SEC Shifts Enforcement Focus With Launch of Cyber and Emerging Technologies Unit

On February 20, 2025, the Securities and Exchange Commission (SEC) announced the formation of the Cyber and Emerging Technologies Unit, known as “CETU,” which will replace the Crypto Assets and Cyber Unit (“CACU”).

CETU aims to combat cyber-related misconduct and provide safeguards for retail investors against malpractices emerging in the technologies sector. The formation of CETU reflects a significant shift in the SEC’s priorities as to the digital assets sector, specifically an apparent move away from non-fraud crypto enforcement actions, such as alleged registration or technical violations of the securities laws.

CETU’s Focus

In announcing the formation of CETU, Acting SEC Chairman Mark T. Uyeda emphasized that this unit will enable the SEC to allocate enforcement resources more effectively, and in more recent remarks, he noted that SEC is committed to “continue to hold wrongdoers accountable,” while also remaining “dedicated to our more traditional investor protection efforts,” signaling that the SEC plans to focus on its core mission to safeguard investors and maintain market integrity from fraudulent or harmful practices notwithstanding technological advancements.

According to the SEC, CETU will prioritize the following types of enforcement matters:

1. Combatting Fraud Involving AI and Other Emerging Technologies – The SEC will continue to focus on the use of artificial intelligence and machine learning in fraudulent schemes. The SEC will likely continue to focus on “AI washing,” where investment firms and target companies have made misstatements in marketing communications about the use of AI in their products and services.
2. Public Issuer Fraudulent Disclosures Relating to Cybersecurity – The SEC will continue to focus on public company disclosures under its recent cybersecurity rules and regulations, including disclosures regarding material cybersecurity incidents, albeit with a likely fraud focus. The Crypto Assets and Cyber Unit was aggressive under prior SEC leadership for disclosure enforcement, including in its enforcement case against SolarWinds and its chief information security officer. While a federal court substantially narrowed the SolarWinds enforcement case, the CETU will seemingly focus on “fraudulent disclosures,” such as disclosure involving investor harm, as opposed to technical disclosure or internal controls violations relating to cybersecurity.
3. Regulated Entities’ Compliance with Cybersecurity Rules and Regulations – The SEC will continue to prioritize enforcement matters involving regulated entities, such as broker-dealers, investment advisers, and investment companies, including rules relating to the protection of customer information and data, and related compliance policies and procedures under Regulation S-P.
4. Tackling Online Deception – The SEC will focus on fraud conducted via social media, the dark web, and fake websites that acutely impact retail investors.
5. Protecting Against Cyber Intrusions – The SEC will prioritize enforcement of hacking incidents used to obtain material nonpublic information, which hackers or other threat actors then use to trade securities for financial gain.
6. Preventing Retail Account Takeovers – The SEC will likely scrutinize broker-dealers and regulated entities over their cybersecurity controls to ensure appropriate safeguards are in place to prevent unauthorized access to retail brokerage accounts.
7. Ensuring Blockchain and Crypto Integrity – In a significant shift, the CETU will focus on fraud involving blockchain technology and cryptocurrency assets, as opposed to the various non-fraud registration cases the Crypto Assets and Cyber Unit had filed under prior SEC leadership. For example, the SEC will place less emphasis on enforcement involving “meme coins,” leaving it to other regulators to fill the enforcement void if there is fraud or other misconduct involving non-security meme coins.

CETU’s Staffing and Leadership

CETU consists of roughly 30 fraud specialists and attorneys from various SEC offices, representing a reduction from the approximately 50 enforcement roles in CACU.

CETU will be led by Laura D’Allaird, the former co-chief of the Crypto Assets and Cyber Unit. Acting SEC Chairman Uyeda highlighted that under D’Allaird’s leadership, CETU will complement efforts of SEC’s newly created Crypto Task Force, launched in January 2025 and led by Commissioner Hester Peirce. While the Crypto Task Force aims to create a comprehensive regulatory framework for digital assets, CETU will instead handle enforcement of not only crypto-related matters, but also cybersecurity incidents, AI, and cybersecurity controls.

Takeaways and Implications

On its face, CETU appears to be a rebranding of the Crypto Assets and Cyber Unit and is a clear signal that the SEC is going to focus on fraud involving retail investors. That said, CETU will continue to focus on topics that have been areas of historical focus for the SEC, including cybersecurity incidents, safeguarding customer information for regulated entities, and artificial intelligence.

Companies should continue to prioritize assessment of their cybersecurity compliance and controls, as compliance lapses that result in investor harm or loss could result in SEC scrutiny and enforcement, especially if such controls do not comply with existing SEC regulations. Regulated entities and issuers should also continue to regularly evaluate their incident response practices and procedures to ensure capabilities and stakeholder involvement align with applicable SEC cybersecurity rules and regulations.

Further, as more companies evaluate AI and machine learning, and incorporate these advancements into their operations, regulated entities and issuers should evaluate the risks of these new technologies and ensure marketing material and public representations are accurate, especially in connection with the solicitation of or managing of investments.