Proposed Rules On Cybersecurity Disclosure
Earlier this year, the SEC published proposed rules on cybersecurity risk management, strategy, governance and incident disclosure by public companies. Although the comment period has passed, a final rule has not yet been issued. As of now, cybersecurity disclosures are encompassed within the general anti-fraud provisions including the requirement to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading” as well SEC guidance last updated in 2018 (see HERE).
The proposed amendments would require, among other things, current reporting about material cybersecurity incidents and updates about previously reported cybersecurity incidents. The proposal also would require periodic reporting about a company’s policies and procedures to identify and manage cybersecurity risks; the company’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal would further
Proposed 2021 U.S. Budget
In February, the Office of Management and Budget released the proposed fiscal 2021 United States government budget. The beginning of the Budget contains a message from President Trump delineating a list of key priorities of the administration including better trade deals, preserving peace through strength, overcoming the opioid crisis, regulation relief and American energy independence. The budget has some notable aspects that directly relate to the capital markets and its participants.
As the federal government has been doing for all agencies, the 2021 Budget seeks to eliminate agency reserve funds. Specifically regarding the SEC, the Budget cuts the SEC reserve by $50 million. The reduction in reserve fund is thought to increase overall accountability as the SEC would need to go to Congress to ask for additional funds if needed, with an explanation, instead of just accessing a reserve account. Reserve fund cuts are sent to the U.S. Treasury for deficit reduction.
However, the Budget also increases the
Division of Enforcement 2019 Annual Report
As my firm does not practice in the enforcement arena, it is not an area I always write about, but this year I found a few trends that are interesting. In particular, just by following published enforcement matters on the SEC’s website, I’ve noticed a large uptick in actions to suspend the trading in, or otherwise take action against, micro- and small-cap companies, especially delinquent filers. I’ve also noticed a large uptick of actions against smaller public and private companies that use misleading means to raise capital from retail investors, and the concurrent use of unlicensed broker-dealers. Of course, there have always been a significant number of actions involving cryptocurrencies. In light of my own observations, I decided to review and report on the SEC’s view of its actions.
As an aside, before discussing the report, I note that the Government Accountability Office (GAO) has raised concerns about the quality of record keeping and documentation maintained by the
SEC Strategic Plan
On June 19, 2018, the SEC published a draft Strategic Plan and requested public comment on the Plan. The Strategic Plan would guide the SEC’s priorities through fiscal year 2022. The Plan reiterates the theme of serving the interests of Main Street investors, but also recognizes the changing technological world with a priority of becoming more innovative, responsive and resilient to market developments and trends. The Plan also broadly focuses on improving SEC staff’s performance using data and analytics.
The Strategic Plan begins with a broad overview about the SEC itself, a topic I go back to and reiterate on occasion, such as HERE. The SEC’s mission has remained unchanged over the years, including to protect investors, maintain fair, orderly and efficient markets, and facilitate capital formation. In addition, according to the Strategic Plan, the SEC:
- Engages and interacts with the investing public directly on a daily basis through a variety of channels, including investor roundtables and education
The SEC Has Provided Guidance On Ether and Bitcoin, Sort Of
On June 14, 2018, William Hinman, the Director of the SEC Division of Corporation Finance, gave a speech at Yahoo Finance’s All Markets Summit in which he made two huge revelations for the crypto marketplace. The first is that he believes a cryptocurrency issued in a securities offering could later be purchased and sold in transactions not subject to the securities laws. The second is that Ether and Bitcoin are not currently securities. Also, for the first time, Hinman gives the marketplace guidance on how to structure a token or coin such that it might not be a security.
While this gives the marketplace much-needed guidance on the topic, a speech by an executive with the SEC has no legal force. As a result, the blogs and press responding to Mr. Hinman’s speech have been mixed. Personally, I think it is a significant advancement in the regulatory uncertainty surrounding the crypto space and a signal that more constructive guidance
The SEC Has Issued New Guidance On Cybersecurity Disclosures
On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.
The prior SEC guidance on the topic was dated, having been issued on October 13, 2011. For a review of this prior guidance, see HERE. The new guidance is not dramatically different from the 2011 guidance.
The topic of cybersecurity has been in the forefront in recent years, with the SEC issuing a series of statements and creating two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s). Moreover, the SEC has asked the House Committee on Financial
The Senate Banking Committee’s Hearing On Cryptocurrencies
On February 6, 2018, the United States Senate Committee on Banking Housing and Urban Affairs (“Banking Committee”) held a hearing on “Virtual Currencies: The Oversight Role of the U.S. Securities and Exchange Commission and the U.S. Commodity Futures Trading Commission.” Both SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo testified and provided written testimony. The marketplace as a whole had a positive reaction to the testimony, with Bitcoin prices immediately jumping up by over $1600. This blog reviews the testimony and provides my usual commentary.
The SEC and CFTC Share Joint Regulatory Oversight
The Banking Committee hearing follows SEC and CFTC joint statements on January 19, 2018 and a joint op-ed piece in the Wall Street Journal published on January 25, 2018 (see HERE). As with other areas in capital markets, such as swaps, the SEC and CFTC have joint regulatory oversight over cryptocurrencies. Where the SEC regulates securities and securities markets, the CFTC
SEC Statements On Cybersecurity – Part 2
On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC Edgar system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s).
The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.
This is the second in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. Part I of this blog, which outlined Chair Clayton’s statement on cybersecurity and the EDGAR
SEC Chair Jay Clayton Discusses Direction Of SEC
In a much talked about speech to the Economic Club of New York on July 12, 2017, SEC Chairman Jay Clayton set forth his thoughts on SEC policy, including a list of guiding principles for his tenure. Chair Clayton’s underlying theme is the furtherance of opportunities and protection of Main Street investors, a welcome viewpoint from the securities markets’ top regulator. This was Chair Clayton’s first public speech in his new role and follows Commissioner Michael Piwowar’s recent remarks to the SEC-NYU Dialogue on Securities Market Regulation largely related to the U.S. IPO market. For a summary of Commissioner Piwowar’s speech, read HERE.
Chair Clayton outlined a list of eight guiding principles for the SEC.
#1: The SEC’s Mission is its touchstone
As described by Chair Clayton, the SEC has a three part mission: (i) to protect investors; (ii) to maintain fair, orderly and efficient markets, and (iii) to facilitate capital formation. Chair Clayton stresses that it
Yahoo Hacking Scandal And Obligations Related To Cybersecurity
On September 26, 2016, Senator Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the bipartisan Senate Cybersecurity Caucus, wrote a letter to the SEC requesting that they investigate whether Yahoo, Inc., fulfilled its disclosure obligations under the federal securities laws related to a security breach that affected more than 500 million accounts. Senator Warner also requested that the SEC re-examine its guidance and requirements related to the disclosure of cybersecurity matters in general.
The letter was precipitated by a September 22, 2016, 8-K and press release issued by Yahoo disclosing the theft of certain user account information that occurred in late 2014. The press release referred to a “recent investigation” confirming the theft of user account information associated with at least 500 million accounts that was stolen in late 2014. Just 13 days prior to the 8-K and press release, on September 9, 2016, Yahoo filed a preliminary 14A filing with