Category Archives: Securities Regulation

SEC Releases New Guidance on Material Cybersecurity Incident Disclosure

by Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Anna Moody, Kelly Donoghue, and John Jacob


Top left to right: Eric T. Juergens, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom left to right: Anna Moody, Kelly Donoghue, and John Jacob. (Photos courtesy of Debevoise & Plimpton LLP)

On June 24, 2024, the staff of the Division of Corporation Finance of the Securities and Exchange Commission (the “SEC”) released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. A summary of the updates is below, followed by the full text of the new C&DIs.  While the fact patterns underlying the new C&DIs focus on ransomware, issuers should consider the guidance generally in analyzing disclosure obligations for cybersecurity events.


Cyber Experts React to Court Decision in the SEC’s SolarWinds Enforcement Action

Editor’s Note: PCCE has been watching the developments in the SEC’s enforcement action against SolarWinds and its CISO over allegedly misleading disclosures and controls failures related to the compromise of its Orion product by putative Russian hackers. In this post, cybersecurity experts and lawyers discuss the recent decision by U.S. District Judge Paul Engelmayer to dismiss most of the SEC’s claims in the case.


Top left to right: Randal Milch, Judy Titera, James Haldin, and Alan Wilson. Bottom left to right: Matthew Beville, Elizabeth Roper, and Jerome Tomas. (Photos courtesy of authors)


Supreme Court Punches SEC APs Right in the Seventh Amendment

by Andrew J. Ceresney, Charu A. Chandrasekhar, Arian M. June, Robert B. Kaplan, Julie M. Riewe, Kristin A. Snyder, and Jonathan R. Tuttle


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Arian M. June, and Robert B. Kaplan. Bottom left to right: Julie M. Riewe, Kristin A. Snyder, and Jonathan R. Tuttle. (Photos courtesy of Debevoise & Plimpton LLP)

Recently, in a long-awaited ruling with significant implications for the securities industry and administrative agencies more generally, the U.S. Supreme Court affirmed the Fifth Circuit’s decision in Jarkesy v. SEC, holding that the Seventh Amendment right to a jury trial precluded the U.S. Securities and Exchange Commission (the “SEC”) from pursuing monetary penalties for securities fraud violations through in-house administrative adjudications. The key takeaways are:

  • The Court’s ruling was limited to securities fraud claims, but other SEC claims seeking legal remedies may be impacted, as well as claims by other federal agencies that may have been adjudicated in-house previously.
  • We expect that the SEC will continue its practice of bringing new enforcement actions in district court, except when a claim is available only in the administrative forum.
  • Because of the majority decision’s focus on fraud’s common-law roots, the decision raises questions about whether the SEC may bring negligence-based or strict liability claims seeking penalties administratively.
  • The Court did not resolve other constitutional questions concerning the SEC’s administrative law judges, including whether the SEC’s use of administrative proceedings violates the non-delegation doctrine and whether the SEC’s administrative law judges are unconstitutionally protected from removal in violation of Article III.
  • We anticipate additional litigation regarding these unresolved issues.


Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.


SEC Adopts Amendments to Regulation S-P That Require Reporting Breaches of “Sensitive Customer Information”

by Mike Borgia and Andrew Lewis

From left to right: Mike Borgia and Andrew Lewis (Photos courtesy of authors)

Broker-dealers, registered investment advisors, and funds are now required to report breaches of “sensitive” nonpublic personal information (NPI) to affected individuals.

On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to report data breaches affecting “sensitive customer information,” which is “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

The amendments were originally proposed on March 15, 2023 (covered in a previous post). The amendments will go into effect 60 days after they are published in the Federal Register.


Second Circuit: Crypto Exchange Binance Subject to U.S. Securities Laws to Avoid a Regulatory Vacuum


Left to right: David Livshiz, Timothy Howard, Andrew Gladstein, Peter Linken, and Seve Kale (photos courtesy of authors)

A recent Second Circuit decision underscores that decentralized crypto exchanges with no claimed “home” jurisdiction face a substantial likelihood of exposure to U.S. securities laws.  In Williams v. Binance, 96 F.4th 129 (2d Cir. 2024), the Second Circuit held plaintiffs adequately alleged crypto token purchases made on Binance’s trading platform by U.S. persons were domestic transactions and subject to U.S. securities laws on two independent grounds.  First, it was plausible that plaintiffs’ purchase orders were matched with sellers on servers located in the U.S.  Second, Binance’s Terms of Use stated orders became irrevocable once they were sent to Binance, which the plaintiffs alleged occurred from their homes in the United States.  The Court’s extraterritoriality analysis focused on Binance’s express disclaimer of a physical presence or geographical headquarters and the inapplicability of any other country’s securities regime.  These factors created the possibility of a regulatory vacuum absent imposition of U.S. securities laws.  Underscoring this point, the Court reasoned that “[e]ven if the Binance exchange lacks a physical location, the answer to where [it matches transactions] cannot be ‘nowhere.’”  Williams, 96 F.4th at 138. 

It will take years before the full implications of Williams become clear, but what is already clear is that U.S. courts are likely to be skeptical of corporate structures that appear to leave a company immune from litigation anywhere. This skepticism is particularly relevant to crypto exchanges and other decentralized actors, which may not have or maintain a traditional “home” jurisdiction or base. Such decentralized actors may wish to consider taking steps to reduce the risk of exposure to U.S. securities laws, including affirmatively establishing a domicile outside the U.S. by opening a non-U.S. office or otherwise formally submitting to regulation by another nation, using servers, data centers, and other computer network infrastructure outside of the United States, and drafting terms of service or other contractual agreements to provide that transactions become irrevocable in a location outside the U.S.


SEC Staff Provides Guidance on Cyber Form 8-K Reporting

by Scott Kimpel 


Photo courtesy of Hunton Andrews Kurth LLP

On May 21, 2024, staff of the U.S. Securities and Exchange Commission (“SEC”) published additional interpretive guidance on reporting material cybersecurity incidents under Form 8-K.

Since December 18, 2023, when the SEC’s rules for reporting material cybersecurity incidents under Item 1.05 on Form 8-K took effect, we have identified 17 separate companies that have made disclosures under the new rules. Since that date, several other companies also have made disclosures regarding cybersecurity incidents under other Form 8-K items. A large majority of those companies reporting under Item 1.05 have either not yet determined that the triggering incident was material, or determined that the event was in fact immaterial.


Crypto Experts React to Recent SDNY Ethereum Fraud Indictment

The NYU Law Program on Corporate Compliance and Enforcement (PCCE) is following the U.S. Attorney’s Office for the Southern District of New York’s recent indictment of two individuals for allegedly attacking and stealing $25 million from the Ethereum blockchain. The indictment in the case, United States v. Peraire-Bueno, 24 Cr. 293 (SDNY), is available here.  Below, several crypto experts and former prosecutors provide their reactions to the case.


Left to right: Maria Vullo, Daniel Payne, Elizabeth Roper, Usman Sheikh, Justin Herring, and Robertson Park (photos courtesy of the authors)


AI for IAs: How Artificial Intelligence Will Impact Investment Advisers

by Michael McDonald


Photo courtesy of Davis Wright Tremaine LLP

The use of artificial intelligence and machine learning technology solutions (“AI”) is becoming increasingly common in all industries, including the registered investment adviser (“RIA”) space. A recent survey by AI platform Totumai and market research firm 8 Acre Perspective found that 12% of RIAs currently use AI technology in their businesses and 48% plan to use the technology at some point, which means there is a realistic expectation that 60% of RIAs will be using AI in the near future. Among other use cases, AI has the potential to be used by RIAs for portfolio management, customer service, compliance, investor communications, and fraud detection. While regulators are not likely to prohibit the use of AI in the industry, they are likely to closely monitor and regulate specific applications and use cases. It is therefore essential for RIAs to understand these emerging rules and regulatory frameworks so they can appropriately leverage the many benefits of AI while ensuring their business remains compliant with these new rules of the road. DWT has recently launched a series of webinars entitled “AI Across All Industries,” available here, that has gone in-depth on the legal issues surrounding the use of AI.


Preparing for AI Whistleblowers

by Charu A. Chandrasekhar, Avi Gesser, Arian M. June, Michelle Huang, Cooper Yoo, and Sharon Shaji


Top row: Charu A. Chandrasekhar, Avi Gesser, and Arian M. June
Bottom row: Michelle Huang, Cooper Yoo, and Sharon Shaji
(Photos courtesy of Debevoise & Plimpton LLP)

As artificial intelligence (“AI”) use and capabilities surge, a new risk is emerging for companies: AI whistleblowers. Both increased regulatory scrutiny over AI use and record-breaking whistleblower activity have set the stage for an escalation of AI whistleblower-related enforcement. As we’ve previously written and spoken about, the risk of AI whistleblowers is rising as whistleblower protections and awards expand, internal company disputes over cybersecurity and AI increase due to a lack of clear regulatory guidance, and public skepticism mounts over the ability of companies to offer consumer protections against cybersecurity and AI risks.
