SEC Staff Provides Guidance on Cyber Form 8-K Reporting

by Scott Kimpel 

Photo courtesy of Hunton Andrews Kurth LLP

On May 21, 2024, staff of the U.S. Securities and Exchange Commission (“SEC”) published additional interpretive guidance on reporting material cybersecurity incidents under Form 8-K.

Since December 18, 2023, when the SEC’s rules for reporting material cybersecurity incidents under Item 1.05 on Form 8-K took effect, we have identified 17 separate companies that have made disclosures under the new rules. Since that date, several other companies also have made disclosures regarding cybersecurity incidents under other Form 8-K items. A large majority of those companies reporting under Item 1.05 have either not yet determined that the triggering incident was material, or determined that the event was in fact immaterial.

BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare

by Brent Carlson and Michael Huneke 

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The risk of corporate criminal enforcement actions for export controls evasion or diversion is significantly increasing. Recent actions and statements by the Department of Commerce’s Bureau of Industry & Security (“BIS”) suggest that, beyond saber-rattling, BIS is deliberately priming the corporate enforcement engine with the fuel for an enforcement wave that will follow the Foreign Corrupt Practices Act (“FCPA”) “playbook” that the U.S. Department of Justice (“DOJ”) has successfully deployed for the last two decades.

The fuel comes in the form of official, multiagency guidance documents and other actions that describe circumstances indicating a “high probability” of misconduct, which as we have previously written is a freestanding basis for enforcement actions under both the FCPA and the Export Administration Regulations (“EAR”).[1] Such agency actions by BIS notably include the issuance to U.S. companies of lists of counterparties under cover of what BIS officials describe as “red flag” letters. Since our prior analysis,[2] BIS has reemphasized the significance of such letters and underscored the importance of how U.S. companies respond.

FinCEN and SEC Move Closer to New AML Requirements for Investment Advisers & ERAs

by Joel M. Cohen, Claudette Druehl, Marietou Diouf, Tami Stark, Prat Vallabhaneni, and Robert DeNault

Top: Joel M. Cohen, Claudette Druehl, and Marietou Diouf
Bottom: Tami Stark, Prat Vallabhaneni, and Robert DeNault
(Photos courtesy of White & Case LLP)

On May 13, 2024, FinCEN and the SEC jointly proposed a new rule that would require SEC-registered investment advisers and exempt reporting advisers to maintain written customer identification programs (CIPs). The new rule supplements a proposal in February to impose requirements on investment advisers similar to those that have existed for broker-dealers since 2001, as a means to address illicit finance and national security threats in the asset management industry.

For investment advisers who do not currently have an AML/CFT program, this compliance obligation will create a large shift in the way they operate. This will require significant legal time and attention, but it will be time well spent considering potential regulatory exposure and likely indemnification obligations which flow through commercial agreements in favor of counterparties.

Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience. PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.

Keeping Deferred Corporate Charges Deferred: Some Dos and Don’ts

by John Savarese, Randall Jackson, and Michael Holt

Left to right: John Savarese, Randall Jackson, and Michael Holt (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

At the heart of every white-collar deferred prosecution agreement (DPA) is the deferral of filed criminal charges and a promise by DOJ to dismiss those charges at the end of a fixed term if the company has lived up to its remedial and other commitments. Breaches of these agreements are rare. But DOJ’s recent letter advising the U.S. District Court for the Northern District of Texas that Boeing breached its obligations under a January 2021 DPA (entered into with DOJ to resolve criminal charges relating to Boeing’s mishandling of FAA reporting concerning its 737 MAX aircraft following fatal crashes of two of those planes) provides a telling reminder of the critical need for companies to design and carry out an effective and comprehensive plan to abide by all terms established under a DPA.

Crypto Experts React to Recent SDNY Ethereum Fraud Indictment

The NYU Law Program on Corporate Compliance and Enforcement (PCCE) is following the U.S. Attorney’s Office for the Southern District of New York’s recent indictment of two individuals for allegedly attacking and stealing $25 million from the Ethereum blockchain. The indictment in the case, United States v. Peraire-Bueno, 24 Cr. 293 (SDNY), is available here. Below, several crypto experts and former prosecutors provide their reactions to the case.

Left to right: Maria Vullo, Daniel Payne, Elizabeth Roper, Usman Sheikh, Justin Herring, and Robertson Park (photos courtesy of the authors)

Two New Keynote Speakers Added to PCCE’s 4th Annual Directors’ Academy

We are honored to announce that Matthew Olsen, the Assistant Attorney General for the National Security Division at the U.S. Department of Justice, and Ismail Ramsey, the U.S. Attorney for the Northern District of California, will be additional keynote speakers at our 4th Annual Directors’ Academy at NYU School of Law on October 31st and November 1st, 2024. The agenda and registration portal are available here.

Olsen, who leads the DOJ’s mission to combat terrorism, espionage, cyber crime, and other threats to the national security, and Ramsey, who, as U.S. Attorney for Northern California, is colloquially known as the “Sheriff of Silicon Valley,” overseeing investigations and cases concerning the leading technology companies in the world, will participate in a keynote and fireside chat titled New and Persistent Cyber Threats Overlooked by Boards and Management: Lessons for Boards. The session, which will take place on October 31st, will focus on providing board directors and senior management with the information they need to identify and manage the most critical cyber and national security-related threats to their firms, including the theft of intellectual property. It will be followed immediately by an expert panel to discuss board governance and oversight of cybersecurity. Both sessions will be moderated by Joseph Facciponti, PCCE’s Executive Director and former cybercrime prosecutor at the U.S. Attorney’s Office for the Southern District of New York.

Former Aide to Madagascan President Sentenced for Soliciting Bribes Under UK Bribery Act

by Pamela Reddy, Robin Spedding, and Matthew Unsworth

Left to Right: Pamela Reddy, Robin Spedding, and Matthew Unsworth (photos courtesy of Latham & Watkins LLP)

Sentencing of Romy Andrianarisoa, the first ever foreign public official to be convicted under the UK Bribery Act of 2010, provides important takeaways.

On 10 May 2024, Romy Andrianarisoa was sentenced to three and a half years’ imprisonment for soliciting bribes contrary to Section 2 of the Bribery Act 2010 (Bribery Act). Andrianarisoa, former Chief of Staff to President Andry Rajoelina of Madagascar, requested substantial cash payments in exchange for helping UK-headquartered Gemfields Group Ltd (Gemfields) secure mining rights in the country. Her associate, French national Philippe Tabuteau, was also handed a 27-month sentence for his role in the scheme.

FTC Finalizes Expansion of Health Breach Notification Rule’s Broad Applicability to Unauthorized App Disclosures

by Adam H. Greene and Apurva Dharia

Adam H. Greene and Apurva Dharia (photos courtesy of Davis Wright Tremaine LLP)

The FTC issued a final rule to lock in changes to the Health Breach Notification Rule (HBNR) that it proposed in May 2023. While the HBNR began as a breach notification rule seemingly focused on a narrow set of applications that store medical records on behalf of consumers, the final rule continues the FTC’s path toward turning the rule into a means of imposing privacy and breach notification restrictions on virtually all health and wellness apps. Consistent with the FTC’s September 2021 policy statement and recent enforcement actions, the final rule further revises the HBNR to apply to most health and wellness apps and to require breach notification in almost any instance in which a consumer’s identifiable health data is disclosed without their authorization (including unauthorized disclosures to advertising platforms).

The HBNR requires vendors of personal health records (PHRs) and PHR related entities to notify individuals, the FTC, and, in some cases, the media, of a breach of unsecured PHR identifiable health information.[1] It also requires third-party service providers to vendors of PHRs and PHR related entities to provide notification to such vendors and PHR related entities following the discovery of a breach. The rule applies to foreign and domestic non-HIPAA covered vendors of “personal health records that contain individually identifiable health information created or received by health care providers.” The HBNR specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. The final rule will go into effect 60 days after its publication in the Federal Register.

New U.S. Law Extends Statute of Limitations for Sanctions Violations and Enhances Regulatory and Enforcement Focus on National Security Priorities

by Anthony Lewis, Eric Kadel Jr., Sharon Cohen Levin, Craig Jones, Adam Szubin, Amanda Houle, and Bailey Springer

Top: Anthony Lewis, Eric Kadel Jr., and Sharon Cohen Levin
Bottom: Craig Jones, Adam Szubin, and Amanda Houle
(Photos courtesy of Sullivan & Cromwell LLP)

Statute Doubles the Statute of Limitations for Sanctions Violations, Expands the Scope of Sanctions Programs, and Focuses on China’s Technology Procurement, Iranian Petroleum Trafficking, and Fentanyl Production

Summary

On April 24, President Biden signed into law H.R. 815, a sweeping national security legislative package that—in addition to providing foreign aid funding for Ukraine, Israel, and Taiwan—includes the 21st Century Peace Through Strength Act, which contains a number of provisions implementing the Biden administration’s national security priorities. As summarized below, provisions of the Act align with U.S. authorities’ continued focus on China and emphasis on sanctions enforcement. In particular, the Act:

  • Doubles the statute of limitations for civil and criminal violations of U.S. sanctions programs from five to 10 years—raising questions about retroactive application of the statute and whether authorities will amend current rules on corporate record-keeping practices;
  • Requires additional agency reports to Congress, reflecting a focus on U.S. investments in, and supply-chain contributions to, the development of sensitive technologies used by China—a topic that has likewise been the recent focus of the Department of Justice and the Department of Commerce;
  • Targets the Chinese government’s alleged evasion of U.S. sanctions on Iranian petroleum products and involvement in related financial transactions by directing the imposition of sanctions; and
  • Directs the President to impose sanctions aimed at curbing China’s alleged involvement in fentanyl trafficking and calls for forthcoming guidance for financial institutions in filing related SARs.
