When drafting policies on the use of artificial intelligence, one challenge that many businesses face is how to define AI and, relatedly, when AI governance and compliance programs should apply to models that do not meet the definition of AI. Choosing a Regulatory Definition of AI: One common approach is to adopt the definition that is used in a regulation…
On July 18, 2024, in the landmark SEC v. SolarWinds Corp. case, U.S. District Judge Paul Engelmayer dismissed the majority of the claims brought by the U.S. Securities and Exchange Commission (the “SEC”) against SolarWinds Corporation (“SolarWinds”), including the SEC’s previously untested claim that alleged deficiencies in SolarWinds’ cybersecurity controls amounted to violations of the internal accounting controls requirements of Section 13(b)(2)(B)…
On Friday, July 26 at 11:00am EDT, Eric Dinallo from Debevoise’s Insurance Regulatory practice joined Avi Gesser and Sharon Shaji from the firm’s Data Strategy and Security practice for a debrief on the final version of Insurance Circular No. 7, which sets out detailed requirements for insurance companies operating in New York that use AI or external data relating to…
On July 11, 2024, the New York State Department of Financial Services (the “NYDFS”) adopted Insurance Circular Letter No. 7 regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Final Circular”). The Final Circular largely adopts the language of the January 2024 Proposed Insurance Circular Letter on these issues…
The EU AI Act (the “Act”) has made it through the EU’s legislative process and has passed into law today; it will come into effect on 1 August 2024. Most of the substantive requirements will come into force two years later, from 1 August 2026, with the main exception being “Prohibited” AI systems, which will be banned from 1 February…
Debevoise’s Data Strategy and Security group recently assisted four leading trade associations that represent the financial services industry in preparing a joint comment letter in response to the Cybersecurity and Infrastructure Security Agency’s (“CISA”) notice of proposed rulemaking for reporting requirements for critical infrastructure entities that experience covered cybersecurity incidents (the “Proposed Rule”), developed pursuant to the Cyber Incident Reporting…
This is the second post in our two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”). In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part 2, we review the Report’s…
While the SEC made an early foray into proposing rules to govern use of generative AI (Gen AI) by broker-dealers,[1] FINRA has been taking a more traditional approach to emergent technology: surveying members on uses, issuing white papers,[2] publishing observations from its examinations program,[3] and issuing guidance about the application of existing rules.[4] Consistent with this approach, on June 27,…
Over the last week, the Consumer Financial Protection Bureau (“CFPB”) and the Office of the Comptroller of the Currency (“OCC”) approved the Quality Control Standards for Automated Valuation Models (the “Rule”), which will require mortgage originators and secondary market issuers to ensure that algorithms used for real estate valuation, including artificial intelligence (“AI”) systems (collectively, “automated valuation models” or “AVMs”),…
Our top five European data protection developments from May are: UK guidance on ransom payments: The UK NCSC and various insurance industry bodies co-published guidance on key considerations for ransomware payments. The guidance does not introduce new restrictions or obligations, and is consistent with prior industry standards, as well as UK NCSC and UK ICO messaging. However, there may be…