial Coin Offerings
The SEC made clear in 2018 that one of its top priorities is stopping the unlawful sales of unregistered digital assets. In mid-November, the SEC Divisions of Corporation Finance, Investment Management, and Trading and Markets jointly released a statement highlighting enforcement actions “involving the intersection of long-standing applications of our federal securities laws and new technologies.” The release covered three types of issues that have been top of mind for the SEC in 2018: (1) initial offers and sales of digital asset securities (including ICOs); (2) investment vehicles investing in digital asset securities and those who advise others about such investments; and (3) secondary marketing trading of digital asset securities.
While one purpose of the release was to highlight areas of concern for the SEC, the Commission also made clear that it is willing to permit previously unregistered issuers to register under the appropriate circumstances. In this regard, the SEC settled two matters involving unregistered offerings of tokens on the same day it issued the release. In both cases, the issuers agreed to pay a $250,000 civil penalty, but also agreed to register with the SEC so that they could continue operating. The SEC intended these matters to demonstrate that there is a path of compliance going forward, even where issuers have already violated the law by conducting an unregistered offering of digital asset securities.
The SEC has also targeted investment vehicles that improperly fail to register as an investment company. Crypto Asset Management LP offered an unregistered hedge fund that the SEC claimed was falsely marketed as the “first regulated crypto asset fund in the United States.” The fund also claimed, according to the SEC, that it was regulated by the SEC and had filed a registration statement with the SEC. However, by engaging in a non-exempt public offering and investing more than 40 percent of the fund’s assets in digital asset securities, the SEC claimed that CAM caused the fund to operate as an unregistered investment company. The SEC also found that the fund’s manager was an investment adviser, and had violated the antifraud provisions of the Investment Advisers Act of 1940 by making misleading statements to investors in the fund.
Third, the SEC has made clear that a platform that offers trading in digital asset securities and operates as an “exchange” must either register with the SEC as a national securities exchange or qualify for an exemption from registration. Under Exchange Act Rule 3b-16, the SEC uses a functional approach to determine whether a system constitutes an exchange, regardless of how an entity may characterize itself. The analysis focusses on an assessment of the totality of the activities and technology used to bring together orders of multiple buyers and sellers for securities using “established non-discretionary methods” under which such orders interact. This area has become a primary concern for the SEC as advancements in blockchain and distributed ledger technology have led to new methods for facilitating electronic trading in digital asset securities. These concerns led to the SEC’s first case based on findings that a digital token trading platform, EtherDelta, operated as an unregistered national securities exchange. EtherDelta operated as an online platform for secondary market trading of ERC20 tokens, which is a type of blockchain-based token commonly issued in ICOs. Because EtherDelta’s platform offered trading of securities, the SEC stated that it was required to register as an exchange or operate pursuant to an exemption, which it failed to do.
In addition to the types of enforcement actions highlighted in the release, the SEC continued to focus on the making of false representations in the sale of digital asset securities. For example, the SEC halted an ICO run by Dallas-based AriseBank, which claimed to be the world’s first “decentralized bank.” AriseBank allegedly used other common tactics, including social media and a celebrity endorsement to raise what it claims to be $600 million of their $1 billion goal in just two months. The SEC claimed that it also falsely stated that it purchased an FDIC-insured bank, which allowed it to offer customers FDIC-insured accounts. Additionally, in May 2018, the SEC obtained a court order halting an ICO run by a self-described “blockchain evangelist.” Titanium Blockchain Infrastructure Services, Inc. allegedly lied about business relationships with the Federal Reserve, PayPal, Verizon, Boeing and The Walt Disney Company, among others.
One of the key underpinnings of the SEC’s digital asset securities enforcement activity is that digital tokens do in fact qualify as “securities” under the federal securities laws. The SEC, applying the traditional “Howey test,” has readily concluded that they do. This view dates back at least to 2017 when the SEC issued an investigative report, known as the DAO Report, which concluded that that issuers of distributed ledger or blockchain technology-based securities must register offers and sales of such securities unless a valid exemption applies. This view, which is of course fundamental to much of the SEC’s enforcement activity in this area, took a bit of a hit in late 2017 when a federal judge in the Southern District of California denied an SEC request for a preliminary injunction to stop an ICO because the court could not determine whether certain tokens qualified as securities. While the decision did not go so far as to conclude that the tokens are not securities, it paused to consider the issue in a way that the SEC’s internal administrative decisions have not. It also signals a willingness of federal courts to consider that some token offerings may not involve a “security.” This issue will merit close watching by industry participants in 2019.
Safeguarding Customer Information
The maintenance of appropriate cybersecurity policies and procedures also continues to be a top SEC priority. In September 2018, the SEC fined a broker-dealer and investment adviser $1 million related to a cyber intrusion that compromised personal information of thousands of customers. In doing so, the SEC charged Voya Financial Advisors Inc. with violating both the Safeguards Rule and Identity Theft Red Flags Rule. The Safeguards Rule, which is Rule 30(a) of Regulation S-P, requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures that address safeguards for the protection of customer records and information. The Identity Theft Red Flags Rule, which is Rule 201 of Regulation S-ID, requires broker-dealers and investment advisers registered with the SEC to develop and implement a written Identify Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of certain covered accounts.
In the VFA case, cyber intruders impersonated contractors employed by VFA over six days by calling VFA’s support line and requesting that contractors’ passwords be reset. The intruders used the new passwords to access the contractors’ accounts and gain access to personal information of 5,600 VFA customers. The intrusion continued for several days, and the SEC claimed that VFA’s security staff failed to take action such as blocking the intruders’ IP addresses or freezing the compromised representatives’ work sessions.
This marked the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. While VFA had a written Identity Theft Prevention Program pursuant to the rule, it did not review or update the program in response to changes in risks to its customers or provide adequate training to its employees. The SEC has repeatedly emphasized the importance of maintaining adequate cybersecurity policies and procedures, both through examinations and enforcement actions, and this is yet another reminder that simply having policies in place is not good enough. The policies must regularly reviewed and adhered to, and employees must be trained on them.
Public Company Disclosures
In 2017, the SEC previewed that the failure of a public company to make appropriate disclosures about a cyber event could lead to an enforcement action. In 2018, it followed through on the warning, assessing Altaba (formerly known as Yahoo!) a $35 million penalty based on its alleged failure to disclose a massive data breach in which hackers obtained personal data relating to hundreds of millions of user accounts. According to the SEC, within days of a 2014 intrusion, Yahoo’s information security team knew that hackers had stolen personal data of millions of customers that Yahoo internally referred to as the company’s “crown jewels.” However, according to the SEC, the breach was not disclosed to the public until more than two years later when Yahoo was in the process of closing the acquisition of its operating business by Verizon. During these two years, Yahoo’s SEC filings stated that it faced the risk of data breaches, but from the SEC’s perspective never disclosed that a large breach had occurred.
The SEC has also attempted to provide the market with guidance on when an issuer should disclose a data breach. The Commission’s February 2018 guidance was its second effort (its first was in 2011) in this regard. The guidance focused on the materiality of a particular cyber risk or breach, and stressed that the need to make a disclosure must be analyzed on a case-by-case basis, depending on the nature, extent and potential magnitude of the risk or breach. In assessing whether disclosure is required, a company should consider the range of harm that an incident could cause, including to a company’s reputation, financial performance, and customer or vendor relationships, along with the possibility of litigation or regulatory actions. By and large, this guidance did not provide much clarity beyond what the SEC had previously advised. In a new twist, however, the guidance also touched on insider trading and made clear that material, non-public information regarding cyber events should be treated no differently than any other material, non-public information. Officers, directors and other executives cannot trade on such information, and companies should have policies and procedures in place to guard against them doing so and also to help ensure the company makes timely disclosure of such information.