SEC Issues First ICO Enforcement Action Against a Self-Reporting Token Issuer

By Pamela L. MarcoglieseAlexander Janghorbani & Jim Wintering on February 28, 2019

POSTED IN ICOSSEC GUIDANCEUNITED STATES

On February 20, the Securities and Exchange Commission (the “SEC” or “Commission”) issued a cease-and-desist order against Gladius Network LLC (“Gladius”) concerning its 2017 initial coin offering (“ICO”).  The SEC found that the Gladius ICO violated the Securities Act of 1933’s (“Securities Act”) prohibition against the public offer or sale of any securities not made pursuant to either an effective registration statement on file with the SEC or under an exemption from registration.[1]  While this is far from the first time that the SEC has found that a particular ICO token meets the definition of a “security” under the Securities Act,[2] this is notably the first action involving an ICO token issuer that self-reported its potential violation.  Due to this, and Gladius’s cooperation throughout the investigation, the SEC stopped short of imposing any civil monetary penalties among its ordered remedial measures. Continue Reading

SEC Investigative Report on Cybersecurity Emphasizes Internal Controls

On October 16, 2018, the Securities and Exchange Commission (SEC) issued a Report of Investigation (Report) detailing an investigation by the SEC’s Enforcement Division into the internal accounting controls of nine issuers that were victims of “business email compromises,” a form of cyberfraud.1 The SEC issued the Report pursuant to Section 21(a) of the Securities Exchange Act, forgoing a traditional enforcement action, to communicate the SEC’s view that this issue is problematic and to put issuers and individuals on notice that the SEC intends to pursue enforcement actions concerning similar conduct in the future.

In the Report, the SEC cautioned issuers that they should consider cyberthreats when implementing internal accounting controls. This follows recent SEC guidance2 and an enforcement action highlighting the need for prompt disclosure of data breaches and other cybersecurity incidents as well as the creation of the Cyber Unit, a unit within the SEC’s Enforcement Division focused on targeting cyber-related misconduct. In releasing the Report, the SEC is sending a clear message that it expects issuers to not only act responsibly in the event of a cybersecurity incident but also to institute appropriate controls to mitigate the risks of cyber-related threats and safeguard company assets from those risks.

Key Takeaways

  • As “every type of business is a potential target of cyber-related fraud,” according to the Report, every issuer, regardless of sophistication or size, should prioritize cybersecurity.

  • Issuers are expected to evaluate the cybersecurity risks facing their particular business models and implement internal controls tailored to address those risks.

  • After implementation, issuers should continually assess the cybersecurity risks they face and calibrate their internal controls accordingly.

  • Issuers should maintain policies and procedures that ensure relevant information regarding cybersecurity risks and incidents is collected, processed and escalated on a timely basis, and issuers should prioritize the training of employees on those policies and procedures.

  • In disclosing cybersecurity risks and incidents, issuers should avoid boilerplate language and tailor disclosures to their specific business and industry.

  • Issuers should consider whether their insider trading policies are designed to prevent trading on material nonpublic information related to cybersecurity risks and incidents.

Investigative Report

The SEC’s investigation concerned whether nine issuers complied with federal securities laws, including Section 13(b)(2)(B) of the Exchange Act, by designing and maintaining internal accounting controls that reasonably safeguarded the issuers from cyber-related risks. Section 13(b)(2)(B) requires certain issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that,” among other things, “transactions are executed in accordance with management’s general or specific authorization” and “access to assets is permitted only in accordance with management’s general or specific authorization.” The issuers described in the Report lost a combined $100 million after their internal accounting controls failed to protect against two types of fraudulent email schemes.

In the first type of scheme, a person not affiliated with an issuer allegedly sent an email to a finance employee at an issuer using a spoofed email domain and address — which mimicked the email account of one of the issuer’s executives — directing the employee to wire funds in connection with a certain transaction. The email allegedly directed the employee to work with a purported outside attorney, who then asked the employee to transfer the funds to a foreign bank account controlled by the alleged perpetrators. The SEC noted that this type of fraud is unsophisticated from a technological standpoint — it requires only the creation of an email address that seemingly belongs to an executive of an issuer.

The second more technologically complex type of fraudulent scheme is one in which the alleged perpetrators hacked the email accounts of issuers’ foreign vendors and sent payment requests to employees at the issuers for services rendered. The alleged perpetrators provided the employees with revised banking information and wire instructions that were linked to foreign accounts that the perpetrators controlled. Issuer employees allegedly transferred funds to the foreign accounts, only discovering the fraud months later when the actual vendors sought payment on their outstanding invoices.

The Report highlights the need for issuers to design and maintain internal accounting control systems that adequately address the cybersecurity risks they face. The persons undertaking the alleged cyber-related frauds were able to identify vulnerabilities in the issuers’ controls over, for instance, payment authorization and verification procedures. Issuers need to ensure that their internal accounting controls are tailored to address, among other things, human vulnerabilities with respect to cyber-related risks. The Report explains that the alleged perpetrators succeeded in the frauds in large part because employees were unaware of, or did not understand, the internal controls of their employers and failed to recognize multiple red flags indicating that a fraudulent scheme was underway.

The SEC’s Heightened Interest in Cybersecurity

The Report comes just over a year after the SEC announced the creation of its Cyber Unit in September 2017.3 The Cyber Unit was formed to consolidate the expertise of the SEC’s Division of Enforcement and enhance its ability to identify and investigate cyber-related threats. In commenting on the Cyber Unit’s launch, Stephanie Avakian, co-director of the SEC’s Enforcement Division, identified cyber-related threats as “among the greatest risks facing investors and the securities industry.”

The Cyber Unit complements the cybersecurity working group, an initiative of SEC Chairman Jay Clayton, to coordinate information sharing, risk monitoring and incident response throughout the SEC. In establishing the working group, Chairman Clayton announced the SEC’s focus “on identifying and managing cybersecurity risks and ensuring that market participants — including issuers, intermediaries, investors and government authorities — are actively engaged in this effort and are appropriately informing investors and other market participants of these risks.”4

In April 2018, the Cyber Unit was involved in bringing a cyber-related enforcement action against a technology company for allegedly misleading shareholders by not disclosing a data breach in its public filings for nearly two years.5 The $35 million settlement was the first SEC enforcement action against a public company relating to the disclosure of a data breach. According to the SEC, the company failed to establish or implement internal controls around the evaluation and disclosure of cyber incidents. The SEC alleged that the company’s senior management and legal staff “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in [its] public filings or whether the breach rendered, or would render, any statements made by [it] in its public filings misleading.”

The SEC noted that the company’s disclosures in its public filings were misleading to the extent they omitted known trends or uncertainties presented by the data breach. In addition, the SEC alleged the risk factor disclosures in the company’s public filings were misleading in that they claimed the company only faced the risk of potential future data breaches without disclosing that a data breach had in fact already occurred. The SEC noted that while immediate disclosure (such as in a Form 8-K) is not always necessary in the event of a data breach, in this case, the breach should have been disclosed in the company’s regular periodic reports.

Prior Interpretive Guidance

In February 2018, the SEC issued interpretative guidance regarding disclosures concerning cybersecurity risks and incidents.6 The SEC’s guidance provides that, in disclosing cybersecurity risks and incidents, issuers should avoid boilerplate language and tailor disclosures to their specific businesses and industries, including disclosing the potential financial, legal or reputational impacts of cybersecurity risks or incidents. The disclosures should not be so detailed, however, that they compromise companies’ cybersecurity efforts.

The guidance also advises issuers to evaluate their cybersecurity policies and procedures, and ensure that relevant information pertaining to cybersecurity risks and incidents is collected, processed and escalated on a timely basis so management can assess and analyze whether disclosure is required. The guidance encourages issuers to evaluate whether their insider trading policies are designed to prevent insider trading on the basis of material nonpublic information relating to cybersecurity incidents and risks. The guidance notes that issuers should consider restrictions on trading during periods when issuers are investigating and assessing the significance of a cybersecurity incident.

Associate Sydney P. Sgambato assisted in the preparation of this alert.

 ________________

1 “Report of Investigation Pursuant to 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements,” SEC Release No. 34-84429 (Oct. 16, 2018).

2 See our February 23, 2018, client alert, “SEC Issues Interpretive Guidance on Cybersecurity Disclosures.”

3SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC Press Release No. 2017-176 (Sept. 25, 2017).

4Statement on Cybersecurity,” SEC Chairman Jay Clayton (Sept. 20, 2017).

5 “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cyber Security Breach; Agrees to Pay $35 Million,” SEC Press Release No. 2018-71 (Apr. 24, 2018).

6Commission Statement and Guidance on Public Company Cybersecurity Disclosures,” SEC Release Nos. 33-10459; 34-82746 (Feb. 26, 2018).

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

Lax Cyber Security Could Be Federal Law Violation, SEC Warns

Public companies that fail to tighten their cyber security controls could be violating federal law, the U.S. Securities and Exchange Commission (SEC) said on Tuesday.

The regulator’s warning came in the form of a report on its investigation to assess whether nine companies that had been victims of cyber-related frauds had sufficient internal accounting controls in place as required by law.

It focused on so-called “business email compromises” in which cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The Federal Bureau of Investigation estimates such scams had led to $5 billion in losses since 2013, the SEC said.

The fraud did not include any sophisticated design, but rather used technology to detect the human vulnerabilities in the control system, the report said.

“We did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations,” Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a statement.

The SEC did not identify the companies but said the failings of internal controls were only discovered when vendors told authorities of nonpayment on a number of outstanding invoices.

Regulators and lawmakers are increasingly focused on the risks cyber criminals pose to companies and their customers following a series of high-profile incidents. They included the theft by hackers last year at credit reference company Equifax of personal information of more than 145 million people.

Last week, Facebook Inc. said hackers stole data from 29 million Facebook accounts, adding to concerns among users and investors about the company that has been through a series of cyber scandals.

Following the Equifax breach, the SEC issued updated guidance on how and when companies should disclose cyber security risks and breaches, including potential weaknesses that have not yet been targeted by hackers but could constitute inside information.

(Reporting by Katanga Johnson; Editing by Michelle Price and Grant McCool)

Statement on EDGAR Hacking Enforcement Action

Public Statement

Statement on EDGAR Hacking Enforcement Action

Chairman Jay Clayton

Jan. 15, 2019

In August 2017, shortly after my arrival at the Commission, I was informed that an intrusion into the SEC's Electronic Data Gathering, Analysis, and Retrieval ("EDGAR") system took place in 2016.   We immediately initiated a series of review and response initiatives, including promptly disclosing the incident and our anticipated response to the public and to Congress.[1] 

In the subsequent months, we have pursued various review and uplift efforts around the EDGAR system and the SEC's information technology systems more broadly.  These efforts are discussed in more detail in my Congressional testimony and our agency financial report.[2]

Importantly, one of the agency's principal efforts around the EDGAR intrusion has been the Division of Enforcement's investigation into potentially illicit trading related to information that was stolen from the SEC. We have conducted our investigative efforts in valuable partnership with law enforcement.  

Earlier today, we announced charges against several defendants for their participation in a fraudulent scheme centered on the EDGAR intrusion.[3]  Our complaint alleges that certain individuals hacked into EDGAR and accessed test filings, including test filings containing material nonpublic information pertaining to earnings announcements of publicly-traded companies.  We allege that certain defendants then traded based on the hacked information and profited once the information became public. The defendants in this action include a Ukrainian hacker, six individual traders in California, Ukraine, and Russia, and two entities.  

I commend the Division of Enforcement, and in particular the Cyber Unit and the Market Abuse Unit, for their thoughtful work on this matter.  As in other actions, they have done an admirable job responding to cyber threats in order to protect American markets and investors.  I also want to note my appreciation for the assistance provided by the SEC's Office of Information Technology and Division of Economic and Risk Analysis for their significant contributions.   Similarly, I appreciate the constructive collaboration with our law enforcement partners at the U.S. Attorney's Office for the District of New Jersey, the Federal Bureau of Investigations and the U.S. Secret Service. 

This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types.  These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders.  No system can be entirely safe from a cyber intrusion.  Here at the SEC, we recognize that we must continuously use the resources available to us efficiently and effectively to bolster our cybersecurity defenses and reduce our cyber risk profile.  Our recent and ongoing work on both enhanced security and risk reduction has involved many of our divisions and offices as well as external consultants and government partners. I appreciate the significant contributions from the Office of the General Counsel, Office of Inspector General, Office of the Chief Operating Officer, and the Office of Information Technology to these efforts.  

Today's enforcement action reinforces our dedication to protecting our markets and the over 50 million households invested in those markets. Speaking more broadly, I believe that our exchange-listed companies and other market participants should continue to improve their disclosure of cyber risks and cyber incidents as well as their individual and collective efforts to combat cyber risk.[4]

[1] See Press Release 2017-170, SEC Chairman Clayton Issues Statement on Cybersecurity:  Discloses the Commission's Cyber Risk Profile, Discusses Intrusions at the Commission, and Reviews the Commission's Approach to Oversight and Enforcement (Sept. 20, 2017), available at https://www.sec.gov/news/press-release/2017-170; Statement on Cybersecurity (Sept. 20, 2017), available at https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20; Testimony on "Oversight of the U.S. Securities and Exchange Commission" (Sept. 26, 2017), available at https://www.sec.gov/news/testimony/testimony-clayton-2017-09-26; Testimony on "Examining the SEC's Agenda, Operation, and Budget" (Oct. 4, 2017), available at https://www.sec.gov/news/testimony/testimony-examining-secs-agenda-operation-and-budget.

[2] See, e.g., Testimony on "Examining the SEC's Agenda, Operation, and Budget" (Oct. 4, 2017), supranote 1; Testimony before the Financial Services and General Government Subcommittee of the Senate Committee on Appropriations (June 5, 2018), available athttps://www.sec.gov/news/testimony/testimony-financial-services-and-general-government-subcommittee-senate-committee;  Testimony on "Oversight of the U.S. Securities and Exchange Commission" (June 21, 2018), available at https://www.sec.gov/news/testimony/testimony-oversight-us-securities-and-exchange-commission; Testimony on "Oversight of the U.S. Securities and Exchange Commission" (Dec. 11, 2018), available at https://www.sec.gov/news/testimony/testimony-oversight-us-securities-and-exchange-commission-0; Fiscal Year 2018 Agency Financial Report, available at https://www.sec.gov/files/sec-2018-agency-financial-report.pdf.

[3] See Press Release 2019-1, SEC Brings Charges in Edgar Hacking Case (Jan. 15, 2019), available at https://www.sec.gov/news/press-release/2019-1  

[4]S ee Press Release 2018-22, SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018), available at https://www.sec.gov/news/press-release/2018-22.

FINRA Releases 2019 Risk Monitoring and Examination Priorities Letter

WASHINGTON — FINRA today released its 2019 Risk Monitoring and Examination Priorities Letter, highlighting new priorities as well as identifying areas of ongoing concern that FINRA will continue to review in the coming year. This year’s letter’s focus on materially new issues may help firms better identify those priorities that are relevant to their business.

Among the emerging issues identified in the letter as areas of focus in 2019 are:

  • online distribution platforms;

  • firms’ compliance with FinCEN’s Customer Due Diligence (CDD) rule; and

  • firms’ compliance with their mark-up or mark-down disclosure obligations on fixed income transactions with customers.

In addition, FINRA will continue to review for firms’ compliance in important areas of focus identified in prior years, including sales practice risks; hiring and supervision of associated persons with a problematic regulatory history; cybersecurity; and fraud, insider trading and manipulation across markets and products.

FINRA may update its view on risks throughout the year, as well as provide observations on both concerns and effective practices relevant to some of these areas.

“This year’s Priorities Letter takes a new approach by highlighting those topics that will be materially new areas of focus for our risk monitoring and examination programs in the coming year,” FINRA CEO Robert Cook stated. “While we will continue to review and examine for longstanding priorities discussed in greater detail in past letters, we agree with the suggestion from many of our member firms that a sharper focus on emerging issues will help them better determine whether those issues are relevant to their businesses and how they should be addressed.”

FINRA is a not-for-profit organization dedicated to investor protection and market integrity. It regulates one critical part of the securities industry – brokerage firms doing business with the public in the United States. FINRA, overseen by the SEC, writes rules, examines for and enforces compliance with FINRA rules and federal securities laws, registers broker-dealer personnel and offers them education and training, and informs the investing public. In addition, FINRA provides surveillance and other regulatory services for equities and options markets, as well as trade reporting and other industry utilities. FINRA also administers a dispute resolution forum for investors and brokerage firms and their registered employees. For more information, visit www.finra.org.

SEC Names Gabriel Benincasa As Its First Chief Risk Officer

Original Article

Press Release

FOR IMMEDIATE RELEASE
2019-24

Washington D.C., Feb. 28, 2019 —

The Securities and Exchange Commission today announced that Gabriel Benincasa has been named the Commission’s first Chief Risk Officer.  This position was created by SEC Chairman Jay Clayton to strengthen the agency’s risk management and cybersecurity efforts.

As Chief Risk Officer, Mr. Benincasa will coordinate the SEC’s continued efforts to identify, monitor, and mitigate key risks facing the Commission.  Working within the SEC’s Office of the Chief Operating Officer, he will also serve as a key adviser on other matters related to enterprise risks and controls.  Julie Erhardt, who had been serving as Acting Chief Risk Officer while the SEC completed its recruitment efforts, will return to her role as Deputy Chief Accountant for Technology and Innovation in the Commission’s Office of the Chief Accountant.

“Establishing the Chief Risk Officer position at the SEC is an important step forward in our continuing efforts to strengthen the agency’s risk management program,” said Chairman Jay Clayton.  “Gabe is an experienced senior leader with deep risk, legal, compliance, and financial markets expertise.  I am certain we will benefit from his advice and insights.  I also want to thank Julie for giving us a running start on this initiative.”

“I look forward to working with Gabe to maintain a robust risk management program at the agency,” said Ken Johnson, the SEC’s Chief Operating Officer.  “Gabe’s strong background in risk management positions him well to help the SEC continue to evaluate a wide range of current and emerging challenges, whether related to our markets, cybersecurity, or our own operations.”

Mr. Benincasa added, “It is an honor to serve America’s investors and markets as the SEC’s first Chief Risk Officer.  I look forward to joining the team and building upon existing programs to help the agency tackle current and future challenges.”

Mr. Benincasa brings to the SEC significant experience in senior leadership roles in risk and compliance in the financial sector. He began his legal career as an attorney at Davis Polk & Wardwell before working for Morgan Stanley and other financial firms. He has served in roles including as Director of Enterprise Risk Management and Vice Chair of the Risk Control Committee for a financial services holding company; Deputy Global Head of Operational Risk Management for an investment bank; General Counsel and Chief Compliance Officer for an institutional asset management company; and Global Head of Compliance for a financial technology company.

Mr. Benincasa is an attorney and a Certified Public Accountant. He earned his J.D. from Fordham Law School and a Bachelor’s in Business Administration from Baruch College.