On February 20, 2025, the Securities and Exchange Commission (SEC) announced formation of the new Cyber and Emerging Technologies Unit (CETU), staffed by fraud specialists and attorneys across multiple SEC offices. This unit replaces the former Crypto Assets and Cyber Unit, signaling a strategic shift away from cryptocurrency enforcement and toward combating misconduct related to cybersecurity and emerging technology issues, including artificial intelligence (AI). The SEC emphasized that CETU will focus on protecting retail investors by addressing fraudulent public disclosures and other cyber-related threats.

While the CETU sits within the SEC, it’s not just SEC-regulated business that should pay attention. CETU’s creation is an early signal from the current administration that cybersecurity and emerging technologies will remain a regulatory focus, aligning with a broader trend across many sectors. Given recent enforcement trends, some key targets include:

• Public companies, including the board and their executives, especially after the SEC has undertaken numerous enforcement actions related to the SolarWinds hack, including suing SolarWinds' Chief Information Security Officer personally and reaching settlements with various SolarWinds customers for misleading disclosures. Even more disclosure-based enforcement could be in store, too, as we near the one-year mark of the SEC’s updated Form 8-K and Form 10-K disclosure requirements taking effect.
   
• Investment advisers, which have been targeted by the SEC for purportedly deceptive claims about their AI use and technologies.
   
• Businesses using or developing AI products, which the Federal Trade Commission (FTC) has also been targeting for AI business-practice violations, as part of a nationwide crackdown.
   
• Government contractors, including recipients of federal grants, given the Department of Justice (DOJ) has intensified efforts through its long-running Civil Cyber-Fraud Initiative, recently pursuing more claims under the False Claims Act against these entities for misrepresenting cybersecurity practices and failing to report breaches.
   
• Entities in the defense and critical infrastructure sectors, who may be subject to new and forthcoming regulations, including the DoD’s now-effective Cybersecurity Model Maturity Certification (CMMC) regulations and the Cybersecurity and Infrastructure Security Agency’s still-pending notice requirements promulgated under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
   
• Healthcare providers, insurers, and business associates, who have been subject to enforcement actions by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for violations of HIPAA's Security Rule. (See example cases here, here and here).

Given this escalating enforcement landscape, all businesses should proactively review their cybersecurity and AI governance programs to ensure compliance. During or after an incident, companies required to provide notice (to regulators or to individuals) and those receiving government inquiries should immediately seek legal counsel. Our firm’s White-Collar, Litigation and Cybersecurity teams are ready to help with proactive compliance measures, incident response, and navigating regulatory investigations. For assistance or more information, please contact a member of our team.