At the end of each fiscal year, the U.S. Securities and Exchange Commission (SEC) issues its annual enforcement report. Within the report the SEC publishes its enforcement statistics for the year, categorizing each individual enforcement action the agency brings. The past several years, under Chair Gary Gensler’s leadership, saw a significant dedication of resources to investigating and charging participants in the cryptocurrency or digital assets space and the cybersecurity space. Within the annual enforcement report, there are no specific “crypto” or “cyber” categories, but these actions have taken up an outsized representation in the securities offering, broker-dealer, securities exchange, and public issuer reporting statistics. When the SEC issues the next annual enforcement report for fiscal year 2025, we expect a very different set of statistics. Securities offering actions (often corresponding to investment frauds such as Ponzi and pyramid schemes) and investment adviser actions (often corresponding to harms to retail advisory clients) will almost certainly be up, and the “crypto” and “cyber” cases — no matter what category they fit into — will almost certainly be down. Public statements by the new SEC administration under Acting Chair Mark Uyeda have said as much, but even more telling than public statements is the allocation of limited enforcement resources.
On Feb. 20, the SEC announced that it created a Cyber and Emerging Technologies Unit (CETU) to combat cyber-focused financial misconduct. See, “SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors,” SEC.Gov (Feb. 20, 2025).
The announcement reflects a (re)rebranding of the unit and a tangible shift in the SEC’s overall regulatory and enforcement priorities. The Cyber Unit, originally established by the SEC in 2017, was renamed in May 2022 under Chair Gensler as the Crypto Assets and Cyber Unit and expanded to include 50 positions. See, “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC.Gov (Sept. 25, 2017); “SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit,” SEC.Gov (May 3, 2022).
In its most recent redesign, the SEC did not disband the Unit altogether, and it is notable that Laura D’Allaird — a former counsel to a Democratic Commissioner who had been named co-head of the Crypto Assets and Cyber Unit in December 2024 — will remain as the head of the CETU. See, Aislinn Keely, “SEC Taps New Co-Leaders For Crypto Enforcement Unit,” Law360.com (Dec. 4, 2024). Instead, as emphasized in the SEC’s press release, the CETU now will focus on fraud and other clear-cut instances of cyber-related misconduct, particularly fraud that impacts retail investors. These “new” priorities greatly parallel those announced by the SEC with the initial iteration of the Cyber Unit under then-Chairman Jay Clayton in 2017. See, “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC.Gov (Sept. 25, 2017). The CETU will work alongside the Commission’s newly formed Crypto Task Force launched by Acting Chair Uyeda and led by Commissioner Hester Peirce. See, “SEC Crypto 2.0: Acting Chairman Uyeda Announces Formation of New Crypto Task Force,” SEC.Gov (Jan. 21, 2025).
Although crypto enforcement received much of the attention under the prior administration, the SEC was also very active in the area of cybersecurity. This included not only the promulgation of extensive new disclosure requirements for public companies, but also multiple enforcement actions against public companies for allegedly making misleading disclosures regarding cybersecurity risks and incidents and failing to have adequate disclosure controls, as well as against regulated entities such as broker-dealers and investment advisers.
In July 2023, the SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure by a split vote of 3-2. See, King & Spalding, “SEC Adopts Final Cybersecurity Disclosure Rules” (July 31, 2023). Commissioners Uyeda and Peirce dissented from the final rules (the 2023 Cybersecurity Rule), criticizing them as overly prescriptive and costly, and denounced the Commission’s expansive view of its authority and its effort to “create new disclosure obligations for cybersecurity matters that do not exist for any other topic.” Hester M. Peirce, SEC Comm’r, “Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incidence Disclosure,” SEC.Gov (July 26, 2023); Mark T. Uyeda, SEC Chairman, “Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” FN 6, SEC.Gov (July 26, 2023).
In the litigated arena, the SEC suffered a significant defeat in July 2024 when much of its case against SolarWinds and its CISO Timothy Brown was dismissed. The SEC complaint alleged that: 1) SolarWinds and Brown defrauded investors and customers through misstatements and omissions that concealed SolarWinds’ known cybersecurity risks; and 2) SolarWinds failed to maintain adequate internal accounting and disclosure controls. The court dismissed claims based on the company’s disclosures concerning a significant cyberattack as “rely[ing] on hindsight and speculation,” and also dismissed the SEC’s internal accounting controls and disclosure controls claims. See, SEC v. SolarWinds Corp., 741 F.Supp.3d 37, 50 (S.D.N.Y. 2024). The accounting controls ruling was significant because the SEC had overreached in recent years by claiming that multiple types of conduct involving an entity’s governance (e.g., management of cybersecurity risks) fit within the internal accounting controls provision. The SEC’s claims based on certain statements in a Security Statement posted on the Company’s website survived, and the litigation remains pending.
In addition, the SEC brought a number of other settled actions against public companies for cybersecurity-related violations, prompting strong dissents from Commissioners Uyeda and Peirce. In June 2024, Commissioners Uyeda and Peirce dissented from a settled action against R.R. Donnelley & Sons Company for alleged insufficiencies in its internal accounting and disclosure controls related to a 2021 ransomware attack. See, “SEC Charges R.R. Donnelley & Sons Co. With Cybersecurity-Related Controls Violations,” SEC.Gov (July 2, 2024). Commissioners Peirce and Uyeda expressed concern over the Commission’s plans to “dictate public company cybersecurity practices indirectly using its ever-flexible Section 13(b)(2)(B) tool” and its “decision to stretch the law to punish a company that was the victim of a cyberattack,” noting that “such an action inappropriately amplifies a company’s harm from a cyberattack.” Hester M. Peirce and Mark T. Uyeda, SEC Comm’rs, “Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.,” SEC.Gov (June 18, 2024).
And then in October 2024, Commissioners Uyeda and Peirce dissented from settled actions against four customers of SolarWinds, which allegedly made materially misleading disclosures about the impact of the cyberattack against SolarWinds on their operations. Commissioners Uyeda and Peirce criticized the Commission for engaging in “hindsight review” and stated that “aggressive enforcement by the Commission may cause companies to fill their risk disclosures with occurrences of immaterial events, for fear of being second-guessed by the Commission” and then “the benefits and underlying rationale used to support the 2023 Cybersecurity Rule may be undermined.” Peirce and Uyeda, SEC Comm’rs, “Statement Regarding Administrative Proceedings Against SolarWinds Customers,” SEC.Gov (Oct. 22, 2024).
Now that Commissioners Uyeda and Peirce comprise a majority of the Commission, with Commissioner Uyeda as the Acting Chair, we expect to see an approach to cybersecurity enforcement that more closely aligns with their dissents in these cases, and those priorities are reflected in the stated priority areas of the CETU, which include: