Client Alert

February 25, 2025

Rebranding of SEC Cyber Unit Reflects Shift in Enforcement Priorities


Introduction

On Thursday, February 20, the U.S. Securities and Exchange Commission (“SEC”) announced that it created a Cyber and Emerging Technologies Unit (“CETU”) to combat cyber-focused financial misconduct. [Footnote 1: SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors, SEC.Gov (Feb. 20, 2025), https://www.sec.gov/newsroom/press-releases/2025-42.] The announcement reflects a (re)rebranding of the unit and forecasts a shift in the SEC’s overall regulatory and enforcement priorities. The Cyber Unit, originally established by the SEC in 2017, was renamed in May 2022 under Chair Gary Gensler as the Crypto Assets and Cyber Unit and expanded to include 50 positions. [Footnote 2: SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, SEC.Gov (Sept. 25, 2017), https://www.sec.gov/newsroom/press-releases/2017-176; SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit, SEC.Gov (May 3, 2022), https://www.sec.gov/newsroom/press-releases/2022-78.] And, as has been exhaustively discussed, during Chair Gensler’s tenure, the SEC instituted numerous enforcement actions against participants in the cryptocurrency industry, many of which did not include allegations that the defendants engaged in fraudulent conduct.

In its most recent redesign, the SEC did not disband the Unit altogether, and it is notable that Laura D’Allaird – a former counsel to a Democratic Commissioner who had been named co-head of the Crypto Assets and Cyber Unit in December – will remain as the head of the CETU. [Footnote 3: Aislinn Keely, SEC Taps New Co-Leaders For Crypto Enforcement Unit, Law360.com (Dec. 4, 2024), https://www.law360.com/pulse/articles/2269188/sec-taps-new-co-leaders-for-crypto-enforcement-unit.] Instead, as emphasized in the SEC’s press release, the CETU now will focus on fraud and other clearcut instances of cyber-related misconduct, particularly fraud that impacts retail investors. These “new” priorities greatly parallel those announced by the SEC with the initial iteration of the Cyber Unit under then Chairman Jay Clayton in 2017. [Footnote 4: SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, SEC.Gov (Sep. 25, 2017), https://www.sec.gov/newsroom/press-releases/2017-176.] The CETU will work alongside the Commission’s newly formed Crypto Task Force launched by Acting Chairman Mark Uyeda and led by Commissioner Hester Peirce. [Footnote 5: SEC Crypto 2.0: Acting Chairman Uyeda Announces Formation of New Crypto Task Force, SEC.Gov (Jan. 21, 2025), https://www.sec.gov/newsroom/press-releases/2025-30.]

Biden Administration Policies and Enforcement

Although crypto enforcement received much of the attention under the prior administration, the SEC was also very active in the area of cybersecurity. This included not only the promulgation of extensive new disclosure requirements for public companies, but also multiple enforcement actions against public companies for allegedly making misleading disclosures regarding cybersecurity risks and incidents and failing to have adequate disclosure controls, as well as against regulated entities such as broker-dealers and investment advisers.

In July 2023, the SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure by a split vote of 3-2. [Footnote 6: See King & Spalding, SEC Adopts Final Cybersecurity Disclosure Rules (July 31, 2023), https://www.kslaw.com/news-and-insights/sec-adopts-final-cybersecurity-disclosure-rules.] Commissioners Uyeda and Peirce dissented from the final rules (“the 2023 Cybersecurity Rule”), criticizing them as overly prescriptive and costly, and denounced the Commission’s expansive view of its authority and its effort to “create new disclosure obligations for cybersecurity matters that do not exist for any other topic.” [Footnote 7: Hester M. Peirce, SEC Comm’r, Harming Investors and Helping Hackers: Statement on Cybersecurity Risk Management, Strategy, Governance, and Incidence Disclosure, SEC.Gov (July 26, 2023), https://www.sec.gov/newsroom/speeches-statements/peirce-statement-cybersecurity-072623; Mark T. Uyeda, SEC Chairman, Statement on the Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC.Gov (July 26, 2023), https://www.sec.gov/newsroom/speeches-statements/uyeda-statement-cybersecurity-072623#_ftn6.]

In the litigated arena, the SEC suffered a significant defeat in July 2024 when much of its case against SolarWinds and its CISO Timothy Brown was dismissed. The SEC complaint alleged that (1) SolarWinds and Brown defrauded investors and customers through misstatements and omissions that concealed SolarWinds’ known cybersecurity risks, and (2) SolarWinds failed to maintain adequate internal accounting and disclosure controls. The Court dismissed claims based on the company’s disclosures concerning a significant cyberattack as “rely[ing] on hindsight and speculation,” [Footnote 8: SEC v. SolarWinds Corp., 741 F.Supp.3d 37, 50 (S.D.N.Y. 2024).] and also dismissed the SEC’s internal accounting controls and disclosure controls claims. The accounting controls ruling was significant because the SEC had overreached in recent years by claiming that multiple types of conduct involving an entity’s governance (e.g., management of cybersecurity risks) fit within the internal accounting controls provision. The SEC’s claims based on certain statements in a Security Statement posted on the Company’s website survived, and the litigation remains pending.

In addition, the SEC brought a number of other settled actions against public companies for cybersecurity-related violations, prompting strong dissents from Commissioners Uyeda and Peirce. In June 2024, Commissioners Uyeda and Peirce dissented from a settled action against R.R. Donnelley & Sons Company for alleged insufficiencies in its internal accounting and disclosure controls related to a 2021 ransomware attack. [Footnote 9: SEC Charges R.R. Donnelley & Sons Co. With Cybersecurity-Related Controls Violations, SEC.Gov (July 2, 2024), https://www.sec.gov/newsroom/press-releases/2024-75.] Commissioners Peirce and Uyeda expressed concern over the Commission’s plans to “dictate public company cybersecurity practices indirectly using its ever-flexible Section 13(b)(2)(B) tool” and its “decision to stretch the law to punish a company that was the victim of a cyberattack,” noting that “such an action inappropriately amplifies a company’s harm from a cyberattack.” [Footnote 10: Hester M. Peirce and Mark T. Uyeda, SEC Comm’rs, Hey, look, there’s a hoof cleaner! Statement on R.R. Donnelley & Sons, Co., SEC.Gov (June 18, 2024), https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-rr-donnelley-061824.] And then in October 2024, Commissioners Uyeda and Peirce dissented from settled actions against four customers of SolarWinds, which allegedly made materially misleading disclosures about the impact of the cyberattack against SolarWinds on their operations. Commissioners Uyeda and Peirce criticized the Commission for engaging in “hindsight review” and stated that “aggressive enforcement by the Commission may cause companies to fill their risk disclosures with occurrences of immaterial events, for fear of being second-guessed by the Commission” and then “the benefits and underlying rationale used to support the 2023 Cybersecurity Rule may be undermined.” [Footnote 11: Hester M. Peirce and Mark T. Uyeda, SEC Comm’rs, Statement Regarding Administrative Proceedings Against SolarWinds Customers, SEC.Gov (Oct. 22, 2024), https://www.sec.gov/newsroom/speeches-statements/peirce-uyeda-statement-solarwinds-102224.]

The New SEC’s Cybersecurity Enforcement Priorities

Now that Commissioners Uyeda and Peirce comprise a majority of the Commission, with Commissioner Uyeda as the Acting Chair, we expect to see an approach to cybersecurity enforcement that more closely aligns with their dissents in these cases, and those priorities are reflected in the stated priority areas of the CETU, which include:

  • Fraud committed using emerging technologies, such as artificial intelligence and machine learning
  • Use of social media, the dark web, or false websites to perpetrate fraud
  • Hacking to obtain material nonpublic information
  • Takeovers of retail brokerage accounts
  • Fraud involving blockchain technology and crypto assets
  • Regulated entities’ compliance with cybersecurity rules and regulations
  • Public issuer fraudulent disclosure relating to cybersecurity [Footnote 12: SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors, SEC.Gov (Feb. 20, 2025), https://www.sec.gov/newsroom/press-releases/2025-42.]

These priorities reflect a return to a focus on clearly fraudulent conduct and violations that impact retail investors, which typically are SEC enforcement priorities during Republican administrations. These newly announced bullets describing the CETU’s priorities are incredibly consistent with the priorities announced when the Cyber specialized enforcement unit was first created under the most recent previous Republican administration in 2017. [Footnote 13: SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, SEC.Gov (Sep. 25, 2017), https://www.sec.gov/newsroom/press-releases/2017-176.] They are also consistent with many of the public statements of former Commissioner and now SEC Chair nominee Paul Atkins, who has commented in the past that the SEC should not be “devising new legal theories that reach behavior that does not clearly violate an existing rule” or playing “gotcha” with its enforcement powers, but rather should pursue enforcement when “fraud and deception have taken place.” [Footnote 14: Paul Atkins, SEC Comm’r, Remarks Before the U.S. Chamber of Commerce Mid-Market Elite Series, SEC.Gov (July 8, 2008), https://www.sec.gov/news/speech/2008/spch070808psa.htm.]

As a result, while public company disclosures and regulated entities’ compliance with cybersecurity rules will remain areas of focus, we expect that cases in those areas will focus on clearcut violations where there is evidence of scienter, rather than instances where the SEC is second-guessing language choices or materiality judgments with the benefit of hindsight.

In 2024, King & Spalding won the Innovation in Digital Legal Products Award from the Financial Times, which recognized the firm for its work leveraging Generative AI to enhance cybersecurity risk assessments for clients.