Usman: Okay, so why don't we get started. I wanted to thank all of you for joining our webinar. On behalf of Gowling WLG, let me welcome you to this session called 'Blockchain Litigation - A Discussion of the Latest Civil, Regulatory and Criminal Cases'. My name is Usman Sheikh. I'm the head of the Blockchain and Smart Contract group at our firm. Just by way of a little bit of background about our group, we've been in this space, the Blockchain space, for about 4 to 5 years now. We have around, I would say, 30 to 40 professionals who practice in the area from all different sectors, whether it's capital markets, whether it's privacy law practitioners or whether it's litigators like Brent, Kavi and myself who are on this session. Our firm represents some of the co-founders of Ethereum. We represent banks, stock exchanges, crypto platforms, pioneers, smaller startups and many others in this area and we've taken it upon ourselves, as a firm, to do quite a lot of speaking around the world, particularly to educate governments and regulators as to how to address the topic of Blockchain regulation around the world. So whether it's really addressing the Member States of the IMF, or speaking to the Monetary Authority of Singapore or even our domestic and local regulators and governments, our firm has been quite active in that area. So if you wish to learn more about our Blockchain group feel free to visit our website or reach out to any of the members that you see on today's panel from our firm. Our contact is also in the invite that you received. Before also diving into today's topic I should note that the webinar that you're attending today is actually the last in a 6 part series of webinars that we've been hosting over the past year, throughout the pandemic, on some of the hottest topics in the Blockchain space. The first session was on crypto asset trading platforms.
The second session was on NFTs, or non-fungible tokens, and as an interesting side note there's actually a lot of discussion and press around William Shatner's experience up in space. Well, in the webinar session that we had on NFTs we actually invited Vinny Lingham, one of the co-founders of Ethereum, to really describe a project on NFTs that he has with William Shatner and others to create NFTs based on Captain Kirk action figures and others. So if you want to learn about that, perhaps not Mr. Shatner going to space but perhaps him becoming an NFT, check out that webinar as well. We had a number of other sessions on Stablecoins, on DeFi, on Open Source and Intellectual Property Rights and this is the last session on Blockchain litigation. I say all of this because all of these webinars are in fact located on our website and so you're most welcome to go and visit those and we will almost certainly be hosting more sessions like this in the coming year.
So just a few other preliminary points before diving into the substance of today's topic, I should note that this program is eligible for up to 1 hour of substantive CPD credits with the Law Society of Ontario, British Columbia and in Quebec and may be eligible for 1 hour of CPD CLE credits in other jurisdictions and finally, lawyers being lawyers here's a key disclaimer, the presentation today is not intended as legal advice. For specific legal advice on any issues that we're going to be discussing today please contact legal counsel to get advice on your own specific issues and projects. I should also add another point that is pretty key, that is not on the deck, and that is that many of the litigation matters that we're going to have to discuss in the Blockchain space we're going to have to do so at a quite general level given that we, Gowlings and also Goodwin, our guests here today, either separately and sometimes in fact together, serve as counsel on many of the cases that have been previously decided and are currently being litigated.
Okay, with that background let's get to the topic at hand. To that end let me begin with a few introductions, if I may. I'm honoured to be joined here for today's session on Blockchain litigation with our panelists. Let me begin with my colleagues at Gowling. We have Brent Arnold. He is a partner in the Toronto office and the head of the firm's Commercial Litigation Technology sub-group. He also leads our Cyber security Litigation team. We also have, from our firm, Kavi Sivasothy. He is an associate in our Toronto Advocacy group. He is also one of our go-tos on cyber security and AML litigation related issues. We also have a few external guests today who I'm thrilled to have with us. We welcome Grant Fondo. Grant is the head of the Litigation Department for Goodwin's California offices. He's a founder and co-Chair of its Digital Currency and Blockchain Technology practice and a partner in the firm's Securities Litigation and White Collar Defense group. He's also an experienced Federal Prosecutor and former Assistant US Attorney in the Northern District of California and he, and Zoe I should say, are known quite well as lawyers and litigators extraordinaire in the Blockchain space in the United States. I've mentioned Zoe. Let me give you a little bit about her background. Zoe Bellars, she's an associate in the firm's Complex Litigation and Dispute Resolution practice group. Her practice focuses on securities and litigation, white collar defense, white collar investigations and Federal and State complex business litigation. She also previously served as a legal extern in the enforcement division of the United States Securities and Exchange Commission. Grant and Zoe, it's a total privilege and honour to have you with us here today. I should just note a little bit about myself.
I mentioned before that I'm the head of our Blockchain and Smart Contract group and I do all things Blockchain related at Gowling, particularly on the litigation side and I'm a former prosecutor at the Ontario Securities Commission, our largest capital markets regulator in Canada.
Okay, so let's maybe jump into the heart of the matter, and I wanted to start off with a few overview questions, if I can. Just by way of some background let's perhaps discuss litigation trends and regulatory developments, generally, and maybe Grant and Zoe, if I can pick on you a little bit first, starting with you how have litigation and regulatory developments in the Blockchain space really evolved over the years in the United States?
Grant: Yeah, sure. So it definitely has evolved over time, particularly, I think I'll start with the regulatory side because it's in some ways much more fascinating and scary I guess in a sense. There's been a couple of trends that we've noticed over the last few years. One is that there is more regulator involvement, both in the context of the types of regulators, the agencies in the United States, but also the amount of regulators within those agencies. There's also been more cooperation and focus on crypto assets. Anybody following the US markets has certainly heard Commissioner Gensler talk about his focus on the crypto markets, not necessarily a positive thing for some, but his focus has been on the centralized and DeFi trading platforms, also the lending products with returns, staking tokens and Stablecoins. So he's really trying to bring this industry under the SEC regulation a little bit more. You've also seen him with the DOJ. They have been involved. The SEC has been a leader in this space sort of from the beginning. The DOJ has been involved as well. They're obviously more involved in the fraud aspects of it but where they've really focused their attention on now is kind of AML, BSA issues as well as some of the fraud things but I think they're really focusing on trying to prevent digital assets as means of laundering money or committing other violations. You also have the CFTC. You've seen them get more involved. Oh, the other thing I should mention about the DOJ is they've just created a new task force. It's called the National Crypto Currency Enforcement Team with a real eye towards targeting this. You have certain Districts, Northern District of California is one for example, where they have a specific task force within that District on crypto. So you're just seeing more and more focus and involvement with the DOJ as well. The CFTC has also become more involved.
They filed a case, roughly in about the last 12 months, called the Global Trading Case which is also BitMEX, and what that involved was kind of off-shore entities trying to get access to the US markets without US regulation, so the CFTC has focused on those certain crypto transactions as being commodity type transactions and regulating those. You've also seen OFAC been involved and the IRS has kind of stepped up its involvement as well. Some of the other trends that we've seen is agency sweeps. So when agencies want to better understand what is going on in a novel industry, and you really see it with crypto, it's a pretty novel industry in many ways and cutting edge and complicated. They're trying to figure out what some of these platforms are, you'll see sweeps, where they ask for information relating to a particular product like staking, it was ICOs, but you're seeing this tool used more and more. I think you're seeing it in the DeFi space as well. So you're seeing that from the SEC and DOJ. The IRS has a tool. It's sort of like a sweep. It's the John Doe summons. So you're seeing that activity as well. You're seeing States more involved in taking a leadership role. Some of you may have been aware of the BlockFi litigation, for example, so that's an example of the States taking sort of a lead role in trying to regulate some of this activity. You're also seeing a real focus in the industry, and regulators dealing with it, in decentralization. Sort of decentralization from launch. 3, 4, 5, 6 years ago, at the ICO, the focus was on utility. Now the focus seems to be more on decentralization and the issue there is decentralized finance and other decentralized platforms, regulated or not.
Then as far as in civil litigation, you're seeing it get more active. There's waves with things and the trend that you see with the civil litigation it does tend to be more focused on the exchanges, the traditional exchanges, and it also tends to focus on the violations of Federal and State securities laws and consumer laws as an avenue to bring litigation against exchanges.
Usman: Okay. That's really terrific. In Canada our trends and regulatory developments has been quite an interesting one but I don't think it's too different from what I'm hearing from you, as accredited the United States. It's interesting because, for those of you in the audience who are not aware, the Bitcoin White Paper that was issued by Satoshi Nakamoto was issued almost about 13 years ago, October 31, 2008. So for years we didn't see much litigation or regulatory development in this space. Certainly in Canada. There were a few notable developments here and there, for example, in 2014 Canada became one of the first jurisdictions in the world, to our knowledge, and actually took steps to statutorily address crypto assets. That was an amendment to one of our key AML statutes, the proceeds of crime legislation, to extend it to those who are in the business of quote/unquote dealing in virtual currencies. Although the amendment didn't really kick in until very, very recently. Then beginning in 2017 and 18 we start seeing some regulators, mostly in the securities space, really start popping up with some guidance. Most of that guidance was by, as I said, securities regulators and most of it, although not exclusively, related to initial coin offerings, or what are called ICOs. I would say one of the key moments in Canada, where individuals in the Blockchain space really came to discover that laws and regulations would apply to them, was actually a US development which was the SEC's issuance of its famous DAO Report when it looked into a quite notable hacking, some would say, of an entity called a DAO, or decentralized autonomous organization, and whether US Federal securities laws were violated. But I remember the day that that report came out and my phone just started ringing off the hook, non-stop. People started contacting us saying, "We thought that this area was not regulated by securities regulators." and they started to get advice.
It's really been though in the last 2, 3 years that we've just been seeing a flurry of activity and significant developments, both on the regulatory and the litigation front. On the AML side we have now the rules kicked in for those who are dealing in virtual currencies. There's a requirement to register, have a compliance system in place when dealing with virtual currencies and there's been ongoing guidance that has been issued by FINTRAC, the regulator in that space, and on the security side there's also been a significant amount of activity, whether it's additional guidance from our regulators, consultation papers, exemptive relief orders, and we'll come to those in a moment, and the amount of litigation that we, certainly at Gowlings, have seen in this space has increased exponentially. In the earlier years it was really on ICOs and now it's gone into crypto platforms, insolvencies and bankruptcies and also just civil litigation involving breach of contract cases and others. We're really seeing the litigation all over the place. I know, Brent, you wanted to add a point on trends so go ahead.
Brent: Thanks. With respect to the regulatory trends, we're seeing the beginning of a wave and we're not really sure where it's going, but what we're seeing in a lot of places are discussions about limiting one of the uses of crypto currency which is paying of ransoms in ransomware attacks. Early on we've been seeing talk about banning crypto entirely. I don't think that we're going to see that get very far, but we are seeing things more along the lines of bans on ransomware payments, which are difficult to enforce because it tends to just drive the activity into secret. So dealing with that issue, one of the more interesting bills we've seen pop up is one that Senator Elizabeth Warren has proposed in the States, which is a law that would require disclosure when companies or other organizations pay ransoms. They'd have to include things like the amount and the currency used. So if it's Bitcoin or if it's something else they would have to disclose the type of currency that was used. Sort of I guess a shaming function, in addition to an intelligence tracking function, but this information would be made, not just reportable to the government, but would be made public as well. So it'll be curious to see whether that goes forward and whether the Canadian state and other governments follow suit.
Usman: Okay. We'll get into some of the cases in a moment but, Grant and Zoe, maybe if I could start off with you. What are really some of the current hot button issues that we're seeing on the litigation regulatory front in Blockchain in the United States?
Zoe: Sure. Thank you so much, Usman, first of all for having us. We're happy to be here with you all and happy to dive into this a little bit. I think we'll touch on a lot of these but I think I'd be remiss not to call out NFTs right now. They're sort of a hot topic. The spicy new thing that everyone seems to be talking about. NFTs, of course it stands for non-fungible tokens, and they're a digital file that serves as a virtual representation of a unique or limited edition asset. This is an emerging digital asset class and there are a lot of sort of interesting and novel legal and regulatory issues that are presented when considering NFTs. A threshold issue is how are they categorized? Are they securities? Are they commodities? Are they something else entirely? I think our regulators are grappling with that as well. Other issues surrounding NFTs arise in the context of intellectual property rights, whether there are any related anti-money laundering implications, any sanctions implications, cyber security concerns and also how United States law will further develop to govern digital currencies, generally, but also including NFTs. I think looking ahead kind of, as a general principle, we're seeing that regulations and laws in the US are sort of maybe always going to be in this state of playing catch up. I guess that kind of brings me to my next big takeaway, my next big hot topic issue. Grant touched on this a little bit but there's been a lot of discussion about Gary Gensler, who is the Chair of the SEC, and in particular some of his recent speeches, interviews, some of his recent writings and I'll preface all of that with saying we're definitely seeing more activity on the part of regulators in this space, of course, and it seems that they're catching up a little bit, albeit slowly, but the existing regulatory and legal environment and framework really was not designed to deal with, to accommodate, digital assets. So I think the SEC is sort of on to that.
I think the biggest sort of Gensler story, in a series of recent interviews and speeches that have kind of perked our ears up, is the series of letters that he exchanged with Senator Elizabeth Warren. She is the Chair of one of the Senate subcommittees that deals with some issues in e-banking industry and so earlier this summer Senator Warren sent Chair Gensler a letter asking about, just in very broad strokes, the risks that crypto exchanges can pose. In his response Chair Gensler sort of expressed some skepticism that the existing regulatory regime can fully cover platforms like DeFi, decentralized finance, and he also touted the need for some additional regulatory authority and this makes me think that he might not believe the SEC actually has the existing authority to create this very needed regulatory framework. He wrote in this letter, and I think this kind of sums it all up, "In my view the legislative priority should center on crypto trading, lending and DeFi platforms. Regulators would benefit from additional plenary authority to write rules for and attach guardrails to crypto trading and lending." Certainly this is all connected to decentralized finance and the networks and various protocols, platforms, exchanges that either really are decentralized, which is difficult to achieve, or purport to be decentralized. We'll touch on this a little bit later but this is definitely a hot button issue.
Usman: I feel like I could take all of your comments and equally apply them to Canada. Certainly the major hot button issues that we're seeing right now is definitely on crypto asset trading platforms, particularly how they should be regulated and we're going to discuss that in a moment, and our regulators set out, very recently, just a few months ago, a path forward for compliance for these things called crypto platforms and on the same day as setting out that path forward, the largest securities regulator in Canada, which is the Ontario Securities Commission, issued a warning telling parties that they need to come in line or else they may face enforcement. So that's a major hot button issue. We're going to get to that. DeFi as well, as you were saying, NFTs as well, cyber security, Brent I know you're going to talk about that a little bit later on as well. Another quite late breaking major issue, literally a few days ago, is this topic that you were talking about, Zoe, on regulatory authority because in our Province authority issuance, as I'm sure is the case in the United States, it is on the characterization of crypto assets and tokens. So our government, back in February of 2020, made a commitment, I should say further to its commitment to modernize the capital markets and the regulatory regime, created what's called a capital markets modernization task force. They issued a final report in January of 2021 listing a whole bunch of recommendations and their draft legislation relating to those recommendations on how to restructure things in terms of securities regulation in Canada, on a whole bunch of topics, was just released a few days ago. Of note, that draft legislation is now proposing to provide the OSC with designation powers and rule making authority for crypto assets that are not already securities or derivatives. 
In other words, it gives the regulator the ability to designate crypto assets as securities or derivatives, even if it doesn't fall otherwise under the existing definition for a security or a derivative. A lot of really, I mean we're just sort of reading the legislation now and we likely will be providing a comment, but a lot of really interesting issues are raised by that legislation. The ability of, it's really the Chief Regulator they say who is the CEO, who has the ability to issue these designation orders. They say that the Chief Regulator may not make one of these designation orders without giving the persons they say, "directly affected by the order an opportunity to be heard." So that hearing process is going to be interesting but think about public Blockchains and crypto assets that reside or are native to public Blockchains. I mean, who arguably many, many parties who are directly affected by the designation of a token as a security all around the world, whether you're a node, whether you're a combiner, whether you're a core developer, many, many other parties. They also provide a really interesting definition of crypto asset and I'll just read it to you. They say that, "Crypto asset means a digital representation of value or contractual rights which may be transferred and stored electronically, using distributed ledger or similar technology." So they can designate something that is a crypto asset as a security or derivative, but aside from the vagueness of that definition, it's also not necessarily consistent with other legislation, legislative provisions defining what crypto assets are, including under the proceeds of crime legislation. So a lot of interesting issues and this is going to be a very thorny hot button issue in the coming while. So we'll keep looking at that.
So again, before getting into some of the other issues, another just general question on the overview front, how is litigation, qua litigators like all of us, different in the Blockchain space when you're litigating or is it? I'm not sure, Grant or Zoe, if you want to start us off on that.
Grant: Yeah. I think it's an interesting question. I do think it's different. I think it's different in a couple of ways. Sort of what makes it fun actually. Every case has this regulatory overhang. Where even if it's just a straight up breach of contract claim, there's securities claims in there, or commodities claims in there, you know Commodities Exchange Act issues, and so it's like you can't have a civil litigation without a regulatory overhang. That's pretty unique. And you also have to think bigger picture. Okay, what are all the ramifications of this? Maybe a simple dispute of founders who whatever it is. The other thing that's really interesting is I can't think of any other industry where so many of the participants and companies, meaning the individuals as well as the companies, are offshore. So when you get into litigation you have all these interesting, often jurisdictional issues. Where is the company located? Where are the executive team located? I think with the COVID era you're seeing more of that with regular tech companies and other companies as well. I think you see it in spades in the crypto world. But it also creates lots of interesting jurisdictional issues. Just sort of fascinating stuff and you see with the SEC, for example, where do they have authority, when do they get authority and what does it take to get that authority? Is a simple transfer of payment into the US enough? Are servers in the US enough? So just really interesting stuff. I also think you have very sophisticated consumers so it's a very different consumer base and sort of plaintiff base in a sense. These consumers, if anyone has tried to use many of these DeFi platforms, it's not for the average person. Right? Very complicated. They're also very risk seeking so most of the time these are not the typical more conservative, I just want to see my stuff go up 3% kind of thing, this is people who are very interested in this space. Very knowledgeable and a risk taker by nature.
So that's very different. I think you also see the judges kind of like it. Like they're pretty fascinated with the technology and so they dig into it but they also like just really kind of like almost seem excited when you show up because they're going to learn something new today, maybe, or they find the whole area fascinating. But the other aspect is they're kind of skeptical. There's some bad press out there. Then I think the last one I would end up with, because we haven't seen a lot of it yet, but in the DeFi space, like, okay, who is the defendant? Usually there's a company, there's a CEO, so in the crypto space I think there's always that issue about who are the potential defendants in any case.
Zoe: Really quickly just building off that, to Grant's point of that we have some pretty sophisticated players involved, I think anytime, in particular when you hear the SEC discuss really anything, they are pretty focused on their 3 part mission. The 3 part mission, protect investors, to ensure fair, orderly and efficient markets and to facilitate capital formation and so a lot of emphasis is really placed on this first part, the investor protection. I think Gensler recently said, he regurgitated the mission then said, "But really we're at the core of us for investor protection thinking basing." So really thinking about a lot of these areas, especially I think decentralized finance protocols, products that we're seeing, some might have a pretty low barrier to entry but others are incredibly sophisticated and only really savvy people could access them in the first place. So it's interesting to think about sort of the heightened scrutiny that the SEC, and that other regulators, may be placing when really I don't know if these are the kind of investors that need as much protection as your sort of more traditional mom and pop investors. Just a thought.
Usman: Yeah, that's really interesting. I don't know, Brent, if you've got anything or had some comments as well. Well just as a litigator in this space, having been on a number of matters in Canada, one thing that strikes me as very different than the litigation that we've been dealing with in other realms, so to speak, is number one the lack of precedent. So oftentimes, we as practitioners, have to go right back down to the very first principles to figure out how to treat a matter. So I don't know about you folks, Grant and Zoe in the United States, but in law school when studying securities laws, the investment contract test, yes we read the key cases, Howey, in Canada a specific ..., but really we haven't brushed those cases off for many, many years. Really this technology is forcing us right back to those core cases on what's really the principle that operates here, and it really requires as practitioners to scan the globe, to really look for precedent in other key jurisdictions. So, we don't need to huff you folks up, but we often look to the jurisprudence in the United States. We look at the jurisprudence in the United Kingdom and Australia and many other jurisdictions so that's something that really strikes me as different as a litigator in this area. Another is just understanding the technology. So one really does need to understand and at times it does matter how the technology works and so as a lawyer we're often forced into the coding and other technical standards, knowing what an ERC-20 token is from an ERC-721 token, is important; understanding how the industry works and the role of key players, like miners and core developers, is another thing that is quite unique in this area.
Then the other thing that strikes me as quite unique in this area as well, Zoe, to your point, is that a common theme that arises in our cases, particularly on the regulatory front, is this tension between the balance between investor protection on the one hand and ensuring the efficiency of the capital markets, which also means not stifling innovation and that comes up a lot in our cases, trying to speak to regulators and authorities about where does that balance properly lie. If you take this harsh action against this party what is the domino effect? What's the follow on effect from that quick win or that effort? So that's another thing. Perhaps if I can maybe turn to the topic of cyber attacks, and perhaps to set the scene, Brent and Kavi, can you maybe give our audience a view of what the recent landscape looks like on the cyber attack ransomware front as it relates to crypto or crypto assets?
Brent: Sure. I'm happy to start us off on that. So the biggest story, and this will come as a surprise to no one that reads the news, is ransomware and ransomware is a crypto issue because, as we all know, the threat actors want to be paid in something close to untraceable, if not untraceable, and that's always crypto currency. So ransomware has emerged as the single biggest cyber threat that we have seen, apart from nation state attacks but it certainly, as we saw with the capital pipeline attack, they have the ability to be just as disruptive as a nation state attack. We've also seen an evolution in the way ransomware works. When it first emerged it basically just encrypted your data and then the ransom came to you saying, "Pay up or we will help you free up your data." Now it infiltrates your system, downloads at least some of your data and then encrypts and so it's a double threat. Pay us or we won't help you decrypt your data and we're going to publish what we stole either on the dark web, or we might sell it on the dark web, or we may post it on a public shaming site that anyone can access with an internet browser. So that's been an exciting evolution in the way that you hope to never see anything exciting happen. We've also seen the emergence of an incredibly complex ransomware criminal ecosystem that we're starting to understand better now. You have ransomware as a service that you can rent out or buy. You can buy off the shelf ransomware for attacks. So not even not very sophisticated hackers can get the tools to launch their own attacks. You have more sophisticated entities hacking into organization systems and selling that access, those backdoors, to other cyber criminals who then exploit them with ransomware attacks. We've seen a very fluid change in reconfiguration of the groups because these are basically criminal gangs and they're very much into branding. 
So you have Dark Side, which goes for a while, and then when Dark Side gets in trouble over the capital pipeline attack they ostensibly dissolve and then they remerge a few months later as Black Matter and that's one of the threat actors that we're dealing with now. You also see individuals moving from group to group and as that happens the danger is that they're going to be sharing data that's been taken from vulnerable targets. So if you pay the ransom and hope that you're off the hook now, hope that they've deleted it and never going to see it again, well maybe not. They may just take it somewhere else. We've been seeing new strategies for exploiting and introducing the ransomware. We're seeing residual malware. We're seeing botnets, that sort of a thing. On the crypto front itself, ransoms have been going up in size, steadily. Skyrocketing really. We've begun to see, and this was really interesting, the wisdom 5 years ago was if you pay the ransom you were never going to catch the guys that did this, but we're starting to get better at that. We're learning that crypto is more traceable than we first thought it was. There is, for instance, a company that we've worked with called Chainalysis that has experts from our police and FBI and that sort of thing and then incredible sophisticated programmers, they can actually, and they've done this on the case that I'm on, traced movement of stolen, in this case it wasn't a ransom it was stolen crypto but it would work for ransom, through the Blockchain and through mixtures where they attempt to sort of launder it and then move it to different exchanges. In fact, we were able to anticipate where it was going to go based on patterns that they had seen with this particular threat actor before, and alert the crypto platforms you're going to be seeing funds come in from this source. We expect you to stop it. 
So we're more hopeful now that if you pay a ransom there's going to be the possibility, at least, of catching the people that did this. I mean the technology has the downside as well. As you follow your money through the Blockchain it's a bit like having your house robbed in the prairies and you can watch them run away with your stuff for 3 days. But it's a fascinating development. As I said before, we're seeing moves to possibly regulate the use of crypto in paying ransoms, to try to head off what we're seeing as essentially a wave of crime in this. Again, it's hard to guess where this is going to go but it's going to be fascinating.
Usman: Okay. Let me move to the next question then. So you talked a lot about ransomware. How should a company really respond to a ransomware attack when a crypto payment is demanded? Do you have any tips in relation to those who may be subject to those types of attacks? Or requests?
Kavi: Sure. I can maybe take the lead on this one. As Brent already alluded to there are risks and pitfalls to either option. You can either refuse to pay the ransom and I think, particularly the best example was CD Projekt Red. That was a game developer, a Polish game developer, that basically said, "You know what? Go ahead. We're not going to pay the ransom." and all their source code was released. All their IP was released and they felt they were resilient enough to weather it. But again, I think it comes down to what the organization feels comfortable with the decision maker behind the organization. But from the case that we've helped on, at least to date I think, we've come up with a few influential factors. One of them is, again, resiliency. So again, depending on what the actual event, was it ransomware? Are your assets frozen? Was there exfiltration? It may change, but again, what is the ability of the organization to recover from the backups it might have? Something that organizations might forget is if you have weekly backups, they have to be mindful of is that something happens in the intervening time period, that we actually really want to be able to preserve. Again, it's a fact specific consideration but it's something that organizations need to be wary of. Obviously, what's the ability of the organization to recover? If it's just frozen information, let's say it's frozen and they don't have independent backups, maybe they can pay the ransom, they can walk away. But if it's exfiltrated, again Brent alluded to it, there's a lot of migration between these criminal threat actors so there's no guarantee that even if you pay a ransom that the exfiltrated information is necessarily going to be safeguarded moving forward. Obviously anytime there is exfiltration you have to be mindful of what are the steps that we have to take to preserve client privacy. Like preserving control over business secrets and what have you. 
Those are factors as well that you have to be mindful of. Reputation. This is a bit of a hard place and a rock, right? If you pay a ransom do you ... or do you actually act preemptively to make sure you're safeguarding the information, your vendors, your customers, everything else is kind of like provided to you for safekeeping. Responsibility. This is one that I think organizations may not always be cognizant of but, again, does a board of directors have to become involved in this? If they have to authorize any payments, are they responsive enough to actually even move at the pace that threat actors demand? Because we're not talking about months. We're talking about days before they're going to move on to the next target. Organizations need to be mindful of do they have the capacity to even respond to the crisis in time? The ability to pay. Amounts of ransoms, we've seen in some instances that oftentimes the threat actor will actually lie in hiding for a little while, observe and do some reconnaissance, so it's not like they're acting blindly in some of these instances. They have a decent sense of what the financial health of the organization is and the ability to pay. So ransom amounts are often going to be targeted in a way that pushes the outer bounds of what the organization wants to part with. But again, it's a fundamental question, but can you actually make the payment? Something that comes up here a lot, is there an insurance policy in place that actually might apply and cover some of these costs? Does it cover the cost of locating a breach coach? Does it cover the cost to pay a ransom? And when the insurance policy is involved, does the insurer want to have some control over the process? So again, I'm kind of piling pebbles onto the hill here, but these are all the kind of factors that obviously companies have to be mindful of when they make that decision of yes or no. Do you pay a ransom? Publicity. 
So, as Brent said, there's some legislation in States that actually might make it a requirement to come forward about ransoms being paid. Right now, I mean again the police obviously want to have some insight, but it's not necessarily required. So is the organization comfortable actually having the fact that ransom was paid become public because they might be sensitive to the fact that, "Listen. Are we opening ourselves up to future targets because now they know that we're willing to pay?" So there are a ton of variables here but, honestly, if we can leave a couple of general tips I think retaining a breach coach can be incredibly helpful. Again, the more sophisticated the organization the more likely it is it might have an internal plan on how to respond. But having a breach coach who can actually liaise with other experts and specialists, bring a ransom negotiator in, someone who understands the environment and the threat actors, can be really helpful for providing some reassurance. Especially for the decision makers kind of rolling up. You also need to be mindful, again, when you're making a payment it's not a crime to make a payment but it is a crime to also ... So you have to be mindful that again there's an opaqueness to the threat actors here. You don't always know what the flow through is but are you making payments that actually might end up to someone that's on a sanctions list? Because that in itself could invite another hellacious consequence. So I've thrown a lot there, but again, those are some of the factors that we found coming up in repeated instances when it comes to how an organization decides whether they can or should make a payment. Brent, I don't know if you have anything else you want to just briefly add on there.
Brent: No, I think that covers it nicely, thanks.
Usman: So we've dealt with, I'm sure everyone else as well, cyber attacks and ransomware attacks or requests, for years. Long before Blockchain came around but what is it or is there anything different about litigating these matters in the crypto space?
Brent: Well, yes and the problems essentially stem from the complex nature of crypto, and the unique nature of crypto, and the fact that we are dealing with a judicial system that, until very recently, didn't have Zoom or useful web pages. I mean it's an old process, litigating a case. So setting aside for the moment who's involved in the litigation or what it's about, when you've got crypto as something that you need to make the judge understand, I was very interested in Grant's insight that the judges down there are interested in learning about this. Our judges are intellectually curious as well but they also don't come from that technical background. It didn't exist when most of them were put on the bench. So explaining cryptocurrency, and explaining Blockchain to anyone who's not a technical person is difficult, you have to make it comprehensible to a judge, you have to make it also be comprehensible to a jury, which can be enormously difficult. The nature of the evidence doesn't lend itself well to our court process either, because we're not talking about a document and we're not talking about oral evidence, which are the things that our judicial system is basically based on. That's the kind of evidence a court understands. So how do you present evidence about this in a way that's comprehensible in a proceeding? There's also a relative shortage of people who are court witnesses. People recognized as experts who can testify in court about these matters, at least in Canada, because it's such an emerging thing. So we're reliant on American expertise, to a large extent. This is changing but it's a generational thing. It changes over time. Anything to add to that, Kavi?
Kavi: Again, I think the only thing I would add is this is not necessarily unique to crypto or Blockchain, but again, threat actors often are outside the jurisdiction. So there's going to be some challenges as well in terms of how exactly do you even commence a claim? How do you identify them? How do you enforce a judgment? Oftentimes that means the victim of the ransomware or the cyber security attack is the one who is going to be the target of litigation.
Usman: Okay, well let's talk about crypto platforms and, Grant and Zoe, we call crypto exchanges up in Canada crypto asset trading platforms. Our regulators, probably for good reason, don't like the term crypto exchange because exchange is a defined term under securities laws. You think of the Toronto Stock Exchange or the CSE, the Canadian Securities Exchange and other exchanges. In terms of, for our audience, what crypto asset trading platforms are, and feel free Grant and Zoe, to use whatever term you prefer, but in terms of what they are, we've seen a variety of different models, but generally speaking these platforms allow one to transfer, being buy or sell crypto assets and potentially do other things on these platforms with those crypto assets as well. Through these platforms you can sometimes buy crypto assets using fiat, like Canadian dollars, USD. You can buy them or sell them using other cryptos. You can sit on some of these platforms, wire your funds, use debit cards, credit cards and some platforms are what we call custodial, meaning that the crypto asset of, let's say the crypto asset that Brent owns is actually kept by, in custody by, the platform itself. Where the private key for the crypto asset is really custodied by that platform and then we've seen non-custodial platforms. There's many others where you in fact keep the private key and are able to control that crypto asset. Then we've seen other models as well like crypto asset OPC ... and others. The types of tokens that may transfer or be traded on these platforms can vary considerably. So you can have what we call native assets, or native crypto assets like Bitcoin or Ethereum or Ether, which is made of two Blockchain protocol. You can have what are called ERC-20 tokens, which are tokens that are generated from the Ethereum Blockchain, oftentimes in the context of ICO or in other circumstances you can have crypto tokens that are what are called Stablecoins, whose value is tied to or pegged to an outside asset. 
You can have what Zoe was mentioning at the front of the call which are non-fungible tokens, or NFTs, which are really one of a kind digital crypto tokens that can also potentially trade or be transferred on these platforms as well. I'm mindful of the time but maybe we can do these two questions in the same breath which is, how are these entities regulated in the United States and what are some cases? Maybe, Grant or Zoe, I can turn it over to you on that.
Grant: Maybe I'll start with just sort of how they regulate it. I would put them almost in two buckets. One is the centralized exchanges like the Coinbases of the world, etcetera. Then the decentralized exchanges. The centralized exchanges, and both of these by the way there's a question of whether they should be regulated more, but in the centralized exchanges they're generally regulated, they have money transmitter licences so they have FinCEN licences, so they're regulated about the movement of crypto assets and money. There's also OFAC regulation. Someone earlier mentioned sanctions list to make sure those funds are not going to terrorists. I think the big battle ground for them going forward, according to the SEC, is whether these should be, to Usman's point before is, are these trading platforms or are these exchanges? If they're not exchanging on SEC-regulated exchanges, are they regulated by the CFTC? So that's, I think, the regulatory battle that we're going to see going forward over the next number of months. As far as DeFi, DeFi generally refers to decentralized finance, it's a pretty amazing concept actually and what you have is you have peer to peer trading. So instead of a Coinbase or a New York Stock Exchange being in the middle of these trades it's sort of like walking to your neighbour and buying and selling goods except that it's global and you don't know who it is on the other side. Other than it goes through a smart contract. There is no generalized central authority. The SEC has I think definitional concerns or issues about what central authority means or a lack thereof. But generally the concept is there is no CEO, board of directors, etcetera, controlling this exchange and it's just peer to peer actors making decisions, together and buying and trading digital assets, lending, etcetera. There is a lot of discussion in the United States about should those be regulated? If so, who? I think you're going to see more out there on that as well. 
But generally those DeFi platforms do not follow the same regulatory regimes that you have with the, what we call, centralized trading platforms that I mentioned before.
Zoe: And to your sort of second question about sort of notable cases that have risen in these spaces, I think we can think about it again in the same structure as centralized versus decentralized. So in the centralized space I think the most notable thing happening, as of late, is the SEC's issuance of a Wells notice letter to Coinbase. Basically, letting them know that the SEC intended to sue them over their lend program, which actually was scrapped a couple of weeks after receiving the Wells notice. In very broad strokes, keeping an eye on time, basically Coinbase had planned to lend USDC, which is a Stablecoin as Usman just mentioned, it's roughly pegged to the value of the US dollar, roughly one to one. So Coinbase wanted to develop this program that basically was designed as a high yield alternative to a traditional savings account. They're promising 4% annual yield and I think that's easy. There's not a problem with this being a little too akin to what a bank does and so that plan has since been scrapped. But then I think about we're thinking about DeFi, I mean, there's so much development that has just really happened in the last couple of months. In August we saw the very first enforcement action in the DeFi space in the matter of Blockchain Credit Partners. I don't need to get too much into the weeds on what was at issue there. There's also BitConnect which has had a series of lawsuits against individuals involved and then also the company and its founders. There's also a parallel lawsuit with the DOJ where one of the, I think, promoters pleaded guilty recently and he'll be sentenced in a month. So there's definitely a lot of activity kind of coming in the most recent couple of months. We'll see what happens.
Usman: Yeah, in Canada for its part, it's quite an interesting story and I'll keep it brief, but basically our regulators, about 2 years ago, thereabouts, March 2019, issued a consultation paper saying, these things, crypto asset trading platforms, they're quite unique. Rare is it to see a platform that has all these functions that are under our regime are typically separately regulated, or are severed and segregated, almost sort of combined in one. So trading platform, dealer function, custody function, all that other sort of mixed into one and so they said in that consultation paper, I'm simply summarizing it, is we need to maybe think how to regulate these things. So 2 years after on March of this past year, 2021, they said after receiving over 50 comment letters, here is our view on how these things should be regulated. So they provided a variety of different types of platforms and said here's the application process. They said we're prepared to let certain platforms get up and running right away as restricted dealers assuming they meet certain conditions. So what we have seen is since that period, or up until today's date, at least 3 to 4 different parties, Wealthsimple, Netcoins, having received exemptive relief orders to operate as restricted dealers or otherwise able to trade and transfer crypto assets in the market. We've seen a lot of litigation happening in respect of crypto asset trading platforms in Canada. So there was the QuadrigaCX case, which you may have heard about, Grant and Zoe in the United States, but a quite famous case involving the potential loss of almost $169 million by various investors for purchasers of crypto assets. Our Ontario Securities Commission issued a report on that. They decided, just like in the DAO report case, to not pursue enforcement action in that case because the main principal had passed away, unfortunately, and QuadrigaCX itself was facing a bankruptcy proceeding. 
But a lot of the action of late has been really in relation to that regime that came out in March of 2021 and the related press release by Ontario Securities Commission saying we're going to commence enforcement if you don't come in line. Since that time about 4 major prosecutions have been commenced against Poloniex and Bybit, OKEx, KuCoin, largely along the lines of saying that you're a platform, you're available to Ontarians. Ontarians can open accounts, can basically deposit and trade in crypto assets. You're then subject to Ontario securities laws because your platform offers products that would be securities and derivatives and you're therefore in violation of our, what's called, being in the business of trading securities prohibition without being registered and you've also basically traded in securities without complying with prospectus requirements as well. So maybe just to end off, the regulation, we talked about NFTs, to Zoe and Grant, what are the legal and regulatory issues? I know you've already talked about DeFi, but what are some of the legal and regulatory issues that arose with NFTs?
Grant: Some of the regulatory, they're pretty interesting. NFTs in their core, just a digital representation of a piece of art or cryptokitty or any NBA has these digital representations of LeBron James making a dunk. There's not really regulatory issues with that. I think both Gensler and Hester Peirce have made statements that there are no issues with those, generally. Where they get into trouble, where you get into regulatory problems is what do you do with them? What I mean by that is so has this now, instead of being just a piece of art or a trading card, is it becoming an investment product? Also, are people using NFTs to generate revenue through sharing of revenue? Let's say a song or a piece of art and you're getting a fractional ownership of that NFT. You're seeing NFT marketplaces come up that have caused some concern with the regulators. Not everything is essentially investment markets rather than novelties type markets. So those are some of the issues that you're seeing so the SEC has said, "Listen. Be careful. Don't go beyond just this nice piece of art or this nice dunk by LeBron James. Let's not make it and turn it into a financial instrument.", essentially.
Kavi: So along that vein we haven't seen enforcement actions yet and there are very few cases involving NFTs but a couple of interesting developments. There's been a private security class action that's been brought against Dapper Labs, which is an NFT digital marketplace, and then I actually think that the other development is more interesting to me, I want to call out Arcos Capital which is a broker dealer that's registered with the SEC and FINRA, they petitioned the SEC for rule making regarding NFTs. Basically saying that there's a pretty large lack of clarity when it comes to when an NFT actually qualifies as a security. That to me underscores just how uncharted this area is with respect to existing regulation and how sort of that can address NFTs, if it can.
Usman: Yeah, the exact comments I would say apply to Canada as well. The key issues that we look at, from a securities law perspective is the characterization of the token. The regulators will pierce through to the economic realities of these tokens. You can call an NFT an NFT and yet if it's operating in the manner that Grant was describing then you start getting into a little bit of danger territory. Same thing with the platforms as well. We check to see whether they're triggering marketplace requirements. Then there's also AML will have to comply with these platforms, as well, at times in certain circumstances.
So, we've unfortunately run out of time. So I'm going to end things there, if you don't mind, but it was a fascinating discussion. I want to thank all of you in the audience for joining us today. I wanted to thank you, Brent and Kavi. I want to say a very special thank you to you, Grant and Zoe, for joining us all the way, albeit virtually, from California. Thanks a lot for joining us and stay tuned for the next series of webinars. Thanks again.