Author Archives: Julius Sim

DOJ, FBI Issue Guidance for Public Companies Seeking to Delay Disclosure of Material Cybersecurity Incidents

by Michael T. Borgia and Patrick J. Austin


Left to right: Michael T. Borgia and Patrick J. Austin (Photos courtesy of Davis Wright Tremaine LLP)

Public companies may only request a delay of the SEC’s disclosure requirements for national security or public safety reasons

As we discussed in our prior blog post, the Securities and Exchange Commission (SEC) recently finalized its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule for public companies (the “Rule”). The Rule requires, among other things, that public companies disclose “material” cybersecurity incidents on Form 8-K (Form 6-K for foreign private issuers). Item 1.05 of Form 8-K must include the “material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations,” and the form must be filed within four business days of determining that an incident is material. The Rule permits companies to delay disclosure beyond four business days only where the U.S. Attorney General determines that disclosure “would pose a substantial risk to national security or public safety.” The Rule’s cyber incident disclosure requirements go into effect on December 18, 2023.


Resisting Hindsight Bias: A Proposed Framework for CISO Liability

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Erez Liebermann. Bottom left to right: Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse. (Photos courtesy of Debevoise & Plimpton LLP)

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) charged SolarWinds Corporation’s (“SolarWinds” or the “Company”) chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations related both to the Russian cyberattack on the Company discovered in December 2020 and to alleged undisclosed weaknesses in the Company’s cybersecurity program dating back to 2018.[1] This is the first time the SEC has charged a CISO in connection with alleged violations of the federal securities laws occurring within the scope of his or her cybersecurity functions.[2] In doing so, the SEC has raised industry concerns that it intends to—with the benefit of 20/20 hindsight, but without the benefit of core cybersecurity expertise—dissect a CISO’s good-faith judgments in the aftermath of a cybersecurity incident and wield incidents to second guess the design and effectiveness of a company’s entire cybersecurity program (including as it intersects with internal accounting controls designed to identify and prevent errors or inaccuracies in financial reporting) and related disclosures and attempt to hold the CISO liable for any perceived failures.


California Privacy Protection Agency Publishes Draft Regulations on Automated Decisionmaking Technology

by Hunton Andrews Kurth LLP


On November 27, 2023, the California Privacy Protection Agency (“CPPA”) published its draft regulations on automated decisionmaking technology (“ADMT”). The regulations propose a broad definition for ADMT that includes “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking.” ADMT also would include profiling, which would mean the “automated processing of personal information to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”


FinCEN and BIS Issue Joint Notice Emphasizing That Financial Institutions Should Monitor for Possible Export Control Violations

by Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, Richard S. Elliott, David Fein, David Kessler, Nathan Mitchell, and Jacobus J. Schutte


Top left to right: Jessica S. Carey, John P. Carlin, Roberto J. Gonzalez, Brad S. Karp, and Richard S. Elliott. Bottom left to right: David Fein, David Kessler, Nathan Mitchell, and Jacobus J. Schutte. (Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP)

On November 6, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) jointly issued a notice (the “Notice”) announcing a new Suspicious Activity Report (“SAR”) key term, “FIN-2023-GLOBALEXPORT,” that financial institutions should reference when reporting potential efforts by individuals or entities seeking to evade U.S. export controls.[1]


Cybersecurity Experts React to NYDFS’s Amendments to its Cybersecurity Rules

Editor’s Note: The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the New York State Department of Financial Services’ (NYDFS) recently announced amendments to its Part 500 Cybersecurity Regulations. In this post, cybersecurity experts offer their insight on the final amendments and the potential implications they have for corporate cybersecurity programs.


Top left to right: Johanna Skrzypczyk, Avi Gesser, Justin Herring, Kathleen McGee, and Edward Stroz.
Bottom left to right: Kellen Dwyer, Rebecca Hughes Parker, Elizabeth Ferrick, Grant Ankrom, and Alex Southwell. (Photos courtesy of the authors)


Cyber Attacks: The Same Old Story, Only Improved

by Ed Stroz and Carl Young


Ed Stroz (Photo courtesy of the author)

Recently, a malware payload (referred to as “Lightless Can”) was successfully deployed in connection with fake job offers.[1] According to researchers at ESET, the North Korean-affiliated hacking group “Lazarus” was behind this targeted phishing operation, which tricked victims at a Spanish aerospace company with a fake offer of employment at well-known firms.

Of course, there is nothing new about bad actors of all types tricking unsuspecting users into downloading malware. Phishing and pretexting, two forms of social engineering, constituted approximately 20 percent of all cyberattacks in 2022.[2] The difference here is twofold: the sophistication of the software in eluding detection and the apparent authenticity of the ruse.


Eight GDPR Questions when Adopting Generative AI

by Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst


From left to right: Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

As businesses adopt Generative AI tools, they need to ensure that their governance frameworks address not only AI-specific regulations such as the forthcoming EU AI Act, but also existing regulations, including the EU and UK GDPR.

In this blog post, we outline eight questions businesses may want to ask when developing or adopting new Generative AI tools or when considering new use cases involving GDPR-covered data. At their core, they highlight the importance of integrating privacy-by-design default principles into Generative AI development and use cases (see here).

If privacy is dealt with as an afterthought, it may be difficult to retrofit controls that are sufficient to mitigate privacy-related risk and ensure compliance. Accordingly, businesses may want to involve privacy representatives in any AI governance committees. In addition, businesses that are developing their own AI tools may want to consider identifying opportunities to involve privacy experts in the early stages of Generative AI development planning.


Integrated Intelligence: Acquiring, Interpreting and Disseminating Knowledge to Support Enterprise Risk Management and Corporate Governance

by Lawrence Cunningham and Arvin Maskin


From left to right: Lawrence Cunningham and Arvin Maskin. Photos courtesy of the authors.

Enterprise risk management (“ERM”) and corporate governance are two sides of the same coin, being united by the importance of relevant decision-makers acquiring, interpreting and disseminating intelligence about risk and oversight. The goal of ERM is to help corporate managers visualize, interpret, contextualize and prioritize various forms of risk input in a timely and objective manner, and to convert it to insightful and actionable intelligence to enhance the quality, reliability and transparency of corporate decision-making and board oversight (“corporate governance”). This modern-day “distant early warning” system attempts to preempt crisis-level events and mitigate the impact of unexpected or unavoidable occurrences of consequence, while seizing on opportunities to be innovative, competitive, and resilient.


Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA”

by Brent Carlson and Michael Huneke


From left to right: Brent Carlson, Michael Huneke (Photos courtesy of the authors)

We have written recently about liability pitfalls caused by misperceived “loopholes” in sanctions and export controls regimes.[1] We have also written about the meaning and practical implications of the U.S. government’s emphasis on sanctions enforcement as the “new FCPA,” discussing how to identify and respond to circumstances posing a high probability of sanctions or export controls evasion.[2]

Having identified these new priority issues, what is the first step towards a solution? Risk assessments are the starting point.[3] Assess your own risk, but do so in an updated—and more effective—manner that reflects the evolving economic sanctions and export controls enforcement environment. Here are some suggestions to help with the assessment.
