Photo courtesy of author
Legal developments emerging in the wake of the Supreme Court’s decision in SEC v. Jarkesy, 603 U.S. 109 (2024), present an important question for entities licensed by the New York State Department of Financial Services (NYDFS): in an administrative enforcement action brought by NYDFS, does Jarkesy entitle the targeted entity to a jury trial?
by Jenny Cieplak, Zachary Fallon, Ghaith Mahmood, Yvette D. Valdez, Stephen P. Wink, and Deric Behar
Top left to right: Jenny Cieplak, Zachary Fallon, and Ghaith Mahmood. Bottom left to right: Yvette D. Valdez, Stephen P. Wink, and Deric Behar. (Photos courtesy of Latham & Watkins LLP)
On February 27, 2025, the Securities and Exchange Commission’s (SEC’s) Division of Corporation Finance published a Staff Statement on Meme Coins (the Statement). The Statement is the first tangible clarification of how the federal securities laws apply to a specific category of crypto since President Trump issued an executive order on digital assets (for more information, see this Latham blog post) and the SEC established a Crypto Task Force (for more information, see this Latham blog post). The Statement is responsive to the Crypto Task Force’s first priority (as highlighted by SEC Commissioner Hester Peirce, who leads the task force): determining the status of digital assets under the securities laws.
by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu.
Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, and Erez Liebermann.
Bottom left to right: Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)
On October 16, 2024, the New York Department of Financial Services (the “NYDFS”) issued an Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI (the “Guidance”) under the existing 23 NYCRR Part 500 (“Part 500” or “Cybersecurity Regulation”) framework. The Guidance applies to entities that are covered by Part 500 (i.e., entities with a license under the New York Banking Law, Insurance Law or Financial Services Law), but it provides valuable direction to all companies for managing the new cybersecurity risks associated with AI.
The NYDFS makes clear that the Guidance does not impose any new requirements beyond those already contained in the Cybersecurity Regulation. Instead, the Guidance is meant to explain how covered entities should use the Part 500 framework to address cybersecurity risks associated with AI and build controls to mitigate such risks. It also encourages companies to explore the potential cybersecurity benefits from integrating AI into cybersecurity tools (e.g., reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats). Entities that are covered by Part 500, especially those that have deployed AI in significant ways, should review the Guidance carefully, along with their current cybersecurity policies and controls, to see if any enhancements are appropriate.
by Sujit Raman and Thomas Armstrong
From left to right: Sujit Raman and Thomas Armstrong. (Photos courtesy of authors).
Everyone these days is talking about artificial intelligence and how to use it responsibly. Among law enforcement and compliance professionals, discussions around the responsible use of AI are nothing new. Even so, recent advances in machine learning have turbocharged AI’s transformative potential in detecting, preventing, and—in a particular sense—even predicting illicit activity. These advances are especially notable in the field of blockchain analytics: the process of associating digital asset wallets to real-world entities.
In a recent, pathbreaking opinion and order, U.S. District Judge Randolph Moss rejected a criminal defendant’s challenge to the government’s evidentiary use of blockchain analytics to link him to illicit financial activity.[1] Many courts—including, just a few days ago, a U.S. district court in Massachusetts[2]—have relied on the validity of blockchain analytics when taking pre-trial actions like issuing seizure orders and authorizing arrest warrants; Judge Moss’s opinion is the first trial court examination of this powerful analytic capability. Taken together, this growing body of legal authority forcefully affirms the reliability—and therefore admissibility in court—of evidence derived from such analytics.
by Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, Matt Kelly, Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji
Top (from left to right): Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, and Matt Kelly
Bottom (from left to right): Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji (Photos courtesy of Debevoise & Plimpton LLP)
On January 17, 2024, the New York State Department of Financial Services (the “NYDFS”) issued a Proposed Insurance Circular Letter regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Proposed Circular” or “PCL”). The Proposed Circular is the latest regulatory development in artificial intelligence (“AI”) for insurers, following the final adoption of Colorado’s AI Governance and Risk Management Framework Regulation (“CO Governance Regulation”) and the proposed Colorado AI Quantitative Testing Regulation (the “CO Proposed Testing Regulation”), discussed here, and the National Association of Insurance Commissioners’ (“NAIC”) model bulletin on the “Use of Artificial Intelligence Systems by Insurers” (the “NAIC Model Bulletin”), discussed here. In the same way that NYDFS’s Part 500 Cybersecurity Regulation influenced standards for cybersecurity beyond New York State and beyond the financial sector, it is possible that the Proposed Circular will have a significant impact on the AI regulatory landscape.
The PCL builds on the NYDFS’s 2019 Insurance Circular Letter No. 1 (the “2019 Letter”) and includes some clarifying points on the 2019 Letter’s disclosure and transparency obligations. The 2019 Letter was limited to the use of external consumer data and information sources (“ECDIS”) for underwriting life insurance and focused on risks of unlawful discrimination that could result from the use of ECDIS and the need for consumer transparency. The Proposed Circular incorporates the general obligations from the 2019 Letter, adding more detailed requirements, expands the scope beyond life insurance, and adds significant governance and documentation requirements.
by Kevin S. Schwartz, Rosemary Spaziani, David M. Adlerstein, Samantha M. Altschuler, and Sabina M. Beleuz Neagu
Left to right: Kevin S. Schwartz, Rosemary Spaziani, David M. Adlerstein, Samantha M. Altschuler and Sabina M. Beleuz Neagu (Photos courtesy of Wachtell, Lipton, Rosen & Katz)
The U.S. cryptoasset industry just rang in the new year with the watershed SEC approval of the first spot ETFs for a digital asset. With the approval of the first bitcoin Spot ETFs, making possible a path for millions of Americans to have direct bitcoin exposure in retirement and other traditional investment accounts, it is an appropriate time to reflect on significant recent developments that may shape the crypto industry in the year to come.
by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog
From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.
At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to increase resources and attention to bolster their defenses and ensure compliance with their growing list of legal obligations. We predict a continued flurry of activity in 2024. Continue reading
On November 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a standing-room-only full-day conference on Security, Privacy, and Consumer Protection. The conference addressed issues such as managing effective cybersecurity and privacy compliance programs, the use of “dark patterns” to manipulate consumer choices, and whether privacy regulation and enforcement actions actually prompt firms to update their privacy policies. A full agenda of the conference, along with speaker bios, is available here. In this post, several participants from the panel titled The NYDFS Cybersecurity Rule Amendments and Their Implications for Firms Beyond the Financial Sector share further thoughts on the issue.
Left to right: Justin Herring, Matthew Levine, Cheryl James, Edward Stroz, and Alexander Southwell (Moderator)(©Hollenshead: Courtesy of NYU Photo Bureau)
Editor’s Note: The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is following the New York State Department of Financial Services’ (NYDFS) recently announced amendments to its Part 500 Cybersecurity Regulations. In this post, cybersecurity experts offer their insight on the final amendments and the potential implications they have for corporate cybersecurity programs.
Top left to right: Johanna Skrzypczyk, Avi Gesser, Justin Herring, Kathleen McGee, and Edward Stroz.
Bottom left to right: Kellen Dwyer, Rebecca Hughes Parker, Elizabeth Ferrick, Grant Ankrom, and Alex Southwell. (Photos courtesy of the authors)
Matthew L. Levine (Photo courtesy of the author)
The New York State Department of Financial Services (“DFS”) has issued its long-awaited proposed revision to “Part 500,” the agency’s groundbreaking Cybersecurity Regulation.[1] This revision may be the basis for the final rule that will go into effect in stages after the Notice of Adoption is published in the State Register.
A catalog of analysis by law and consulting firms has already popped up online concerning the specific changes proposed, and not proposed, in this latest revision. There is no question that, when implemented, the regulation’s final changes are likely to have a material impact on financial institutions regulated by DFS.
Yet another document that accompanied the proposed revision should not be overlooked: the DFS “Assessment of Public Comments” (the “Assessment”). The rough equivalent of the “fine print” accompanying the proposal, the Assessment responds to an extensive body of commentary received by DFS from financial institutions, trade groups, law firms and others after DFS issued a previous iteration of the proposed amendments in November 2022.[2]