By Amy Leisinger, J.D.
In an SEC Historical Society Spotlight, Enforcement Associate Director and acting Cyber Unit Chief Carolyn Welshhans discussed emerging cyber issues with Morgan Lewis partner Ivan Harris. Among other things, the pair considered initial coin offerings, hacking and account intrusions, and cybersecurity controls. According to Welshhans, as ICOs and digital assets garner increased attention, cyber expertise is developing across the Commission. While the existing rules governing fraud and the goals underlying registration continue to apply, additional efforts to understand and analyze blockchain issues, virtual currencies, and cybersecurity concerns are being undertaken, she said.
ICOs and enforcement. Welshhans noted that the Cyber Unit was formed two years ago to provide for a more direct focus on cyber issues. With regard to potential violations in connection with ICOs and digital assets, the threshold inquiry is whether the platform, asset, or offer involves a security. According to the associate director, it is a mistake to think the Exchange Act and Securities Act and older regulations and case law cannot still apply to evolving products. The question of whether there a fraudulent activity has been committed and whether something is a security are still crucial to enforcement assessments, Welshhans said. Further, she explained, the need for registration and disclosure remains the same, particularly as part of the SEC’s mission to protect investors.
Harris asked Welshhans why many of the enforcement action brought in connection with ICOs involve only charges of registration failures under Section 5 and not fraud charges under Section 10(b). She responded that a variety of considerations go into how to bring these matters and that, sometimes, it can be difficult to trace digital assets. Further, she explained, several matters have involved ICOs where activity was ceased when the SEC became involved and money was returned investors. Collaboration with other Commission divisions and offices has been helpful in making enforcement determinations, Welshhans noted.
Cybersecurity. Cybersecurity is the responsibility of both government agencies and market participants, the associate director stated. Companies need to consider cyber threats when implementing controls and identifying cyber incidents, and the need to report under the internal controls provisions has not changed, Welshhans explained. The SEC may step in when a company does not have controls and policies and procedures in place to protect data, especially when the data goes to the heart of the business, she noted.
The SEC and its staff will not second guess good faith efforts to disclose and respond to events, according to the associate director, but the agency does need to ensure that the controls in place, as well as the timing and content of the response, were truly reasonable, Welshhans said. In some cases, controls and responses can be so ineffectual as to warrant enforcement, she opined. Ongoing investigations will not excuse nondisclosure, she concluded.