SEC Enforcement Tea Leaves: Expected Priorities in the Second Trump Administration

Protecting Retail Investors

During the first Trump Administration, the SEC Enforcement Division emphasized charging defendants who had harmed retail investors, such as in cases involving “accounting fraud, charging inappropriate or excessive fees, ‘pump-and-dump’ frauds, and Ponzi schemes…”^[1]During the second Trump Administration, we think the SEC will do the same. That emphasis will likely mean a shift away from process-and-procedures-focused cases without obvious direct victims, like the off-channel communications sweep. Indeed, Republican SEC Commissioners Hester Peirce and Mark Uyeda recently expressed “deep reservations” about the off-channel cases, particularly the penalties and undertakings imposed on firms.^[2](Firms might still see off-channel enforcement actions by FINRA, a broker-dealer regulator that is not an agency of the government.^[3])

This emphasis on protecting retail investors will not necessarily mean a small Enforcement footprint; the SEC may still pursue industry-wide Enforcement sweeps. During the first Trump Administration, for example, Enforcement launched a share-class disclosure initiative, inviting firms to-self disclose recommendations that clients buy mutual fund share classes with high fees, when cheaper share classes were available.^[4]  The initiative impacted 95 advisers and returned over $139 million to investors, though firms avoided penalties by self-disclosing.^[5] And it is worth noting that the total number of Enforcement actions filed during the first Trump Administration exceeded the number brought under Biden (3,152 vs. 2,824 enforcement actions, and 1,867 vs. 1,829 stand-alone actions).^[6]

A Focus on Crypto Fraudsters

SEC Enforcement will also likely change course on crypto and blockchain-technology cases. The current political environment favors the crypto industry.^[7]And the Commission’s Republican Commissioners, Peirce and Uyeda, have publicly dissented from crypto enforcement actions about non-fungible tokens^[8]and about a crypto firm’s failure to register as a dealer.^[9]Those Commissioners have also called for more guidance about which crypto assets are securities.^[10]  In addition, Commissioner Peirce has proposed a “safe harbor…which would allow token offerings to occur subject to a set of tailored protections for token purchasers”^[11]and has questioned whether a “securities regulatory framework” is the best way to provide “customers transparency around terms and risks of crypto lending products.”^[12]

But the SEC will likely continue to bring some crypto-related enforcement actions during the second Trump Administration. Indeed, the SEC brought such actions during the first Trump Administration.^[13]And Republicans and Democrats alike seem to agree that some crypto transactions do involve securities within the agency’s jurisdiction; at least when those transactions involve fraud, the SEC will likely continue bringing charges. For example, in In the Matter of Wireline Inc., the SEC alleged that Wireline engaged in securities fraud (and also sold unregistered securities) when it raised funds from investors in return for a promised future token distribution, by misrepresenting “the viability of the [underlying blockchain] platform and the timetable for the issuance of the tokens.”^[14]Commissioner Peirce issued a statement that she “support[ed] most of the Commission’s settled enforcement action against Wireline….” (She did raise concerns about a settlement term that prevented Wireline from distributing the tokens, arguing in part that the original capital raise was the securities transaction, that the underlying tokens might not be securities downstream, and that this provision ignored the distinction.)^[15]

During the second Trump Administration, moreover, Congress may well pass legislation clarifying at least some digital assets’ regulatory status. This change could also impact the SEC’s crypto enforcement actions (especially actions not focused on fraud).

More Conservative Approach to Corporate Disclosure and Cybersecurity Cases

We also expect the SEC to pursue more conservative theories in corporate-disclosure and cybersecurity cases. Republican Commissioners have argued that recent enforcement actions of both types went too far. 

In September 2024, for example, the SEC settled charges against Keurig Dr. Pepper Inc., alleging that the company had misrepresented in annual reports that, “without qualification, [] its testing and recycling facilities ‘validated[d] that [K-Cup beverage pods] can be effectively recycled…’”^[16]The company’s research and testing did indicate that the pods were recyclable. But according to the SEC, the representation was misleading because, in reality, “two large recycling companies had indicated that they did not presently intend to accept pods for recycling…” because of “commercial” considerations. Commissioner Peirce dissented.^[17]She argued that the company’s statement was not misleading, especially not materially so. She also argued that the SEC was engaged in “pedantic parsing” of the company’s statements and could prompt companies to “pad any statements they do make with a mountain of caveats.”

Similarly, in February 2023, the SEC settled charges against Activision Blizzard, including a charge concerning a risk-factor disclosure in the company’s public filings, which stated that the company’s success depended on retaining skilled employees. The SEC alleged that the company had failed to maintain sufficient controls and procedures to “ensure that information related to employee complaints of workplace misconduct” would reach personnel responsible for making public disclosures relating to this employee-retention risk factor.^[18]Commissioner Peirce dissented, arguing in part that it was difficult to “see where the logic of this Order stops…If workplace misconduct must be reported to the disclosure committee, so too must changes in any number of workplace amenities and workplace requirements….” She added that the Commission was playing its “new favorite game ‘Corporate Manager.’”^[19]

And in October 2024, the SEC brought settled enforcement actions against four companies impacted by a cyberattack. The SEC alleged that the companies had failed to update generic cybersecurity risk-factor disclosures in SEC filings to reflect actual cybersecurity breaches; omitted material details when publicly disclosing cyber events; or failed to maintain internal controls sufficient to ensure that information about cyber events timely reached those responsible for making disclosure decisions.  Commissioners Peirce and Uyeda dissented from the orders, saying that the Commission was “engage[d] in hindsight review to second-guess the disclosures” and was also relying on “immaterial, undisclosed details to support its charges.”^[20]The dissenting Commissioners argued that companies need only disclose the cyber events’ “impact,” not the “details regarding the incident[.]” Those Commissioners also argued that whether “risk factors need to be updated because certain hypothetical risks have materialized is not always a straightforward matter, and the Commission should be judicious in bringing charges in this area.”

In addition to cases about alleged disclosure failures, the SEC might also be more conservative in alleging that companies maintain inadequate cybersecurity protections. In June 2024, the SEC settled charges^[21]against a public company that suffered a cyberattack. The company allegedly had not established sufficient controls and procedures concerning cybersecurity incidents, a failure which was ultimately “exploited by hackers.” As a result, the SEC alleged (in part), the company had violated Section 13(b)(2)(B) of the Exchange Act, i.e., failing to “maintain a system of internal accounting controls sufficient to provide reasonable assurances…that access to company assets [was] permitted only” as management authorized. (Emphasis added.)

Commissioners Peirce and Uyeda dissented. They argued^[22]that equating an alleged cybersecurity-controls failure with an accounting-controls failure under Section 13(b)(2)(B) “gives the [SEC] a hook to regulate public companies’ cybersecurity practices.” According to the dissent, section 13(b)(2)(B) does not extend so far: In the dissent’s view, the requirement to establish accounting controls sufficient to protect “company assets” concerns “assets” that are the subject of corporate transactions, not assets like computer systems. The following month, a federal district court similarly rejected the SEC’s interpretation of section 13(b)(2)(B), saying that the accounting-controls provision “refers to a company’s financial accounting.” SEC v. SolarWinds, 2024 WL 3461952, at *49 (S.D.N.Y. July 18, 2024).

Conclusion

In the next four years, we expect the SEC to take a business-as-usual approach to Ponzi schemes, insider trading, and other types of securities fraud. But the agency may take a different approach to cases without retail-investor victims, to crypto enforcement actions that do not involve fraudsters, and to cases about corporate disclosure and cybersecurity.