Partners Peter Baldwin and Bob Mancuso published “Cybersecurity Enforcement Trends: A Fraught New Reality for ‘Victims’ of Cyberattacks.” This article in the New York Law Journal discusses how regulators have shifted their focus from data breach notifications to overall cybersecurity preparedness.
On January 8, 2021, Judge Richard Seeborg of the United States District Court for the Northern District of California issued an Order denying a motion to dismiss in S.E.C. v. NAC Foundation, LLC, et al. The U.S. Securities & Exchange Commission (SEC) had previously filed a civil complaint against blockchain development company NAC Foundation, LLC (NAC) and NAC’s CEO, Marcus Rowland, alleging that NAC’s and Rowland’s sale of “stand-in” digital tokens constituted a fraudulent and unregistered sale of digital securities. The Department of Justice (DOJ) brought a parallel criminal proceeding, alleging violations of federal wire fraud and money laundering statutes. DOJ also filed a separate criminal case against former high-profile lobbyist Jack Abramoff in connection with his role in the promotion of NAC’s digital assets.
Earlier this year, the U.S. Department of Justice (“DOJ”) released its highly anticipated Cryptocurrency Enforcement Framework (the “Framework”). The Framework was developed as part of the Attorney General’s Cyber-Digital Task Force, and contains three sections: (1) Threat Overview; (2) Law and Regulations; and (3) Ongoing Challenges and Future Strategies.
On December 1, 2020, the U.S. Commodity Futures Trading Commission (“CFTC”) Division of Enforcement released its Annual Report, which details a “record-breaking” fiscal year 2020 (“FY 2020”), despite the challenges presented by the COVID-19 pandemic.
Notably, the CFTC filed a historic 113 enforcement actions—up from 69 filed in FY 2019, 83 filed in FY 2018, and an increase over the previous high of 102 filed in FY 2012. The chart below shows the breakdown of enforcement actions by category, and Appendix B of the Annual Report provides individual case citations.
Weeks after touting its record-breaking enforcement haul, the Commodity Futures Trading Commission (“CFTC”) Enforcement Division issued a memorandum providing guidance for enforcement staff to use when recommending the recognition of cooperation, self-reporting and remediation during the enforcement process. The historic enforcement performance demonstrated that the CFTC can wield a large stick, but the latest guidance is aimed at recognizing efforts in resolving violations.
On September 17, 2020, the SEC announced the imposition of a cease-and-desist order against private equity firm Welsh, Carson, Anderson & Stowe (Welsh Carson), an SEC-registered investment manager, in connection with alleged violations of reporting obligations under Section 13(d) of the Securities Exchange Act of 1934 (Exchange Act). The SEC alleged that Welsh Carson had failed to timely amend a Schedule 13D report – commonly known as a beneficial ownership statement – after its investment position changed from an intent to acquire and restructure a company to an intent to liquidate its entire position in the company. In connection with the entry of the SEC’s cease-and-desist order, Welsh Carson agreed to pay a civil penalty of $100,000.
On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the recent uptick in “credential stuffing” cyber-attacks against SEC-registered investment advisers and broker-dealers.
Credential stuffing is an automated cyber-attack on Internet-based user accounts and firm networks. Attackers obtain usernames and passwords from the dark web and then use automated scripts that replay the compromised credentials in attempts to log in and gain unauthorized access to other customer accounts and firm networks. Credential stuffing has proven to be a more effective way for attackers to gain access to accounts and firm systems than traditional brute-force password attacks. If a credential stuffing attack succeeds, the attacker can gain access to, and control over, customer assets and confidential information.
The SEC, through its Office of Compliance Inspections and Examinations (“OCIE”), recently issued its most detailed cyber guidance to date. OCIE had previously issued several cybersecurity risk alerts over the past few years. This most recent release, however, offers much more than a risk alert. OCIE’s “Cybersecurity and Resiliency Observations” goes into significantly more detail than OCIE’s prior risk alerts in this area and is fashioned in a vastly different and more user-friendly format. Thus, it is required reading for SEC regulated entities because, rest assured, it will be closely followed and applied by OCIE staff conducting cyber examinations, as well as by the Division of Enforcement’s “Cyber Unit.”