SEC Spotlight: Cyber Regulation and Enforcement

00:30:08
https://www.youtube.com/watch?v=6-VZBAyCRLI

Summary

TLDRAt a lunch hosted by FGS Global, Rob Cohen interviews Laura Deair, the new chief of the SEC's cyber and emerging technologies unit. Deair discusses her background and the reformation of the unit, which now focuses on fraud stemming from emerging technologies such as AI and crypto. She outlines the unit's key priorities, which involve tackling fraud, ensuring compliance with cyber security regulations, and addressing other cyber misdeeds. The conversation also touches on the recent SEC rules for public companies concerning cyber security disclosures, emphasizing the importance of materiality and timely responses. Throughout the discussion, there is a clear commitment to protecting investors while adapting to the rapid pace of technological advancements.

Takeaways

  • πŸ₯— Welcoming the audience and thanking FGS Global for lunch.
  • πŸ” Introduction of Rob Cohen and Laura Deair.
  • πŸ›‘οΈ Laura Deair discusses her background in the SEC.
  • πŸ“ˆ The unit has evolved to focus on fraud in emerging technologies.
  • βš–οΈ New SEC rules now require timely disclosure of cyber incidents.
  • πŸ’» AI washing involves misleading claims about AI usage.
  • πŸ”¬ Key priorities include compliance with cyber security regulations.
  • πŸ—‚οΈ The unit comprises about 30 staff members across different offices.
  • 🀝 Importance of research and partnerships with other divisions for investigations.
  • 🌟 Recognition of Laura Deair's promotion and her leadership in the unit.

Timeline

  • 00:00:00 - 00:05:00

    The lunch event begins with a welcome message, thanking FGS Global for the meal, and indicating that the format will include an interview rather than a traditional keynote speech. Rob Cohen, former chief of the SEC's cyber unit, introduces himself and Laura Deair, the new chief of the SEC's cyber and emerging technologies unit, praising both for their expertise and contributions.

  • 00:05:00 - 00:10:00

    Laura briefly introduces her professional background, highlighting her tenure at law firms, her clerkship at the Fifth Circuit, and then roles at the SEC including her time as a staff attorney and an enforcement council for a commissioner. She expresses excitement about leading the newly formed cyber and emerging technologies unit, which contains around 30 staff members specializing in fraud and cybersecurity compliance.

  • 00:10:00 - 00:15:00

    Laura discusses the unit's historical context, noting its evolution from the original cyber unit formed in 2017 to its recent rebranding. She highlights that the unit is spread across multiple offices and maintains a focus on fraud, cybersecurity compliance, and cyber-related misconduct as its main priorities.

  • 00:15:00 - 00:20:00

    The conversation shifts to the specifics of emerging technologies, with Laura defining it as constantly evolving, including both genuine innovation and situations where traditional scams are repackaged as new tech. She emphasizes the importance of adapting to changes in technology and the need for regulatory frameworks to keep up with innovation while protecting investors.

  • 00:20:00 - 00:25:00

    When the topic of cryptocurrency arises, Laura explains that while fraud related to blockchain and crypto remains a priority for their unit, they are also keen on utilizing enforcement resources wisely and are seeking a balanced approach to regulation, focusing particularly on protecting retail investors from fraud.

  • 00:25:00 - 00:30:08

    The discussion transitions to cybersecurity, with Laura summarizing recent SEC rules on cybersecurity disclosures and explaining the SEC's role in ensuring investors receive material information. The conversation highlights the importance of timely disclosures and the SEC's consideration of materiality when addressing cybersecurity incidents affecting public companies.

Show more

Mind Map

Video Q&A

  • Who are the main speakers in the video?

    Rob Cohen and Laura Deair.

  • What is Laura Deair's position?

    She is the chief of the cyber and emerging technologies unit at the SEC.

  • What are the key priorities of the cyber and emerging technologies unit?

    They focus on fraud in emerging technologies, cyber security compliance, and other cyber-related misconduct.

  • What is AI washing?

    Claiming misuse of AI or misrepresenting its use in a way that harms investors.

  • What is the new SEC rule regarding cyber security disclosures?

    Companies must disclose material cyber security incidents within four business days of determining their materiality.

  • What is the role of the SEC in cyber security?

    The SEC focuses on ensuring that investors are provided with material information for informed decision-making.

  • How many staff members are in the cyber and emerging technologies unit?

    Around 30 staff members.

  • What past positions did Laura Deair hold before becoming chief?

    She worked as an attorney in the SEC and was previously part of the cyber unit under Rob Cohen.

  • What does the SEC mean by 'materiality' in these cases?

    Whether a reasonable investor would find the information important to their decisions.

  • What approach does the SEC take towards informing public companies about their disclosures?

    They encourage timely and accurate disclosures without unduly delaying the determination of materiality.

View more video summaries

Get instant access to free YouTube video summaries powered by AI!
Subtitles
en
Auto Scroll:
  • 00:00:01
    All right. Well, um, welcome everyone to
  • 00:00:03
    lunch and, uh, we want to thank FGS
  • 00:00:06
    Global for the lunch because, um, this
  • 00:00:09
    is a little better than your usual
  • 00:00:10
    rubber chicken. So, I hope everyone's
  • 00:00:11
    enjoying it and enjoying the Four
  • 00:00:14
    Seasons. So, um, what we like to do at
  • 00:00:16
    these lunches is not have a keynote
  • 00:00:18
    speaker who just speaks to you, but have
  • 00:00:20
    a government official interviewed by
  • 00:00:22
    somebody so that we can hear a little
  • 00:00:24
    bit more about what they're up to. And
  • 00:00:26
    in this situation, this is my favorite
  • 00:00:28
    kind of situation where you have the
  • 00:00:30
    former chief of the unit talking to the
  • 00:00:31
    current chief of the unit. And that's
  • 00:00:33
    what we've got going on right here. So,
  • 00:00:35
    let me introduce these two people
  • 00:00:36
    quickly. Um, what you probably already
  • 00:00:39
    know about Rob Cohen, he's the former
  • 00:00:41
    chief of the SEC's cyber unit. Um, from
  • 00:00:44
    crypto to cyber, Rob has done it all.
  • 00:00:47
    Uh, but what you may not know is that he
  • 00:00:50
    was also the former co-chief of the
  • 00:00:51
    SEC's market abuse unit. And sort of
  • 00:00:54
    like Christy Litman, as I mentioned
  • 00:00:55
    before, he also ran the insider trading,
  • 00:00:58
    market structure, manipulation, broker
  • 00:01:00
    dealers, uh, alternative trading
  • 00:01:01
    systems, exchanges. So, he's a really a
  • 00:01:03
    a two-way expert, which is so much so
  • 00:01:07
    much different than again most everyone
  • 00:01:09
    here is always a little different from
  • 00:01:10
    one another as opposed to the SEC
  • 00:01:12
    enforcement conferences where everyone's
  • 00:01:14
    kind of the same. You know, worked at
  • 00:01:15
    enforcement in the SEC and then went on
  • 00:01:18
    to private practice. These are very
  • 00:01:19
    unique individuals. So, uh, when I think
  • 00:01:22
    of Rob Cohen, I I can't help but think
  • 00:01:23
    of it's the Saul Goodman of incident
  • 00:01:26
    response. Definitely the go-to player in
  • 00:01:28
    lots of different ways, a jack of all
  • 00:01:30
    trades. And then who we a very special
  • 00:01:33
    guest, the most special guest we have of
  • 00:01:35
    all today is Laura Deair
  • 00:01:39
    Deair. Um she is chief of the cyber and
  • 00:01:42
    emerging technologies unit which was
  • 00:01:44
    formerly the crypto unit and cyber unit
  • 00:01:47
    at the SEC. From the Edgar happening
  • 00:01:49
    Edgar electronic data gathering and
  • 00:01:51
    retrieval service at the SEC to the
  • 00:01:53
    Binance fraud, she has seen it all and
  • 00:01:56
    we really have to be grateful for her
  • 00:01:58
    coming here today. It's very hard to get
  • 00:02:00
    government speakers right now. You can
  • 00:02:02
    appreciate why. Um the what you may not
  • 00:02:05
    know the dramatic changes going on at
  • 00:02:07
    the SEC. Um, I talked about it in in an
  • 00:02:11
    op-ed piece in the New York Times on
  • 00:02:12
    Friday or Saturday. Um, they've stopped
  • 00:02:15
    the entire crypto program and Laura is
  • 00:02:17
    charged with leading a new SEC where
  • 00:02:20
    more than 20% have taken retirement. And
  • 00:02:23
    it just unbelievable how terrific she is
  • 00:02:26
    at this job. And she's tough. She's the
  • 00:02:28
    Ellen Ripley of Incident Response. And
  • 00:02:31
    you know what? If she had a theme song,
  • 00:02:32
    it would be Survivor by Destiny's Child.
  • 00:02:35
    So, um, uh, let me turn it over to Rob
  • 00:02:39
    and let's hear what she has to say. So,
  • 00:02:41
    thank you. Let's give a round of
  • 00:02:42
    applause to Laura for being here. We
  • 00:02:44
    can't thank her enough.
  • 00:02:47
    Thanks. So, I thought I would start by
  • 00:02:49
    asking Laura to introduce herself and
  • 00:02:52
    just sort of explain her professional
  • 00:02:54
    background that brings her here to this
  • 00:02:55
    new job. Well, thank you. Thank you,
  • 00:02:57
    Rob. Um, and it's it's great to be here
  • 00:02:59
    with you all and and to speak with you
  • 00:03:01
    all. So to give you a little context and
  • 00:03:04
    my background and where I come from, um
  • 00:03:06
    so around the first eight years of my
  • 00:03:09
    professional career as an attorney, um I
  • 00:03:11
    spent working at two different law firms
  • 00:03:13
    in private practice. I spent a year
  • 00:03:15
    clerking on the fifth circuit down in
  • 00:03:17
    New Orleans. Um and then in late 2016, I
  • 00:03:20
    joined the commission in our general
  • 00:03:22
    core um enforcement group. Um that was
  • 00:03:25
    at the beginning of the last Trump
  • 00:03:27
    administration. Um, in 2017 I joined the
  • 00:03:31
    cyber unit led by Rob Cohen here. Um, so
  • 00:03:35
    again, really great to be here with Rob.
  • 00:03:37
    Um, worked in the unit as a staff
  • 00:03:40
    attorney um, for a number of years.
  • 00:03:42
    Spent a year um, with our trial unit
  • 00:03:45
    litigating a case called kick. Um and
  • 00:03:48
    then I spent about seven months um in um
  • 00:03:52
    our director of enforcement's office
  • 00:03:54
    advising him on um cyber security and
  • 00:03:57
    cryptoreated issues. And then I had an
  • 00:03:59
    opportunity around the time that the
  • 00:04:01
    unit became the crypto asset and cyber
  • 00:04:03
    unit to actually go and be an
  • 00:04:05
    enforcement council to one of the
  • 00:04:07
    commissioners, commissioner Hime Lazar.
  • 00:04:09
    And so I did that for about two and a
  • 00:04:10
    half years. Um, and now I'm back in
  • 00:04:13
    enforcement um, as chief of the of the
  • 00:04:16
    newlyannounced cyber and emerging
  • 00:04:18
    technologies unit. Great. And those of
  • 00:04:21
    us who work with Laura earlier in her
  • 00:04:23
    SEC career are not at all surprised that
  • 00:04:25
    she has this new leadership position
  • 00:04:27
    helping to
  • 00:04:33
    run. Unit actually was created in 2017.
  • 00:04:37
    as you said, was renamed in the last
  • 00:04:40
    administration uh under Chair Gensler
  • 00:04:42
    and was renamed and sort of rep
  • 00:04:45
    prioritized a bit a couple months ago.
  • 00:04:47
    It's now the cyber and emerging
  • 00:04:49
    technologies unit. Give us some
  • 00:04:51
    background about the unit. Just starting
  • 00:04:53
    with I don't know bags logistics. Who's
  • 00:04:56
    in the unit? How many people? Where are
  • 00:04:58
    they across the commission? Sure. Sure.
  • 00:05:00
    Um so so as you said we were originally
  • 00:05:03
    formed. I'm going to give you like some
  • 00:05:04
    background and context and then maybe
  • 00:05:05
    you know later maybe we'll get into
  • 00:05:07
    priorities for the new unit. But in
  • 00:05:08
    terms of the background and context, you
  • 00:05:10
    know, as you said, we we were formed
  • 00:05:11
    back in 2017 as the cyber unit. In 2022,
  • 00:05:14
    we were renamed as the crypto asset and
  • 00:05:16
    cyber unit. Um and then very recently,
  • 00:05:20
    just we're only two months old. Back in
  • 00:05:22
    February of 2025, um the commission
  • 00:05:25
    announced the cyber and emerging
  • 00:05:26
    technologies unit. Um that unit has
  • 00:05:29
    around 30 staff members. So, we've got
  • 00:05:32
    30 um members consisting of fraud
  • 00:05:36
    specialists. We have a whole group of
  • 00:05:38
    fraud specialists um in our unit, staff
  • 00:05:41
    attorneys um as well as supervisors and
  • 00:05:43
    and the unit chief spread out uh amongst
  • 00:05:46
    a number of offices. So, DC, our home
  • 00:05:48
    office, our headquarters in Washington
  • 00:05:50
    DC and then five other um uh regional
  • 00:05:53
    offices and we also have a couple
  • 00:05:55
    advisors um to the unit and they are in
  • 00:05:58
    uh New York. So, we're kind of we're
  • 00:06:00
    spread out. Great. Great. And I'll note,
  • 00:06:04
    um, you know, the the unit had gotten
  • 00:06:05
    bigger when it was focused on crypto.
  • 00:06:07
    You said it's about 30 people now. If
  • 00:06:10
    I'm remembering correctly, that's
  • 00:06:11
    actually a little bit bigger than it was
  • 00:06:12
    when it was first created. I think when
  • 00:06:14
    it was first created, it was mid to
  • 00:06:16
    upper 20s. So, although it is smaller
  • 00:06:18
    than it was in the last administration,
  • 00:06:20
    I think it is similar size, if not
  • 00:06:23
    bigger, um, than it was when it was
  • 00:06:25
    first created. Yeah. Yeah. I haven't
  • 00:06:26
    done a headcount specifically, but it
  • 00:06:28
    that that is that is correct. I mean,
  • 00:06:30
    roughly we're around the same size,
  • 00:06:32
    maybe a few people bigger than than when
  • 00:06:34
    we were the cyber unit. Y um so as as
  • 00:06:37
    you said, let's talk about priorities.
  • 00:06:39
    Um there was a press release. It had a
  • 00:06:41
    bullet list of what the priorities of
  • 00:06:43
    the unit were. Um what what are you
  • 00:06:46
    focused on? What are people in the group
  • 00:06:47
    focused on? So I kind of put them into
  • 00:06:50
    there there was a press release. I put
  • 00:06:51
    them into kind of three buckets of of
  • 00:06:54
    priorities that we are thinking about in
  • 00:06:56
    the unit. Um so the first bucket is it's
  • 00:06:58
    it's a little new for us and that is you
  • 00:07:01
    know a focus on fraud across the
  • 00:07:03
    emerging technologies space. So there
  • 00:07:06
    we're really looking at you know leading
  • 00:07:08
    up bad actors who are misusing
  • 00:07:11
    innovative technology or excitement
  • 00:07:13
    around innovative technology to harm
  • 00:07:15
    investors. Um and so that include fraud
  • 00:07:18
    related to AI or machine learning um as
  • 00:07:22
    well as um blockchain and and and
  • 00:07:25
    crypto. Um and then we have a second set
  • 00:07:28
    of priorities related to you know
  • 00:07:30
    probably most pertinent to this group
  • 00:07:32
    here cyber security compliance. So we're
  • 00:07:34
    looking at regist compliance with um
  • 00:07:37
    cyber security rules and regs like
  • 00:07:40
    regid regggi as well as public issuer
  • 00:07:44
    disclosure fraud. Um and then a third
  • 00:07:46
    set of priorities I would bucket in
  • 00:07:49
    other cyber related misconduct. Um so
  • 00:07:52
    that would include you know using social
  • 00:07:55
    media or fake websites or the dark web
  • 00:07:58
    to to engage in fraud. Um hacking to
  • 00:08:01
    obtain material non-public information
  • 00:08:03
    and trading on that um MNPI as well as
  • 00:08:07
    um account brokerage takeovers. Um so
  • 00:08:10
    those are kind of the three buckets of
  • 00:08:12
    priorities that that we're focused on.
  • 00:08:14
    And as you can see like there's some
  • 00:08:15
    priorities that carry on from the cyber
  • 00:08:17
    unit. There's some that are you know
  • 00:08:19
    have carried on throughout our history
  • 00:08:21
    and some new ones like with emerging
  • 00:08:22
    technology and um you've given him some
  • 00:08:26
    examples. Can you say anything else
  • 00:08:27
    about what an emerging technology you
  • 00:08:30
    know is in this context? And so for one
  • 00:08:33
    one example you know AI um it has been
  • 00:08:36
    the focus including at the commission
  • 00:08:38
    for at least a year or two. It's not
  • 00:08:39
    brand new. um AI may mean different
  • 00:08:42
    things to different people. There's
  • 00:08:44
    people who are actually using AI.
  • 00:08:46
    There's people who may be pretending to
  • 00:08:47
    use AI. So, how do you think about, you
  • 00:08:50
    know, what is an emerging technology in
  • 00:08:52
    this specific context? Um, so talking
  • 00:08:55
    about emerging technology generally, I'm
  • 00:08:57
    glad you asked because, you know, we
  • 00:08:59
    specifically use that term for a couple
  • 00:09:01
    purposes. We wanted to signify that we
  • 00:09:03
    have both a broad remit in this unit,
  • 00:09:05
    but also an evolving remmit in this
  • 00:09:07
    unit. that this unit has evolved from
  • 00:09:09
    its beginning and it's going to continue
  • 00:09:10
    to evolve. And so, you know, emerging
  • 00:09:13
    technology, what we think about in terms
  • 00:09:15
    of emerging technology today is probably
  • 00:09:17
    going to be different from how we see
  • 00:09:18
    emerging technology, you know, five or
  • 00:09:20
    10 years from now. You know, so that
  • 00:09:22
    term helps us, you know, remind us that
  • 00:09:25
    we need to be nimble. We need to keep a
  • 00:09:26
    pace with innovation across the board.
  • 00:09:29
    Um and you know again we're really
  • 00:09:32
    focused um you know broadly speaking on
  • 00:09:35
    when we think about emerging technology
  • 00:09:37
    our full mission at the commission. So
  • 00:09:40
    we want to protect investors of course
  • 00:09:43
    but we're doing that by also you know we
  • 00:09:46
    facilitate capital formation and market
  • 00:09:48
    efficiency when we weed out those bad
  • 00:09:50
    actors who are you know stifling
  • 00:09:52
    innovation dragging it down dragging
  • 00:09:54
    down investor confidence. Um so you know
  • 00:09:57
    generally when we think about emerging
  • 00:09:59
    technology and the kind of cases and
  • 00:10:01
    investigations that we're doing we're
  • 00:10:02
    looking at two kinds of buckets. One
  • 00:10:05
    bucket would be um you know folks who
  • 00:10:07
    are actually using the technology
  • 00:10:09
    misusing the technology to engage in
  • 00:10:11
    fraud to harm investors to harm investor
  • 00:10:14
    confidence in these new technologies. So
  • 00:10:16
    that can include for example you know
  • 00:10:18
    using an AI model to engage in market
  • 00:10:20
    manipulation and another bucket would be
  • 00:10:23
    what I you know personally think of as
  • 00:10:26
    emerging technology rapper cases. So
  • 00:10:29
    like instances where someone is you know
  • 00:10:32
    using terminology using excitement
  • 00:10:35
    around a new innovation to actually just
  • 00:10:37
    engage in good oldfashioned fog you know
  • 00:10:39
    so like old wine in a new bottle kind of
  • 00:10:42
    idea. Um that's generally how how we're
  • 00:10:45
    thinking about it. So on that latter
  • 00:10:46
    point, I remember earlier in my career
  • 00:10:48
    at the commission, solar was a big topic
  • 00:10:50
    like that. People were using excitement
  • 00:10:52
    about solar energy to attract retail
  • 00:10:55
    investors into a fraud. And it really
  • 00:10:57
    wasn't about solar. It was just using
  • 00:10:59
    solar to attract them. So whatever the
  • 00:11:02
    the latest greatest thing is that are
  • 00:11:04
    getting retail investors excited, people
  • 00:11:06
    are tempted to use that to try and
  • 00:11:08
    separate them from their money. Um okay.
  • 00:11:11
    So, um, we'll come back to cyber
  • 00:11:13
    security in a second. Um, but we can't
  • 00:11:16
    help but touch on crypto.
  • 00:11:19
    Um, again, from my perspective, crypto
  • 00:11:23
    really dominated the unit and much of
  • 00:11:25
    the enforcement division in the last
  • 00:11:27
    administration. Um, and so clearly
  • 00:11:30
    between the crypto task force and public
  • 00:11:32
    statements have been made, there's been
  • 00:11:33
    an effort to resteer on that. That said,
  • 00:11:36
    as as you as you noted, crypto is part
  • 00:11:39
    of the mandate of the unit. So, you
  • 00:11:41
    know, what is your focus when it comes
  • 00:11:43
    to crypto? Yeah, so thank you for the
  • 00:11:45
    question. Um, you know, and as noted in
  • 00:11:47
    the press release, one of our priorities
  • 00:11:49
    is fraud related to blockchain
  • 00:11:52
    technology and crypto. Um, you know, we
  • 00:11:54
    are looking to use our enforcement
  • 00:11:56
    resources judiciously and where it makes
  • 00:11:58
    sense. Um, and here, you know, we are
  • 00:12:01
    focused on fraud on retail investors. It
  • 00:12:04
    is worth noting um the formation of the
  • 00:12:07
    task force that was announced um a few
  • 00:12:09
    months ago as well. Um it's led by
  • 00:12:11
    commissioner pur um and when we were
  • 00:12:14
    announced our formation was announced um
  • 00:12:16
    you know it was also stated that our
  • 00:12:17
    work is going to complement um the work
  • 00:12:20
    uh of the task force. So that's that's
  • 00:12:22
    what I can say there we are focused on
  • 00:12:24
    on retail fraud at this time and um I
  • 00:12:28
    know there's only so much you can say on
  • 00:12:29
    that. So I'll just sort of comment from
  • 00:12:31
    the industry perspective that you know a
  • 00:12:33
    key narrative from the last
  • 00:12:35
    administration was that the commission's
  • 00:12:37
    energy on crypto seem to be focused on
  • 00:12:39
    enforcement first and there were you
  • 00:12:42
    know statements saying they wanted
  • 00:12:43
    people to come in and talk but because
  • 00:12:45
    of the enforcement approach I can say
  • 00:12:47
    that you know many in the industry did
  • 00:12:49
    not feel that that was a realistic
  • 00:12:51
    offer. Um it's very apparent from public
  • 00:12:53
    messaging that there's an effort to you
  • 00:12:56
    know re restart on that to have you know
  • 00:12:59
    the crypto task force and the roundts
  • 00:13:02
    have a more open you know open attitude
  • 00:13:05
    to having people come in and talk but at
  • 00:13:07
    the same time there is still an
  • 00:13:08
    enforcement team um that has a mandate
  • 00:13:11
    and is supposed to complement that
  • 00:13:12
    effort. So, uh, again, that's not a
  • 00:13:14
    question. There's not much more you can
  • 00:13:15
    say about that. But I'd say from the
  • 00:13:16
    industry's perspective, that's something
  • 00:13:19
    people are going to be looking at and
  • 00:13:20
    very people are very excited about the
  • 00:13:22
    renewed, uh, the new the new message and
  • 00:13:25
    and the mandate of the task force. Um,
  • 00:13:27
    but they're they're going to be watching
  • 00:13:29
    that. That that's of great interest. Um,
  • 00:13:31
    okay. Thank you for sharing. Actually,
  • 00:13:33
    can I say something that I forgot to
  • 00:13:35
    say? You're this is your show. So I
  • 00:13:39
    didn't give my standard disclaimer which
  • 00:13:40
    I'm supposed to be you know give at the
  • 00:13:42
    you had to ask I should have caught
  • 00:13:44
    what's the thing that you that you
  • 00:13:46
    struggle with as chief it's remembering
  • 00:13:48
    that disclaimer. Um so before we go any
  • 00:13:52
    further you know obviously my comments
  • 00:13:54
    today are in my official capacity as the
  • 00:13:57
    division of enforcements chief of the
  • 00:13:59
    cyber and emerging technologies unit. Um
  • 00:14:01
    they do not necessarily reflect the
  • 00:14:03
    views of the commission the
  • 00:14:05
    commissioners or the commission staff.
  • 00:14:07
    Sorry. And I think you were gonna ask me
  • 00:14:09
    about AI and I'm happy to talk about
  • 00:14:11
    this. Yeah. So I I uh I apologize for
  • 00:14:14
    not catching that up front. I should
  • 00:14:16
    have. That's my my job is I should have.
  • 00:14:18
    No, can't say moderator. There's only
  • 00:14:19
    one other person up here, but pseudo
  • 00:14:21
    moderator. So I'm glad I'm glad you
  • 00:14:23
    caught that. Yes. Let's talk some more
  • 00:14:25
    about AI. There's been AI washing cases.
  • 00:14:28
    There's been AI public company
  • 00:14:31
    disclosure discussion. There's been
  • 00:14:33
    investment advisor using AI to give
  • 00:14:35
    investment advice discussion. what
  • 00:14:37
    what's interesting in AI to you in your
  • 00:14:40
    job? Um, well, I would say we're we're
  • 00:14:43
    we start with the anti-fraud provisions.
  • 00:14:45
    So, we're focused on the anti-fraud
  • 00:14:46
    provisions, but we're looking at that
  • 00:14:48
    across the board when it comes to AI.
  • 00:14:50
    So, you know, you mentioned AI washing
  • 00:14:52
    before. You've mentioned, you know, we
  • 00:14:55
    can think about um and I'm sorry, I
  • 00:14:57
    don't mean to interrupt, but like AI
  • 00:14:58
    washing, it occurs to me maybe not
  • 00:15:00
    everybody knows exactly what that means,
  • 00:15:01
    right? So, you know, claiming one way to
  • 00:15:04
    define it would be, you know, you're a
  • 00:15:08
    public company and you say that you use
  • 00:15:10
    AI in a certain way or you're an
  • 00:15:11
    investment adviser and you say you use
  • 00:15:14
    AI in a certain way and it turns out
  • 00:15:15
    that that you don't like maybe you don't
  • 00:15:17
    use AI at all or you use it in a way
  • 00:15:21
    that you haven't disclosed or say you
  • 00:15:23
    use it in a way that harms investors.
  • 00:15:25
    Then we're getting more into, you know,
  • 00:15:26
    fraud directly on investors and harm
  • 00:15:28
    directly to investors. Um, so I would
  • 00:15:31
    say, you know, we're we're focused
  • 00:15:32
    across the board there. And, you know,
  • 00:15:34
    we want to put our resources where it
  • 00:15:37
    makes sense. We're always thinking about
  • 00:15:38
    that. You know, wherever we see, you
  • 00:15:41
    know, harm to investors, where we see
  • 00:15:44
    um, you know, there's a diminishment in
  • 00:15:46
    investor confidence, right, as a result
  • 00:15:49
    of that, like it may make sense. And if
  • 00:15:51
    it aligns with the commission
  • 00:15:52
    priorities, then it makes sense for us
  • 00:15:54
    to to be there. So, we really are
  • 00:15:55
    looking, you know, across across the
  • 00:15:57
    board on that. We do have in our fraud
  • 00:16:00
    specialist group, we have a fraud
  • 00:16:03
    specialist who is focused on AI. He
  • 00:16:05
    comes to us from the exams division. Um
  • 00:16:08
    and so he has he has a background
  • 00:16:10
    looking at um AI at various regs and has
  • 00:16:14
    a familiarity with the technology and so
  • 00:16:16
    he is really great. He helps us to um
  • 00:16:20
    you know triage cases. He helps us look
  • 00:16:23
    at trends and help us focus our
  • 00:16:25
    resources on where it makes sense. Um
  • 00:16:28
    and we also provide consults throughout
  • 00:16:30
    the division now on on AI related cases.
  • 00:16:33
    So we're you know kind of focused across
  • 00:16:35
    the board on that.
  • 00:16:37
    Um so turning to cyber security uh key
  • 00:16:41
    topic of the day. Um there uh there are
  • 00:16:45
    some still I'd say still relatively new
  • 00:16:48
    rules on public company disclosures of
  • 00:16:50
    cyber security. Before the new rules,
  • 00:16:53
    there were no specific SEC rules on
  • 00:16:55
    cyber security disclosure. It all fell
  • 00:16:57
    within more general rules about
  • 00:17:00
    disclosing material trends or material
  • 00:17:03
    events or things like that. So now for
  • 00:17:04
    the first time there are some cyber
  • 00:17:06
    security specific disclosures if I can
  • 00:17:09
    ask you to to briefly summarize them.
  • 00:17:12
    But I would say the broader context or
  • 00:17:14
    or the broader question I would ask is
  • 00:17:16
    you know how do you think about the
  • 00:17:17
    SEC's role when it comes to cyber
  • 00:17:19
    security? because it is uh it is not a
  • 00:17:22
    cyber security agency. There are some of
  • 00:17:24
    those. It is not a law enforcement
  • 00:17:26
    agency. It's not a um intelligence
  • 00:17:30
    agency. Um it's mostly lawyers and
  • 00:17:33
    accountants and some specialists. Um but
  • 00:17:36
    that said, clearly cyber security is a
  • 00:17:38
    focus for the commission. It has been
  • 00:17:40
    going back at least a couple of
  • 00:17:42
    administrations. Jay Clayton was very
  • 00:17:44
    focused on cyber security when he was
  • 00:17:45
    the new chair. So broad question is how
  • 00:17:48
    do you think about the SEC's role in
  • 00:17:49
    cyber security and not surprisingly as
  • 00:17:52
    part of that what are these new rules?
  • 00:17:54
    Um okay so I'm going to take it I'm
  • 00:17:56
    going to flip it. I'm going to talk
  • 00:17:57
    about the new rules and then talk about
  • 00:17:58
    you know what we're thinking. Um so the
  • 00:18:00
    new rule went into effect on public
  • 00:18:03
    issuer disclosure related to cyber
  • 00:18:05
    security back in December of 2023. Um I
  • 00:18:08
    think of it have as having like two sets
  • 00:18:10
    of requirements. So the first relates to
  • 00:18:12
    form 8K. There's a new requirement item
  • 00:18:15
    1.0. 05 on disclosing material cyber
  • 00:18:18
    security incidents and disclosing you
  • 00:18:21
    know the the nature the scope the timing
  • 00:18:24
    certain aspects of of that incident the
  • 00:18:27
    requirement around that is to disclose
  • 00:18:28
    it four business days after the company
  • 00:18:32
    makes the determination that it is
  • 00:18:34
    material that's important to note um
  • 00:18:36
    yeah I would actually just to not to
  • 00:18:37
    interrupt but I like just sort of repeat
  • 00:18:39
    that because when we counsel clients
  • 00:18:41
    that's a hugely important and helpful
  • 00:18:45
    distinction It's not 4 days from the
  • 00:18:47
    event. It's 4 days from deciding the
  • 00:18:49
    event was material. Yes, it's 4 days
  • 00:18:51
    from deciding that the event was was
  • 00:18:54
    material and four business days. Um so
  • 00:18:56
    it is important to keep that in mind and
  • 00:18:58
    there are um exemptions for that too.
  • 00:19:00
    There's a national security exemption
  • 00:19:01
    for that. If the attorney general
  • 00:19:03
    provides a notice in writing that you
  • 00:19:05
    know disclosure um would you know harm
  • 00:19:08
    national security interests for example
  • 00:19:10
    like there's an exemption for that. If
  • 00:19:12
    you're a foreign private issuer, you
  • 00:19:15
    would only be required to disclose if
  • 00:19:16
    you're required to disclose um in your
  • 00:19:19
    jurisdiction or you have already
  • 00:19:20
    disclosed it for example. Um so there's
  • 00:19:23
    you know that requirement on AK and then
  • 00:19:25
    there's a set of requirements related to
  • 00:19:27
    form 10K one relates to um you know what
  • 00:19:33
    does the company's approach what is the
  • 00:19:35
    company's approach to the identification
  • 00:19:37
    assessment and management of those
  • 00:19:38
    material cyber incidents. another set on
  • 00:19:41
    you know what is the board of directors
  • 00:19:43
    role when it comes to material cyber
  • 00:19:45
    security incidents you know what what's
  • 00:19:47
    the expertise what's what's the role
  • 00:19:49
    there disclosure around that um in terms
  • 00:19:53
    of our approach and what we're thinking
  • 00:19:56
    about and what we look at you know and
  • 00:19:58
    you ask about you know what is our role
  • 00:20:00
    on cyber security when you step back the
  • 00:20:02
    SEC we're we're a disclosure regime
  • 00:20:05
    we're about disclosure so what we care
  • 00:20:07
    about is you know our investors being
  • 00:20:10
    provided material information so that
  • 00:20:12
    they can make informed decisions,
  • 00:20:14
    informed investment decisions. And so
  • 00:20:16
    that's what we're focused on. And so,
  • 00:20:19
    you know, key to us, right, for you for
  • 00:20:22
    for public companies is the materiality
  • 00:20:25
    issue, right? Determining that
  • 00:20:26
    something's material and then
  • 00:20:28
    determining what needs to be disclosed
  • 00:20:31
    around that. Um, and when you think
  • 00:20:33
    about materiality, what are we thinking
  • 00:20:35
    about at the SEC? were thinking about
  • 00:20:37
    that Supreme Court standard on
  • 00:20:39
    materiality. Would a reasonable
  • 00:20:41
    investor, you know, would there be a
  • 00:20:42
    substantial likelihood that the
  • 00:20:43
    reasonable investor would find that
  • 00:20:45
    information important to his or her
  • 00:20:48
    decision? Would it alter um the mix of
  • 00:20:51
    information available, right?
  • 00:20:53
    Substantially alter it. So, it all comes
  • 00:20:55
    back to that. There's there's guidance
  • 00:20:56
    in the release on the on the new rules.
  • 00:20:58
    There's factors to consider like
  • 00:21:00
    reputation, etc., but it really all
  • 00:21:02
    comes back to that materiality. And you
  • 00:21:05
    know, one other thing I would note about
  • 00:21:06
    that that we're thinking about, right,
  • 00:21:08
    is, you know, there's the four business
  • 00:21:09
    days. There's the determination, right?
  • 00:21:12
    Like you have to take time to make that
  • 00:21:14
    determination and there's a balance
  • 00:21:16
    there, right? Like there can't be an
  • 00:21:18
    undue delay, but you've got to have like
  • 00:21:20
    a certain critical mass of information,
  • 00:21:23
    right? Yeah. And that guidance, I'll
  • 00:21:25
    note um it's been very helpful in
  • 00:21:27
    talking to clients. The guidance changed
  • 00:21:29
    from the proposing release to the
  • 00:21:31
    adopting release. The written this is
  • 00:21:33
    not in the rule text. It was just
  • 00:21:34
    guidance in the commission release which
  • 00:21:36
    is pretty informative. Originally it
  • 00:21:39
    said I think as soon as reasonably
  • 00:21:41
    practical
  • 00:21:43
    meaning the disclosure time period is
  • 00:21:45
    from when the company determines
  • 00:21:47
    something's material and the proposed
  • 00:21:50
    guidance was you have to decide
  • 00:21:51
    materiality as soon as reasonably
  • 00:21:52
    practical practicable. It was then
  • 00:21:55
    changed in response to comments to
  • 00:21:57
    without unreasonable delay. So, as
  • 00:21:59
    opposed to sort of an affirmative sort
  • 00:22:01
    of like pushing decide to side to side
  • 00:22:04
    as I as I view it, it was changed to a
  • 00:22:07
    look, don't artificially delay, right?
  • 00:22:09
    Like so we're not imposing a deadline on
  • 00:22:11
    you, but don't game it. Don't sort of
  • 00:22:14
    make sure nobody's talking to each other
  • 00:22:16
    so you're in effect not deciding. You
  • 00:22:17
    can't do that.
  • 00:22:19
    I think you know what might help here is
  • 00:22:21
    for me to talk a little bit about you
  • 00:22:23
    know big picture how we are thinking
  • 00:22:25
    about these these investigations and
  • 00:22:28
    cases and um it may get into another
  • 00:22:31
    question that you're going to ask but
  • 00:22:32
    I'm just I'm just messing up the order
  • 00:22:34
    here go ahead so but you know I think
  • 00:22:38
    stepping back when you think about cyber
  • 00:22:40
    security we are in this unit in the
  • 00:22:44
    commission we're keenly aware of the
  • 00:22:46
    challenges that public issuers and
  • 00:22:48
    registrants face when they are a victim
  • 00:22:51
    of a cyber security incident. You know,
  • 00:22:53
    that can be a difficult task, right, to
  • 00:22:56
    think about what needs to be disclosed
  • 00:22:58
    during that time. We're we're aware of
  • 00:23:00
    that and every company faces cyber
  • 00:23:02
    security threats. We know that. And so
  • 00:23:05
    what I'm leading up to here is that we
  • 00:23:07
    in the division of enforcement in in
  • 00:23:09
    this unit when we are looking at cases,
  • 00:23:11
    we're looking at all the facts and
  • 00:23:13
    circumstances. We're looking at the big
  • 00:23:15
    picture. We are not looking to be a
  • 00:23:17
    Monday morning quarterback. We're not
  • 00:23:19
    looking to second guessess, you know,
  • 00:23:21
    good faith, you know, reasonable based
  • 00:23:23
    like decisions. That's kind of what
  • 00:23:25
    we're thinking about. We're thinking
  • 00:23:26
    about the big picture. And that's that's
  • 00:23:28
    how we approach it. And so when you
  • 00:23:30
    think about unreasonable delay like or
  • 00:23:32
    undue delay, you know, what's the big
  • 00:23:34
    picture there? What happened? You want
  • 00:23:36
    to understand the context, you know, big
  • 00:23:38
    picture, what happened, what's
  • 00:23:40
    reasonable, what's not reasonable.
  • 00:23:42
    That's terrific. and and
  • 00:23:44
    um exactly when when um when the unit
  • 00:23:48
    was created 27 2018 there was a specific
  • 00:23:52
    effort to publicly message the idea that
  • 00:23:54
    the unit was not intended to second
  • 00:23:56
    guessess good faith decisions and during
  • 00:23:59
    the last administration I think it's
  • 00:24:01
    fair to say public companies that went
  • 00:24:03
    through these types of investigations
  • 00:24:05
    felt that that approach had been
  • 00:24:08
    abandoned um reasonable minds might
  • 00:24:10
    disagree on that but I can say that was
  • 00:24:12
    the feeling for firms that went through
  • 00:24:14
    that that process and to hear you now
  • 00:24:16
    talk about your your perspective I think
  • 00:24:18
    is I think is very helpful and I think
  • 00:24:20
    will be um you know people will wait and
  • 00:24:23
    see what the enforcement actions are but
  • 00:24:25
    I think people are very optimistic about
  • 00:24:26
    that. Well I'm not going to comment on
  • 00:24:28
    the past but I am going to say you know
  • 00:24:30
    what I said that that is the approach
  • 00:24:32
    that that we are taking. Speaking of
  • 00:24:34
    things you can't comment on um uh why
  • 00:24:38
    bring it up because maybe you can say a
  • 00:24:40
    little bit. So, so we only have a few
  • 00:24:42
    minutes left, but we can't we can't have
  • 00:24:44
    this discussion without talking about
  • 00:24:45
    the Solar Winds case. Um, I know you
  • 00:24:48
    can't it's pending. I checked the docket
  • 00:24:50
    sheet this morning to make sure. Uh, I
  • 00:24:52
    didn't get a chance to say, "Oh, it's
  • 00:24:53
    been dismissed. You can now talk." It's
  • 00:24:55
    still pending. So, you can talk about
  • 00:24:56
    pending litigation. But, you know, the
  • 00:24:58
    Solar Winds decision was very prominent.
  • 00:25:00
    Um, when it comes to SEC enforcement on
  • 00:25:02
    cyber security, there were claims about
  • 00:25:05
    a security statement posted on the
  • 00:25:07
    company's website, not in SEC filings.
  • 00:25:09
    There were claims about the company's
  • 00:25:11
    SEC filings and its disclosures and
  • 00:25:14
    there were claims against an individual,
  • 00:25:16
    a senior, you know, security officer on
  • 00:25:18
    a motion to dismiss. Um, interestingly,
  • 00:25:22
    the claims about the SEC filings were
  • 00:25:24
    dismissed. The claims about the
  • 00:25:26
    statement on the website were not
  • 00:25:27
    dismissed and the claims against the
  • 00:25:30
    individual, at least in part, were not
  • 00:25:31
    dismissed because there were claims that
  • 00:25:33
    he was involved in that security
  • 00:25:34
    statement that was alleged to be
  • 00:25:36
    misleading. The commission also had a
  • 00:25:38
    number of controls charges, accounting
  • 00:25:41
    control violations, disclosure control
  • 00:25:43
    violations, very significantly, I think,
  • 00:25:46
    to the world public companies, those
  • 00:25:48
    were all thrown out. Um, so a bit of a
  • 00:25:50
    mixed result for the commission.
  • 00:25:52
    Obviously, you can't comment on public
  • 00:25:54
    uh on pending litigation. But if we pick
  • 00:25:57
    one thing from that that got people's
  • 00:25:59
    attention, I think it was the charge
  • 00:26:00
    against the non-awyer individual at a
  • 00:26:03
    company for what was essentially
  • 00:26:04
    disclosure violations that got people's
  • 00:26:07
    attention. And I can say I spent a lot
  • 00:26:08
    of time on the phone with CISOs who are
  • 00:26:10
    very worried about what this meant for
  • 00:26:12
    for for how how they do their jobs where
  • 00:26:14
    the essence of what they do is find
  • 00:26:16
    weaknesses. Um so with that long long
  • 00:26:19
    wind up and understanding you can't talk
  • 00:26:20
    about the litigation specifically, is
  • 00:26:22
    there anything you can say on these
  • 00:26:24
    topics?
  • 00:26:26
    Okay, we got one minute 42 seconds. Um,
  • 00:26:29
    so you are correct. I cannot comment on
  • 00:26:32
    ongoing litigation and nor will I here.
  • 00:26:35
    But I will say, you know, on the the
  • 00:26:37
    topic that you raise on individuals, you
  • 00:26:40
    know, I can say something general. Look,
  • 00:26:42
    when we look at individuals, um, look at
  • 00:26:45
    individual liability, we're focused on
  • 00:26:48
    the conduct of that individual. We're
  • 00:26:51
    focused on what that individual did. And
  • 00:26:53
    so if you've got an individual,
  • 00:26:55
    generally speaking, again, I'm not
  • 00:26:56
    commenting on the case itself, but just
  • 00:26:58
    thinking about generally our approach
  • 00:27:00
    across the board, whether it's cyber
  • 00:27:01
    security or anything else, frankly, when
  • 00:27:03
    you're thinking about fraud and you're
  • 00:27:05
    thinking about individuals, we're
  • 00:27:06
    looking at the actions that individual
  • 00:27:08
    took. We're looking at the involvement
  • 00:27:10
    of that individual. And if you've got an
  • 00:27:11
    individual that that is, you know, say
  • 00:27:14
    integrally involved in the fraud, then
  • 00:27:16
    you can expect us to make a
  • 00:27:17
    recommendation on that. Um, so I just as
  • 00:27:21
    a general matter, you know, I would say
  • 00:27:23
    that um, are there other things you
  • 00:27:25
    wanted to talk about? No, that's that's
  • 00:27:28
    great. We have we have half a minute. So
  • 00:27:30
    two two last things. I'll combine them.
  • 00:27:33
    Use the time how you want. One is we
  • 00:27:35
    haven't talked about regulated entities.
  • 00:27:36
    There's rules relating to cyber security
  • 00:27:39
    for broker dealers, investment advisors,
  • 00:27:41
    stock exchanges. That's within the units
  • 00:27:43
    mandate. And then my last question um
  • 00:27:46
    was whether there's anything we haven't
  • 00:27:47
    touched on that you want to share. Okay.
  • 00:27:50
    So really really super quick on you know
  • 00:27:52
    regulated entities you know
  • 00:27:55
    regid regi um you know that's that's a
  • 00:27:58
    mandate for us you know we're going to
  • 00:28:00
    continue to look at that big picture
  • 00:28:02
    point there is that we rely on our
  • 00:28:04
    division of exams for the most part like
  • 00:28:06
    they're the boots on the ground. they
  • 00:28:08
    have the expertise to kind of initially,
  • 00:28:11
    you know, tell us and identify what's
  • 00:28:13
    something that, you know, warrants
  • 00:28:15
    enforcement's involvement. There are a
  • 00:28:16
    few caveats to that like if there's a
  • 00:28:19
    sign of, you know, say a cyber security
  • 00:28:21
    incident and there's insider trading,
  • 00:28:23
    then we have a strong enforcement
  • 00:28:25
    interest there. We may get more involved
  • 00:28:26
    more early, but generally speaking,
  • 00:28:28
    we're working very closely with our
  • 00:28:30
    exams uh partners there. So, I'll say
  • 00:28:32
    that. And then and you definitely have
  • 00:28:35
    the liberty to take another half a
  • 00:28:37
    minute or minute. What do you what do
  • 00:28:39
    you want to end with? I want to end with
  • 00:28:41
    um you know something you know we were
  • 00:28:43
    talking about you were you were chief of
  • 00:28:45
    the cyber unit. Um you know what now I'm
  • 00:28:48
    the chief of this of this new formation
  • 00:28:50
    of the of the unit the cyber emerging
  • 00:28:52
    technologies unit. And kind of something
  • 00:28:54
    that, you know, has struck me about that
  • 00:28:56
    or has been new to me about it, new or
  • 00:28:59
    unne, you know, we're we're clearly
  • 00:29:01
    we're in a time of transition. Of
  • 00:29:03
    course, this is a this is a new it's
  • 00:29:05
    it's an exciting time to be at the
  • 00:29:07
    commission in my view. Um, and it is a
  • 00:29:09
    time of change, but at the same time,
  • 00:29:12
    you know, something that stands out for
  • 00:29:13
    me personally is, you know, I'm kind of
  • 00:29:16
    coming home. like I was a staff attorney
  • 00:29:19
    um in that unit and now you know to come
  • 00:29:21
    back to it and to be in a position where
  • 00:29:24
    you know I'm the chief of the unit is
  • 00:29:26
    really a unique and and wonderful
  • 00:29:28
    experience. We have a great group of
  • 00:29:30
    folks a really strong type team
  • 00:29:32
    mentality and it's been you know it's
  • 00:29:36
    been great. That's great. That's great.
  • 00:29:37
    Well, it's a great recognition for you
  • 00:29:39
    and I know that working on a new
  • 00:29:41
    chair's, you know, priorities and and
  • 00:29:44
    what's important to them and getting to
  • 00:29:46
    help that from the ground level is is a
  • 00:29:48
    very rewarding professional experience.
  • 00:29:49
    So, thank you for doing it and thank you
  • 00:29:51
    for being comfortable coming here and
  • 00:29:53
    talking to us publicly. Thank you for
  • 00:29:54
    having me.
  • 00:29:57
    Just just fantastic, guys. And Laura, we
  • 00:30:01
    can't all we're all congratulating you
  • 00:30:02
    on a very well-deserved promotion and
  • 00:30:05
    could not be more excited to do on the
  • 00:30:07
    job. Thank the
Tags
  • SEC
  • Cyber Security
  • Emerging Technologies
  • AI
  • Crypto
  • Fraud
  • Enforcement
  • Investor Protection
  • Regulations
  • Public Disclosure