Rules Navigator

SEC has new Cyber and Emerging Technologies Unit, targets priority areas

Image of people with laptops in their laps.
Photo: Mark Wilson/Getty Images

Julie DiMauro

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

The new unit will harness fintech and cyber-related experience to combat misconduct as it relates to certain securities transactions.

The SEC just announced the creation of the Cyber and Emerging Technologies Unit (CETU) to focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space.

This unit will be led by Laura D’Allaird, and it replaces the Crypto Assets and Cyber Unit at the agency – a unit D’Allaird co-led at the SEC after serving as counsel to Commissioner Jaime Lizarraga.

It is comprised of approximately 30 fraud specialists and attorneys across multiple SEC offices who will use their substantial fintech and cyber-related experience to combat misconduct as it relates to securities transactions.

“Under Laura’s leadership, this new unit will complement the work of the Crypto Task Force led by Commissioner Hester Peirce. Importantly, the new unit will also allow the SEC to deploy enforcement resources judiciously,” said Acting Chairman Mark Uyeda.

“The unit will not only protect investors but will also facilitate capital formation and market efficiency by clearing the way for innovation to grow. It will root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies,” he added.

Specifically, the CETU will focus on securities transactions in the following priority areas:

  • fraud committed using emerging technologies, such as artificial intelligence and machine learning;
  • use of social media, the dark web, or false websites to perpetrate fraud;
  • hacking to obtain material nonpublic information;
  • takeovers of retail brokerage accounts;
  • fraud involving blockchain technology and crypto assets;
  • regulated entities’ compliance with cybersecurity rules and regulations; and
  • public issuer fraudulent disclosure relating to cybersecurity.

SEC and cybersecurity

The SEC pursued multiple cybersecurity-focused enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules, showcasing a continued focus on robust disclosure frameworks for cybersecurity incidents.

September 5 marked the effective date of a new mandate for publicly traded companies to notify the SEC of a cyberattack within four days of a material cybersecurity incident. And December 15 was when companies were required to notify investors. 

Under the new rule, registrants must disclose material cybersecurity incidents they experience, and disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. As part of the new rule, the SEC also adopted a requirement for foreign private issuers to make comparable disclosures.

Last spring, the nation’s healthcare industry was plagued by a cyber disruption affecting thousands of pharmacies and providers across the US, which needed to implemented workarounds to service patients. The victim of the ransomware attack – Change Healthcare – struggled to bring services back online, knowing the reach of the disruption to its many business partners and patients, and hackers stole sensitive data from Medicare and a host of other major insurance and pharmacy networks in the process.

And last July, businesses large and small around the globe experienced prolonged interruptions in their computer systems; the issue was pegged to a security update pushed out by CrowdStrike, a cybersecurity company, causing the Microsoft Windows operating system to crash.

These incidents and others just reinforced the fact that cyber risk is the biggest type of risk facing governments, corporates and (to an extent) consumers now. Continuity of service is essential for efficient operations, and whatever is within our control needs to be insulated, tested, and provided contingency measures for.

Trump administration and cybersecurity

The Trump administration has fired roughly 130 employees at the Cybersecurity and Infrastructure Security Agency (CISA) – the nation’s civilian cyber defense agency – as part of a broad push to slash the federal workforce. Employees at multiple federal government agencies received virtually identical letters informing them they were being terminated from their positions in his administration’s broad push to slash the federal workforce.

While there are legitimate places to cut costs at CISA, employees told one news source, the administration appears to be acting without sufficient regard for who holds highly specialized national security posts or how hard it would be to find people to replace those specifically skilled people in an emergency.

, ,

You may also like