The NYU School of Law Program on Corporate Compliance and Enforcement (PCCE) is delighted to announce that Stephanie Avakian, a highly-experienced white collar defense attorney and former director of enforcement at the Securities and Exchange Commission (SEC), has joined PCCE’s Board of Advisors.
Photo courtesy of Wilmer Cutler Pickering Hale and Dorr LLP
by Staff at the Federal Trade Commission’s Office of Technology
The FTC’s Tech Summit on AI[1] highlighted three panels that reflect different layers of the AI tech stack – hardware and infrastructure, data and models, and front-end user applications. Here, we publish the first in a three-part series of “Quote Books” summarizing each of the three panels. This first quote book is focused on hardware and infrastructure, including semiconductor chips and cloud computing.
by Michael A. Asaro, James Joseph Benjamin Jr., Ezra Zahabi, and Joe Hewton
From left to right: Michael A. Asaro, James Joseph Benjamin Jr., Ezra Zahabi, and Joe Hewton. (Photos courtesy of Akin Gump Strauss Hauer & Feld LLP).
Last month, the United Kingdom Financial Conduct Authority (FCA) announced that it is considering new procedures under which it would publicly identify firms that are under investigation as soon as the investigation has been opened.[1] The consultation period closes on April 30, 2024. (See our recent client alert here). The proposed new approach—which, if adopted, would be a dramatic break from historical practice—would result in public disclosure before any charges have been filed and before the FCA has determined whether the firm actually did anything wrong. In this article, we draw comparisons between the investigation disclosure regimes in the U.K. and the United States. We also provide commentary on the FCA’s proposals.
by Jamillia Ferris, Vinita Kailasanath, Christine Lyon, Jan Rybnicek, and David Sewell
Left to right: Jamillia Ferris, Vinita Kailasanath, Christine Lyon, Jan Rybnicek, and David Sewell (photos courtesy of Freshfields Bruckhaus Deringer LLP)
Freshfields recently hosted a U.S. Fintech Hot Topics Webinar to highlight on-the-ground insights from our Antitrust and Competition, Data Privacy and Security, Financial Services Regulatory, and Transactional teams. The fintech sector has recently seen a return to explosive growth and is expected to continue growing rapidly notwithstanding regulatory and economic headwinds. Our top takeaways from the panel discussion are below, and the full recording is available here.
by Stephen M. Kohn, Alyce Petit, Kate Reeves, and Geoff Schweller
Left to Right: Stephen M. Kohn, Alyce Petit, Kate Reeves and Geoff Schweller (photos courtesy of authors)
Corporate whistleblowers who report through internal compliance channels face higher rates of retaliation than those who report externally to the government, according to research published in a working paper on the Social Science Research Network (SSRN).
An analysis of 8-years worth of Dodd-Frank Act and Sarbanes-Oxley Act (SOX) whistleblower retaliation cases found that over 90% of the cases involved internal whistleblowers.
These findings are of particular importance in light of Congressional efforts to amend the Dodd-Frank Act to extend anti-retaliation protections for internal whistleblowers. They also validate the importance of regulations by the U.S. Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) that explicitly do not require whistleblowers to make internal reports prior to qualifying for a reward under the Dodd-Frank.
by Brent Carlson and Michael Huneke
From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)
On March 27–29, 2024, the U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) hosted an Update Conference on Export Controls & Policy. The event was a major outreach effort by the U.S. government. Nearly 100 BIS and other U.S. agency officials engaged with 1,200 attendees over three days.
As was appropriate for an event coinciding with Opening Day of the U.S. Major League Baseball season, BIS officials emphasized that they—and those they regulate—are playing a whole new national security ballgame. This theme ran through every topic. It also drives the key practical takeaways that we highlight below for in-house compliance professionals assessing evasion and diversion risks and responding to reports of the same—particularly reports that some U.S. companies recently received directly from the U.S. government. Continue reading
by Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Matt Kelly, Anna Moody, John Jacob, and Kelly Donoghue
Top (left to right): Charu A. Chandrasekhar, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel
Bottom (left to right): Matt Kelly, Anna Moody, John Jacob, and Kelly Donoghue (photos of courtesy of Debevoise & Plimpton LLP)
On December 18, 2023, the Securities and Exchange Commission’s (the “SEC”) rule requiring disclosure of material cybersecurity incidents became effective. To date, 11 companies have reported a cybersecurity incident under the new Item 1.05 of Form 8-K (“Item 1.05”).[1]
After the first 100 days of mandatory cybersecurity incident reporting, we examine the early results of the SEC’s new disclosure requirement.
by Patrick J. Austin and John Pilch
From the left to right: Patrick J. Austin and John Pilch
On February 28, 2024, U.S. President Joe Biden issued Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern (EO), which authorizes the U.S. Attorney General to restrict large-scale transfers of personal data to “countries of concern.” The “countries of concern” identified in the EO include China (along with Hong Kong and Macau), Russia, Iran, North Korea, Cuba and Venezuela, according to a summary issued by the White House.
by Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Arian M. June, Robert B. Kaplan, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder
Top (left to right): Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, and Arian M. June
Bottom (left to right): Robert B. Kaplan, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder (photos courtesy of Debevoise & Plimpton LLP)
On March 18, 2024, the U.S. Securities and Exchange Commission (“SEC”) announced settled charges against two investment advisers, Delphia (USA) Inc. (“Delphia”) and Global Predictions Inc. (“Global Predictions”) for making false and misleading statements about their alleged use of artificial intelligence (“AI”) in connection with providing investment advice. These settlements are the SEC’s first-ever cases charging violations of the antifraud provisions of the federal securities laws in connection with AI disclosures, and also include the first settled charges involving AI in connection with the Marketing and Compliance Rules under the Investment Advisers Act of 1940 (“Advisers Act”). The matters reflect Chair Gensler’s determination to target “AI washing”—securities fraud in connection with AI disclosures under existing provisions of the federal securities laws—and underscore that public companies, investment advisers and broker-dealers will face rapidly increasing scrutiny from the SEC in connection with their AI disclosures, policies and procedures. We have previously discussed Chair Gensler’s scrutiny of AI washing and AI disclosure risk in Form ADV Part 2A filings. In this client alert, we discuss the charges and AI disclosure and compliance takeaways.
by Beth Burgin Waller and Patrick J. Austin
From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)
The federal Cybersecurity and Infrastructure Security Agency (CISA) released a draft of its proposed rule detailing how covered entities operating in critical infrastructure sectors report cyberattacks and ransomware payments to the federal government. The proposed rule states that entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours after an entity reasonably believes a cyber incident has occurred and report ransom payments within 24 hours after a payment is made. The proposed Cyber Rule – hundreds of pages as drafted – adds significant requirements for those required to make a report, including a requirement that the entity preserve materials used to create the report (such as the threat actor’s ransom note, logs, and forensic artifacts) for two years. As proposed, the Rule applies to large businesses and the critical infrastructure sector alike. Failure to comply can result in an entity being subpoenaed and ultimately referred to the Department of Justice for noncompliance.
The proposed rule is scheduled to be published on the Federal Register on April 4, 2024. An unpublished version of the proposed rule may be accessed here (pdf).