Category Archives: Directors & Officers

From Peanuts to Prison Time – A Fresh Look at the Evolution of Export Controls Penalties

by Brent Carlson and Michael Huneke

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

New export controls rules recently issued by the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) have set the corporate compliance world abuzz, as export controls continue to increase everywhere amid accelerating economic and geopolitical competition. Multinational companies are placed in an increasingly precarious position, caught between superpowers in a “disordered,” multipolar world. The consequences of failing to navigate successfully through myriad export controls regimes are only going to grow more severe, with the U.S. government signaling that a wave of increasing enforcement activity is on the way.

In this installment of our Fresh Looks series, we examine the evolution of export controls penalties, from where they are today to where they are heading tomorrow. The U.S. Department of Justice (“DOJ”) has called export controls and economic sanctions the “new FCPA” and included both among America’s national security enforcement priorities. This provides an important—and unambiguous—signal of the directional trends underway for export controls enforcement.

UK ICO Publishes Guidance on Workplace Monitoring

by Sarah Pearce and Olivia Lee

From left to right: Sarah Pearce and Olivia Lee. (Photos courtesy of Hunton Andrews Kurth LLP)

On October 3, 2023, the UK Information Commissioner’s Office (“ICO”) published new Guidance on lawful monitoring in the workplace, designed to help employees comply with their obligations under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”).

The Final Colorado AI Insurance Regulations: What’s New and How to Prepare

by Avi Gesser, Erez Liebermann, Eric Dinallo, Matt Kelly, Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman, and Basil Fawaz

Top left to right: Avi Gesser, Erez Liebermann, Eric Dinallo and Matt Kelly
Bottom left to right: Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman and Basil Fawaz
(Photos courtesy of Debevoise & Plimpton LLP)

On September 21, 2023, the Colorado Division of Insurance (the “DOI”) released its Final Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the “Final Regulation”). As discussed below, the Final Regulation (which becomes effective on November 14, 2023) reflects several small changes from the previous version of the regulation that was released on May 26, 2023 (the “Draft Regulation”). A redline reflecting these changes can be found here.

The most substantive change is the requirement that insurers must remediate any detected unfair discrimination. This change is especially significant in light of the DOI’s release of its draft regulation on Quantitative Testing for Unfairly Discriminatory Outcomes for Algorithms and Predictive Models Used for Life Insurance Underwriting (the “Draft Testing Regulation”) on September 28, 2023, which requires insurers to estimate the race and ethnicity of all proposed insureds that have applied for life insurance coverage and then conduct detailed quantitative testing of models that use external consumer data and information sources (“ECDIS”) for potential bias. The Testing Regulation provides that certain results of that prescribed testing methodology will be deemed to be unfairly discriminatory and thereby require the insurer to “immediately take reasonable steps . . . to remediate the unfairly discriminatory outcome . . .”  We will be writing much more about our concerns over the Draft Testing Regulation in the coming weeks.

In this Blog Post, we discuss the Final Regulation, how it differs from the Draft Regulation, and what companies should be doing now to prepare for compliance.

Reading the Fine Print: The NYDFS Assessment of Comments on its Proposed Cybersecurity Amendments

by Matthew L. Levine

Matthew L. Levine (Photo courtesy of the author)

The New York State Department of Financial Services (“DFS”) has issued its long-awaited proposed revision to “Part 500,” the agency’s groundbreaking Cybersecurity Regulation.[1]  This revision may be the basis for the final rule that will go into effect in stages after the Notice of Adoption is published in the State Register.

A catalog of analysis by law and consulting firms has already popped up online concerning the specific changes proposed, and not proposed, in this latest revision.  There is no question that, when implemented, the regulation’s final changes are likely to have a material impact on financial institutions regulated by DFS.

Yet another document that accompanied the proposed revision should not be overlooked:  the DFS “Assessment of Public Comments” (the “Assessment”).  The rough equivalent of the “fine print” accompanying the proposal, the Assessment responds to an extensive body of commentary received by DFS from financial institutions, trade groups, law firms and others after DFS issued a previous iteration of the proposed amendments in November 2022.[2]

Integrated Intelligence: Acquiring, Interpreting and Disseminating Knowledge to Support Enterprise Risk Management and Corporate Governance

by Lawrence Cunningham and Arvin Maskin

From left to right: Lawrence Cunningham and Arvin Maskin. Photos courtesy of the authors.

Enterprise risk management (“ERM”) and corporate governance are two sides of the same coin, being united by the importance of relevant decision-makers acquiring, interpreting and disseminating intelligence about risk and oversight. The goal of ERM is to help corporate managers visualize, interpret, contextualize and prioritize various forms of risk input in a timely and objective manner, and to convert it to insightful and actionable intelligence to enhance the quality, reliability and transparency of corporate decision-making and board oversight (“corporate governance”). This modern-day “distant early warning” system attempts to preempt crisis-level events and mitigate the impact of unexpected or unavoidable occurrences of consequence, while seizing on opportunities to be innovative, competitive, and resilient.

SEC Adopts New Cybersecurity Rules for Issuers – Part 2 Key Takeaways

by Charu A. Chandrasekhar, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, Chris Duff, John Jacob, Amy Pereira, Ned Terrace, Luke Dembosky, and Mengyi Xu

Top left to right: Charu A. Chandrasekhar, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, and Matt Kelly.
Bottom left to right: Kelly Donoghue, Chris Duff, John Jacob, Amy Pereira, Ned Terrace, Luke Dembosky, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On July 26, 2023, the SEC adopted long-anticipated final rules on cybersecurity risk management, strategy, governance and incident disclosure for issuers (“Final Rules”). We summarized the key obligations under the Final Rules, and changes from the Proposing Release,[1] in our July 27, 2023 update. In this companion update, we discuss key takeaways across three areas for issuers to consider:

DEI Initiatives Post-SFFA: Considerations for Boards and Management

by Martin Lipton, John F. Savarese, Adam J. Shapiro, Erica E. Bonnett, Noah B. Yavitz, and Carmen X. W. Lu

Top left to right: Martin Lipton, John F. Savarese, and Adam J. Shapiro.
Bottom left to right: Erica E. Bonnett, Noah B. Yavitz, and Carmen X. W. Lu
(Photos courtesy of Wachtell, Lipton, Rosen & Katz)

It is no secret that American corporations face vigorous — and often conflicting — demands concerning diversity, equity and inclusion (DEI) initiatives.  Over the past year, DEI initiatives and commitments have come under pressure in the face of macroeconomic headwinds, political scrutiny and legal challenges.  That pressure has only grown following the Supreme Court’s recent decision against affirmative action in SFFA v. Harvard (as discussed in our prior memo), after which Attorneys General from both red and blue states sent conflicting letters to Fortune 100 companies on what the SFFA decision meant for corporate DEI initiatives. 

Revisiting The New Paradigm

by Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Carmen X. W. Lu

Left to right: Martin Lipton, Steven A. Rosenblum, Karessa L. Cain, Elina Tetelbaum, and Carmen X. W. Lu (photos courtesy of Wachtell, Lipton, Rosen & Katz)

In view of the attacks on “woke” corporations, ongoing legislative opposition to the consideration by investors and corporations of environmental, social and governance (ESG) issues, legal challenges to elements of ESG itself (notably, initiatives designed to further diversity, equity and inclusion), and the attendant political polarization, we undertook to revisit The New Paradigm: A Roadmap for an Implicit Corporate Governance Partnership Between Corporations and Investors to Achieve Sustainable Long-Term Investment and Growth that we prepared for the International Business Council of the World Economic Forum in September 2016.  

SEC Adopts New Cybersecurity Rules for Issuers

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff 

Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel.
Bottom left to right: Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff.
(photos courtesy of authors)

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers, (ii) its proposed amendments to Reg S-P and Reg SCI and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.

A Game-Changer for UK Corporate Crime Enforcement? Major Expansion of Corporate Criminal Liability Proposed

by Karolos Seeger, Konstantin Bureiko, Aisling Cowell, and Andrew Lee

From left to right: Karolos Seeger, Konstantin Bureiko, Aisling Cowell, and Andrew Lee (Photos courtesy of Debevoise & Plimpton LLP)

Recently, the UK government announced a groundbreaking proposal to reform the identification doctrine—the principle used to hold a company liable for criminal offences committed by those who represent its “directing mind and will”.[1]

For a wide range of offences, including bribery, money laundering, sanctions, fraud and false accounting offences, the actions of a “senior manager… acting within the actual or apparent scope of their authority” will be attributable to his or her employer. The draft wording was added to the Economic Crime and Corporate Transparency Bill, which, as part of the government’s focus on overhauling UK economic crime legislation, already includes a new failure to prevent fraud corporate offence.[2]
