On Monday of this week the SEC addressed its enforcement initiatives for the coming year. No major changes, but things to note:
The Commission lacks staff to police all issues, including cyber issues. It expects all companies to have a cyber policy in place to warn the public of the risk and to make disclosures if there is an incident. (They noted their prosecution of Yahoo, which suffered wholesale data breaches.) This was in reply to a question as to whether the SEC would hold boards accountable, but does not really resolve that issue one way or another. Later it was noted that in 70% of its cases, the SEC in fact names individuals as well as the companies involved.
The SEC also sent yet another signal warning about coin offerings as involving securities, and thus a need for disclosure and for either an exemption from registration or undertaking such a registration.
A couple of interesting insights into SEC operations:
Lack of money for staff, and the disruption of the government shutdown, limits SEC cyber focus to larger companies, number of breaches which were not disclosed properly, and whether some other government agency (or country government) is already taking action.
The SEC is struggling under a learning curve to keep up with the increasing sophistication of matters requiring attention, particularly since crimes develop quickly and are effected electronically. But they note one positive fall-out of the staff shortage of people and resources: the SEC claims it is learning how to work more efficiently to cover its policing beat.