Stephanie Avakian and Steven Peikin
Co-Directors, Division of Enforcement
May 16, 2018
United States House of Representatives
Committee on Financial Services
Subcommittee on Capital Markets, Securities, and Investment
Holding Individuals Accountable
Another core pillar of a strong and effective enforcement program is individual accountability. To have a strong deterrent effect on market participants, it is critical to hold individuals responsible in appropriate cases and to pursue wrongdoing at the highest corporate levels supported by the evidence.
Individual accountability has long been a priority of the Enforcement program, and recent efforts show that our commitment to this key concept has not flagged. Since May 2017, a significant number of the Commission’s enforcement actions have also involved charges against one or more individuals. These actions have involved charges against the senior-most executives of large companies and firms, including CEOs, CFOs, presidents, and senior partners. The Commission also has charged individuals in several cyber-related matters.
To be sure, our focus on individual accountability consumes more of our limited resources; with much to lose, individuals may be more likely to litigate with the Commission. But that price is worth paying. We will continue to hold individuals accountable where warranted by the facts and the law.
Keeping Pace with Technological Change: Combatting Emerging Cyber-Related Threats
One important area where we are focusing the Division’s enforcement efforts and resources is combatting emerging cyber-related threats to investors and the financial markets. These threats are among the greatest risks facing investors and our securities markets today, and the Division has been working to further develop its already substantial expertise and proficiency in the tools and investigative techniques needed to address these issues. We remain committed to ensuring that the Division continues to keep pace with the technological changes that continually transform our markets.
We formalized our work in this area in FY 2017 by forming a Cyber Unit. The creation of the Cyber Unit, which is the first new unit that the Division has created since specialized units were first formed in 2010, demonstrates the priority that we place on combatting cyber-related threats to investors and our markets. The Cyber Unit focuses its efforts on the following key areas:
- Market manipulation schemes involving false information spread through electronic and social media;
- Hacking to obtain material, nonpublic information and trading on that information;
- Violations involving distributed ledger technology and initial coin offerings (“ICOs”);
- Misconduct perpetrated using the dark web;
- Intrusions into online retail brokerage accounts; and
- Cyber-related threats to trading platforms and other critical market infrastructure.
Enforcement has been focused on many of these issues for some time, and the Cyber Unit centralizes, leverages, and builds upon the considerable expertise that the Commission has developed in this rapidly developing area.
Cyber-related matters are an area where we have sought to utilize the full range of tools and remedies available to the Commission. Our work in this field reflects a careful balancing of the need to protect investors from risks inherent in new technologies against the need to allow innovation to take place. For instance, the Commission has provided clarity for market participants in new or developing areas, starting with a Section 21(a) report (the “Report”) regarding ICOs issued last July. The Report concerns the application of the federal securities laws to the offer and sale of virtual tokens that were created and distributed on a blockchain by an entity called “The DAO.” In the Report, the Commission applied longstanding securities law principles to conclude that this virtual token constituted an investment contract and therefore was a security, and to reiterate the fundamental principal that the federal securities laws apply—including to those relating to offers, sales, and trading—regardless of whether the security is certificated or issued on a blockchain.
The Division has continued to take other actions to address ICOs and cryptocurrencies following publication of the Report. For example, in November 2017, the Division, along with OCIE, issued a joint statement regarding the potentially unlawful promotion of ICOs by celebrities and others. In January 2018, we issued a joint statement with the Director of the Commodity Futures Trading Commission’s (“CFTC”) Division of Enforcement regarding virtual currency actions. We advised market participants that when they engage in fraud under the guise of offering digital instruments—whether characterized as virtual currencies, coins, tokens, or the like—the SEC and the CFTC will look beyond form, examine the substance of the activity, and prosecute violations of the federal securities and commodities laws. In March, the Division of Enforcement and the Division of Trading and Markets issued a joint statement alerting investors that if they use online trading platforms for trading digital assets they may not have the protections provided by the federal securities laws and SEC oversight. And, we continue to encourage parties to contact Commission staff who specialize in these issues for assistance.
And, since the issuance of the Report, the Commission has brought a number of enforcement actions for alleged ICO-related violations of the registration requirements of the federal securities laws. In one case, after being contacted by the Division, a company halted its ICO to raise capital for a blockchain-based food review service, and then settled proceedings in which we determined that the company’s ICO was an unregistered offering and sale of securities in violation of the federal securities laws. As a result of the SEC’s intervention, the company refunded investor proceeds before any tokens were distributed.
Finally, in cases where the technology is merely a veneer for an alleged fraud, we have recommended enforcement actions. To take one example, the Commission recently charged the co-founders of a purported financial services start-up with orchestrating a fraudulent ICO that raised more than $32 million from thousands of investors. In another recent case, the Commission obtained a court order freezing more than $27 million in trading proceeds from allegedly illegal distributions and insider sales of restricted shares of a NASDAQ-listed company purporting to be in the cryptocurrency business. Since the beginning of 2017, the Commission has also sought to protect investors by utilizing its authority to suspend trading in the stock of 13 publicly traded issuers because of questions concerning, among other things, the accuracy of assertions regarding their investments in ICOs and operation of cryptocurrency platforms. As these cases show, the Division will not hesitate to take appropriate action where technology is used to defraud investors.
Beyond ICOs and cryptocurrencies, the Commission has prioritized the adequacy of companies’ cyber-related disclosures. In February, the Commission issued a Statement and Guidance on Public Company Cybersecurity Disclosures to assist public companies in preparing their disclosures about cybersecurity. This guidance provides the Commission’s views about the public companies’ obligations under our laws and regulations with respect to matters involving cybersecurity risk and incidents and describes the importance of comprehensive policies and procedures related to cybersecurity events, including appropriate disclosure controls, and the need to have policies and procedures in place to guard against corporate insiders trading on the basis of material nonpublic information about cybersecurity risk and incidents. The Commission also recently announced settled charges against a major technology company for misleading investors by failing to disclose what was, at the time, the world’s largest known data breach. The case is the first that the Commission has brought against a company for failing to adequately disclose a cyber incident. We are aware of the challenges companies face when it comes to disclosing cyber attacks, and we will not seek to second-guess good-faith disclosure decisions. But, as this recent case reflects, there will be circumstances in which a company’s procedures, controls, and response to a cyber incident warrant an enforcement action.