On May 3, 2022 the Securities and Exchange Commission (the “SEC”) announced the addition of 20 new positions to the Division of Enforcement’s newly renamed Crypto Assets and Cyber Unit (formerly known as the Cyber Unit), expanding the Crypto Assets and Cyber Unit to 50 positions (the “Announcement”).[i] With its expanded numbers, the Crypto Assets and Cyber Unit will continue to identify cybersecurity disclosure and control issues and will focus on investigating:
· Crypto asset offerings;
· Crypto asset exchanges;
· Crypto asset lending and staking products;
· Decentralized finance (“DeFi”) platforms;
· Non-fungible tokens (“NFTs”); and
· Stablecoins.[ii]
This Announcement is the latest in a string of SEC initiatives aimed at policing the use of crypto assets and bolstering market participants’ cybersecurity measures. In 2022 alone, the SEC has proposed rules on cybersecurity preparation and disclosure (the “Proposal”),[iii] highlighted cybersecurity and crypto-assets in the Division of Examination’s Examination Priorities (the “Examination Priorities”),[iv] and issued at least four press releases in 2022 touting crypto-related enforcement actions.[v] We discussed the proposed rules and Examination Priorities in our blog posts, SEC’s Division of Examinations Releases 2022 Examination Priorities and Man the Cyber Forts! – SEC Proposes New Cybersecurity Regulations for RIAs and Funds.
The Announcement, combined with the SEC’s crypto-related enforcement actions, has sowed concern within the industry (and among the SEC commissioners) that the SEC is taking a “regulation by enforcement” approach to crypto assets.[vi] Voicing this concern and responding to the Announcement, SEC Commissioner Hester Pierce tweeted “The SEC is a regulatory agency with an enforcement division, not an enforcement agency. Why are we leading with enforcement in crypto?”[vii] Regulation by enforcement often leaves market participants facing the threat of enforcement action while lacking appropriate SEC guidance. Market participants involved in crypto assets should carefully review their policies and procedures in light of the Crypto Assets and Cyber Unit’s focus areas (listed above) and the Examination Priorities.
Further, the Announcement crystalizes what was already quite clear – cybersecurity is a top priority for the SEC. Accordingly, we suggest that all market participants review and test their cybersecurity policies, procedures, and practices in light of the Proposal and Examination Priorities. Even though the Proposal is still pending, market participants should review its contents for insights into the SEC’s cybersecurity priorities.
[iii] SEC Proposed Rules, Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, SEC Release Nos. 33-11028; 34-94197; IA-5956; IC-34497, available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf; SEC Press Release, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds, February 9, 2022, available at https://www.sec.gov/news/press-release/2022-20.
[iv] SEC, Division of Examinations, 2022 Examinations Priorities, (March 30, 2022), https://www.sec.gov/files/2022-exam-priorities.pdf at 15–16.