SEC ramps up fight on cryptocurrency fraud by doubling cyber unit

The US Securities and Exchange Commission (SEC) announced today that it will almost double the Crypto Assets and Cyber Unit to ramp up the fight against cryptocurrency fraud to protect investors from “cyber-related threats.”

SEC says it will add an extra 20 positions to the cyber team (including supervisors, investigative staff attorneys, trial counsels, and fraud analysts) to expand it to 50 employees focused on fighting crypto-based cybercrime.

“By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify disclosure and controls issues with respect to cybersecurity,” SEC Chair Gary Gensle said in a statement issued today.

Since its creation in 2017, the SEC Enforcement Division’s cyber team has battled against and investigated cyber threats targeting retail investors (individuals investing in securities through third parties such as brokerage firms).

So far, SEC’s cryptocurrency cops have “brought more than 80 enforcement actions related to fraudulent and unregistered crypto asset offerings and platforms, resulting in monetary relief totaling more than $2 billion.”

This expanded cyber unit will protect those investing in crypto markets by investigating securities law violations linked to crypto exchanges and multiple crypto products, including but not limited to non-fungible tokens (NFTs), decentralized finance (DeFi) platforms, and stablecoins.

The SEC cyber team can also take action against public companies and SEC registrants who fail to disclose cybersecurity incidents and maintain adequate cybersecurity controls to defend against them.

“The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges,” added Gurbir S. Grewal, the Director of the SEC’s Division of Enforcement.

SEC also recently proposed rule amendments requiring publicly traded companies to report data breaches and cybersecurity incidents within four business days “after they’re determined as being a material incident.”