SAN FRANCISCO — Robert Cohen, the head of the U.S. Securities and Exchange Commission's cyber unit, warned on Thursday that the agency may seek more severe sanctions against issuers of initial coin offerings if they continue to flout securities regulations.

In a keynote address at the annual Securities Enforcement Forum West event, Cohen said the agency put participants in the ICO space on notice of how securities laws apply through last summer's “DAO Report,” numerous speeches by SEC Chairman Jay Clayton, and the Munchee ICO enforcement action, which did not result in any penalty.

“If the conduct continues, despite all that, I think you will continue to see cases and probably the remedies will go up,” Cohen said.

The senior SEC official said the agency still has “a number of investigations ongoing” over ICOs, not only related to fraud but also “purely registration issues.” Cohen said investigating digital assets has been one of the biggest areas of focus of the cyber unit, which was created in September as part of the SEC enforcement division.

“The ICO cases and digital asset fraud cases are keeping us very busy,” he said.

His remarks come amid a wave of enforcement actions over alleged frauds that sought to rip off retail investors using the hype around bitcoin and blockchain technology, as well as civil litigation alleging that certain digital tokens are actually unregistered securities. Aside from Munchee, the SEC has not yet brought another case purely over a registration violation.

Cohen said the creation of the cyber unit reflects the priority the SEC places on digital assets as well as cybersecurity issues. He noted that the roughly 30-person unit was created with existing SEC staff—not new hiring—and has groups at SEC offices in Washington, New York, Chicago, San Francisco, and Philadelphia.

At a different panel later in the day, Michele Layne, director of the SEC's Los Angeles regional office, also said her office is conducting a number of registration and fraud-based ICO investigations.

Cohen's other remarks at the event focused on the SEC's recent cybersecurity breach disclosure guidance. In his comments, he underscored that the commission does not want to second-guess “reasonable, good-faith disclosures.”

Noting the SEC's recent $35 million settlement with Yahoo over its belated disclosures, Cohen said: “I don't think a reasonable person could argue that that was a close call.”

Cohen also stressed that the SEC is very focused on ensuring companies have a plan for what to do after they get hacked, given that breaches of some kind are increasingly inevitable.

“The nature of the entities and nations that are looking to infiltrate the systems in corporate America are very sophisticated,” Cohen said. “It's often shockingly easy to figure out whether this was a firm that thought about this or not.”


➤➤ Want to read more about how new tech is challenging old laws and changing the legal profession? Sign up for What's Next, a weekly email briefing on the future of law.