What is Laura Deair's position?

She is the chief of the cyber and emerging technologies unit at the SEC.

What are the key priorities of the cyber and emerging technologies unit?

They focus on fraud in emerging technologies, cyber security compliance, and other cyber-related misconduct.

Claiming misuse of AI or misrepresenting its use in a way that harms investors.

What is the new SEC rule regarding cyber security disclosures?

Companies must disclose material cyber security incidents within four business days of determining their materiality.

What is the role of the SEC in cyber security?

The SEC focuses on ensuring that investors are provided with material information for informed decision-making.

What past positions did Laura Deair hold before becoming chief?

She worked as an attorney in the SEC and was previously part of the cyber unit under Rob Cohen.

What does the SEC mean by 'materiality' in these cases?

Whether a reasonable investor would find the information important to their decisions.

What approach does the SEC take towards informing public companies about their disclosures?

They encourage timely and accurate disclosures without unduly delaying the determination of materiality.

SEC Spotlight: Cyber Regulation and Enforcement

00:30:08

https://www.youtube.com/watch?v=6-VZBAyCRLI

Summary

TLDRAt a lunch hosted by FGS Global, Rob Cohen interviews Laura Deair, the new chief of the SEC's cyber and emerging technologies unit. Deair discusses her background and the reformation of the unit, which now focuses on fraud stemming from emerging technologies such as AI and crypto. She outlines the unit's key priorities, which involve tackling fraud, ensuring compliance with cyber security regulations, and addressing other cyber misdeeds. The conversation also touches on the recent SEC rules for public companies concerning cyber security disclosures, emphasizing the importance of materiality and timely responses. Throughout the discussion, there is a clear commitment to protecting investors while adapting to the rapid pace of technological advancements.

Takeaways

🥗 Welcoming the audience and thanking FGS Global for lunch.
🔍 Introduction of Rob Cohen and Laura Deair.
🛡️ Laura Deair discusses her background in the SEC.
📈 The unit has evolved to focus on fraud in emerging technologies.
⚖️ New SEC rules now require timely disclosure of cyber incidents.
💻 AI washing involves misleading claims about AI usage.
🔬 Key priorities include compliance with cyber security regulations.
🗂️ The unit comprises about 30 staff members across different offices.
🤝 Importance of research and partnerships with other divisions for investigations.
🌟 Recognition of Laura Deair's promotion and her leadership in the unit.

Timeline

00:00:00 - 00:05:00
The lunch event begins with a welcome message, thanking FGS Global for the meal, and indicating that the format will include an interview rather than a traditional keynote speech. Rob Cohen, former chief of the SEC's cyber unit, introduces himself and Laura Deair, the new chief of the SEC's cyber and emerging technologies unit, praising both for their expertise and contributions.
00:05:00 - 00:10:00
Laura briefly introduces her professional background, highlighting her tenure at law firms, her clerkship at the Fifth Circuit, and then roles at the SEC including her time as a staff attorney and an enforcement council for a commissioner. She expresses excitement about leading the newly formed cyber and emerging technologies unit, which contains around 30 staff members specializing in fraud and cybersecurity compliance.
00:10:00 - 00:15:00
Laura discusses the unit's historical context, noting its evolution from the original cyber unit formed in 2017 to its recent rebranding. She highlights that the unit is spread across multiple offices and maintains a focus on fraud, cybersecurity compliance, and cyber-related misconduct as its main priorities.
00:15:00 - 00:20:00
The conversation shifts to the specifics of emerging technologies, with Laura defining it as constantly evolving, including both genuine innovation and situations where traditional scams are repackaged as new tech. She emphasizes the importance of adapting to changes in technology and the need for regulatory frameworks to keep up with innovation while protecting investors.
00:20:00 - 00:25:00
When the topic of cryptocurrency arises, Laura explains that while fraud related to blockchain and crypto remains a priority for their unit, they are also keen on utilizing enforcement resources wisely and are seeking a balanced approach to regulation, focusing particularly on protecting retail investors from fraud.
00:25:00 - 00:30:08
The discussion transitions to cybersecurity, with Laura summarizing recent SEC rules on cybersecurity disclosures and explaining the SEC's role in ensuring investors receive material information. The conversation highlights the importance of timely disclosures and the SEC's consideration of materiality when addressing cybersecurity incidents affecting public companies.

Mind Map

Video Q&A

Who are the main speakers in the video?
Rob Cohen and Laura Deair.
What is Laura Deair's position?
She is the chief of the cyber and emerging technologies unit at the SEC.
What are the key priorities of the cyber and emerging technologies unit?
They focus on fraud in emerging technologies, cyber security compliance, and other cyber-related misconduct.
What is AI washing?
Claiming misuse of AI or misrepresenting its use in a way that harms investors.
What is the new SEC rule regarding cyber security disclosures?
Companies must disclose material cyber security incidents within four business days of determining their materiality.
What is the role of the SEC in cyber security?
The SEC focuses on ensuring that investors are provided with material information for informed decision-making.
How many staff members are in the cyber and emerging technologies unit?
Around 30 staff members.
What past positions did Laura Deair hold before becoming chief?
She worked as an attorney in the SEC and was previously part of the cyber unit under Rob Cohen.
What does the SEC mean by 'materiality' in these cases?
Whether a reasonable investor would find the information important to their decisions.
What approach does the SEC take towards informing public companies about their disclosures?
They encourage timely and accurate disclosures without unduly delaying the determination of materiality.

View more video summaries

Get instant access to free YouTube video summaries powered by AI!

Subtitles

Auto Scroll:

00:00:01
All right. Well, um, welcome everyone to
00:00:03
lunch and, uh, we want to thank FGS
00:00:06
Global for the lunch because, um, this
00:00:09
is a little better than your usual
00:00:10
rubber chicken. So, I hope everyone's
00:00:11
enjoying it and enjoying the Four
00:00:14
Seasons. So, um, what we like to do at
00:00:16
these lunches is not have a keynote
00:00:18
speaker who just speaks to you, but have
00:00:20
a government official interviewed by
00:00:22
somebody so that we can hear a little
00:00:24
bit more about what they're up to. And
00:00:26
in this situation, this is my favorite
00:00:28
kind of situation where you have the
00:00:30
former chief of the unit talking to the
00:00:31
current chief of the unit. And that's
00:00:33
what we've got going on right here. So,
00:00:35
let me introduce these two people
00:00:36
quickly. Um, what you probably already
00:00:39
know about Rob Cohen, he's the former
00:00:41
chief of the SEC's cyber unit. Um, from
00:00:44
crypto to cyber, Rob has done it all.
00:00:47
Uh, but what you may not know is that he
00:00:50
was also the former co-chief of the
00:00:51
SEC's market abuse unit. And sort of
00:00:54
like Christy Litman, as I mentioned
00:00:55
before, he also ran the insider trading,
00:00:58
market structure, manipulation, broker
00:01:00
dealers, uh, alternative trading
00:01:01
systems, exchanges. So, he's a really a
00:01:03
a two-way expert, which is so much so
00:01:07
much different than again most everyone
00:01:09
here is always a little different from
00:01:10
one another as opposed to the SEC
00:01:12
enforcement conferences where everyone's
00:01:14
kind of the same. You know, worked at
00:01:15
enforcement in the SEC and then went on
00:01:18
to private practice. These are very
00:01:19
unique individuals. So, uh, when I think
00:01:22
of Rob Cohen, I I can't help but think
00:01:23
of it's the Saul Goodman of incident
00:01:26
response. Definitely the go-to player in
00:01:28
lots of different ways, a jack of all
00:01:30
trades. And then who we a very special
00:01:33
guest, the most special guest we have of
00:01:35
all today is Laura Deair
00:01:39
Deair. Um she is chief of the cyber and
00:01:42
emerging technologies unit which was
00:01:44
formerly the crypto unit and cyber unit
00:01:47
at the SEC. From the Edgar happening
00:01:49
Edgar electronic data gathering and
00:01:51
retrieval service at the SEC to the
00:01:53
Binance fraud, she has seen it all and
00:01:56
we really have to be grateful for her
00:01:58
coming here today. It's very hard to get
00:02:00
government speakers right now. You can
00:02:02
appreciate why. Um the what you may not
00:02:05
know the dramatic changes going on at
00:02:07
the SEC. Um, I talked about it in in an
00:02:11
op-ed piece in the New York Times on
00:02:12
Friday or Saturday. Um, they've stopped
00:02:15
the entire crypto program and Laura is
00:02:17
charged with leading a new SEC where
00:02:20
more than 20% have taken retirement. And
00:02:23
it just unbelievable how terrific she is
00:02:26
at this job. And she's tough. She's the
00:02:28
Ellen Ripley of Incident Response. And
00:02:31
you know what? If she had a theme song,
00:02:32
it would be Survivor by Destiny's Child.
00:02:35
So, um, uh, let me turn it over to Rob
00:02:39
and let's hear what she has to say. So,
00:02:41
thank you. Let's give a round of
00:02:42
applause to Laura for being here. We
00:02:44
can't thank her enough.
00:02:47
Thanks. So, I thought I would start by
00:02:49
asking Laura to introduce herself and
00:02:52
just sort of explain her professional
00:02:54
background that brings her here to this
00:02:55
new job. Well, thank you. Thank you,
00:02:57
Rob. Um, and it's it's great to be here
00:02:59
with you all and and to speak with you
00:03:01
all. So to give you a little context and
00:03:04
my background and where I come from, um
00:03:06
so around the first eight years of my
00:03:09
professional career as an attorney, um I
00:03:11
spent working at two different law firms
00:03:13
in private practice. I spent a year
00:03:15
clerking on the fifth circuit down in
00:03:17
New Orleans. Um and then in late 2016, I
00:03:20
joined the commission in our general
00:03:22
core um enforcement group. Um that was
00:03:25
at the beginning of the last Trump
00:03:27
administration. Um, in 2017 I joined the
00:03:31
cyber unit led by Rob Cohen here. Um, so
00:03:35
again, really great to be here with Rob.
00:03:37
Um, worked in the unit as a staff
00:03:40
attorney um, for a number of years.
00:03:42
Spent a year um, with our trial unit
00:03:45
litigating a case called kick. Um and
00:03:48
then I spent about seven months um in um
00:03:52
our director of enforcement's office
00:03:54
advising him on um cyber security and
00:03:57
cryptoreated issues. And then I had an
00:03:59
opportunity around the time that the
00:04:01
unit became the crypto asset and cyber
00:04:03
unit to actually go and be an
00:04:05
enforcement council to one of the
00:04:07
commissioners, commissioner Hime Lazar.
00:04:09
And so I did that for about two and a
00:04:10
half years. Um, and now I'm back in
00:04:13
enforcement um, as chief of the of the
00:04:16
newlyannounced cyber and emerging
00:04:18
technologies unit. Great. And those of
00:04:21
us who work with Laura earlier in her
00:04:23
SEC career are not at all surprised that
00:04:25
she has this new leadership position
00:04:27
helping to
00:04:33
run. Unit actually was created in 2017.
00:04:37
as you said, was renamed in the last
00:04:40
administration uh under Chair Gensler
00:04:42
and was renamed and sort of rep
00:04:45
prioritized a bit a couple months ago.
00:04:47
It's now the cyber and emerging
00:04:49
technologies unit. Give us some
00:04:51
background about the unit. Just starting
00:04:53
with I don't know bags logistics. Who's
00:04:56
in the unit? How many people? Where are
00:04:58
they across the commission? Sure. Sure.
00:05:00
Um so so as you said we were originally
00:05:03
formed. I'm going to give you like some
00:05:04
background and context and then maybe
00:05:05
you know later maybe we'll get into
00:05:07
priorities for the new unit. But in
00:05:08
terms of the background and context, you
00:05:10
know, as you said, we we were formed
00:05:11
back in 2017 as the cyber unit. In 2022,
00:05:14
we were renamed as the crypto asset and
00:05:16
cyber unit. Um and then very recently,
00:05:20
just we're only two months old. Back in
00:05:22
February of 2025, um the commission
00:05:25
announced the cyber and emerging
00:05:26
technologies unit. Um that unit has
00:05:29
around 30 staff members. So, we've got
00:05:32
30 um members consisting of fraud
00:05:36
specialists. We have a whole group of
00:05:38
fraud specialists um in our unit, staff
00:05:41
attorneys um as well as supervisors and
00:05:43
and the unit chief spread out uh amongst
00:05:46
a number of offices. So, DC, our home
00:05:48
office, our headquarters in Washington
00:05:50
DC and then five other um uh regional
00:05:53
offices and we also have a couple
00:05:55
advisors um to the unit and they are in
00:05:58
uh New York. So, we're kind of we're
00:06:00
spread out. Great. Great. And I'll note,
00:06:04
um, you know, the the unit had gotten
00:06:05
bigger when it was focused on crypto.
00:06:07
You said it's about 30 people now. If
00:06:10
I'm remembering correctly, that's
00:06:11
actually a little bit bigger than it was
00:06:12
when it was first created. I think when
00:06:14
it was first created, it was mid to
00:06:16
upper 20s. So, although it is smaller
00:06:18
than it was in the last administration,
00:06:20
I think it is similar size, if not
00:06:23
bigger, um, than it was when it was
00:06:25
first created. Yeah. Yeah. I haven't
00:06:26
done a headcount specifically, but it
00:06:28
that that is that is correct. I mean,
00:06:30
roughly we're around the same size,
00:06:32
maybe a few people bigger than than when
00:06:34
we were the cyber unit. Y um so as as
00:06:37
you said, let's talk about priorities.
00:06:39
Um there was a press release. It had a
00:06:41
bullet list of what the priorities of
00:06:43
the unit were. Um what what are you
00:06:46
focused on? What are people in the group
00:06:47
focused on? So I kind of put them into
00:06:50
there there was a press release. I put
00:06:51
them into kind of three buckets of of
00:06:54
priorities that we are thinking about in
00:06:56
the unit. Um so the first bucket is it's
00:06:58
it's a little new for us and that is you
00:07:01
know a focus on fraud across the
00:07:03
emerging technologies space. So there
00:07:06
we're really looking at you know leading
00:07:08
up bad actors who are misusing
00:07:11
innovative technology or excitement
00:07:13
around innovative technology to harm
00:07:15
investors. Um and so that include fraud
00:07:18
related to AI or machine learning um as
00:07:22
well as um blockchain and and and
00:07:25
crypto. Um and then we have a second set
00:07:28
of priorities related to you know
00:07:30
probably most pertinent to this group
00:07:32
here cyber security compliance. So we're
00:07:34
looking at regist compliance with um
00:07:37
cyber security rules and regs like
00:07:40
regid regggi as well as public issuer
00:07:44
disclosure fraud. Um and then a third
00:07:46
set of priorities I would bucket in
00:07:49
other cyber related misconduct. Um so
00:07:52
that would include you know using social
00:07:55
media or fake websites or the dark web
00:07:58
to to engage in fraud. Um hacking to
00:08:01
obtain material non-public information
00:08:03
and trading on that um MNPI as well as
00:08:07
um account brokerage takeovers. Um so
00:08:10
those are kind of the three buckets of
00:08:12
priorities that that we're focused on.
00:08:14
And as you can see like there's some
00:08:15
priorities that carry on from the cyber
00:08:17
unit. There's some that are you know
00:08:19
have carried on throughout our history
00:08:21
and some new ones like with emerging
00:08:22
technology and um you've given him some
00:08:26
examples. Can you say anything else
00:08:27
about what an emerging technology you
00:08:30
know is in this context? And so for one
00:08:33
one example you know AI um it has been
00:08:36
the focus including at the commission
00:08:38
for at least a year or two. It's not
00:08:39
brand new. um AI may mean different
00:08:42
things to different people. There's
00:08:44
people who are actually using AI.
00:08:46
There's people who may be pretending to
00:08:47
use AI. So, how do you think about, you
00:08:50
know, what is an emerging technology in
00:08:52
this specific context? Um, so talking
00:08:55
about emerging technology generally, I'm
00:08:57
glad you asked because, you know, we
00:08:59
specifically use that term for a couple
00:09:01
purposes. We wanted to signify that we
00:09:03
have both a broad remit in this unit,
00:09:05
but also an evolving remmit in this
00:09:07
unit. that this unit has evolved from
00:09:09
its beginning and it's going to continue
00:09:10
to evolve. And so, you know, emerging
00:09:13
technology, what we think about in terms
00:09:15
of emerging technology today is probably
00:09:17
going to be different from how we see
00:09:18
emerging technology, you know, five or
00:09:20
10 years from now. You know, so that
00:09:22
term helps us, you know, remind us that
00:09:25
we need to be nimble. We need to keep a
00:09:26
pace with innovation across the board.
00:09:29
Um and you know again we're really
00:09:32
focused um you know broadly speaking on
00:09:35
when we think about emerging technology
00:09:37
our full mission at the commission. So
00:09:40
we want to protect investors of course
00:09:43
but we're doing that by also you know we
00:09:46
facilitate capital formation and market
00:09:48
efficiency when we weed out those bad
00:09:50
actors who are you know stifling
00:09:52
innovation dragging it down dragging
00:09:54
down investor confidence. Um so you know
00:09:57
generally when we think about emerging
00:09:59
technology and the kind of cases and
00:10:01
investigations that we're doing we're
00:10:02
looking at two kinds of buckets. One
00:10:05
bucket would be um you know folks who
00:10:07
are actually using the technology
00:10:09
misusing the technology to engage in
00:10:11
fraud to harm investors to harm investor
00:10:14
confidence in these new technologies. So
00:10:16
that can include for example you know
00:10:18
using an AI model to engage in market
00:10:20
manipulation and another bucket would be
00:10:23
what I you know personally think of as
00:10:26
emerging technology rapper cases. So
00:10:29
like instances where someone is you know
00:10:32
using terminology using excitement
00:10:35
around a new innovation to actually just
00:10:37
engage in good oldfashioned fog you know
00:10:39
so like old wine in a new bottle kind of
00:10:42
idea. Um that's generally how how we're
00:10:45
thinking about it. So on that latter
00:10:46
point, I remember earlier in my career
00:10:48
at the commission, solar was a big topic
00:10:50
like that. People were using excitement
00:10:52
about solar energy to attract retail
00:10:55
investors into a fraud. And it really
00:10:57
wasn't about solar. It was just using
00:10:59
solar to attract them. So whatever the
00:11:02
the latest greatest thing is that are
00:11:04
getting retail investors excited, people
00:11:06
are tempted to use that to try and
00:11:08
separate them from their money. Um okay.
00:11:11
So, um, we'll come back to cyber
00:11:13
security in a second. Um, but we can't
00:11:16
help but touch on crypto.
00:11:19
Um, again, from my perspective, crypto
00:11:23
really dominated the unit and much of
00:11:25
the enforcement division in the last
00:11:27
administration. Um, and so clearly
00:11:30
between the crypto task force and public
00:11:32
statements have been made, there's been
00:11:33
an effort to resteer on that. That said,
00:11:36
as as you as you noted, crypto is part
00:11:39
of the mandate of the unit. So, you
00:11:41
know, what is your focus when it comes
00:11:43
to crypto? Yeah, so thank you for the
00:11:45
question. Um, you know, and as noted in
00:11:47
the press release, one of our priorities
00:11:49
is fraud related to blockchain
00:11:52
technology and crypto. Um, you know, we
00:11:54
are looking to use our enforcement
00:11:56
resources judiciously and where it makes
00:11:58
sense. Um, and here, you know, we are
00:12:01
focused on fraud on retail investors. It
00:12:04
is worth noting um the formation of the
00:12:07
task force that was announced um a few
00:12:09
months ago as well. Um it's led by
00:12:11
commissioner pur um and when we were
00:12:14
announced our formation was announced um
00:12:16
you know it was also stated that our
00:12:17
work is going to complement um the work
00:12:20
uh of the task force. So that's that's
00:12:22
what I can say there we are focused on
00:12:24
on retail fraud at this time and um I
00:12:28
know there's only so much you can say on
00:12:29
that. So I'll just sort of comment from
00:12:31
the industry perspective that you know a
00:12:33
key narrative from the last
00:12:35
administration was that the commission's
00:12:37
energy on crypto seem to be focused on
00:12:39
enforcement first and there were you
00:12:42
know statements saying they wanted
00:12:43
people to come in and talk but because
00:12:45
of the enforcement approach I can say
00:12:47
that you know many in the industry did
00:12:49
not feel that that was a realistic
00:12:51
offer. Um it's very apparent from public
00:12:53
messaging that there's an effort to you
00:12:56
know re restart on that to have you know
00:12:59
the crypto task force and the roundts
00:13:02
have a more open you know open attitude
00:13:05
to having people come in and talk but at
00:13:07
the same time there is still an
00:13:08
enforcement team um that has a mandate
00:13:11
and is supposed to complement that
00:13:12
effort. So, uh, again, that's not a
00:13:14
question. There's not much more you can
00:13:15
say about that. But I'd say from the
00:13:16
industry's perspective, that's something
00:13:19
people are going to be looking at and
00:13:20
very people are very excited about the
00:13:22
renewed, uh, the new the new message and
00:13:25
and the mandate of the task force. Um,
00:13:27
but they're they're going to be watching
00:13:29
that. That that's of great interest. Um,
00:13:31
okay. Thank you for sharing. Actually,
00:13:33
can I say something that I forgot to
00:13:35
say? You're this is your show. So I
00:13:39
didn't give my standard disclaimer which
00:13:40
I'm supposed to be you know give at the
00:13:42
you had to ask I should have caught
00:13:44
what's the thing that you that you
00:13:46
struggle with as chief it's remembering
00:13:48
that disclaimer. Um so before we go any
00:13:52
further you know obviously my comments
00:13:54
today are in my official capacity as the
00:13:57
division of enforcements chief of the
00:13:59
cyber and emerging technologies unit. Um
00:14:01
they do not necessarily reflect the
00:14:03
views of the commission the
00:14:05
commissioners or the commission staff.
00:14:07
Sorry. And I think you were gonna ask me
00:14:09
about AI and I'm happy to talk about
00:14:11
this. Yeah. So I I uh I apologize for
00:14:14
not catching that up front. I should
00:14:16
have. That's my my job is I should have.
00:14:18
No, can't say moderator. There's only
00:14:19
one other person up here, but pseudo
00:14:21
moderator. So I'm glad I'm glad you
00:14:23
caught that. Yes. Let's talk some more
00:14:25
about AI. There's been AI washing cases.
00:14:28
There's been AI public company
00:14:31
disclosure discussion. There's been
00:14:33
investment advisor using AI to give
00:14:35
investment advice discussion. what
00:14:37
what's interesting in AI to you in your
00:14:40
job? Um, well, I would say we're we're
00:14:43
we start with the anti-fraud provisions.
00:14:45
So, we're focused on the anti-fraud
00:14:46
provisions, but we're looking at that
00:14:48
across the board when it comes to AI.
00:14:50
So, you know, you mentioned AI washing
00:14:52
before. You've mentioned, you know, we
00:14:55
can think about um and I'm sorry, I
00:14:57
don't mean to interrupt, but like AI
00:14:58
washing, it occurs to me maybe not
00:15:00
everybody knows exactly what that means,
00:15:01
right? So, you know, claiming one way to
00:15:04
define it would be, you know, you're a
00:15:08
public company and you say that you use
00:15:10
AI in a certain way or you're an
00:15:11
investment adviser and you say you use
00:15:14
AI in a certain way and it turns out
00:15:15
that that you don't like maybe you don't
00:15:17
use AI at all or you use it in a way
00:15:21
that you haven't disclosed or say you
00:15:23
use it in a way that harms investors.
00:15:25
Then we're getting more into, you know,
00:15:26
fraud directly on investors and harm
00:15:28
directly to investors. Um, so I would
00:15:31
say, you know, we're we're focused
00:15:32
across the board there. And, you know,
00:15:34
we want to put our resources where it
00:15:37
makes sense. We're always thinking about
00:15:38
that. You know, wherever we see, you
00:15:41
know, harm to investors, where we see
00:15:44
um, you know, there's a diminishment in
00:15:46
investor confidence, right, as a result
00:15:49
of that, like it may make sense. And if
00:15:51
it aligns with the commission
00:15:52
priorities, then it makes sense for us
00:15:54
to to be there. So, we really are
00:15:55
looking, you know, across across the
00:15:57
board on that. We do have in our fraud
00:16:00
specialist group, we have a fraud
00:16:03
specialist who is focused on AI. He
00:16:05
comes to us from the exams division. Um
00:16:08
and so he has he has a background
00:16:10
looking at um AI at various regs and has
00:16:14
a familiarity with the technology and so
00:16:16
he is really great. He helps us to um
00:16:20
you know triage cases. He helps us look
00:16:23
at trends and help us focus our
00:16:25
resources on where it makes sense. Um
00:16:28
and we also provide consults throughout
00:16:30
the division now on on AI related cases.
00:16:33
So we're you know kind of focused across
00:16:35
the board on that.
00:16:37
Um so turning to cyber security uh key
00:16:41
topic of the day. Um there uh there are
00:16:45
some still I'd say still relatively new
00:16:48
rules on public company disclosures of
00:16:50
cyber security. Before the new rules,
00:16:53
there were no specific SEC rules on
00:16:55
cyber security disclosure. It all fell
00:16:57
within more general rules about
00:17:00
disclosing material trends or material
00:17:03
events or things like that. So now for
00:17:04
the first time there are some cyber
00:17:06
security specific disclosures if I can
00:17:09
ask you to to briefly summarize them.
00:17:12
But I would say the broader context or
00:17:14
or the broader question I would ask is
00:17:16
you know how do you think about the
00:17:17
SEC's role when it comes to cyber
00:17:19
security? because it is uh it is not a
00:17:22
cyber security agency. There are some of
00:17:24
those. It is not a law enforcement
00:17:26
agency. It's not a um intelligence
00:17:30
agency. Um it's mostly lawyers and
00:17:33
accountants and some specialists. Um but
00:17:36
that said, clearly cyber security is a
00:17:38
focus for the commission. It has been
00:17:40
going back at least a couple of
00:17:42
administrations. Jay Clayton was very
00:17:44
focused on cyber security when he was
00:17:45
the new chair. So broad question is how
00:17:48
do you think about the SEC's role in
00:17:49
cyber security and not surprisingly as
00:17:52
part of that what are these new rules?
00:17:54
Um okay so I'm going to take it I'm
00:17:56
going to flip it. I'm going to talk
00:17:57
about the new rules and then talk about
00:17:58
you know what we're thinking. Um so the
00:18:00
new rule went into effect on public
00:18:03
issuer disclosure related to cyber
00:18:05
security back in December of 2023. Um I
00:18:08
think of it have as having like two sets
00:18:10
of requirements. So the first relates to
00:18:12
form 8K. There's a new requirement item
00:18:15
1.0. 05 on disclosing material cyber
00:18:18
security incidents and disclosing you
00:18:21
know the the nature the scope the timing
00:18:24
certain aspects of of that incident the
00:18:27
requirement around that is to disclose
00:18:28
it four business days after the company
00:18:32
makes the determination that it is
00:18:34
material that's important to note um
00:18:36
yeah I would actually just to not to
00:18:37
interrupt but I like just sort of repeat
00:18:39
that because when we counsel clients
00:18:41
that's a hugely important and helpful
00:18:45
distinction It's not 4 days from the
00:18:47
event. It's 4 days from deciding the
00:18:49
event was material. Yes, it's 4 days
00:18:51
from deciding that the event was was
00:18:54
material and four business days. Um so
00:18:56
it is important to keep that in mind and
00:18:58
there are um exemptions for that too.
00:19:00
There's a national security exemption
00:19:01
for that. If the attorney general
00:19:03
provides a notice in writing that you
00:19:05
know disclosure um would you know harm
00:19:08
national security interests for example
00:19:10
like there's an exemption for that. If
00:19:12
you're a foreign private issuer, you
00:19:15
would only be required to disclose if
00:19:16
you're required to disclose um in your
00:19:19
jurisdiction or you have already
00:19:20
disclosed it for example. Um so there's
00:19:23
you know that requirement on AK and then
00:19:25
there's a set of requirements related to
00:19:27
form 10K one relates to um you know what
00:19:33
does the company's approach what is the
00:19:35
company's approach to the identification
00:19:37
assessment and management of those
00:19:38
material cyber incidents. another set on
00:19:41
you know what is the board of directors
00:19:43
role when it comes to material cyber
00:19:45
security incidents you know what what's
00:19:47
the expertise what's what's the role
00:19:49
there disclosure around that um in terms
00:19:53
of our approach and what we're thinking
00:19:56
about and what we look at you know and
00:19:58
you ask about you know what is our role
00:20:00
on cyber security when you step back the
00:20:02
SEC we're we're a disclosure regime
00:20:05
we're about disclosure so what we care
00:20:07
about is you know our investors being
00:20:10
provided material information so that
00:20:12
they can make informed decisions,
00:20:14
informed investment decisions. And so
00:20:16
that's what we're focused on. And so,
00:20:19
you know, key to us, right, for you for
00:20:22
for public companies is the materiality
00:20:25
issue, right? Determining that
00:20:26
something's material and then
00:20:28
determining what needs to be disclosed
00:20:31
around that. Um, and when you think
00:20:33
about materiality, what are we thinking
00:20:35
about at the SEC? were thinking about
00:20:37
that Supreme Court standard on
00:20:39
materiality. Would a reasonable
00:20:41
investor, you know, would there be a
00:20:42
substantial likelihood that the
00:20:43
reasonable investor would find that
00:20:45
information important to his or her
00:20:48
decision? Would it alter um the mix of
00:20:51
information available, right?
00:20:53
Substantially alter it. So, it all comes
00:20:55
back to that. There's there's guidance
00:20:56
in the release on the on the new rules.
00:20:58
There's factors to consider like
00:21:00
reputation, etc., but it really all
00:21:02
comes back to that materiality. And you
00:21:05
know, one other thing I would note about
00:21:06
that that we're thinking about, right,
00:21:08
is, you know, there's the four business
00:21:09
days. There's the determination, right?
00:21:12
Like you have to take time to make that
00:21:14
determination and there's a balance
00:21:16
there, right? Like there can't be an
00:21:18
undue delay, but you've got to have like
00:21:20
a certain critical mass of information,
00:21:23
right? Yeah. And that guidance, I'll
00:21:25
note um it's been very helpful in
00:21:27
talking to clients. The guidance changed
00:21:29
from the proposing release to the
00:21:31
adopting release. The written this is
00:21:33
not in the rule text. It was just
00:21:34
guidance in the commission release which
00:21:36
is pretty informative. Originally it
00:21:39
said I think as soon as reasonably
00:21:41
practical
00:21:43
meaning the disclosure time period is
00:21:45
from when the company determines
00:21:47
something's material and the proposed
00:21:50
guidance was you have to decide
00:21:51
materiality as soon as reasonably
00:21:52
practical practicable. It was then
00:21:55
changed in response to comments to
00:21:57
without unreasonable delay. So, as
00:21:59
opposed to sort of an affirmative sort
00:22:01
of like pushing decide to side to side
00:22:04
as I as I view it, it was changed to a
00:22:07
look, don't artificially delay, right?
00:22:09
Like so we're not imposing a deadline on
00:22:11
you, but don't game it. Don't sort of
00:22:14
make sure nobody's talking to each other
00:22:16
so you're in effect not deciding. You
00:22:17
can't do that.
00:22:19
I think you know what might help here is
00:22:21
for me to talk a little bit about you
00:22:23
know big picture how we are thinking
00:22:25
about these these investigations and
00:22:28
cases and um it may get into another
00:22:31
question that you're going to ask but
00:22:32
I'm just I'm just messing up the order
00:22:34
here go ahead so but you know I think
00:22:38
stepping back when you think about cyber
00:22:40
security we are in this unit in the
00:22:44
commission we're keenly aware of the
00:22:46
challenges that public issuers and
00:22:48
registrants face when they are a victim
00:22:51
of a cyber security incident. You know,
00:22:53
that can be a difficult task, right, to
00:22:56
think about what needs to be disclosed
00:22:58
during that time. We're we're aware of
00:23:00
that and every company faces cyber
00:23:02
security threats. We know that. And so
00:23:05
what I'm leading up to here is that we
00:23:07
in the division of enforcement in in
00:23:09
this unit when we are looking at cases,
00:23:11
we're looking at all the facts and
00:23:13
circumstances. We're looking at the big
00:23:15
picture. We are not looking to be a
00:23:17
Monday morning quarterback. We're not
00:23:19
looking to second guessess, you know,
00:23:21
good faith, you know, reasonable based
00:23:23
like decisions. That's kind of what
00:23:25
we're thinking about. We're thinking
00:23:26
about the big picture. And that's that's
00:23:28
how we approach it. And so when you
00:23:30
think about unreasonable delay like or
00:23:32
undue delay, you know, what's the big
00:23:34
picture there? What happened? You want
00:23:36
to understand the context, you know, big
00:23:38
picture, what happened, what's
00:23:40
reasonable, what's not reasonable.
00:23:42
That's terrific. and and
00:23:44
um exactly when when um when the unit
00:23:48
was created 27 2018 there was a specific
00:23:52
effort to publicly message the idea that
00:23:54
the unit was not intended to second
00:23:56
guessess good faith decisions and during
00:23:59
the last administration I think it's
00:24:01
fair to say public companies that went
00:24:03
through these types of investigations
00:24:05
felt that that approach had been
00:24:08
abandoned um reasonable minds might
00:24:10
disagree on that but I can say that was
00:24:12
the feeling for firms that went through
00:24:14
that that process and to hear you now
00:24:16
talk about your your perspective I think
00:24:18
is I think is very helpful and I think
00:24:20
will be um you know people will wait and
00:24:23
see what the enforcement actions are but
00:24:25
I think people are very optimistic about
00:24:26
that. Well I'm not going to comment on
00:24:28
the past but I am going to say you know
00:24:30
what I said that that is the approach
00:24:32
that that we are taking. Speaking of
00:24:34
things you can't comment on um uh why
00:24:38
bring it up because maybe you can say a
00:24:40
little bit. So, so we only have a few
00:24:42
minutes left, but we can't we can't have
00:24:44
this discussion without talking about
00:24:45
the Solar Winds case. Um, I know you
00:24:48
can't it's pending. I checked the docket
00:24:50
sheet this morning to make sure. Uh, I
00:24:52
didn't get a chance to say, "Oh, it's
00:24:53
been dismissed. You can now talk." It's
00:24:55
still pending. So, you can talk about
00:24:56
pending litigation. But, you know, the
00:24:58
Solar Winds decision was very prominent.
00:25:00
Um, when it comes to SEC enforcement on
00:25:02
cyber security, there were claims about
00:25:05
a security statement posted on the
00:25:07
company's website, not in SEC filings.
00:25:09
There were claims about the company's
00:25:11
SEC filings and its disclosures and
00:25:14
there were claims against an individual,
00:25:16
a senior, you know, security officer on
00:25:18
a motion to dismiss. Um, interestingly,
00:25:22
the claims about the SEC filings were
00:25:24
dismissed. The claims about the
00:25:26
statement on the website were not
00:25:27
dismissed and the claims against the
00:25:30
individual, at least in part, were not
00:25:31
dismissed because there were claims that
00:25:33
he was involved in that security
00:25:34
statement that was alleged to be
00:25:36
misleading. The commission also had a
00:25:38
number of controls charges, accounting
00:25:41
control violations, disclosure control
00:25:43
violations, very significantly, I think,
00:25:46
to the world public companies, those
00:25:48
were all thrown out. Um, so a bit of a
00:25:50
mixed result for the commission.
00:25:52
Obviously, you can't comment on public
00:25:54
uh on pending litigation. But if we pick
00:25:57
one thing from that that got people's
00:25:59
attention, I think it was the charge
00:26:00
against the non-awyer individual at a
00:26:03
company for what was essentially
00:26:04
disclosure violations that got people's
00:26:07
attention. And I can say I spent a lot
00:26:08
of time on the phone with CISOs who are
00:26:10
very worried about what this meant for
00:26:12
for for how how they do their jobs where
00:26:14
the essence of what they do is find
00:26:16
weaknesses. Um so with that long long
00:26:19
wind up and understanding you can't talk
00:26:20
about the litigation specifically, is
00:26:22
there anything you can say on these
00:26:24
topics?
00:26:26
Okay, we got one minute 42 seconds. Um,
00:26:29
so you are correct. I cannot comment on
00:26:32
ongoing litigation and nor will I here.
00:26:35
But I will say, you know, on the the
00:26:37
topic that you raise on individuals, you
00:26:40
know, I can say something general. Look,
00:26:42
when we look at individuals, um, look at
00:26:45
individual liability, we're focused on
00:26:48
the conduct of that individual. We're
00:26:51
focused on what that individual did. And
00:26:53
so if you've got an individual,
00:26:55
generally speaking, again, I'm not
00:26:56
commenting on the case itself, but just
00:26:58
thinking about generally our approach
00:27:00
across the board, whether it's cyber
00:27:01
security or anything else, frankly, when
00:27:03
you're thinking about fraud and you're
00:27:05
thinking about individuals, we're
00:27:06
looking at the actions that individual
00:27:08
took. We're looking at the involvement
00:27:10
of that individual. And if you've got an
00:27:11
individual that that is, you know, say
00:27:14
integrally involved in the fraud, then
00:27:16
you can expect us to make a
00:27:17
recommendation on that. Um, so I just as
00:27:21
a general matter, you know, I would say
00:27:23
that um, are there other things you
00:27:25
wanted to talk about? No, that's that's
00:27:28
great. We have we have half a minute. So
00:27:30
two two last things. I'll combine them.
00:27:33
Use the time how you want. One is we
00:27:35
haven't talked about regulated entities.
00:27:36
There's rules relating to cyber security
00:27:39
for broker dealers, investment advisors,
00:27:41
stock exchanges. That's within the units
00:27:43
mandate. And then my last question um
00:27:46
was whether there's anything we haven't
00:27:47
touched on that you want to share. Okay.
00:27:50
So really really super quick on you know
00:27:52
regulated entities you know
00:27:55
regid regi um you know that's that's a
00:27:58
mandate for us you know we're going to
00:28:00
continue to look at that big picture
00:28:02
point there is that we rely on our
00:28:04
division of exams for the most part like
00:28:06
they're the boots on the ground. they
00:28:08
have the expertise to kind of initially,
00:28:11
you know, tell us and identify what's
00:28:13
something that, you know, warrants
00:28:15
enforcement's involvement. There are a
00:28:16
few caveats to that like if there's a
00:28:19
sign of, you know, say a cyber security
00:28:21
incident and there's insider trading,
00:28:23
then we have a strong enforcement
00:28:25
interest there. We may get more involved
00:28:26
more early, but generally speaking,
00:28:28
we're working very closely with our
00:28:30
exams uh partners there. So, I'll say
00:28:32
that. And then and you definitely have
00:28:35
the liberty to take another half a
00:28:37
minute or minute. What do you what do
00:28:39
you want to end with? I want to end with
00:28:41
um you know something you know we were
00:28:43
talking about you were you were chief of
00:28:45
the cyber unit. Um you know what now I'm
00:28:48
the chief of this of this new formation
00:28:50
of the of the unit the cyber emerging
00:28:52
technologies unit. And kind of something
00:28:54
that, you know, has struck me about that
00:28:56
or has been new to me about it, new or
00:28:59
unne, you know, we're we're clearly
00:29:01
we're in a time of transition. Of
00:29:03
course, this is a this is a new it's
00:29:05
it's an exciting time to be at the
00:29:07
commission in my view. Um, and it is a
00:29:09
time of change, but at the same time,
00:29:12
you know, something that stands out for
00:29:13
me personally is, you know, I'm kind of
00:29:16
coming home. like I was a staff attorney
00:29:19
um in that unit and now you know to come
00:29:21
back to it and to be in a position where
00:29:24
you know I'm the chief of the unit is
00:29:26
really a unique and and wonderful
00:29:28
experience. We have a great group of
00:29:30
folks a really strong type team
00:29:32
mentality and it's been you know it's
00:29:36
been great. That's great. That's great.
00:29:37
Well, it's a great recognition for you
00:29:39
and I know that working on a new
00:29:41
chair's, you know, priorities and and
00:29:44
what's important to them and getting to
00:29:46
help that from the ground level is is a
00:29:48
very rewarding professional experience.
00:29:49
So, thank you for doing it and thank you
00:29:51
for being comfortable coming here and
00:29:53
talking to us publicly. Thank you for
00:29:54
having me.
00:29:57
Just just fantastic, guys. And Laura, we
00:30:01
can't all we're all congratulating you
00:30:02
on a very well-deserved promotion and
00:30:05
could not be more excited to do on the
00:30:07
job. Thank the