Photo courtesy of author
Legal developments emerging in the wake of the Supreme Court’s decision in SEC v. Jarkesy, 603 U.S. 109 (2024), present an important question for entities licensed by the New York State Department of Financial Services (NYDFS): in an administrative enforcement action brought by NYDFS, does Jarkesy entitle the targeted entity to a jury trial?
by Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Anna Moody, Kelly Donoghue, and John Jacob
Top left to right: Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom left to right: Anna Moody, Kelly Donoghue, and John Jacob. (Photos courtesy of Debevoise & Plimpton LLP)
On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs. While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.
by Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso
Left to right: Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso (photos courtesy of Debevoise & Plimpton LLP)
With the EU Digital Operational Resilience Act (“DORA”) implementation deadline set for January 2025, many financial services firms are spending 2024 preparing for the new regime. Amongst many operational resilience and management oversight requirements, DORA will require covered entities to monitor for, identify, and classify Information and Communications Technology (“ICT”)-related incidents (“incidents”) and cyber threats and report them under certain circumstances to regulators, clients, and the public.
In this post, we take a closer look at DORA’s ICT-related incident and cyber threat reporting obligations (which can require notifications as fast as four hours) and how covered entities can prepare to address them within their existing incident response plans (“IRPs”).
For a more general overview of DORA’s requirements, please see our previous blog post here, along with our coverage of management obligations for covered entities under DORA and how DORA will impact fund managers and the insurance sector in Europe.
Editor’s Note: This post contains excerpts from Wachtell, Lipton, Rosen & Katz’s Guide: “Financial Institutions M&A 2024: Seizing Opportunities, Navigating Pitfalls,” the full version of which is available here.
by Ed Herlihy, Richard Kim, Nick Demmo, David Shapiro, Matt Guest, Mark Veblen, Brandon Price, and Jake Kling
Top left to right: Ed Herlihy, Richard Kim, Nick Demmo, and David Shapiro
Bottom left to right: Matt Guest, Mark Veblen, Brandon Price, and Jake Kling
(Photos courtesy of Wachtell, Lipton, Rosen & Katz)
Financial institutions M&A fell for the second year in a row in 2023. Like most other sectors of the economy, financial institutions faced significant M&A headwinds during the year, including geopolitical instability, elevated inflation, high interest rates, challenging and often volatile equity markets, enhanced antitrust risks and uncertainty, and recessionary fears that softened only towards the end of the year.
by Louis W. Tompros, Arianna Evers, Eric P. Lesser, Allie Talus, and Lauren V. Valledor
(Left to right) Louis W. Tompros, Arianna Evers, Eric P. Lesser, Allie Talus, and Lauren V. Valledor (Photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)
Recently, New York Governor Kathy Hochul proposed sweeping artificial intelligence (AI) regulatory measures intended to protect against untrustworthy and fraudulent uses of AI. Presented as part of her FY 2025 Executive Budget, the bill would amend existing penal, civil rights and election laws—establishing a private right of action for voters and candidates impacted by deceptive AI-generated election materials and criminalizing certain AI uses, among other measures. Governor Hochul’s proposals are part of a wider trend of governors and state lawmakers taking more expansive measures to regulate AI that deserve attention from businesses developing and using AI.
by Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, Matt Kelly, Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji
Top (from left to right): Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, and Matt Kelly
Bottom (from left to right): Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji (Photos courtesy of Debevoise & Plimpton LLP)
On January 17, 2024, the New York State Department of Financial Services (the “NYDFS”) issued a Proposed Insurance Circular Letter regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Proposed Circular” or “PCL”). The Proposed Circular is the latest regulatory development in artificial intelligence (“AI”) for insurers, following the final adoption of Colorado’s AI Governance and Risk Management Framework Regulation (“CO Governance Regulation”) and the proposed Colorado AI Quantitative Testing Regulation (the “CO Proposed Testing Regulation”), discussed here, and the National Association of Insurance Commissioners’ (“NAIC”) model bulletin on the “Use of Artificial Intelligence Systems by Insurers” (the “NAIC Model Bulletin”), discussed here. In the same way that NYDFS’s Part 500 Cybersecurity Regulation influenced standards for cybersecurity beyond New York State and beyond the financial sector, it is possible that the Proposed Circular will have a significant impact on the AI regulatory landscape.
The PCL builds on the NYDFS’s 2019 Insurance Circular Letter No. 1 (the “2019 Letter”) and includes some clarifying points on the 2019 Letter’s disclosure and transparency obligations. The 2019 Letter was limited to the use of external consumer data and information sources (“ECDIS”) for underwriting life insurance and focused on risks of unlawful discrimination that could result from the use of ECDIS and the need for consumer transparency. The Proposed Circular incorporates the general obligations from the 2019 Letter, adding more detailed requirements, expands the scope beyond life insurance, and adds significant governance and documentation requirements.
Editor’s Note: The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the New York State Department of Financial Services’ (NYDFS) recently announced amendments to its Part 500 Cybersecurity Regulations. In this post, cybersecurity experts offer their insight on the final amendments and the potential implications they have for corporate cybersecurity programs.
Top left to right: Johanna Skrzypczyk, Avi Gesser, Justin Herring, Kathleen McGee, and Edward Stroz.
Bottom left to right: Kellen Dwyer, Rebecca Hughes Parker, Elizabeth Ferrick, Grant Ankrom, and Alex Southwell. (Photos courtesy of the authors)
by Avi Gesser, Erez Liebermann, Eric Dinallo, Matt Kelly, Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman, and Basil Fawaz
Top left to right: Avi Gesser, Erez Liebermann, Eric Dinallo and Matt Kelly
Bottom left to right: Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman and Basil Fawaz
(Photos courtesy of Debevoise & Plimpton LLP)
On September 21, 2023, the Colorado Division of Insurance (the “DOI”) released its Final Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the “Final Regulation”). As discussed below, the Final Regulation (which becomes effective on November 14, 2023) reflects several small changes from the previous version of the regulation that was released on May 26, 2023 (the “Draft Regulation”). A redline reflecting these changes can be found here.
The most substantive change is the requirement that insurers must remediate any detected unfair discrimination. This change is especially significant in light of the DOI’s release of its draft regulation on Quantitative Testing for Unfairly Discriminatory Outcomes for Algorithms and Predictive Models Used for Life Insurance Underwriting (the “Draft Testing Regulation”) on September 28, 2023, which requires insurers to estimate the race and ethnicity of all proposed insureds that have applied for life insurance coverage and then conduct detailed quantitative testing of models that use external consumer data and information sources (“ECDIS”) for potential bias. The Testing Regulation provides that certain results of that prescribed testing methodology will be deemed to be unfairly discriminatory and thereby require the insurer to “immediately take reasonable steps . . . to remediate the unfairly discriminatory outcome . . .” We will be writing much more about our concerns over the Draft Testing Regulation in the coming weeks.
In this Blog Post, we discuss the Final Regulation, how it differs from the Draft Regulation, and what companies should be doing now to prepare for compliance.
Matthew L. Levine (Photo courtesy of the author)
The New York State Department of Financial Services (“DFS”) has issued its long-awaited proposed revision to “Part 500,” the agency’s groundbreaking Cybersecurity Regulation.[1] This revision may be the basis for the final rule that will go into effect in stages after the Notice of Adoption is published in the State Register.
A catalog of analysis by law and consulting firms has already popped up online concerning the specific changes proposed, and not proposed, in this latest revision. There is no question that, when implemented, the regulation’s final changes are likely to have a material impact on financial institutions regulated by DFS.
Yet another document that accompanied the proposed revision should not be overlooked: the DFS “Assessment of Public Comments” (the “Assessment”). The rough equivalent of the “fine print” accompanying the proposal, the Assessment responds to an extensive body of commentary received by DFS from financial institutions, trade groups, law firms and others after DFS issued a previous iteration of the proposed amendments in November 2022.[2]
by Lisa Sotto and Michael La Marca
Lisa Sotto and Michael La Marca (Photos courtesy of Hunton Andrews Kurth)
On June 28, 2023, the New York Department of Financial Services (“NYDFS”) published an updated proposed Second Amendment (“Amendment”) to its Cybersecurity Regulation, 23 NYCRR Part 500. On November 9, 2022, NYDFS published a first draft of the proposed Amendment and received comments from stakeholders over a 60-day period. The updated proposed Amendment will be subject to an additional 45-day comment period.