Author Archives: Judy Jiang

Treasury’s Report on AI (Part 2) – Managing AI-Specific Cybersecurity Risks in the Financial Sector

by Avi Gesser, Erez Liebermann, Matt Kelly, Jackie Dorward, and Joshua A. Goland

Top: Avi Gesser, Erez Liebermann, and Matt Kelly. Bottom: Jackie Dorward and Joshua A. Goland (Photos courtesy of Debevoise & Plimpton LLP)

This is the second post in the two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”).

In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part 2, we review the Report’s assessment of AI-enhanced cybersecurity risks, as well as the risks of attacks against AI systems, and offer guidance on how financial institutions can respond to both types of risks.

Balancing Victim Compensation and Efficiency in Non-Trial Resolutions: A Comparative Perspective from the International Academy of Financial Crime Litigators

by Stéphane Bonifassi, Lincoln Caylor, Grégoire Mangeat, Léon Moubayed, Jonathan Sack, Andrew Stafford K.C., Wolfgang Spoerr, and Thomas Weibel

Top left to right: Stéphane Bonifassi, Lincoln Caylor, Grégoire Mangeat, Léon Moubayed. Bottom left to right: Jonathan Sack, Andrew Stafford K.C., Wolfgang Spoerr, and Thomas Weibel. (Photos courtesy of authors)

Introduction

Negotiated settlements for financial crimes offer a practical approach to resolving cases without lengthy trials. However, they pose a complex dilemma: how to balance efficiency with the need for victims to have a meaningful role in the proceeding and achieve adequate victim compensation. Across various jurisdictions, the approaches to non-trial resolutions reflect differing priorities, with some countries leaning towards expediency and others emphasizing victim rights. This is why the International Academy of Financial Crime Litigators published a working paper on the topic. This piece explores the current state of how victims of financial crime are being compensated in non-trial resolutions across different legal jurisdictions. Furthermore, it identifies some of the challenges and trade-offs lawmakers face when trying to infuse an optimal amount of victim involvement into the settlement process, providing suggestions on how victims of financial crime can be better heard and compensated in settlement procedures.

Biden Administration Releases Proposed Rule on Outbound Investments in China

by Paul D. Marquardt and Kendall Howell

From left to right: Paul D. Marquardt and Kendall Howell (Photos courtesy of Davis Polk & Wardwell LLP)

The Biden administration released its proposed rule that would establish a regulatory framework for outbound investments in China, following its advance notice of proposed rulemaking released last August.

On June 21, 2024, the U.S. Department of the Treasury (Treasury) released its long-awaited notice of proposed rulemaking that would impose controls on outbound investments in China (the Proposed Rule). The Proposed Rule follows Treasury’s advance notice of proposed rulemaking (the ANPRM) released in August 2023 (discussed in this client update) and implements the Biden administration’s Executive Order 14105 (the Executive Order), which proposed a high-level framework to mitigate the risks to U.S. national security interests stemming from U.S. outbound investments in “countries of concern” (currently only China). Like the Executive Order and ANPRM, the Proposed Rule reflects an effort by the Biden administration to adopt a “narrow and targeted” program and is in large part directed at the “intangible benefits” of U.S. investment (e.g., management expertise, prestige, and know-how), rather than capital alone.[1]

Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.

The Need to Integrate Externalities, Market Failures, and Collective Action Problems in Antitrust Analysis—Thoughts on the US House Judiciary Committee Report on ESG Investigation and the Rebuttal Report

by Maurits Dolmans

Photo courtesy of Cleary Gottlieb Steen & Hamilton LLP.

On June 11, 2024, the US House Judiciary Committee released an interim staff report titled “Climate Control: Exposing the Decarbonization Collusion in Environmental, Social and Governance (ESG) Investing” (the “Majority Report”). This was followed by a hearing by the House Judiciary Committee on June 12.

The Majority Report contains strongly worded conclusions. It argues that a “‘climate cartel’ of left-wing environmental activists and major financial institutions has colluded to force American companies to ‘decarbonize’ and reach ‘net zero.’” Organizations like Climate Action 100+, Ceres, CalPERS, and Arjuna, for instance, allegedly “declared war on the American way of life,” to limit how Americans “drive, fly, and eat.” They did this “by forcing corporations to disclose their carbon emissions, to reduce their carbon emissions, and … handcuffing company leadership and muzzling corporate free speech and petitioning.” Employing nice alliteration, it is said they “collude to kill carbon.” It is suggested that corporate compliance with the goals of the Paris Agreement raises prices to American consumers—ignoring the OPEC+ output reductions, the wars in Ukraine and the Middle East, and the Houthi attacks on shipping, but also the long-term costs of climate change, the findings of the International Energy Agency that no new fossil fuel development is needed to meet current and expected demand, and that renewables and nuclear energy are increasingly cheaper than fossil fuels. The Majority Report boasts of the effect of antitrust threats in causing firms to shy away from cooperation to mitigate the climate risk.

Recently Enacted AI Law in Colorado: Yet Another Reason to Implement an AI Governance Program

by Avi Gesser, Erez Liebermann, Matt Kelly, Martha Hirst, Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz

Top left to right: Avi Gesser, Erez Liebermann, Matt Kelly, and Martha Hirst. Bottom left to right: Andreas Constantine Pavlou, Cameron Sharp, and Annabella M. Waszkiewicz. (Photos courtesy of Debevoise & Plimpton LLP)

On May 17, 2024, Colorado passed Senate Bill 24-205 (“the Colorado AI Law” or “the Law”), a broad law regulating so-called high-risk AI systems that will become effective on February 1, 2026.  The law imposes sweeping obligations on both AI system deployers and developers doing business in Colorado, including a duty of reasonable care to protect Colorado residents from any known or reasonably foreseeable risks of algorithmic discrimination.

Land of 10,000 Data Lakes: Minnesota Consumer Data Privacy Act Signed into Law

by Nancy Libin, John D. Seiver, and Jevan Hutson

From left to right: Nancy Libin, John D. Seiver, and Jevan Hutson. (Photos courtesy of Davis Wright Tremaine LLP)

Minnesota is the 18th state to enact a consumer data privacy law.

On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the “Act”), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.

The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.

We highlight key aspects of the Act below.

SEC Adopts Amendments to Regulation S-P That Require Reporting Breaches of “Sensitive Customer Information”

by Mike Borgia and Andrew Lewis

From left to right: Mike Borgia and Andrew Lewis (Photos courtesy of authors)

Broker-dealers, registered investment advisors, and funds are now required to report breaches of “sensitive” nonpublic personal information (NPI) to affected individuals.

On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to report data breaches affecting “sensitive customer information,” which is “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

The amendments were originally proposed on March 15, 2023 (covered in a previous post). The amendments will go into effect 60 days after they are published in the Federal Register.
