The SEC Has Issued New Guidance On Cybersecurity Disclosures

On February 20, 2018, the SEC issued new interpretative guidance on public company disclosures related to cybersecurity risks and incidents. In addition to addressing public company disclosures, the new guidance reminds companies of the importance of maintaining disclosure controls and procedures to address cyber-risks and incidents and reminds insiders that trading while having non-public information related to cyber-matters could violate federal insider-trading laws.

The prior SEC guidance on the topic was dated, having been issued on October 13, 2011. For a review of this prior guidance, see HERE. The new guidance is not dramatically different from the 2011 guidance.

Introduction

The topic of cybersecurity has been in the forefront in recent years, with the SEC issuing a series of statements and creating two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICOs). Moreover, the SEC has asked the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts. See my two-part blog series, including a summary of the recent speeches and initiatives, HERE and HERE.

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of its review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisors and investment companies. Considering rapidly changing technology and the proliferation of cybersecurity incidents, threats and risks affecting both private and public companies (including a hacking of the SEC’s own EDGAR system and a hacking of Equifax that caused a loss of $5 billion in market cap upon disclosure), public companies have been anticipating a needed update to the SEC’s disclosure-related guidance.

SEC Commissioner Kara Stein’s statement on the new guidance is grim on the subject, pointing out that the risks and costs of cyberattacks have been growing and could result in devastating and long-lasting collateral effects. Commissioner Stein cites a Forbes article estimating that cyber-crime will cost businesses approximately $6 trillion per year on average through 2021 and an Accenture article citing a 62% increase in such costs over the last five years.

Commissioner Stein also discusses the inadequacy of the 2011 guidance in practice and her pessimism that the new guidance will properly fix the issue. She notes that most disclosures are boilerplate and do not provide meaningful information to investors despite the large increase in the number and sophistication of, and damage caused by, cyberattacks on public companies in recent years. Commissioner Stein includes a list of requirements that she would have liked to see in the new guidance, including, for example, a discussion of the value to investors of disclosing whether any member of a company’s board of directors has experience, education, expertise or familiarity with cybersecurity matters or risks.

I have read numerous media articles and blogs related to the disclosure of cyber-matters in SEC reports. One such blog was written by Kevin LaCroix and published in the D&O Diary. Mr. LaCroix’s blog points out that according to a September 19, 2016, Wall Street Journal article, cyber-attacks are occurring more frequently than ever but are rarely reported. The article cites a report that reviewed the filings of 9,000 public companies from 2010 to the present and found that only 95 of these companies had informed the SEC of a data breach.

As reported in a blog published by Debevoise & Plimpton, dated September 12, 2016 (thank you, thecorporatecounsel.net), a review of Fortune 100 cyber-reporting practices revealed that most disclosures are contained in the risk-factor section of regular periodic reports such as Forms 10-Q and 10-K, as opposed to interim disclosures in a Form 8-K. Moreover, only 20 incidents were reported at all in the period from January 2013 through the third quarter of 2015.

However, as Commissioner Stein notes, the SEC only has so much authority or power through guidance, as opposed to rulemaking. Commissioner Stein strongly advocates for new rulemaking in this regard. I do not think that, in the current environment advocating for fewer rules, rulemaking related to cybersecurity disclosure will be made a priority. Moreover, I would not advocate for in-depth or robust further rules. Disclosure is based on materiality, and a company has an ongoing obligation to disclose any material information, including that which is related to cybersecurity matters. I think the SEC can question principles-based specific disclosures, and whether they are robust enough, through review and comment on public company filings. Certainly, the SEC staff, who review thousands of filings, have the knowledge of a lack of cybersecurity disclosure and can comment. In fact, if the SEC wrote a few standard cybersecurity-related disclosure comments and included them in a lot of comment letters, the marketplace would respond accordingly and beef up disclosure to avoid the comments.

Although I do not generally advocate for additional rules, Commissioner Stein makes one suggestion that I would support, and that is adding the disclosure of cybersecurity events to the Form 8-K filing requirements. Although the new SEC guidance does not specifically require a Form 8-K, in light of the importance of these events, it seems it would be appropriate, and the guidance itself requires “timely disclosure.” However, without a specific requirement, a company could elect to disclose via a press release and/or the filing of a Form 8-K under Item 7.01 (Regulation FD Disclosure). When disclosing using a press release and the Regulation FD item in a Form 8-K, a company may elect for the information to be “furnished, not filed.” Section 18 of the Exchange Act imposes liability for material misstatements or omissions contained in reports and other information filed with the SEC. However, reports and other information that are “furnished” to the SEC do not give rise to liability under Section 18. The antifraud provisions under Rule 10b-5 would still apply to the disclosure, but the stricter Section 18 liability would not.

New Guidance on Public Company Cybersecurity Disclosures

The new guidance begins with an introduction describing the importance of cybersecurity in today’s business world, driving the point home by comparing it to the importance of electricity. Cyber-incidents can take many forms, both intentional and unintentional, and commonly include the unauthorized access of information, including personal information related to customers’ accounts or credit information, data corruption, misappropriating assets or sensitive information or causing operational disruption. Attacks use increasingly complex methods, including malware, ransomware, phishing, structured query language injections and distributed denial-of-service attacks. A cyber-attack can be in the form of unauthorized access or a blocking of authorized access.

The purpose of a cyber-attack can vary as much as the methodology used, including for financial gain such as the theft of financial assets, intellectual property or sensitive personal information on the one hand, to a vengeful or terrorist motive through business disruption on the other hand. Perpetrators may be insiders and affiliates, or third parties including cybercriminals, competitors, nation-states and “hacktivists.”

When victim to a cyber-attack or incident, a company will face both direct financial and indirect negative consequences, including but not limited to:

  • Remediation costs, including liability for stolen assets, costs of repairing system damage, and incentives or other costs associated with repairing customer and business relationships;
  • Increased cybersecurity protection costs to prevent both future attacks and the potential damage caused by same. These costs include organizational changes, employee training and engaging third-party experts and consultants;
  • Lost revenues from unauthorized use of proprietary information and lost customers;
  • Litigation;
  • Increased insurance premiums;
  • Damage to the company’s competitiveness, stock price and long-term shareholder value; and
  • Reputational damage.

The 2011 disclosure guidance was conservative in its tone, trying to strike a balance between the disclosure mandate of providing material risk information to the investing community and a company’s need to refrain from providing disclosure that could, in and of itself, provide a road map to the very breaches the company attempts to prevent. The new guidance is more blunt about the critical need to inform investors about material cybersecurity risks, and about incidents when they occur.

A company’s ability to timely and properly make any required disclosure of cybersecurity risks and incidents requires the company to implement and maintain disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.

Insider Trading

It is also important that public company officers, directors and other insiders respect the importance and materiality of cybersecurity risk and incident knowledge and not trade a company’s securities when in possession of non-public information related to cybersecurity matters. In that regard, companies should include cybersecurity matters in their insider trading policies and procedures. These insider trading policies should (i) guard against trading in the period between when a company learns of a cybersecurity incident and the time it is made public; and (ii) require the timely disclosure of such non-public information.

Guidance

Public companies have many disclosure requirements, including through periodic reports on Forms 10-K, 10-Q and 8-K, through Securities Act registration statements such as on Forms S-1 and S-3 and generally through the antifraud provisions of both the Exchange Act and Securities Act, which require a company to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

As with all disclosure requirements, the disclosure of cybersecurity risks and incidents requires a materiality analysis. Although there continues to be no specific disclosure requirement or rule under either Regulation S-K or S-X that addresses cybersecurity risks, attacks or other incidents, many of the disclosure rules encompass these disclosures indirectly, such as risk factors, internal control assessments, management discussion and analysis, legal proceedings, disclosure controls and procedures, corporate governance and financial statements. As mentioned, as with all other disclosure requirements, an obligation to disclose cybersecurity risks, attacks or other incidents may be triggered where such disclosure is necessary to make other required disclosures not misleading in light of the circumstances.

A company has two levels of cybersecurity disclosure to consider. The first is its controls and procedures and corporate governance, both to address cybersecurity matters themselves and to address the timely and thorough reporting of same. The second is the reporting of actual incidents. In determining the materiality of a particular cybersecurity incident, a company should consider (i) the importance of any compromised information; (ii) the impact of an incident on company operations; (iii) the nature, extent and potential magnitude of the event; and (iv) the range of harm such an incident can cause, including to reputation, financial performance and customer and vendor relationships, and including litigation or regulatory investigations.

Of course, the new guidance is also clear that a company would not need to disclose the depth of information that could, in and of itself, provide information necessary to breach cyber-defenses. A company would not need to disclose specific technical information about cybersecurity systems, related networks or devices or specific devices and networks that may be more susceptible to attack due to weaker systems.

The new guidance also reminds companies that they have a duty to correct prior disclosures that the company determines were untrue at the time they were made (or that omitted material information at that time), and to update disclosures that become inaccurate after the fact.

Like the prior guidance, the new guidance provides specific input into areas of disclosure.

Risk Factors

Obviously, where appropriate, cybersecurity risks need to be included in risk factor disclosures. The SEC guidance in this regard is very common-sense. Companies should evaluate their cybersecurity risks and take into account all available relevant information, including prior cyber-incidents and the severity and frequency of those incidents. Companies should consider the probability of an incident and the quantitative and qualitative magnitude of the risk, including potential costs and other consequences of an attack or other incident. Consideration should be given to the potential impact of the misappropriation of assets or sensitive information, corruption of data or operational disruptions. A company should also consider the adequacy of the preventative processes and plans in place should an attack occur. Actual threatened attacks may be material and require disclosure.

As with all risk-factor disclosures, the company must adequately describe the nature of the material risks and how such risks affect the company. Likewise, generic risk factors that could apply to all companies should not be included. Risk factor disclosure may include:

  • Discussion of the company’s business operations that give rise to material cybersecurity risks and the potential costs and consequences, including industry specific risks and third-party and service-provider risks;
  • The costs associated with maintaining cybersecurity protections, including insurance coverage;
  • The probability of an occurrence and its potential magnitude;
  • Potential for reputational harm;
  • Description of past incidents, including their severity and frequency;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including any limits on the company’s ability to prevent or mitigate risks;
  • Existing and pending laws and regulations that may affect the company’s cybersecurity requirements and the associated costs; and
  • Litigation, regulatory investigation and remediation costs associated with cybersecurity incidents.

Management Discussion and Analysis (MD&A)

In the MD&A a company should consider all the same factors that it would consider in its risk factors. A company would need to include discussion of cybersecurity risks and incidents in its MD&A if the costs or other consequences associated with one or more known incidents, or the risk of potential future incidents, result in a material event, trend or uncertainty that is reasonably likely to have a material effect on the company’s results of operations, liquidity or financial condition, or could impact previously reported financial statements. The discussion should include any material realized or potential reduction in revenues, loss of intellectual property, remediation efforts, maintaining insurance, increase in cybersecurity protection costs, addressing harm to reputation, and litigation and regulatory investigations. Furthermore, even if an attack did not result in direct losses, such as in the case of a failed attempted attack, but does result in other consequences, such as a material increase in cybersecurity expenses, disclosure would be appropriate.

Business Description; Legal Proceedings

Disclosure of cyber-related matters may be required in a company’s business description where they affect a company’s products, services, relationships with customers and suppliers or competitive conditions. Likewise, material litigation would need to be included in the “legal proceedings” section of a periodic report or registration statement. The litigation disclosure should include any proceedings that relate to cybersecurity issues.

Financial Statements

Cyber-matters may need to be included in a company’s financial statements prior to, during and/or after an incident. Costs to prevent cyber-incidents are generally capitalized and included on the balance sheet as an asset. GAAP provides for specific recognition, measurement and classification treatment for the payment of incentives to customers or business relations, including after a cyber-attack. Cyber-incidents can also result in direct losses or the necessity to account for loss contingencies, including those related to warranties, direct loss of revenue, providing customers with incentives, breach of contract, product recall and replacement, indemnification or remediation. Incidents can result in loss of, and therefore accounting impairment to, goodwill, intangible assets, trademarks, patents, capitalized software and even inventory. Financial statement disclosure may also include expenses related to investigation, breach notification, remediation and litigation, including the costs of legal and other professional service providers.

Broad Risk Oversight

A company must disclose the extent of its board of directors’ role in the risk oversight of the company, such as how the board administers its oversight function and the effect this has on the board’s leadership structure. To the extent cybersecurity risks are material to a company’s business, this discussion should include the nature of the board’s role in overseeing the management of that risk. Information should also be included on how the board engages with management on cybersecurity risk management.

Controls and Procedures

The new guidance clearly provides that companies should adopt comprehensive policies and procedures related to cybersecurity and assess their compliance regularly, including policy/procedure compliance related to the sufficiency of disclosure controls and procedures. Procedures must address a company’s ability to record, process, summarize and report financial and other information in SEC filings. Additionally, any deficiency in these controls and procedures should be reported.

The SEC reminds companies that their principal executive officer and principal financial officer must make individual certifications regarding the design and effectiveness of disclosure controls and procedures. These certifications should take into account cybersecurity-related controls and procedures.

Furthermore, as discussed above, a company should have proper policies and procedures preventing officers, directors and other insiders from trading on material nonpublic information related to cybersecurity risks and incidents.

Regulation FD and Selective Disclosure

Companies may have disclosure obligations under Regulation FD related to cybersecurity matters. Under Regulation FD, “when an issuer, or person acting on its behalf, discloses material nonpublic information to certain enumerated persons it must make public disclosure of that information.” The SEC reminds companies that these requirements also relate to cybersecurity matters and that, along with all the other disclosure requirements, policies and procedures should specifically address any disclosures of material non-public information related to cybersecurity.

SEC Issues Report on Initial Coin Offerings (ICOs)

On July 25, 2017, the SEC issued a report on an investigation related to an initial coin offering (ICO) by the DAO and statements by the Divisions of Corporation Finance and Enforcement related to the investigative report (the “Report”). On the same day, the SEC issued an Investor Bulletin related to ICOs. Offers and sales of digital coins, cryptocurrencies or tokens using distributed ledger technology (DLT) or blockchain have become widely known as ICOs. For an introduction on DLT and blockchain, see HERE.

The basis of the report is that offers and sales of digital assets, including cryptocurrencies, are subject to the federal (and state) securities laws. From the highest level, the nature of a digital asset must be examined to determine if it meets the definition of a security using established principles (see HERE). In addition, all offers and sales of securities must either be registered with the SEC or there must be an available exemption from such registration. This statement applies to cryptocurrency securities in the same manner it applies to all other securities. In addition, participants in ICOs are subject to federal securities laws to the same extent they are in other securities offerings, including broker-dealer registration requirements. Securities exchanges providing for trading must register unless an exemption applies.

Despite its findings, the SEC declined to pursue an enforcement action and instead used the opportunity to inform the public of its views and, in particular, that “the federal securities laws apply to those who offer and sell securities in the United States, regardless whether the issuing entity is a traditional company or a decentralized autonomous organization, regardless whether those securities are purchased using U.S. dollars or virtual currencies, and regardless whether they are distributed in certificated form or through distributed ledger technology.”

In the press release announcing the investigative findings, SEC Chair Jay Clayton stated, “[T]he SEC is studying the effects of distributed ledger and other innovative technologies and encourages market participants to engage with us. We seek to foster innovative and beneficial ways to raise capital, while ensuring – first and foremost – that investors and our markets are protected.”

This is not the first time the SEC has addressed registration and exemption requirements associated with cryptocurrencies. There have been several other cases. For example, in December 2014 the SEC settled charges against BTC Virtual Stock Exchange and LTC Global Virtual Stock Exchange related to violations of both the broker-dealer registration requirements and the securities offer and sale registration requirements. For more information on that case, see HERE.

This blog will summarize the SEC Report of Investigation, statements by the Divisions of Corporation Finance and Enforcement and the Investor Bulletin on Initial Coin Offerings.

SEC Report of Investigation on an ICO

On July 25, 2017, the SEC issued its Report on an investigation into an ICO and related activities by the DAO, an unincorporated entity, Slock.it UG (“Slock.it”), a German corporation, and various principals and participants. As mentioned earlier, although the report provides a platform for which the SEC can educate the marketplace, it did not pursue enforcement actions against the targets of the investigation.

“DAO” stands for a decentralized autonomous organization, or a virtual network embodied in computer code on a DLT or blockchain. The DAO was created by Slock.it to sell tokens to investors, with the proceeds to be used to fund for-profit projects. The token holders would share in the profits and, as such, had an expectation of a return on investment. The DAO tokens were also transferable and available for secondary trading on different web-based platforms. After the ICO, but before projects were funded, the DAO was hacked and approximately one-third of its assets stolen. Fortunately, the DAO was able to come up with a plan that caused the ETH raised by the DAO to be returned to the original Ethereum addresses, and thus returned the investments to the original investors.

The SEC opened an investigation as to whether the offer and sale of the DAO Tokens invoked federal securities laws, whether the DAO Tokens were securities and whether the platforms for the secondary trading of the Tokens required registration as a securities exchange. The answer to each of these questions, under the facts and circumstances presented, was in the affirmative. Since the DAO had not yet commenced operations, the SEC did not review whether the DAO was acting as an “investment company” under the Investment Company Act of 1940, but noted that had it begun operations, such an analysis would have been appropriate.

The Report begins with the conclusion. Whether or not a particular transaction involves the offer and sale of a security depends on an analysis of the facts and circumstances, regardless of the terminology or technology used or employed. All persons or entities that use a Decentralized Autonomous Organization (DAO Entity), DLT or other blockchain-based technology as a means to raise capital in the U.S. are subject to the U.S. federal securities laws. All securities offered and sold in the U.S. must be registered or must qualify for an exemption from registration. Moreover, any entities or platforms that allow for the secondary trading of securities must either be registered as a national securities exchange or operate pursuant to a registration exemption. The automation of functions, computer code, smart contracts, and decentralization does not change the obligations under the federal securities laws.

Background and Facts

In a one-month period from April 30, 2016, through May 28, 2016, the DAO offered and sold 1.15 billion DAO Tokens in exchange for 12 million Ether (“ETH”) valued at approximately $150 million USD. ETH is a virtual currency. The Financial Action Task Force defines a “virtual currency” as:

a digital representation of value that can be digitally traded and functions as: (1) a medium of exchange; and/or (2) a unit of account; and/or (3) a store of value, but does not have legal tender status (i.e., when tendered to a creditor, is a valid and legal offer of payment) in any jurisdiction. It is not issued or guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the virtual currency. Virtual currency is distinguished from fiat currency (a.k.a. “real currency,” “real money,” or “national currency”), which is the coin and paper money of a country that is designated as its legal tender; circulates; and is customarily used and accepted as a medium of exchange in the issuing country. It is distinct from e-money, which is a digital representation of fiat currency used to electronically transfer value denominated in fiat currency.

The DAO itself was created by the founders of Slock.it as a type of alternative corporation with all corporate functions and governance automated using blockchain and smart contracts. The DAO was the “first generation” of its kind. Participants sent in ETH in exchange for DAO Tokens. DAO Token holders could vote on projects to be funded with the DAO assets (ETH, which could be exchanged for fiat currency and other physical or digital assets) and participate in rewards such as profit distributions and dividends. The entire DAO was intended to be autonomous, such that project proposals were in the form of smart contracts and voting was administered by computer code. The DAO code was launched on the Ethereum blockchain.

The DAO promoted itself through a website which described its purpose (“[T]o blaze a new path in business for the betterment of its members, existing simultaneously nowhere and everywhere and operating solely with the steadfast iron will of unstoppable code”), how it operated, its source code, and a link to buy the DAO Tokens. The DAO was also promoted through media attention and numerous social media channels.

Anyone was eligible to purchase DAO Tokens as long as they paid in ETH, and there were no limitations on the number of DAO Tokens offered for sale or the number that could be purchased by any purchaser. There were no parameters set on the accreditation or sophistication level of a purchaser. Anyone with ETH and an ETH blockchain address could participate. All ETH from DAO Token sales was aggregated in the DAO’s Ethereum blockchain address.

Only DAO Token holders could submit proposed projects in which the DAO might participate, and each proposal would have to involve a smart contract and comply with the preset DAO Token holders voting code. Projects would be approved by a majority vote of DAO Token holders. Before being submitted for a vote, projects were to be reviewed by human curators. Although beyond the scope of this blog, there appeared to be many issues with the system, including the programming for voting.

The DAO Tokens were unrestricted and there were several platforms that allowed for the immediate secondary trading of the DAO Tokens. The secondary market trading platforms were registered with the Financial Crimes Enforcement Network (FinCEN) as Money Services Businesses. For more on FinCEN, see HERE. The DAO Tokens were in fact actively traded on various platforms.

SEC Regulatory Analysis

Section 5 of the Securities Act of 1933, as amended (“Securities Act”) requires the registration of all offers and sales of securities unless there is an available exemption. The registration provisions are based on “full and fair disclosure” of all material information for an investor to make an informed investment decision, including detailed information about the issuer’s financial condition, identity and background of management and the price and amount of securities to be offered.

Section 5 of the Securities Act, like many provisions in the securities laws, is written inclusively, such that all offers and sales are covered unless an exemption is available pursuant to statute or case law. Section 5 states that “unless a registration statement is in effect as to a security, it is unlawful for any person, directly or indirectly, to engage in the offer or sale of securities in interstate commerce.” A violation of Section 5 does not require intent.

The SEC begins its analysis of the DAO Tokens by reference to the definitions of a security found in both Section 2(a)(1) of the Securities Act and Section 3(a)(10) of the Securities Exchange Act. Both definitions include the term “investment contract,” which has been famously defined by the U.S. Supreme Court as an investment of money in a common enterprise with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others. For an in-depth discussion on the definition of a security in SEC v. W. J. Howey Co., 328 U.S. 293 (1946) (the “Howey Test”), see HERE.

Under the Howey Test, whether an investment instrument is a security requires a substance-over-form analysis. The Howey Test defines an investment contract as follows:

“… an investment contract for purposes of the Securities Act means a contract, transaction or scheme whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party…. Such a definition… permits the fulfillment of the statutory purpose of compelling full and fair disclosure relative to the issuance of the many types of instruments that in our commercial world fall within the ordinary concept of a security…. It embodies a flexible rather than a static principle, one that is capable of adaptation to meet the countless and variable schemes devised by those who seek the use of the money of others on the promise of profits.”

Applying the Howey Test, courts have interpreted a security to include such diverse items as citrus groves, warehouse receipts, chinchillas, minks, diamonds, bullion, pay phones, real estate and equipment, and condominium units, when they were offered or sold under circumstances involving the investment of money and an expectation of a return through the efforts of others.

Applying the Howey Test to the DAO Tokens, the SEC notes that “money” need not include cash, but rather can be anything of value. A contribution of ETH is an investment as considered by the Howey Test. Investors in the DAO were investing in a common enterprise with the expectation of profits, including dividends and increased value. The SEC also found that the profits were to be derived from the efforts of others, including Slock.it, its founders and the DAO curators.

In its analysis of whether the DAO was a security, the SEC spent the most discussion on the “from the efforts of others” factor. Presumably this is because the DAO was established as an autonomous organization with participants voting on all projects. However, the Slock.it team, through its curators, its management of the DAO website and its participation in online forums, “led investors to believe that they could be relied on to provide the significant managerial efforts required to make the DAO a success.” Moreover, in fact, the curators and Slock.it team did exercise significant control over proposals and operations of the DAO and were responsible for stopping the hacking attack and coming up with a plan to rectify the situation.

The SEC also noted that the DAO Token holders’ voting rights were limited. The DAO Token holders could only vote within the rules (code) established by the Slock.it management team. The SEC points to case law related to multi-level marketing schemes, which were securities despite the labor put forth by the investors because the promoter dictated the terms and controlled the scheme itself. The SEC stated that “[T]he voting rights afforded DAO Token holders did not provide them with meaningful control over the enterprise, because (1) DAO Token holders’ ability to vote for contracts was a largely perfunctory one; and (2) DAO Token holders were widely dispersed and limited in their ability to communicate with one another.” Furthermore, the SEC questioned the level of disclosure on projects, believing that such disclosure was not “full and fair” such as to allow an informed investment decision.

Upon concluding that the DAO Tokens were securities, the SEC also concluded that the DAO needed to register their issuance, or satisfy a registration exemption, regardless of whether the DAO was an incorporated or an unincorporated organization. Issuers, like securities, are broadly defined to include any sponsor or organization that is primarily responsible for the success or failure of the venture. Participants in an offering are also subject to Section 5 obligations and liability. Accordingly, this included the Slock.it founders and principals.

The secondary trading platforms also required registration, or the availability of an exemption, under the federal securities laws. Section 5 of the Exchange Act makes it unlawful for any broker, dealer or exchange to directly or indirectly effect any transaction in a security or report such transaction unless the exchange is registered as a national exchange or exempted from such registration. Section 3(a)(1) of the Exchange Act defines an “exchange” as “any organization, association, or group of persons, whether incorporated or unincorporated, which constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange as that term is generally understood …”

The functions of a stock exchange generally include: (i) bringing together orders for securities of multiple buyers and sellers; and (ii) using established, non-discretionary methods under which such orders interact with each other, and the buyers and sellers entering such orders agree to the terms of the trade. A frequent exemption to the definition of an exchange is an Alternative Trading System (ATS) that complies with Regulation ATS. Regulation ATS requires, among other things, registration as a broker-dealer. The OTC Markets is an ATS, as is t0 Technologies. The platforms that traded the DAO Tokens fit within the definition of an exchange and did not satisfy any available registration exemptions.

Statement by the Divisions of Corporation Finance and Enforcement on the Report of Investigation on the DAO

On the same day that the SEC issued its investigative Report, the Divisions of Corporation Finance and Enforcement issued a statement on the Report. Off the top I notice that the SEC, under Chair Jay Clayton, Commissioner Michael Piwowar and the numerous new executive members, has a decidedly more positive attitude towards business and capital raising overall than the prior regime. I also notice, through review of enforcement proceedings, that the new regime has not been deterred at all from its mission to detect and prosecute fraud, including micro-cap and penny-stock-related schemes.

To begin its statement, the Divisions noted that DLT, blockchain and other emerging technologies have the potential to influence and improve capital markets and the financial services industry. The Divisions “welcome and encourage the appropriate use of technology to facilitate capital formation and provide investors with new investment opportunities,” and are “hopeful that innovation in this area will facilitate fair and efficient capital raisings for small businesses.” However, new technologies also offer new opportunities for misconduct and abuse.

The Divisions reiterate the SEC Report’s assertion that an offer and sale of securities must comply with the federal securities laws and that determining whether a particular investment opportunity involves a security involves a facts and circumstances analysis, including economic realities and underlying structure, regardless of the terminology or technology used.

Noting that the SEC Report had found that the DAO Tokens were securities, the Divisions caution sponsors and other participants in offerings of digital or other novel forms of value to consider whether they involve a security and thus their obligations under the federal securities laws, including registration or meeting the qualifications for a registration exemption. Market participants that operate a web or other platform that facilitates transactions in securities must also consider whether they need to be registered as a broker-dealer or an exchange, or if there is an available exemption.

Although the Divisions’ statement does not mention it, keeping in line with the fundamental view that basic securities laws apply, a web platform that meets the criteria set out in Section 4(b) of the Securities Act, as created by the JOBS Act, should qualify for a broker-dealer exemption when hosting digital coin or token offerings. See HERE for details on this exemption.

Furthermore, the Divisions caution that sponsors and other market participants should consider whether their business model results in an entity that needs to be registered as an investment company and whether anyone providing advice about an investment in the security could be an investment advisor.

The Divisions also caution against bad actors and fraud, again using the same principles and tenets that have always applied to economies. Investors should watch for red flags, including deals that sound too good to be true, promises of high returns with little or no risk, high-pressure sales tactics, and working with unregistered or unlicensed persons.

A fundamental message that I always try to deliver is that anyone engaging in any activity that could invoke the securities laws should consult with competent securities counsel. The Divisions’ statement relays the same message, in particular encouraging “market participants who are employing new technologies to form investment vehicles or distribute investment opportunities to consult with securities counsel to aid in their analysis of these issues.” The SEC staff also encourages direct communication with the SEC and has set up an email address for communications related to these matters.

Investor Bulletin on Initial Coin Offerings

In addition to its Report and statement of the Divisions of Corporation Finance and Enforcement, on July 25, 2017, the SEC’s Office of Investor Education and Advocacy issued an Investor Bulletin on Initial Coin Offerings (ICO’s). The Investor Bulletin is written in a simple format and helps to inform the public on the basics of ICO’s.

As noted throughout this blog, virtual coins or tokens are created using DLT or blockchain and can be sold in exchange for other virtual coins (such as Bitcoin or Ethereum) or for fiat currency such as U.S. dollars. Generally, tokens sold entitle the purchaser to some return on investment or participation in a project and also may be resold or traded on secondary markets, such as virtual currency exchanges. The Investor Bulletin informs the public that these virtual coin or token offerings can invoke the federal securities laws.

The Investor Bulletin provides some basic information on blockchain and virtual currencies. In particular, taken from the Investor Bulletin:

What is a blockchain?

A blockchain is an electronic distributed ledger or list of entries – much like a stock ledger – that is maintained by various participants in a network of computers. Blockchains use cryptography to process and verify transactions on the ledger, providing comfort to users and potential users of the blockchain that entries are secure. Some examples of blockchain are the Bitcoin and Ethereum blockchains, which are used to create and track transactions in Bitcoin and Ether, respectively.

What is a virtual currency or virtual token or coin?

A virtual currency is a digital representation of value that can be digitally traded and functions as a medium of exchange, unit of account, or store of value. Virtual tokens or coins may represent other rights, as well. Accordingly, in certain cases, the tokens or coins will be securities and may not be lawfully sold without registration with the SEC or pursuant to an exemption from registration.

What is a virtual currency exchange?

A virtual currency exchange is a person or entity that exchanges virtual currency for fiat currency, funds, or other forms of virtual currency. Virtual currency exchanges typically charge fees for these services. Secondary market trading of virtual tokens or coins may also occur on an exchange. These exchanges may not be registered securities exchanges or alternative trading systems regulated under the federal securities laws. Accordingly, in purchasing and selling virtual coins and tokens, you may not have the same protections that would apply in the case of stocks listed on an exchange.

Who issues virtual tokens or coins?

Virtual tokens or coins may be issued by a virtual organization or other capital-raising entity. A virtual organization is an organization embodied in computer code and executed on a distributed ledger or blockchain. The code, often called a “smart contract,” serves to automate certain functions of the organization, which may include the issuance of certain virtual coins or tokens. The DAO, which was a decentralized autonomous organization, is an example of a virtual organization.

The Investor Bulletin continues with warnings to potential investors, including to be aware that the federal securities laws require either registration or an exemption from registration for an offer and sale of securities. The Investor Bulletin points potential investors to the EDGAR database to find registration statements, and reminds investors that exemptions usually are limited to accredited investors.

Further, the Investor Bulletin discusses disclosure obligations and sets forth key information that an investor should be informed of, such as use of proceeds, management and business plans.

The Investor Bulletin points out that even if there has been a fraud or theft, investors’ rights may be limited due to the nature of ICO’s in general, including that they can be autonomous, the inability to trace money, the international scope of offerings, that there is no central controlling authority and that there is no method to freeze or secure virtual currency. Finally, the Investor Bulletin points to the usual red flags, including “guaranteed” high returns or low risk, unsolicited offers, offers that sound too good to be true, buying pressure, no net worth or other investor requirements and unlicensed sellers.
