Nov. 20, 2024

SEC Charges Four Companies for Misleading Cyber Incident Disclosures: New Expectations?

The SEC has charged four companies for making materially misleading public disclosures of cyber incidents and risks, alleging that each minimized the effects of the 2020 SolarWinds attack on its business. Two commissioners strongly dissented, arguing that the enforcement staff went astray by demanding an array of incident details that muddied the picture for the investor, while not adding clarity about the incident’s impact. This article, the first of a two-part series, examines key takeaways from the actions and discusses the risks and materiality questions spotlighted by the cases and the dissent, with insights from former SEC enforcers now at McGuireWoods and Fenwick & West. Part two will offer practical recommendations about what to include in cybersecurity disclosures and predictions about future enforcement. See “A Framework for Materiality Determinations Under SEC’s Cyber Incident Disclosure Rules” (Jul. 10, 2024).

DOJ’s 2024 Edits to the ECCP: Data Analytics to Find Risks and Measure Effectiveness

Principal Deputy Assistant Attorney General Nicole Argentieri gave top billing to the focus on mitigating the risk of misusing AI when she announced recent changes to the Evaluation of Corporate Compliance Programs (2024 Edits). In the weeds, however, a larger proportion of the 2024 Edits relates to how companies use a broader spectrum of data collection and analytics to monitor, optimize and improve their compliance programs. In this second article of our series analyzing the 2024 Edits, we examine the newly added questions that implicate the use of data and data analytics in compliance programs. The first article focused on the changes related to AI. The third and final article will look at new language related to whistleblowers, compliance resources and incorporating lessons learned. See “Thoughts From DOJ Experts on Using Data Analytics to Strengthen Compliance Programs” (Jul. 17, 2024).

CFTC’s Report Calls for Engagement and Development of AI Risk Management Frameworks

The Commodity Futures Trading Commission (CFTC) has sought to position itself on the cutting edge of regulators’ response to the meteoric advances in AI and its use in the financial services industry. Earlier this year, a subcommittee of the CFTC’s Technology Advisory Committee issued a report on responsible AI in financial markets (Report). The Report assesses the opportunities and risks presented by AI and offers recommendations for the CFTC, including engaging with the industry, developing risk management frameworks, assessing existing regulations, aligning with other agencies and gaining AI expertise. This article parses the Report and includes relevant insights from CFTC Commissioner Kristin N. Johnson’s public statement. See “CFTC Commissioner Shares Five Pillars of Cyber Resilience” (Jul. 19, 2023).

BakerHostetler Welcomes Former Federal Prosecutor to Privacy and Cybersecurity Litigation Team in Los Angeles

Raymond Aghaian has joined the Los Angeles office of BakerHostetler as a partner in the digital assets and data management practice group and a member of the privacy and digital class action and litigation team. A federal prosecutor before entering private practice, he arrives from Kilpatrick Townsend & Stockton. For insights from BakerHostetler, see “Deciphering California’s Pioneering Mandate for an AI Nutrition Label” (Oct. 16, 2024) and “A Framework for Materiality Determinations Under SEC’s Cyber Incident Disclosure Rules” (Jul. 10, 2024).

Technology and Data Privacy Principal Joins Polsinelli in San Francisco

Laila Paszti has joined Polsinelli as a partner and principal in the firm’s technology transactions and data privacy practice in San Francisco. She arrives from Kirkland & Ellis. For insights from Polsinelli, see “A Look Inside Businesses’ Private Disputes Over Ransomware Costs” (Aug. 18, 2021).