2018 arrived in the wake of big changes at the U.S. Securities and Exchange Commission (the “SEC”).  Jay Clayton was sworn in as Chairman of the Commission in May, naming Steve Peikin and Stephanie Avakian as Co-Directors of the Enforcement Division (the “Division”) in June.  As many do for the start of a new year, they have evaluated the Division’s priorities and promised a new focus.  According to a speech by Ms. Avakian late last year, we can expect the Division to direct its resources and attention to two priorities going forward:  the protection of retail investors and cybersecurity.

Retail Investors

In her speech, Ms. Avakian made clear that the Division’s resources will be allocated first and foremost to the protection of retail investors.  Retail investors are vulnerable to a wide range of risks, including Ponzi schemes and other offering frauds, as well as misconduct by investment professionals.  Such misconduct can include, for example, steering customers to high-cost mutual funds when lower-cost alternatives are readily available, failing to disclose relevant costs and fees that can hurt performance, buying and holding products that are unsuitable for long-term investment, and excessive churning of customer brokerage accounts.

The protection of retail investors is, of course, not a new priority, but Ms. Avakian’s statements suggest that the Division will bring new strategies to bear in 2018.  Ms. Avakian described the Division’s plan to more effectively combat retail investor issues with the use of technology and investor education.  Intra-agency cooperation among the Division, the Office of Market Intelligence, the Center for Risk and Quantitative Analytics, and the Office of Compliance, Inspections and Examinations will be a key element of these strategies.

Coordinating these efforts will be the responsibility of the new Retail Strategy Task Force (the “Task Force”).  Formed in late 2017, the Task Force will investigate ways to utilize data analytics and other technology—including text analytics and machine learning—to more efficiently identify widespread abuses that threaten retail investors.  While Ms. Avakian characterized the Task Force as performing a more “strategic” than investigative role, she noted it will refer matters that warrant investigation to the Division.

The Task Force will also focus on investor outreach to help retail investors protect themselves.  With the aid of regional offices, it will educate retail investors on the information it collects in order to empower them to make informed investment decisions.

Recent cases illustrate the Division’s renewed focus on protecting retail investors.  For example, the Division recently announced charges against an insurance executive and his companies for fraudulently raising funds from retail investors and a settled enforcement action against an investment adviser who failed to disclose his managerial interests in funds he sold to clients.

Cybersecurity Threats

The Division also anticipates that the increasing number and impact of cyber-related issues will bring cybersecurity to the forefront of its priorities.  In late 2017, the SEC announced the formation of a new Cyber Unit to deal with the increasingly complex nature of cyber threats from foreign and domestic actors, such as traders in stolen market-moving information, market manipulators, and state-sponsored hackers.  Ms. Avakian described these threats as “so serious” as to require a dedicated group of personnel and resources devoted to their pursuit.

According to Ms. Avakian’s speech, the Cyber Unit, with the help of the SEC’s Office of Compliance, Inspections and Examinations, will focus on three main enforcement areas:

(i) hacking to access information, access brokerage accounts, or disseminate false information;

(ii) failures by investment advisers and broker-dealers to reasonably safeguard information and system integrity; and

(iii) failures by public companies to timely disclose material cyber risks and incidents.

With respect to this third area, Ms. Avakian directed public companies to CF Disclosure Guidance: Topic No. 2, which was issued by the Division of Corporation Finance in 2011. Although Ms. Avakian acknowledged that the Commission has yet to bring a cybersecurity disclosure case against a public company and said she does not expect the Division to second-guess reasonable, good faith disclosure decisions, she also made clear that she “can certainly envision a case where enforcement action would be appropriate.”

Another focus of the Cyber Unit will be blockchain technology.  According to an SEC Report of Investigation issued in July 2017, federal securities laws may apply to the offer, sale, and trading of interests in digital assets, which rely upon such technology.  While Ms. Avakian acknowledged that blockchain technology can be a legitimate means of raising capital, she noted that it also may be an attractive vehicle for fraud.

Conclusion

While the Division no doubt will continue to bring cases in other bread-and-butter areas, like financial reporting and insider trading, it is clear that the protection of “Main Street” investors and cybersecurity will be at the top of the Division’s priorities list in 2018.  Compliance professionals and others in the securities industry will want to keep those priorities in mind as they evaluate their own risks, policies, and procedures in the year ahead.