Shifting Crypto and Cyber Priorities In SEC Enforcement

Cryptocurrency

On Feb. 20, SEC announced that it created a Cyber and Emerging Technologies Unit (CETU) to combat cyber-focused financial misconduct. See, “SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors,” SEC.Gov (Feb. 20, 2025).
The announcement reflects a (re)rebranding of the unit and a tangible shift in the SEC’s overall regulatory and enforcement priorities. The Cyber Unit, originally established by the SEC in 2017, was renamed in May 2022 under Chair Gensler as the Crypto Assets and Cyber Unit and expanded to include 50 positions. See, “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC.Gov (Sept. 25, 2017); “SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit,” SEC.Gov (May 3, 2022).
In its most recent redesign, the SEC did not disband the Unit altogether, and it is notable that Laura D’Allaird — a former counsel to a Democratic Commissioner who had been named co-head of the Crypto Assets and Cyber Unit in December 2024 — will remain as the head of the CETU. See, Aislinn Keely, “SEC Taps New Co-Leaders For Crypto Enforcement Unit,” Law360.com (Dec. 4, 2024). Instead, as emphasized in the SEC’s press release, the CETU now will focus on fraud and other clearcut instances of cyber-related misconduct, particularly fraud that impacts retail investors. These “new” priorities greatly parallel those announced by the SEC with the initial iteration of the Cyber Unit under then Chairman Jay Clayton in 2017. See, “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC.Gov (Sep. 25, 2017). The CETU will work alongside the Commission’s newly formed Crypto Task Force launched by Acting Chair Uyeda and led by Commissioner Hester Peirce. See, “SEC Crypto 2.0: Acting Chairman Uyeda Announces Formation of New Crypto Task Force,” SEC.Gov (Jan. 21, 2025).

Cybersecurity

Although crypto enforcement received much of the attention under the prior administration, the SEC was also very active in the area of cybersecurity. This included not only the promulgation of extensive new disclosure requirements for public companies, but also multiple enforcement actions against public companies for allegedly making misleading disclosures regarding cybersecurity risks and incidents and failing to have adequate disclosure controls, as well as against regulated entities such as broker-dealers and investment advisers.
In July 2023, the SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure by a split vote of 3-2. See, King & Spalding, “SEC Adopts Final Cybersecurity Disclosure Rules” (July 31, 2023). Commissioners Uyeda and Peirce dissented from the final rules (the 2023 Cybersecurity Rule), criticizing them as overly prescriptive and costly, and denounced the Commission’s expansive view of its authority and its effort to “create new disclosure obligations for cybersecurity matters that do not exist for any other topic.” Hester M. Peirce, SEC Comm’r, “Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incidence Disclosure,” SEC.Gov (July 26, 2023); Mark T. Uyeda, SEC Chairman, “Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” FN 6, SEC.Gov (July 26, 2023).
In the litigated arena, the SEC suffered a significant defeat in July 2024 when much of its case against SolarWinds and its CISO Timothy Brown was dismissed. The SEC complaint alleged that: 1) SolarWinds and Brown defrauded investors and customers through misstatements and omissions that concealed SolarWinds’ known cybersecurity risks; and 2) SolarWinds failed to maintain adequate internal accounting and disclosure controls. The court dismissed claims based on the company’s disclosures concerning a significant cyberattack as “rely[ing] on hindsight and speculation,” and also dismissed the SEC’s internal accounting controls and disclosure controls claims. See, SEC v. SolarWinds Corp., 741 F.Supp.3d 37, 50 (S.D.N.Y. 2024). The accounting controls ruling was significant because the SEC had overreached in recent years by claiming that multiple types of conduct involving an entity’s governance (e.g., management of cybersecurity risks) fit within the internal accounting controls provision. The SEC’s claims based on certain statements in a Security Statement posted on the Company’s website survived, and the litigation remains pending.
In addition, the SEC brought a number of other settled actions against public companies for cybersecurity-related violations, prompting strong dissents from Commissioners Uyeda and Peirce. In June 2024, Commissioners Uyeda and Peirce dissented from a settled action against R.R. Donnelley & Sons Company for alleged insufficiencies in its internal accounting and disclosures controls related to a 2021 ransomware attack. See, “SEC Charges R.R. Donnelley & Sons Co. With Cybersecurity-Related Controls Violations,” SEC.Gov (July 2, 2024). Commissioners Peirce and Uyeda expressed concern over the Commission’s plans to “dictate public company cybersecurity practices indirectly using its ever-flexible Section 13(b)(2)(B) tool” and its “decision to stretch the law to punish a company that was the victim of a cyberattack,” noting that “such an action inappropriately amplifies a company’s harm from a cyberattack.” Hester M. Peirce and Mark T. Uyeda, SEC Comm’rs, “Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co.,” SEC.Gov (June 18, 2024).
And then in October 2024, Commissioners Uyeda and Peirce dissented from settled actions against four customers of SolarWinds, which allegedly made materially misleading disclosures about the impact of the cyberattack against SolarWinds on their operations. Commissioners Uyeda and Peirce criticized the Commission for engaging in “hindsight review” and stated that “aggressive enforcement by the Commission may cause companies to fill their risk disclosures with occurrences of immaterial events, for fear of being second-guessed by the Commission” and then “the benefits and underlying rationale used to support the 2023 Cybersecurity Rule may be undermined.” Peirce and Uyeda, SEC Comm’rs, “Statement Regarding Administrative Proceedings Against SolarWinds Customers,” SEC.Gov (Oct. 22, 2024).
Now that Commissioners Uyeda and Peirce comprise a majority of the Commission, with Commissioner Uyeda as the Acting Chair, we expect to see an approach to cybersecurity enforcement that more closely aligns with their dissents in these cases, and those priorities are reflected in the stated priority areas of the CETU, which include: