Is the SEC trying to regulate cybersecurity and innovative financial products through easy enforcements? And is a leanly-staffed SEC prepared for robust pushback from defendants? Partners Ken Herzinger and Eric Sibbit join host Wayne Stacey of the Berkeley Center for Law and Technology to discuss how federal regulators are addressing technology issues.

---

 

Transcript:

Wayne Stacy 0:00 Welcome, everyone to today's expert series podcast from the Berkeley Center for Law and Technology. I'm your host, Wayne Stacey. And today we're going to talk about federal regulators and their activity in the tech space, in particular, how our federal regulators addressing technology issues, and is there an increased appetite for enforcement. To help guide this discussion today, we have two of the nation's leading experts from Paul Hastings. Well, first we have Ken Herzinger and Eric Sibbtt. So welcome to both of you. And thank you for joining us

Ken Herzinger 0:41 Thanks a lot, Wayne.

Eric Sibbitt 0:42 Thanks for having us.

Wayne Stacy 0:44 So let me just kick off with the first piece of this. And we're going to focus really on the the SEC. So on August 30, the SEC announced actions against eight firms for violation of the safeguards rule related to cyber security. What are the main findings of those actions that attorneys need to know about?

Ken Herzinger 1:06 Yeah, so these cases, were actually the last three of a string of cases that have been charged since May 2021. And a real uptick. And these cases were interesting, because the SEC, charged these firms under the safeguards rule, which applies to broker dealers, and requires them to protect investor data by putting in controls and policies and procedures. And well, the SEC found, for example, is with respect to sutera. That the the entities cloud based email accounts of over 60 personnel had been taken over by unauthorized third parties, and resulted in exposure of their personal information PII of roughly 4388 customers and clients. And what the SEC said both in in the various orders they charged as well as the press release is, it's not enough to have policies and procedures to protect identifying information held by investors on your platforms. But you need to actually go out and put teeth to those policies and procedures and enforce them. And when you see red flags, you need to go out and, and stop the activity. The kind of the high level takeaway that I thought was most interesting is one, it showed that there's a real tight working relationship right now between the OC formerly OC now the examination staff and the enforcement staff. So this one bubbled up out of a, all of these actually bubbled up out of examinations. And then the other piece is that this shows the staff is getting more aggressive, not just about SEC regulation, but about protested protecting customer data itself, which is a little bit of an extension, really beyond the rule and overall securities laws, if you think about it, sort of starting to sway a little bit into the dotnet data privacy area. But that's kind of my overall take on these cases.

Wayne Stacy 3:19 Well, I mean, I think that's a that's a great point that when people think about the SEC, data privacy doesn't automatically pop to mind is something that they're interested in. I mean, are they just trying to get people in line? Or do you see this as a long term enforcement mechanism for them?

Ken Herzinger 3:37 Well, I think under the current new administration, so at least for the next three or so years, I think this is a longer term extension. I think it's a signal more to come. We'll see, you know, what the next administration has to hold, but I do see them. And this is just one area of where the staff seems to be pushing the envelope on the regulatory authority.

Wayne Stacy 4:03 Is there enough guidance from them right now for the typical corporate attorney to understand how to advise their client?

Ken Herzinger 4:12 That's a great question. You know, I think this guidance, that particular guidance, you know, reg SP, has been out for a while. But the enforcement staff is enforcing it in new and unique ways. So I think, you know, it's not something that's been up writing on the wall for for a long time. And I think, you know, most of the defense lawyers in this space, see changes afoot, and I think are going to need to adapt to it. Because I don't think the guidance has been crystal clear in the last couple of years on this sort of an issue.

Wayne Stacy 4:52 Well, if you were going to going to talk to companies about what they need to do with regard to cybersecurity at this point, what are some of the foundational pieces you would recommend they put in place?

Ken Herzinger 5:06 So, with respect to publicly traded companies, I think they definitely need to take a hard look at not just their disclosures surrounding, you know, potential incidents, but they need to take a real deep dive into their internal processes and procedures. And the SEC has made it clear that they expect there to be coordination, no siloing, between various different departments. And they also expect there to be escalation of potentially material incidents, up through leadership, to the audit committee to the risk committee, and then, you know, also disclosure committee, and that this all be embodied within a company's policies or procedures. I think companies also should be looking at their insider trading policies and procedures, and making sure that there's sufficient language with respect to potential reg FD violations, insider trading violations, and then taking a look at their their trading blackout policies. And they should be incorporating a potential hold within the blackout period for matters that rise to a significant enough level where they could be, you know, material, and at least make a you know, a determination of whether or not the hold should go in place. But I think those are some of the things that the staff is looking at when they start to do their investigation. And really probing beyond disclosures and looking beyond whether or not there was intentional wrongdoing. Some of these cases reflect that they've charged companies for internal control violations, even where they find intentional, reckless wrongdoing. And so that that to me is a shift.

Wayne Stacy 6:59 So if the SEC is shifting or expanding, depending on what word you want to use there, are they really stepping on the toes of any other federal agencies?

Ken Herzinger 7:17 Well, it's interesting, this whole area, is kind of unique in that all of these companies are victims when you think about it. So I think to the extent they're stepping on toes, they did that a long time ago when they threw their hat in the ring. But, but yeah, there sometimes is conflict between a company that's cooperating with the FBI, for example, to catch bad threat actors, you know, international threat actors, and then yet at the same time responding to a subpoena from the SEC, with respect to the same incident.

Wayne Stacy 7:53 And I guess, going forward, how do you see the interplay between these agencies?

Ken Herzinger 8:02 I do think that there will be more coordination. And there has been in the past, but I think there'll be more information sharing and more coordination because of the national security risk that goes on. And some of it will be geared at just solely protecting the client or the information holder. But I do think that there will be cases where the SEC, for example, will get leads on cases that may funnel in from other governmental agencies that they didn't previously have access to. And that the SEC themselves will start looking for leads off of other incidents. And one real good example which has caught the press recently is the solar winds incident. So you know, that started out, you know, a true overseas international hack to steal government secrets, and then private company secrets. And now it's become a pretty massive SEC sweep. And so I think we're gonna likely see more in future.

Wayne Stacy 9:18 So for the company that's participators, working both with the the FBI and then looking at the potential problem with the SEC. What do they need to be thinking about in terms of not becoming their own worst enemy?

Ken Herzinger 9:34 I think you always just need to be cognizant that the information you're providing, the data and the witnesses that you may be producing, you know, as is often disclosed to them and provides a stat information may be used or accessed by other governmental agencies, including the SEC. And so I think as you're preparing to respond to the other agencies or bringing in witnesses, you just always need to have that in mind that the statements they're making could end up in some other type of proceeding, including one, ultimately against the company.

Wayne Stacy 10:11 Well, Eric, as we shift to a different area of the SEC. Now they're looking into the decentralized finance issues. It seems fairly aggressively. Can you tell us what's been going on there? I mean, I think there was a case and August 2021, that got a lot of press. But where do we stand on that right now?

Eric Sibbitt 10:36 Yeah, absolutely. DeFi or decentralized finances is interesting, from a government perspective, because it poses some special challenges. I think where you kind of take out the financial intermediary, it presents a lot of regulatory questions. Who do you regulate? How do you regulate? Right? And so there's been a lot of chatter from different federal regulators about how do we look at this DeFi phenomenon, which has grown explosively. And in August, we did see one case, which the SEC brought, or an enforcement action, which was settled, and was pitched as the first really the first enforcement action involving DeFi, which is interesting, less about the, you know, the specifics of the case and more about the desire to send a message. So a couple interesting things about I think one is it was settled relatively quickly. So a lot of these enforcement actions are years in the works, right. And this is one that the relevant activity ended in February 2021 of this year. So this came out relatively quickly, which is lightspeed by typical enforcement standards. And, you know, it's interesting, mostly in the messaging by the, I think, the desire to get this out, get it out there. And then the facts of the case, there are a lot of things. If you look at the specific fact pattern, which we would distinguish from, I think a lot of the DeFi projects out there would distinguish from the way their particular projects look.

Wayne Stacy 12:05 The Pollenex case itself, you mean, you said that a lot of people will try to distinguish on the facts. And as I look at that case, it seemed to have, you know, maybe a stereotypical bad actor in it, look in the standard, DeFi, offer, learn from the Pollenex case?

Eric Sibbitt 12:25 Well, I think this this is actually the DeFi money market case, which is the the DeFi case? And, you know, there were allegations of fraud, right. And whenever there are allegations of fraud,, you know, the SEC, and courts, to some extent, are pretty aggressive in how they interpret and apply rules, as opposed to some situations like the Pollenex case, where there wasn't really an allegation of fraud. Right. But where, you know, certainly more you consider a technical violation, right, where there's not necessarily an indication that someone has been harmed. But there are rules which the SEC expects to be comply with which they alleged to haven't been complied with.

Wayne Stacy 13:03 So when you when you look at the the SEC going forward? Are they going to devote significant assets to getting involved in this space? Or is this kind of a short term attention span issue?

Eric Sibbitt 13:18 So I think the signaling from the SEC, and now we have a lot of congressional interest in this area as well, is that they will continue to be fairly active. You know, obviously, the SEC has a very busy plate busy agenda. I think from some of the speeches and things we've seen out of the SEC recently. I think this will continue to be a very active area of inquiry. But it's interesting in that there's a lot of unsettled issues here. Right. So one of the fundamental questions in regulating the space are like, how do you characterize these assets? Right, so you mentioned the Pollenex case where it was alleged that, you know, at least some of these assets were securities without ever specifying which assets were securities. Right. And this is kind of a common thing where they're saying, at least some of these must be securities, because there's so many of them, but there's never an indication of which specific assets or securities. And if you've followed some of the testimony with the Senate Banking Committee, including yesterday, you still see a lot of you know, what uncertainty out there about, you know, guidance in terms of, you know, when is something of security, when is it not? And then derivative of that is how you regulate?

Wayne Stacy 14:36 Well, so then this question goes to both of you, the SEC seems to have, like you said a lot on its plate and may be expanding in new areas. Do they have the personnel to keep up with both of these in their normal day jobs?

Eric Sibbitt 14:55 But actually, in fact, that was one of the questions that came up in the congressional testimony yesterday. I think the indication was that they could use a lot more financial resources to really pursue everything that's on their agenda.

Wayne Stacy 15:08 Which that may or may not becoming majorly important may not be coming. So, you know, if they don't get the extra money, where do they put their? What do they put their time into?

Ken Herzinger 15:20 That's a great question. Having worked at the SEC, many years ago, myself, it's a very lean organization, always has been. And frankly, I've been pretty surprised and impressed at how many cases they've been bringing in so many different areas lately. I just don't know that they could keep up that pace, you know, for the long haul without hiring a significant amount of staff. So I do think if they're going to keep up this sort of pace, they're going to need to increase their budget. And I do think if they're going to continue to take such a hard line across the board on cases, and then, you know, start going after individuals, they're going to have to be prepared to actually litigate and try cases, which is going to have just yet a greater strain on the resources. But for now, they're doing it, which, like I said, I think based on their their structure is is actually pretty impressive.

Wayne Stacy 16:25 Eric, I'll give you the last word here, where do you think the SEC goes next with these kind of unique and evolving issues.

Eric Sibbitt 16:37 So I think now that the profile in this area has risen, including with a lot of, you know, attention at the federal government level, I think you're gonna see a combination of things, I think the SEC is going to continue to be very active. And, you know, given limited resources, it will make examples of certain people and projects and certainly put those out there and to some degree regulation by enforcement. I think even the SEC chair suggests they don't have all the tools to fill in some of the necessary some of the regulatory gaps here. And I think there's been some increased interest in Congress in rulemaking or new legislation potentially. So I think there'll be a combination of things. And what I hope is that, you know, the there's attention paid to, you know, making sure that we we address legitimate policy concerns and prevent harms, but that it doesn't stifle innovation, right. And the ability of people to kind of leverage some of the new things this technology is enabling, you know, when it's not exactly clear how it applies, you know, against the backdrop of legacy regulation.

Wayne Stacy 17:48 So how do you how do we keep that discussion going front and center because the cases that grab the headlines are the ones where you've got fraud or something, something a little bit salacious, but people don't want to read articles about policy. So how do you make sure that these bad actors don't overwhelm the policy foundations?

Ken Herzinger 18:17 It's interesting. I think Eric and I probably come from at this a little bit differently. But as a litigator, I think the defense bar needs to win a few cases, they need to lose a few big cases. And I think that will change some of the original balls.

Wayne Stacy 18:32 I always like it when lawyers bring it back to the salvation for everything is more lawyers.

Ken Herzinger 18:40 Well, I do think in this scenario, unfortunately, because as Eric said, The staff is not currently sitting down, actually trying to, to work with their partners and make policy and our regulating through enforcement. It's really difficult to see any other path other than litigating some of these matters. Unless, of course, they you know, they change their tune, in which case, I think the industry would be more than happy to sit down and broker policy.

Eric Sibbitt 19:14 So yeah, and I would add that, you know, and none of us may be salacious, right. But rather than you've got two ends of the spectrum, one where the SEC takes a very broad view of its authorities and what it's able to do. And then the other end, you may have many in the cryptocurrency industry, for example, where they view nothing should be regulated, right. And so I think there's a role for those two voices come together and determine what is actually meaningful in this context. Because just taking the existing legacy regime and applying it as it is to a completely new class of assets and technologies doesn't lead to the best results from either perspective.

Wayne Stacy 19:55 I think it's a great viewpoint, something to remember if the SEC just gets to pick up cases that settle quickly. They will go down a particular path they they need to be need to be pressed. And that's the defense bars go. So when I say salacious, I mean relatively salacious for SEC matters. So that's still a low bar. Well thank you both for your time. I appreciate it today. And I'm sure there'll be some more interesting things come out of this and we'll get a chance to talk again soon.

Eric Sibbitt 20:30 Thank you.

Ken Herzinger 20:31 Thanks, Wayne.