On February 21, the Securities and Exchange Commission charged a former bitcoin-denominated exchange and its operator with making false or misleading statements in connection with the sale of unregistered securities. The SEC’s complaint alleges that BitFunder and its founder, Jon E. Montroll, failed to disclose to users a cyberattack that had resulted in the theft of more than 6,000 bitcoins worth approximately $69.6 million. Rather than disclose the cyberattack to users or regulators, the SEC’s complaint alleges, Montroll attempted to cover up the lost bitcoins and continue the operation of BitFunder. Separately, Montroll also faces federal charges for allegedly lying to the SEC regarding BitFunder’s ability to continue operations after the cyberattack.
TIP: This is the latest in a series of high-profile cases of companies failing to disclose cybersecurity attacks or weaknesses, and thus running afoul of regulators. Companies must institute comprehensive plans not only to respond to attacks internally, but also to think through the legal, regulatory, and disclosure obligations that stem from an attack.