Tuesday, May 15, 2018

Cybersecurity, retail investor protection are hot topics at PLI’s enforcement conference

By Amanda Maine, J.D.

Officials from the SEC, DOJ, and other agencies gave their views on the enforcement landscape at the Practising Law Institute’s Enforcement 2018 conference on regulatory perspectives. Overlapping themes on two panels in particular included cybersecurity and the protection of retail investors. SEC initiatives highlighting these issues were put in place in September 2017, reflecting Chairman Jay Clayton’s emphasis on these areas as Commission priorities.

The cybersecurity landscape. Richard T. Jacobs of the FBI’s Cyber Branch remarked that the FBI is not a regulatory entity, so when a company experiences a cyber breach, the FBI’s only mission is to find out who did it and go after those actors. A company’s internal controls in detecting cyberattacks are not the FBI’s concern, he said.

Jacobs also advised that, when it comes to disclosing a cyber breach, a company is worse off if it holds off reporting it. That strategy might make it appear to the public that the company is hiding something. In addition, he explained that the FBI may have information that is not available to the company that experienced a cyberattack, such as whether the perpetrator was a nation-state. Companies should also keep in mind that if enforcement agencies are not told about a cyberattack, they are unable to pursue the perpetrators, who will continue to engage in this misconduct, he noted.

Robert Cohen, chief of the SEC’s Cyber Unit in the Division of Enforcement, said that the agency recognizes that companies are the victims of cyber breaches. He gave assurances that the SEC is not looking to second-guess good-faith, reasonable decisions. As an example, Cohen cited the SEC’s recent enforcement action brought against the company formerly known as Yahoo!, which did not disclose a record data breach until two years after it was discovered. Cohen noted that the Yahoo! case was not a close call; senior management knew about the theft of what it called its “crown jewels”—i.e., usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts—and sat on that information for years without telling the public, he explained.

Cohen also advised that there are different legal issues depending on whether the data breach involves a public company, to which disclosure obligations apply, or a regulated financial services entity, such as a broker-dealer or investment adviser, which has an obligation to protect its customers’ information. For regulated entities, the SEC will look at how well the controls were designed in the first place.

Distinct from data breach issues involving regulated entities, Cohen said, for public companies the SEC will examine whether the company failed to disclose material information to investors. He drew attention to the Commission’s recently updated guidance regarding cybersecurity issues. These issues are increasingly material for investors, he explained.

Enforcement and retail investors. Mentioning Chairman Clayton’s focus on retail investors, Charu Chandrasekhar noted that the Commission had recently announced the formation of a Retail Strategy Task Force within the Enforcement Division. Chandrasekhar, who heads the task force, said it is taking a look at widespread abuses impacting retail fraud. The task force will continue the Division’s efforts regarding more traditional retail frauds, but is also examining the more sophisticated frauds. The goal of the task force, she said, is to take a strategic and data-driven look at retail investor protection by harnessing the Commission’s access to volumes of trading data to determine the real risk areas impacting these investors. The task force hopes to translate the findings obtained from the data into the design and prosecution of enforcement cases, Chandrasekhar explained.

On the criminal side, Alixandra Smith, deputy chief of the business and securities fraud section in the U.S. Attorney’s Office in the Eastern District of New York, said that many of her office’s cases related to retail investors involve cryptocurrency. Retail investors are often targeted by cryptocurrency fraudsters because many regular investors do not understand how these kinds of currencies work, Smith said. Many of these cases involve what looks like a classic pump-and-dump fraud, except with cryptocurrency. These cryptocurrencies can be very thinly traded, resulting in an opportunity for fraudsters to pump up a cryptocurrency and then sell it, Smith said.

Smith also noted that an emerging area of fraud includes fraud in connection with initial coin offerings (ICOs). The U.S. Attorney’s Office is working with the SEC on whether certain ICOs are actually securities that can be regulated. Social media has been used to further both of these kinds of schemes, Smith said. Fraudsters use social media platforms to put out false information about a cryptocurrency to generate interest in it. When it comes to ICOs, social media has been used to recruit investors by reaching out to certain targeted populations, Smith advised.