As we approach the end of the year, here are the Top 10 SEC Cyber/AI posts on the Debevoise Data Blog in 2024 by page views.

  1. 100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned (March 28, 2024)

On December 18, 2023, the SEC’s rule requiring disclosure of material cybersecurity incidents became effective. In the first 100 days of mandatory reporting, 11 companies disclosed a cybersecurity incident on Form 8-K, averaging 5.45 days between detection of the incident and disclosure. This post provides several considerations for companies to evaluate when considering Form 8-K disclosure and the timing of such filings.

  2. SEC Charges Four Companies for Misleading Cyber Disclosures (October 28, 2024)

On October 22, 2024, the SEC announced settled charges in separate actions against four technology companies that had been downstream victims of the 2020 SUNBURST cyber-attack. These actions represented the SEC’s first resolutions based on its multi-year investigations into the adequacy and accuracy of disclosures made by victims of that attack, and of related compromises believed to be committed by the same state-sponsored threat actors. Although the disclosures and statements in these four matters pre-dated the SEC’s new cybersecurity disclosure rules, this post discusses how these cases may reflect the Commission’s views on materiality assessments and disclosure decisions, and corresponding cybersecurity best practices for issuers.

  3. The SEC Adopts Significant Cybersecurity Amendments to Reg S-P (May 17, 2024)

On May 16, 2024, the SEC adopted significant cybersecurity amendments to Regulation S-P (“Reg S-P”). Amended Reg S-P represents a substantial expansion of the privacy obligations for broker-dealers and registered investment advisers under the federal securities laws. This post synthesizes key compliance requirements under this expanded regulation.

  4. AI Enforcement Starts with Washing: The SEC Charges its First AI Fraud Cases (March 19, 2024)

On March 18, 2024, the SEC announced settled charges against two registered investment advisers for making false and misleading statements about their alleged use of AI in connection with investment advice. These settlements were the SEC’s first-ever cases charging violations of the antifraud provisions of the federal securities laws in connection with AI disclosures. The cases also included settled charges involving AI brought under the Marketing and Compliance Rules under the Investment Advisers Act of 1940. This post discusses the charges as well as disclosure and compliance takeaways for SEC registrants.

  5. Have You Reviewed Your Form ADV AI Disclosures? (February 26, 2024)

AI use has exploded across the securities markets, and the SEC has prioritized examinations and enforcement that target “AI washing” by registered investment advisers. In this post, we discuss best practices for annual Form ADV amendments to meet the SEC’s sharpening scrutiny of AI usage by registrants: (1) be clear on what you do (and don’t) use AI for, (2) avoid using hypothetical language for actual AI practices, and (3) understand and accurately disclose the risks associated with AI use.

  6. SEC Releases New Guidance on Material Cybersecurity Incident Disclosure (June 27, 2024)

On June 24, 2024, the staff of the Division of Corporation Finance of the SEC released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. In this article, we summarize the new C&DIs and address how issuers should consider the guidance more broadly when analyzing disclosure obligations for cybersecurity events.

  7. Announcing the Debevoise Tracker for Cybersecurity Incident Disclosure on Form 8-K (March 6, 2024)

This post launches the Debevoise tracker of Form 8-K filings made under Item 1.05, which requires the disclosure of material cybersecurity incidents. This tracker is continuously updated with links to 8-K cybersecurity filings.

  8. SEC Targets AI Washing in Private Capital Markets: “Old School Fraud Using New School Buzzwords” (June 14, 2024)

On June 11, 2024, the SEC filed its first litigated AI washing matter involving a private capital markets transaction. This post discusses the SEC’s use of the existing antifraud provisions of the securities laws to charge AI cases and the importance of clear, accurate and comprehensive statements about the use of technology, automation, and AI.

  9. Internal Accounting Controls Claim Rejected in SolarWinds Case (July 23, 2024)

On July 18, 2024, a federal district court for the Southern District of New York dismissed the majority of the charges brought by the SEC against SolarWinds, including the SEC’s previously untested claim that alleged deficiencies in the company’s cybersecurity controls could constitute violations of the internal accounting controls requirements of the Securities Exchange Act of 1934. This post explores the court’s reasoning rejecting the SEC’s internal accounting controls claim and the Commission’s novel use of this charge in the cybersecurity context.

  10. Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges (June 20, 2024)

On June 18, 2024, the SEC announced an unprecedented settlement with communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) in which the firm resolved disclosure controls and internal accounting controls charges arising out of its response to a 2021 ransomware attack. The settlement marks a striking expansion of the SEC’s view of its oversight authority relating to public company cybersecurity policies and procedures. Given this emerging area of public company cybersecurity enforcement risk, this article discusses potential enhancements to cybersecurity policies and procedures for issuers.

The authors would like to thank Debevoise Law Clerk Achutha Raman for his contribution to this blog post.

The cover art used in this blog post was generated by ChatGPT.

Author

Andrew J. Ceresney is a partner in the New York office and Co-Chair of the Litigation Department. Mr. Ceresney represents public companies, financial institutions, asset management firms, accounting firms, boards of directors, and individuals in federal and state government investigations and contested litigation in federal and state courts. Mr. Ceresney has many years of experience prosecuting and defending a wide range of white collar criminal and civil cases, having served in senior law enforcement roles at both the United States Securities and Exchange Commission and the U.S. Attorney’s Office for the Southern District of New York. Mr. Ceresney also has tried and supervised many jury and non-jury trials and argued numerous appeals before federal and state courts of appeal.

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Eric T. Juergens is a corporate partner and a member of the firm’s Capital Markets, Public Company Advisory, Insurance and Private Equity Groups. His practice focuses on securities laws, representations of issuers and financial intermediaries in capital markets transactions, and providing public companies with advice on corporate governance matters and compliance with SEC and stock exchange rules and regulations. He can be reached at etjuergens@debevoise.com.

Author

Arian June is a litigation partner at Debevoise based in the firm’s Washington, D.C. office and is a member of the White Collar & Regulatory Defense Group.

Author

Robert Kaplan is a litigation partner based in the firm’s Washington, D.C. office. He has significant experience with a broad range of securities-related enforcement and compliance issues, including those involving requirements affecting SEC-registered investment advisers affiliated with hedge funds, private equity funds, investment companies, mutual funds and separately managed accounts. Mr. Kaplan routinely represents these clients in matters before the SEC, state attorneys general and FINRA. He is recommended by Chambers USA (2020), and, in 2017, Securities Docket recognized him as one of the “best and brightest in securities enforcement defense.”

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Sheena Paul is a counsel in the Investment Management Group’s U.S. regulatory practice, based in the firm’s Washington, D.C. office. Ms. Paul focuses her practice on providing regulatory advice to investment managers, with a particular focus on private equity clients. She works closely with the firm’s other practices on regulatory advice related to domestic and cross-border corporate and capital markets transactions, and enforcement matters. She can be reached at spaul@debevoise.com.

Author

Ben Pedersen is a partner in the firm’s Capital Markets Group and member of the Special Situations team. His practice focuses on a broad range of capital markets transactions, regularly representing issuers, private equity firms and underwriters in public and private offerings of debt and equity securities, and advising public and private companies on securities laws, disclosure, corporate governance and general corporate matters. He can be reached at brpedersen@debevoise.com.

Author

Marc Ponchione, a partner in Debevoise's Investment Management Group, focuses on advising financial services firms on various regulatory, compliance and transactional issues arising in the asset management industry. He can be reached at mponchione@debevoise.com.

Author

Jeffrey L. Robins is a corporate partner and a member of the Debevoise Banking Group. His practice focuses on representing broker-dealers, swap dealers, banks, securities exchanges, industry associations and buy-side institutions in regulatory and transactional matters. He can be reached at jlrobins@debevoise.com.

Author

Paul Rodel is a corporate partner and a member of Debevoise’s Capital Markets, Private Equity and Latin America Groups. He represents clients in the financial services, healthcare, insurance, technology and media industries in registered, private and offshore capital markets transactions.

Author

Julie M. Riewe is a litigation partner and a member of Debevoise's White Collar & Regulatory Defense Group. Her practice focuses on securities-related enforcement and compliance issues and internal investigations, and she has significant experience with matters involving private equity funds, hedge funds, mutual funds, business development companies, separately managed accounts and other asset managers. She can be reached at jriewe@debevoise.com.

Author

Kristin Snyder is a litigation partner and member of the firm’s White Collar & Regulatory Defense Group. Her practice focuses on securities-related regulatory and enforcement matters, particularly for private investment firms and other asset managers.

Author

Jonathan Tuttle, managing partner of the Washington, D.C. office, is a member of the firm’s Litigation Department. He has represented public companies, regulated institutions, boards of directors, audit and special committees of boards, and individual directors, officers and employees in enforcement investigations and proceedings brought by the Securities and Exchange Commission, the Department of Justice, FINRA and the PCAOB, as well as in securities class actions, shareholder derivative suits, internal corporate investigations and a variety of other securities and finance-related litigation and regulatory matters.

Author

Philip Fortino is a litigation counsel based in the firm’s New York office and a member of the firm’s White Collar & Regulatory Defense Group.

Author

Matthew Kelly is a litigation counsel based in the firm’s New York office and a member of the Data Strategy & Security Group. His practice focuses on advising the firm’s growing number of clients on matters related to AI governance, compliance and risk management, and on data privacy. He can be reached at makelly@debevoise.com.

Author

Anna Moody is a counsel in Debevoise’s Litigation Department, resident in the Washington, D.C. office. Her practice focuses on securities-related enforcement defense, including cybersecurity regulatory counseling and defense, SEC examinations, internal investigations and white collar criminal defense.

Author

Stephan Schlegelmilch is a litigation counsel based in the firm’s Washington, D.C. office and a member of the firm’s White Collar & Regulatory Defense Group. His practice focuses on securities enforcement and government investigations, internal investigations, and complex commercial litigation.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Suchita Mandavilli Brundage is an associate in the Debevoise Data Strategy & Security Group. She can be reached at smbrundage@debevoise.com.

Author

Kelly Donoghue is a corporate associate in the Capital Markets Group. She can be reached at kgdonogh@debevoise.com.

Author

Andreas A. Glimenakis is a litigation associate and a member of the firm’s White Collar & Regulatory Defense Group. His practice focuses on government and internal investigations, securities enforcement actions, and compliance advice. Mr. Glimenakis is also an associate editor of FCPA Update, the firm’s monthly newsletter addressing developments in anti-corruption law enforcement and related compliance topics.

Author

Alice Gu is a corporate associate and a member of the Capital Markets Group. She can be reached at agu@debevoise.com.

Author

John M. Jacob is an international associate and a member of the Capital Markets Group. He can be reached at jjacob@debevoise.com.

Author

Gabriel Kohan is a litigation associate at Debevoise and can be reached at gakohan@debevoise.com.

Author

Talia Lorch is a corporate law clerk in the Capital Markets Group. She can be reached at tnlorch@debevoise.com.

Author

Ciera Mandelsberg is an associate in the Litigation Department. She can be reached at cmmandelsberg@debevoise.com.

Author

Noah L. Schwartz is an associate in the Litigation Department and a member of the Data Strategy & Security practice group. His practice focuses on incident response, crisis management and regulatory counselling. He can be reached at nlschwartz@debevoise.com.

Author

Ned Terrace is an associate in the Litigation Department. He can be reached at jkterrac@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.