On September 25, 2017, the Securities and Exchange Commission (SEC) announced the launch of its new Cyber Unit. Drawing on the existing cyber experience of the SEC’s Enforcement Division, and including personnel from around the country, the Cyber Unit will target cyber-related misconduct in the following areas identified by the SEC:
- Market manipulation schemes involving false information spread through electronic and social media
- Hacking to obtain material nonpublic information
- Violations involving distributed ledger technology (DLT) and initial coin offerings (ICOs)
- Misconduct perpetrated using the dark web
- Intrusions into retail brokerage accounts
- Cyber-related threats to trading platforms and other critical market infrastructure
The SEC’s focus on most of these areas of cyber misconduct should come as no surprise. However, on the heels of issuing its DAO Report, which analyzed the features of an ICO that could cause it to be a securities offering, the SEC is sending a clear message that it is committed to pursuing violations of the U.S. federal securities laws relating to DLT and ICOs. In the DAO Report, the SEC stated that “[t]he automation of certain functions through this new technology, ‘smart contracts,’ or computer code, does not remove conduct from the purview of the U.S. federal securities laws.” We expect the Cyber Unit to be on the lookout for offerings of tokens that fit within the definition of “security” under applicable securities law and common law.
In particular, the Cyber Unit will likely set its sights on ICOs of the type that, because of their terms, constitute unregistered securities offerings (absent an exemption) and on platforms or systems that facilitate secondary market trading of tokens deemed to be securities, for potential failure to register as a national securities exchange or Alternative Trading System (ATS). While transactions involving fraud or investment losses are likely to remain enforcement priorities, the SEC can also take enforcement action for failure to register securities or intermediaries in the absence of those elements.
The SEC chose not to pursue enforcement action related to the offering discussed in the DAO Report. However, that involved offshore principals and was likely passed on, in part, due to potential arguments about regulatory uncertainty in this area. Now this industry has been put on notice of the securities law requirements that may apply to ICOs and other new initiatives utilizing DLT. Participants in these initiatives should be mindful of the attendant regulatory risks and would be wise to conduct a pre-launch analysis of their status under the U.S. federal securities laws and applicable SEC rules and regulations. Depending on the circumstances, these initiatives may also fall within the jurisdiction of the U.S. Commodity Futures Trading Commission (CFTC), which, in September 2015, formally announced its view that virtual currencies are properly defined as commodities. While the CFTC does not regulate the sale of commodities directly, it does regulate certain contracts involving commodities, including futures and swaps.