Longtime colleagues at the SEC's Division of Enforcement, Skadden Partners Anita Bandy and Dan Michael provide an insider's look at what the SEC's new Crypto Assets and Cyber Unit means for companies. The unit is part of SEC Chair Gary Gensler's larger effort to regulate the crypto markets and protect investors.
At the SEC, Ms. Bandy supervised, investigated and brought actions covering the entire breadth of the agency's enforcement authority. She held numerous leadership roles in the Enforcement Division, including most recently serving as an associate director in the agency’s Washington, D.C. headquarters, where she oversaw a vast docket of enforcement matters.
As the former chief of the SEC's Complex Financial Instruments Unit, Mr. Michael oversaw a nationwide team of attorneys responsible for many of the Enforcement Division’s most programmatically significant cases, including a broad range of actions against financial institutions, hedge funds, mutual funds, issuers, credit rating agencies, fintech companies and other market participants.
Anita Bandy (00:13):
Hi everyone. I’m Anita Bandy, and I’m here with Dan Michael. We’re both Skadden Partners in Skadden’s White Collar and SEC Enforcement practice. We also happen to be close friends and share a very long history of working together at the SEC’s Enforcement Division prior to joining the firm. Today, we’ll be talking about the SEC’s newly branded Crypto Assets and Cyber Unit, which is the specialized unit of the SEC that’s charged with investigating and bringing cases in the cyber and digital asset space. A rapidly evolving area, and it’s also a high priority area for the current SEC chairman, Gary Gensler, who also used to teach a class on this topic before coming to the SEC. I would love to get your thoughts on what this signals, and what was your reaction to this announcement?
Daniel Michael (01:04):
Yeah, I think by all measures, it’s a pretty significant step. I think it’s Gensler really putting his money where his mouth is. Obviously he’s outspoken in the area of digital assets. I think his views are very, very well known, and here he already had a group existing to focus on it, but now he has a group of size. I think they’re now the second biggest unit right behind the Asset Management unit in terms of size. So, definitely a very substantial increase. I also thought what was notable is a number of the spots, I think seven, were for trial counsel, which I thought, to my knowledge, is the first time that’s happened to where a unit has its own dedicated trial counsel. Anita, what are your thoughts?
Anita Bandy (01:46):
I also think that it signals that the SEC’s enforcement staff may be more aggressive when it comes to settlements, insisting on admissions, higher penalties, as we saw in the BlockFi case, and uniquely tailored undertakings that’s commensurate with the enforcement staff’s view of the misconduct. What do you think this all means for crypto assets, in terms of where the enforcement focus is going to be?
Daniel Michael (02:13):
That’s kind of the big question, and I think it’s a really good one. It’s a really interesting time right now in the digital asset space. I referred before to Gensler’s priorities and his vision, all of which is very well known just based on his public statements and the cases that have been coming out of the division during his tenure as chair, even recently just given the recent downturn in the crypto markets. Definitely see him seizing on that, highlighting that as a need for regulation, speaking not just about market risk, but also raising the prospect of counterparty risk. The Office of the Chief Accountant just worked on SAB 121, which provided some guidance along those lines. I think there was a recent speech he gave about a week or so ago. Just mentioned in passing that the SEC’s working with the CFTC on a memo that’s laying out respective jurisdictions in the digital asset space.
Daniel Michael (03:06):
I thought that was a very notable and also a very shrewd move on his part, and on the part of the agency generally. We’re at a point in time where jurisdiction isn’t completely clear. There’s a lot of proposals being considered in Congress, some of which give the SEC more authority, some of which give it less, some of which transfer it elsewhere, but I think if you have an agreed-upon framework by the two agencies who are the primary players and are the two agencies with expertise in the space, that’s a document that’ll definitely be persuasive in Congress. So, I thought the move in terms of building out the Cyber Unit I saw is somehow, or in some way, possibly connected to that, because, as I said earlier, he is putting his money where his mouth is. He’s committing the resources. He says he not only has the desire to regulate the space, but he’s willing to commit the resources to doing so. I see the two working together, in almost as can be seen as say, a bid for jurisdiction. So, we’ll see how that plays out.
Anita Bandy (04:06):
Yeah, I think that’s a very fair assessment. The way I was also thinking about enforcement was really focused more on settlements, given that most of the cases in the division do settle. In terms of settlements in this space, one theme that may remain unchanged from the time that you and I were both there is the SEC’s focus on not allowing conduct to continue once there is a view that there is a registration violation under Section 5, and how settlements are structured to prevent the SEC’s view of creating a new class of harmed investors from secondary market trading. One of the observations early on in the program that I think will continue, is looking for creative ways and undertakings to prevent that kind of perception of preventing secondary market harm.
Anita Bandy (05:03):
I think it’s interesting that under the current administration in the BlockFi settlement, once the Section 5 registration violation was established, as part of the settlement, BlockFi agreed to register. Where you don’t see parties willing to register, you see undertakings, for example, in the Wireline case, one that I oversaw, that included notifying investors of the SEC’s order that lays out the charges, and making sure that tokens would not be redistributed. Other undertakings have included directing exchanges not to trade the token, or disabling the token. I think in another recent case under the Gensler administration in the Tierion matter, the entity compensated investors who bought in the secondary market. So, I think that we’re going to continue to see a lot of the resources be directed at unique undertakings based on this concern. I don’t see that going away.
Daniel Michael (05:58):
I totally agree with that. I think there’s much more of a push, and again, it just dovetails very nicely with statements Gensler’s been making, which is if you’re in this space, you need to be registered. One case that comes to mind is the Poloniex case in which it was an exchange for digital assets. There, Poloniex, this case was about a little over a year old now, was charged, paid a penalty, but wasn’t required to register, just had to have better controls to ensure that the digital assets on its platform were not securities. Now, we’re seeing a lot of statements by Gensler that if you’re a platform, odds are, you have securities, therefore you need to register.
Daniel Michael (06:37):
You also have a lot of cases out there where registration is a required component. To switch gears slightly to focus on the other piece of the name, Crypto Assets and Cyber. So it looks like clearly there’s a lot of emphasis on cybersecurity. There’s a good bit of proposed rulemaking. Obviously that’s a significant part of the remit of this unit, which historically was also part of it before, so not a big change there. But just based on all this attention and focus, Anita, what are your thoughts in terms of what public companies should be thinking about?
Anita Bandy (07:07):
Yeah, it’s a very good question, especially in light of the new rulemaking. It’s an expansive regime in terms of putting the onus on companies to report material cybersecurity incidents within four business days of discovery. Although the rulemaking leaves it up to the issuer to decide on issues of materiality, the period of reporting is very limited. It’s four days, and that’s part of the rule that has raised a lot of concerns and dissent in the rulemaking, because it could really come into tension with ongoing law enforcement efforts. If there’s an incident, a hacking, some kind of a legal encroachment into the company’s systems, there could be an ongoing FBI investigation. There could be national security issues. So, there’s a real tension that I hope is reconciled through the comment period, and before this kind of rule gets finalized.
Anita Bandy (08:00):
I think that we’re awaiting further guidance from the SEC on that particular point, but I think that there’s a whole host of corporate governance and controls that companies would have to put in place in terms of how it’s monitoring risks, how it’s documenting those risks, whether companies have board-level controls that manages cybersecurity issues, and so those are all things that companies need to start considering. I think another really intriguing and expansive part of the new rulemaking is that the rules, cybersecurity systems that they’re responsible for, aren’t just limited to what the company owns, but it also includes third-party systems. If the rule, again, becomes final, the companies would have to go into their chain of distribution and look into third-party systems, because those could trigger violations.
Daniel Michael (08:51):
What do you see the focus of that group as it relates to cyber issues and public companies?
Anita Bandy (08:57):
My first observation is that I think enforcement’s going to use their existing enforcement authority under the existing statutes to pursue conduct and disclosures that it believes fit under the current statutory regime. The enforcement program certainly hasn’t waited to bring cybersecurity cases. Two recent cases that come to mind include the Pearson plc matter, and the First American matter. Pearson involved a disclosure violation where the company made the disclosure as a hypothetical risk of a cybersecurity incident, when there was an actual risk. So, that’s more your traditional disclosure violation type of matter that’s not uncommon to the program. But I thought First American was really interesting because that related to a vulnerability of a cybersecurity incident, and the company was charged for not having controls that enabled management and executives to be informed of that vulnerability, even though the vulnerability was not exploited. Both of those cases signal the SEC’s continued focus on not just disclosures and holding companies accountable to the disclosures that it voluntarily makes, assuming they’re material, but also the control surrounding disclosure violations.
Anita Bandy (10:15):
I also think it’s not just a public company problem. The SEC has also pursued cases in the registered space, and we saw that earlier where the SEC brought a sweep, and charged eight registered firms for not having appropriate policies and procedures that manage the risk of account takeovers and email takeovers. In those cases, Advisers Act 206(4)-7 was also charged, an area that both you and I are very familiar with, that requires policies and procedures for registered entities. Then finally, a case that I just found fascinating that the SEC just brought in the last several weeks was the NVIDIA Corp. matter. In that particular case, it was a first-of-its-kind case, first of all, where the company was charged for essentially not making proper disclosures in the MD&A portion of its filing, and omitting the fact that their very significant revenue growth was more related to crypto mining as part of its gaming business, which is much more volatile, subject to risk and created uncertainties surrounding future growth.
Anita Bandy (11:31):
Interestingly, no individuals were charged. So, I thought that was also a very interesting expansion of how enforcement’s looking at these cases. The other fascinating part of that case is that the revenue growth for that company was accurate. There were no accounting violations alleged, and the company’s high degree of revenue growth was all true and appropriately disclosed. It’s the fact that the revenue growth was related to a risky part of the business that created the problem. So, I think we can expect enforcement to really focus heavily on disclosures, not just misstatements in terms of what’s voluntarily on file, but also omissions and particular focus on trends, risks and uncertainties in the management discussion and analysis part of financial reporting.
Daniel Michael (12:19):
I definitely think that’s, I think, across areas, not just in the cyber area, a big focus and will continue to be just given its importance, obviously.