Photo courtesy of the author
For many years, regulatory uncertainty in the United States has been part of the landscape for innovators, particularly with the rise of emerging technologies such as cryptocurrencies, blockchain, and artificial intelligence. It can, unfortunately, thwart the progress of responsible innovation and place our innovators at a competitive disadvantage.
We recently have seen a dramatic example of regulatory uncertainty in the artificial intelligence space.
by Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Hannah Clark
Left to right: Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Hannah Clark (photos courtesy of Wachtell, Lipton, Rosen & Katz)
As we look ahead to the challenges and opportunities facing boards of directors in this new year, it is illuminating to reflect on how much has changed in corporate governance. Over the last five decades, we have been on the front lines with our clients as the evolution of corporate governance has been propelled by multiple crises and systemic shocks—including the Enron and WorldCom scandals and ensuing Sarbanes-Oxley legislation, which prompted incremental layers of disclosure and regulations, followed by the financial crisis and subsequent Dodd-Frank reforms, and most recently the Covid pandemic, which intensified the spotlight on ESG and stakeholder governance. In the private ordering arena, ISS and shareholder activists were remarkably successful in changing the status quo for once-common governance features like staggered board structures, and we saw the shelving of poison pills—a defense we originated and subsequently defended in Moran, Airgas and other cases. These trends have, in turn, increased the prevalence and omnipresent threat of proxy fights. And as the corporate governance debates have continued to evolve, we have seen institutional investors become increasingly active participants, with detailed and often diverging policies setting forth their priorities, preferences and perspectives on issues ranging from climate disclosures to DEI to over-boarded directors. The compounding effect is that boards today are expected to navigate a corporate governance landscape that has become much more complex and nuanced, with an expanding set of expectations for their oversight role and responsibilities.
by Maia Gez, Scott Levi, Michelle Rutta, Melinda Anderson, and Danielle Herrick
Left to Right: Maia Gez, Scott Levi, Michelle Rutta, Melinda Anderson, and Danielle Herrick. (Photos courtesy of White & Case LLP)
With the 2025 annual reporting season upon us, public companies should consider potential updates to their risk factors for their Form 10-Ks and 20-Fs in light of recent economic, political, technological, and regulatory developments.[1]
As a starting point, this alert features (i) a list of key developments that US public companies should consider as they update risk factors in Part I and (ii) critical drafting considerations in Part II. Each company will, of course, need to assess its own material risks and tailor its risk factor disclosure to its particular circumstances.
As further described below, calendar year-end companies should review and update their risk factors by assessing the material risks that impact their businesses. Well-drafted risk factors play a crucial role in defending public companies against allegations of fraud under the US federal securities laws, and companies should therefore take the time to update their risk factor disclosure and tailor risks to their own facts and circumstances.
by Francesca L. Odell, Rahul Mukhi, Tom Bednar, Nina E. Bell, and Greg Stephens
Left to right: Francesca L. Odell, Rahul Mukhi, Tom Bednar, and Nina E. Bell (Photos courtesy of Cleary Gottlieb Steen & Hamilton LLP) (Not Pictured: Greg Stephens)
The SEC pursued multiple high-profile enforcement actions in 2024, alongside issuing additional guidance around compliance with the new cybersecurity disclosure rules.
Together these developments demonstrate a continued focus by the SEC on robust disclosure frameworks for cybersecurity incidents. Public companies will need to bear these developments in mind as they continue to grapple with cybersecurity disclosure requirements going into 2025.
by Martin Lipton, David A. Katz, and Elina Tetelbaum
Left to Right: Martin Lipton, David A. Katz and Elina Tetelbaum. (Photos Courtesy of Watchell, Lipton, Rosen & Katz)
The District Court for the Northern District of Texas recently ruled that a company breached its fiduciary duties under the Employee Retirement Income Security Act of 1974 (“ERISA”) for permitting BlackRock’s inclusion as an investment manager of its employees’ retirement assets in a 401(k) Plan. After a four-day bench trial, the Court found that the company failed to “loyally act solely in the retirement plan’s best financial interests by allowing their corporate interests, as well as BlackRock’s ESG interests, to influence management of the plan.”
Photo courtesy of author
In an upcoming paper, I explore whether the use of AI to enhance decision-making brings about radical change for legal doctrine or, by contrast, is just another new tool. The essay submits that we must rethink the law’s implicit assumption that (and how) humans make the decisions that corporate law regulates. If there is movement in implicit assumptions about how people make decisions, legal rules need review.
Decision-making is the cornerstone of corporate life and of keen interest to a variety of scholarly disciplines. They range from rational-actor theories over behavioral approaches to neuro-economics and psychology. The law has its own theories on decision-making. Many are normative and specify decision procedures and outcomes. In addition, the law rests on implicit theories of decision-making: A legal rule will look different if, for instance, it assumes either that decision-making follows optimal choice patterns or that heuristics and biases guide human decisions.
by Ann Sultan, John E. Davis, and Kathryn Cameron Atkinson
Left to right: Ann Sultan, John E. Davis, and Kathryn Cameron Atkinson. (Photos courtesy of Miler Chevalier Chartered)
On September 23, 2024, in conjunction with a related speech at the Society of Corporate Compliance and Ethics (SCCE) Compliance & Ethics Institute by Principal Deputy Assistant Attorney General (PDAAG) Nicole M. Argentieri, the U.S. Department of Justice (DOJ) released an updated version of its guidance to prosecutors on the Evaluation of Corporate Compliance Programs (updated ECCP). The DOJ last updated this guidance in March 2023. View a redline comparison of the September 2024 updates to the March 2023 version here.
The DOJ’s substantive revisions for this round of updates focused primarily on using data and technology related to various compliance program elements, integrating and adapting to lessons learned from other companies, and reporting. As PDAAG Argentieri noted, the DOJ “regularly evaluate[s] our policies and enforcement tools, including the ECCP, to account for changing circumstances and new risks.”
by Ilona Cohen
Photo courtesy of the author
Last year, the government filed a landmark lawsuit alleging that SolarWinds and its Chief Information Security Officer (CISO) misled the public about the company’s cybersecurity practices before and after a major cyberattack. The charges surprised leaders in the industry and forced many companies to reevaluate their own security programs. In a recent development, however, a judge in New York dismissed most of the charges against the company and SolarWinds’ CISO, leaving many to wonder what these developments mean for them.
The case against SolarWinds was filed by the Securities and Exchange Commission (SEC), a government agency that has interpreted its authority broadly to regulate publicly traded companies. The court did not agree with the SEC’s use of that authority in key respects and dismissed allegations that the statements in SolarWinds’ press releases, blog posts, podcasts, and certain SEC filings, misrepresented the company’s cybersecurity risks and controls.
by Avi Gesser, Erez Liebermann, Matt Kelly, Jackie Dorward, and Joshua A. Goland
Top: Avi Gesser, Erez Liebermann, and Matt Kelly. Bottom: Jackie Dorward and Joshua A. Goland (Photos courtesy of Debevoise & Plimpton LLP)
This is the second post in the two-part Debevoise Data Blog series covering the U.S. Treasury Department’s report on Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (the “Report”).
In Part 1, we addressed the Report’s coverage of the state of AI regulation and best practices recommendations for AI risk management and governance. In Part 2, we review the Report’s assessment of AI-enhanced cybersecurity risks, as well as the risks of attacks against AI systems, and offer guidance on how financial institutions can respond to both types of risks.
by Adam O. Emmerich, David A. Katz, Karessa L. Cain, Elina Tetelbaum, and Carmen X. W. Lu
Left to right: Adam O. Emmerich, David A. Katz, Karessa L. Cain, Elina Tetelbaum and Carmen X. W. Lu. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)
In recent years, one of the most significant developments in corporate governance has been the adoption and expansion of voting choice programs by the largest institutional investors. Such changes have come in response to growing scrutiny and pressure from asset owners and regulators with diametrically opposed and fervently held views on the role of environmental and social issues such as climate change and diversity, equity and inclusion (DEI) in investment decisions. In furtherance of this trend, BlackRock has now adopted separate voting guidelines tailored towards specific funds and investors.
Early this month, BlackRock released climate and decarbonization stewardship guidelines for its funds with explicit decarbonization or climate-related investment objectives or other funds where clients have instructed BlackRock to apply these guidelines to their holdings. These new guidelines will supplement BlackRock’s benchmark policies applicable to all assets under management and will focus attention on how companies have aligned their business model and strategies to meet the goals of the Paris Agreement. A total of 83 funds with $150 billion of combined assets are expected to be covered by the new guidelines. BlackRock has indicated that it will apply the guidelines to those companies held by covered funds and clients who have opted into the guidelines and that produce goods and services that “contribute to real world decarbonization,” have a “carbon intensive business model” or face “outsized impacts from the low carbon transition,” based on their Scopes 1, 2, and 3 greenhouse gas emissions.