Davis Polk Discusses SEC's Crypto Assets and Cyber Unit

The U.S. Securities and Exchange Commission (SEC) has recently announced the creation of a new unit, the Cyber and Emerging Technologies Unit (CETU), which marks a significant shift in the agency's approach to crypto enforcement. The repurposed unit is a result of changes to the original Crypto Assets and Cyber Unit, which was established in 2017.

The announcement signals a reduced focus on non-fraud crypto cases and an increased prioritization of traditional cybersecurity issues, such as cybersecurity controls at regulated entities and different types of hacking cases. The unit will also focus on fraud involving emerging technologies, use of trendy industries and technology to attract retail investors in offering frauds, and blockchain technology and crypto assets.

Regulated entities' compliance with cybersecurity rules is another area of focus for the new unit. The SEC has brought several enforcement actions against broker-dealers and investment advisers in recent years and expanded the cybersecurity requirements of the Safeguards Rule. The amendments added requirements for incident response programs, customer notifications, and regulatory obligations.

The announcement suggests a return to traditional cybersecurity issues identified when the SEC created the unit in 2017. However, it also signals a change in approach, with a greater emphasis on protecting retail investors and fraud cases involving emerging technologies.

Key Priorities for the New Unit

Public company cybersecurity disclosures are another area of focus for the new unit. The SEC has recently introduced new cybersecurity disclosure rules, which may signal a focus on egregious misstatements and a reliance on more conventional theories of materiality.

The announcement also highlights the importance of regulated entities' compliance with cybersecurity rules and regulations. The SEC has brought several enforcement actions against broker-dealers and investment advisers in recent years and expanded the cybersecurity requirements of the Safeguards Rule.

Changes to the Unit's Size and Scope

The new unit will be significantly smaller than its predecessor, with approximately 30 staff members instead of 50. Some personnel have transferred back to general enforcement work, indicating a reallocation of resources towards identifying fraud that impacts retail investors.

This shift aligns with the SEC's recent announcement of a Crypto Task Force, which aims to develop a comprehensive and clear regulatory framework for crypto assets and foster a regulatory environment that supports innovation.

Additional Developments

The announcement comes at a time when a permanent Chairman is expected to be confirmed, and former Commissioner Paul Atkins has been nominated for the position. The nomination is awaiting a Senate hearing, which may bring additional developments in the future.

Overall, the creation of the Cyber and Emerging Technologies Unit marks a significant shift in the SEC's approach to crypto enforcement. As the agency continues to evolve its regulatory framework, it remains to be seen how this new unit will impact the industry and investors.