The CFTC And Cryptocurrencies

The SEC and U.S. Commodity Futures Trading Commission (CFTC) have been actively policing the crypto or virtual currency space. Both regulators have filed multiple enforcement actions against companies and individuals for improper activities including fraud. On January 25, 2018, SEC Chairman Jay Clayton and CFTC Chairman J. Christopher Giancarlo published a joint op-ed piece in the Wall Street Journal on the topic.

Backing up a little, on October 17, 2017, the LabCFTC office of the CFTC published “A CFTC Primer on Virtual Currencies” in which it defines virtual currencies and outlines the uses and risks of virtual currencies and the role of the CFTC. The CFTC first found that Bitcoin and other virtual currencies are properly defined as commodities in 2015. Accordingly, the CFTC has regulatory oversight over futures, options, and derivatives contracts on virtual currencies and has oversight to pursue claims of fraud or manipulation involving a virtual currency traded in interstate commerce. Beyond instances of fraud or manipulation, the CFTC generally does not oversee “spot” or cash market exchanges and transactions involving virtual currencies that do not utilize margin, leverage or financing. Rather, these “exchanges” are regulated as payment processors or money transmitters under state law.

The role of the CFTC is substantially similar to the SEC with a mission to “foster open, transparent, competitive and financially sound markets” and to “protect market users and their funds, consumers and the public from fraud, manipulation and abusive practices related to derivatives and other products subject to the Commodity Exchange Act (CEA).” The definition of a commodity under the CEA is as broad as the definition of a security under the Securities Act of 1933, including a physical commodity such as an agricultural product, a currency or interest rate or “all services, rights and interests in which the contracts for future delivery are presently or in the future dealt in” (i.e., futures, options and derivatives contracts).

Where the SEC regulates securities and securities markets, the CFTC does the same for commodities and commodity markets. At times the jurisdiction of the two regulators overlaps, such as related to swap transactions (see HERE). Furthermore, while there are no SEC licensed securities exchanges which trade virtual currencies or any tokens, there are several commodities exchanges that trade virtual currency products such as swaps and options, including the TeraExchange, North American Derivatives Exchange and LedgerX.

The Commodity Exchange Act would prohibit the trading of a virtual currency future, option or swap on a platform or facility not licensed by the CFTC. Moreover, the National Futures Association (NFA) is now requiring member commodity pool operators (CPO’s) and commodity trading advisors (CTA’s) to immediately notify the NFA if they operate a pool or manage an account that engaged in a transaction involving a virtual currency or virtual currency derivative.

The CFTC refers to the IRS’s definition of a “virtual currency” and in particular:

A virtual currency is a digital representation of value that functions as a medium of exchange, a unit of account, and/or a store of value. In some environments it operates like real currency but it does not have legal tender status in the U.S. Virtual currency that has an equivalent value in real currency, or that acts as a substitute for real currency, is referred to as a convertible virtual currency.  Bitcoin is one example of a convertible virtual currency.

I note that neither the CFTC’s definition of Bitcoin as a commodity, nor the IRS’s definition of a virtual currency, conflicts with the SEC’s position that most cryptocurrencies and initial cryptocurrency offerings today are securities requiring compliance with the federal securities laws. The SEC’s position is based on an analysis of the current market for ICO’s and the issuance of “coins” or “tokens” for capital raising transactions and as speculative investment contracts. In fact, a cryptocurrency which today may be an investment contract (security) can morph into a commodity (currency) or other type of digital asset. For example, an offering of XYZ token for the purpose of raising capital to build a software or blockchain platform or community where XYZ token can be used as a currency would rightfully be considered a securities offering that needs to comply with the federal securities laws. However, when the XYZ token is issued and can be used as a form of currency, it would become a commodity. Furthermore, the bundling of a token securities offering to include options or futures contracts may implicate both SEC and CFTC compliance requirements.

The CFTC primer gives a little background on Bitcoin, which was created in 2008 by a person or group using the pseudonym “Satoshi Nakamoto” as an electric payment system based on cryptographic proof allowing any two parties to transact directly without the need for a trusted third party, such as a bank or credit card company. Bitcoin is partially anonymous, with individuals being identified by an alphanumeric address. Bitcoin runs on a blockchain-decentralized network of computers and uses open-source software and “miners” to validate transactions through solving complex algorithmic mathematical equations.

A virtual currency can be used as a store of value; however, virtual currencies are not a yield asset in that they do not generate dividends or interest. Virtual currencies can generally be traded with resulting capital gains or losses. The CFTC, like all regulators, points out the significant speculation and volatility risk. The CFTC reiterates the large incidents of fraud involving crypto marketplaces. Furthermore, there is a significant cybersecurity risk. If a “wallet” holding cryptosecurities is hacked, they are likely gone without a chance of recovery.

Although many virtual currencies, including Bitcoin, market themselves as a payment method, the ability to utilize Bitcoin and other virtual currencies for everyday goods and services has not yet come to fruition. In fact, the trend toward Bitcoin being a regularly accepted payment has seemed to have gone the other way, with payment processor Stripe, tech giant Microsoft and gaming platform Steam discontinuing Bitcoin support due to lengthy transaction times and increased transaction failure rates.

Further Reading on DLT/Blockchain and ICO’s

For an introduction on distributed ledger technology, including a summary of FINRA’s Report on Distributed Ledger Technology and Implication of Blockchain for the Securities Industry, see HERE.

For a discussion on the Section 21(a) Report on the DAO investigation, statements by the Divisions of Corporation Finance and Enforcement related to the investigative report and the SEC’s Investor Bulletin on ICO’s, see HERE.

For a summary of SEC Chief Accountant Wesley R. Bricker’s statements on ICO’s and accounting implications, see HERE.

For an update on state distributed ledger technology and blockchain regulations, see HERE.

For a summary of the SEC and NASAA statements on ICO’s and updates on enforcement proceedings as of January 2018, see HERE.

To read about the SEC and CFTC joint statements and the Wall Street Journal op-ed article, see HERE.

Inquiries of a technical nature are always encouraged. Contact us now.

SEC Statements On Cybersecurity; An EDGAR Hacking

On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC Edgar system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

This is the first in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hacking and the new initiatives. My prior blog outlining SEC guidance on the disclosure of cybersecurity matters can be read HERE.

Chair Clayton’s Statement on Cybersecurity and the EDGAR Hacking

Upon taking office in May, 2017, Chair Clayton formed a senior-level cybersecurity working group to coordinate the sharing of information, risk monitoring and incident response efforts. Chair Clayton’s September 20, 2017 statement was part of the SEC’s ongoing initiatives and necessary to inform the public of the SEC’s own hacking incident. In addition to the revelation regarding the EDGAR hacking, Chair Jay Clayton’s statement emphasized the importance of cybersecurity to not only the SEC, but all market participants.

All market participants engage in data collection, storage, analysis, availability and protection to some extent, all of which are open to cybersecurity risks. Cyber attacks can be perpetrated by identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, hackers, terrorists, state-sponsored actors and others.  Furthermore, the effects of attacks can be significant, including loss or exposure of consumer data, theft or exposure of intellectual property, investor losses resulting from the theft of funds, market value declines in companies’ subject to cyber attacks, and regulatory, reputational and litigation risks.

Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery. Chair Clayton’s statement provides detail on the SEC’s approach to cybersecurity, including: (i) the types of data they collect, hold and make publicly available; (ii) how the SEC manages cybersecurity risks and responds to cyber events; (iii) how the SEC incorporates cybersecurity considerations in their risk-based supervision of entities they regulate; (iv) how the SEC coordinates with other regulators to identify and mitigate cybersecurity risks; and (v) how the SEC uses its oversight and enforcement authorities, including to pursue cyber threats.

EDGAR Hacking

Before summarizing the other components of Chair Clayton’s statement, I will jump right to the topic that has gained national attention: EDGAR was hacked!  Sometime in 2016, a software vulnerability in the test filing component of the EDGAR system was hacked. The opening was patched once discovered, but the hackers were able to obtain information through test filings that was used to make illicit trading gains. The hackers also obtained personal information, including names, dates of birth and Social Security numbers of at least two individuals. Chair Clayton was not informed of the hacking until August 2017.

The test filing system of EDGAR allows a company to make a non-public test filing of a registration statement or report (or any document that can be filed through the EDGAR system) to be sure the actual filing will be processed correctly. The test filing is usually made hours before the actual filing, but it can be made a day in advance. By having access to material information in filings prior to the marketplace, the hackers could trade on such information and make illegal profits.

When the SEC first announced the hacking on September 20, 2017, it stated that no personal information had been compromised but in a second press release issued on October 2, 2017, the SEC confirmed that forensic data analysis uncovered further depths to the intrusion.  In the October 2 press release, Chair Clayton outlined efforts to review and remediate the 2016 hacking, including:

  • A review of the 2016 EDGAR intrusion by the Office of Inspector General;
  • An investigation by the Division of Enforcement in the potential illicit trading resulting from the 2016 EDGAR intrusion (which seems to indicate that the perpetrator has been uncovered). Chair Clayton was first informed of the hacking in connection with this enforcement investigation;
  • A focused review and appropriate uplift of the EDGAR system with a concentration on cybersecurity matters, including its security systems, processes and controls. This review will include assessing the types of data that run through the EDGAR system and whether EDGAR is the appropriate mechanism to funnel such data;
  • A focused review and appropriate uplift of all systems that include the identification of sensitive data or personally identifiable information. This review will include assessing the types of data the SEC keeps and the related security systems, processes and control; and
  • The SEC’s internal review of the 2016 EDGAR hacking to determine, among other things, the procedures followed in response to the intrusion. This review is being overseen by the Office of the General Counsel and includes an interdisciplinary investigative team including outside technology consultants.  Related to this, the SEC will enhance protocols for cybersecurity incidents.

In furtherance of this review and plan, Chair Clayton authorized the immediate hiring of additional staff and outside technology consultants to protect the security of the SEC’s network, systems and data.

Based on the SEC’s statements and testimony on the matter, there still remains a lot of secrecy surrounding the incident. For instance, the date or dates of the hacking have not been made public. The hacking was reported to the Department of Homeland Security, but the SEC commissioners were not notified. Moreover, the SEC has not revealed the type of information that was accessed nor which companies were affected.

Collection and Use of Data by the SEC

The SEC collects, stores and transmits data in three broad categories, including: (i) public facing data through the EDGAR system; (ii) non-public information including personally identifiable information related to supervisory and enforcement functions; and (iii) non-public information including personally identifiable information related to the SEC’s internal operations.

The first category involves data provided to the SEC by companies (such as public reports under the Exchange Act, and notices of private offerings on Form D) and investors (such as Section 13 and Section 16 filings). The second category includes data on companies, broker-dealers, investment advisors, investment companies, self-regulatory organizations (including FINRA), alternative trading systems, clearing agencies, credit rating agencies, municipal advisors and other market participants. The third category of data includes personnel records, internal investigations and data related to risk management and internal control processes.

Management of Internal Cybersecurity Risks

Notably, Chair Clayton begins this part of his statement by disclosing that the SEC is “the subject of frequent attempts by unauthorized actors to disrupt access to our public-facing systems, access our data, or otherwise cause damage to our technology infrastructure, including through the use of phishing, malware and other attack vectors.” As did occur with the EDGAR hacking, attackers stand to profit from information through trading activities, identity theft and a myriad of other improper uses of the illegally obtained information.

In addition to outside attacks, the SEC monitors for unauthorized actions by personnel.  In 2014, an internal review uncovered that certain laptops with sensitive information could not be located. There have also been instances where SEC personnel have used non-secure personal email accounts to transmit nonpublic information. The SEC mitigates the internal risk by requiring all personnel to complete privacy and security training.

To protect against all of its cyber-related threats, the SEC employs an agency-wide cybersecurity detection, protection and prevention program. The program includes cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cybersecurity and privacy training for employees. However, in light of current and changing technological advancements, the SEC intends to step up its efforts overall. As mentioned earlier, in that regard, the SEC is seeking an increase in its annual budget, and a lift on its current hiring limitations.

Just as the SEC expects public companies to maintain internal controls, including from the top down, on cybersecurity matters, so the SEC has internal policies and procedures requiring senior management to maintain policies, and to coordinate with other offices and divisions with respect to cybersecurity efforts, including risk reporting and testing.

Although all offices have responsibilities, the SEC Office of Information Technology has overall management and responsibility for the agency’s cybersecurity. The SEC’s cybersecurity program is subject to review from internal and external independent auditors, including to ensure compliance with the Federal Information Security Modernization Act of 2014 (“FISMA”).

The SEC also must report cybersecurity matters to outside agencies, including the Office of Management and Budget and the Department of Homeland Security, and has established information-sharing relationships with the National Cybersecurity and Communications Integration Center (“NCCIC”), the Financial and Banking Information Infrastructure Committee (“FBIIC”), and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”).

Incorporation of Cybersecurity Considerations in the SEC’s Disclosure-Based and Supervisory Efforts

The SEC incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the Commission’s review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisors and investment companies. Related to public company disclosures, Chair Clayton referred to the SEC guidance summarized HERE.

Related to the SEC’s oversight of market infrastructure, including regulation of exchanges and clearing agencies, the SEC adopted Regulation Systems Compliance and Integrity in 2014. Regulation SCI was proposed and adopted to require key market participants to have comprehensive written policies and procedures to ensure the security and resilience of their technological systems, to ensure systems operate in compliance with federal securities laws, to provide for review and testing of such systems and to provide for notices and reports to the SEC. Key market participants generally include national securities exchanges and associations, significant alternative trading systems (such as OTC Markets, which has confirmed it is in compliance with the Regulation), clearing agencies, and plan processors. For a review of Regulation SCI, see HERE.

Furthermore, certain SEC rules and regulations governing broker-dealers, investment advisors and investment companies directly implicate information security practices. For example, Regulation S-P requires registered broker-dealers, investment companies and investment advisors to adopt written policies and procedures governing safeguards for the protection of customer information and records. Regulation S-ID requires these firms, to the extent they maintain certain types of covered accounts, to establish programs addressing how to identify, detect and respond to potential identity theft red flags.

Coordination with Other Governmental Entities

Effective cybersecurity programs require cooperation among government agencies. The SEC shares oversight responsibility on some matters with other agencies, including the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation. Furthermore, the SEC often coordinates with other agencies, such as the Federal Trade Commission and the Consumer Financial Protection Bureau. The SEC coordinates cybersecurity efforts with each of these agencies, and more.

Enforcement of the Federal Securities Laws

The SEC is committed to enforcing compliance with the cybersecurity disclosure obligations of reporting companies, and in enforcement proceedings against those that purse cyber threats. Part of these efforts include using advanced technology to monitor suspicious trading activity across companies, traders and geographic regions.

Chair Clayton sets out examples of enforcement actions, such as a case in 2016 against three traders for allegedly participating in a scheme to hack into two prominent New York-based law firms to steal information pertaining to clients that were considering mergers or acquisitions, which the hackers then used to trade. In another case, defendants allegedly hacked into newswire services to obtain non-public information about corporate earnings announcements. These are just two examples among dozens of cases.

Inquiries of a technical nature are always encouraged. Contact us now.