Key Takeaways Two years after the May 21, 2024 statement by the Securities and Exchange Commission’s (“SEC”) Division of Corporation Finance clarifying the intended use of Item 1.05 of Form 8-K for cybersecurity incident disclosures, voluntary Item 8.01 cybersecurity filings (where materiality has not yet been determined) have significantly outpaced Item 1.05 filings (for material cybersecurity incidents) and most incidents…

Debevoise & Plimpton LLP was featured in Legaltech News for its approach to AI innovation and transformation, highlighting the firm’s integration of internal experimentation, governance and client collaboration through its proprietary Suite of Tools for Assessing AI Risk (STAAR). Read the PDF of the article here. The article examines how Debevoise leverages its internal AI experts and client-facing AI practice…

The Council of the EU and the European Parliament have reached an agreement on delays and amendments to the EU AI Act, as part of the EU’s ongoing digital simplification programme. Most notably, compliance obligations for stand-alone high-risk AI systems will now come into effect on 2 December 2027 rather than August 2026, as originally planned. Despite the attention surrounding…

On April 29, 2026, the New York State Department of Financial Services (“DFS”) issued its first cybersecurity enforcement action of 2026—a Consent Order against Delta Dental Insurance Company and Delta Dental of New York, Inc. (the “Companies”) imposing a $2,250,000 civil monetary penalty for violations of the Part 500 Cybersecurity Regulation. The action is notable as the Department’s first—and to…

In some ways, the dominant mode of legal service delivery resembles the old VHS or DVD model, whereby everyone rented movies by walking or driving to their local video store. For most legal services, a client identifies a need, contacts outside counsel, and receives a tailored product in response to a discrete request. The model reflects the nature of most…