We wrote a few months back about the creation of the Cyber Unit and Retail Strategy Task Force at the SEC. In the Keynote Speech at the Securities Enforcement Forum, Co-Director of the SEC’s Division of Enforcement Stephanie Avakian provided additional information about the priorities of these units and the need for them to exist.
The SEC made these changes to align and focus resources on these key priorities and better fulfill the agency’s investor protection mission.
According to Avakian, the Cyber Unit was added because of the increased frequency of these securities violations and their increasing complexity. She identified three areas of misconduct that will be at the heart of this division. Previously, a large part of this expertise was gathered in the Market Abuse Unit during the investigation of serial insider trading schemes.
We’ve mentioned these areas here before in our discussions of cybersecurity, but they are worth mentioning again since they were explicitly laid out in the speech. First, they involve cyber-related misconduct that is used to gain an unlawful market advantage. Second, they include cases involving failures of a registered entity to take appropriate steps to safeguard information or maintain system integrity. Finally, they involve potential enforcement against a public company for failure to disclose cyber risks or incidents.
The SEC has already brought “a number of significant cases” involving cyber-related misconduct that has been used to gain an unlawful market advantage. These types of cases include (1) hacking to access material, nonpublic information in advance of an event, or to manipulate the market in a security (or group of securities); (2) account intrusions to conduct manipulative trading; and (3) disseminating false information online (EDGAR, Twitter, etc.) to manipulate stock prices.
The SEC has already brought several cases in the second area, resulting from violations of Regulations S-P, S-ID, SCI and others. These regulations are designed to ensure system integrity and the appropriate safeguarding of information. In these cases, they often consider whether an examination by OCIE is more appropriate or whether an enforcement inquiry should be opened. This would obviously
Avakian noted specifically that there has yet to be a prosecution for a public company’s failure to disclose a cyber risk. However, she says that they can envision a case where enforcement would be appropriate. They just aren’t trying to “second-guess reasonable, good faith disclosure decisions ….”
The new area that has been added to the Cyber Unit is responsibility for distributed ledger technology. The popularity of virtual currency and blockchain technology could “be an attractive vehicle for fraudulent conduct,” according to Avakian. The SEC has recently reminded companies and investors that Initial Coin Offerings are subject to the federal securities laws. Separately, CFTC Commissioner Brian Quintenz spoke at Georgetown University’s Fintech Week in mid-October and explained that ICO tokens could be a commodity subject to regulation by the CFTC.
RETAIL STRATEGY TASK FORCE
This Task Force will be a dedicated staff that develops ideas and strategies for protecting retail investors through data analytics and machine learning. The staff will work closely with the Office of Compliance, Inspections and Examinations (OCIE) and will refer investigative work to other Enforcement Division staff.
Avakian provided a number of specific examples of the types of conduct where they will focus, including (1) investment professionals steering customers to higher fees; (2) abuses in wrap-fee accounts such as failing to disclose costs of trading through unaffiliated brokers; (3) buying and holding inverse exchange-traded funds (ETFs), especially in retirement accounts; (4) failure to fully and clearly disclose fees in structured products sold to retail investors; and (5) churning trading accounts to generate commissions.
The Co-Director of Enforcement specifically denied that the creation of this unit showed diminished focus or resources on policing Wall Street and fighting financial fraud.
The Task Force will also be focused on investor outreach, working with other areas of the SEC to identify areas where targeted education would benefit investors and empower them to make informed decisions about investments.
IMPACT ON WHISTLEBLOWERS
The dedication of these areas to groups of SEC staff demonstrates once again that credible whistleblower tips in these areas will be strongly considered. The SEC has already rewarded several whistleblowers for providing information against misconduct that would be difficult to detect and was adversely harming investors. And given statements concerning the potential harm from hacking and cybersecurity misconduct, it seems likely that rewards will follow in this area as well.
If you have evidence of a violation of federal securities laws or SEC regulations, call 1-800-590-4116 to get a confidential consultation with a McEldrew Young whistleblower attorney representing SEC whistleblowers.