Tag Archives: Andrew J. Ceresney

Supreme Court Punches SEC APs Right in the Seventh Amendment

by Andrew J. Ceresney, Charu A. Chandrasekhar, Arian M. June, Robert B. Kaplan, Julie M. Riewe, Kristin A. Snyder, and Jonathan R. Tuttle

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Arian M. June, and Robert B. Kaplan. Bottom left to right: Julie M. Riewe, Kristin A. Snyder, and Jonathan R. Tuttle. (Photos courtesy of Debevoise & Plimpton LLP)

Recently, in a long-awaited ruling with significant implications for the securities industry and administrative agencies more generally, the U.S. Supreme Court affirmed the Fifth Circuit’s decision in Jarkesy v. SEC, holding that the Seventh Amendment right to a jury trial precluded the U.S. Securities and Exchange Commission (the “SEC”) from pursuing monetary penalties for securities fraud violations through in-house administrative adjudications. The key takeaways are:

  • The Court’s ruling was limited to securities fraud claims, but other SEC claims seeking legal remedies may be impacted, as well as claims by other federal agencies that may have been adjudicated in-house previously.
  • We expect that the SEC will continue its practice of bringing new enforcement actions in district court, except when a claim is available only in the administrative forum.
  • Because of the majority decision’s focus on fraud’s common-law roots, the decision raises questions about whether the SEC may bring negligence-based or strict liability claims seeking penalties administratively.
  • The Court did not resolve other constitutional questions concerning the SEC’s administrative law judges, including whether the SEC’s use of administrative proceedings violates the non-delegation doctrine and whether the SEC’s administrative law judges are unconstitutionally protected from removal in violation of Article III.
  • We anticipate additional litigation regarding these unresolved issues.

Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.

AI Enforcement Starts with Washing: The SEC Charges its First AI Fraud Cases

by Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Arian M. June, Robert B. Kaplan, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder

Top (left to right): Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, and Arian M. June
Bottom (left to right): Robert B. Kaplan, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder (photos courtesy of Debevoise & Plimpton LLP)

On March 18, 2024, the U.S. Securities and Exchange Commission (“SEC”) announced settled charges against two investment advisers, Delphia (USA) Inc. (“Delphia”) and Global Predictions Inc. (“Global Predictions”) for making false and misleading statements about their alleged use of artificial intelligence (“AI”) in connection with providing investment advice. These settlements are the SEC’s first-ever cases charging violations of the antifraud provisions of the federal securities laws in connection with AI disclosures, and also include the first settled charges involving AI in connection with the Marketing and Compliance Rules under the Investment Advisers Act of 1940 (“Advisers Act”). The matters reflect Chair Gensler’s determination to target “AI washing”—securities fraud in connection with AI disclosures under existing provisions of the federal securities laws—and underscore that public companies, investment advisers and broker-dealers will face rapidly increasing scrutiny from the SEC in connection with their AI disclosures, policies and procedures. We have previously discussed Chair Gensler’s scrutiny of AI washing and AI disclosure risk in Form ADV Part 2A filings. In this client alert, we discuss the charges and AI disclosure and compliance takeaways.

DOJ Announces Initiative to Combat AI-Assisted Crime

by Helen V. Cantwell, Andrew J. Ceresney, Avi Gesser, Andrew M. Levine, David A. O’Neil, Winston M. Paes, Jane Shvets, Bruce E. Yannett, and Douglas S. Zolkind

Top (left to right): Helen V. Cantwell, Andrew J. Ceresney, Avi Gesser, Andrew M. Levine, and David A. O’Neil
Bottom (left to right): Winston M. Paes, Jane Shvets, Bruce E. Yannett, and Douglas S. Zolkind (photos courtesy of Debevoise & Plimpton LLP)

On February 14, 2024, Deputy Attorney General Lisa O. Monaco announced an initiative within the U.S. Department of Justice to ramp up the detection and prosecution of crimes perpetrated through artificial intelligence (AI) technology, including seeking harsher sentences for certain AI-assisted crimes. Monaco also announced a new effort to evaluate how the Department can best use AI internally to advance its mission while guarding against AI risks.

SDNY Whistleblower Pilot Program Incentivizes Self-Disclosure and Cooperation

by Helen V. Cantwell, Andrew J. Ceresney, Andrew M. Levine, David A. O’Neil, Winston M. Paes, Jane Shvets, Bruce E. Yannett, Douglas S. Zolkind, Erich O. Grosz, and Rebecca Maria Urquiola

Top left to right: Helen V. Cantwell, Andrew J. Ceresney, Andrew M. Levine, David A. O’Neil, and Winston M. Paes.
Bottom left to right: Jane Shvets, Bruce E. Yannett, Douglas S. Zolkind, Erich O. Grosz, and Rebecca Maria Urquiola. (Photos courtesy of Debevoise & Plimpton LLP)

On Wednesday, January 10, 2024, the U.S. Attorney’s Office for the Southern District of New York (“SDNY”) launched the SDNY Whistleblower Pilot Program (the “Program”).[1] The Program seeks to incentivize individuals to report criminal wrongdoing—including corporate control failures, state and local bribery, and fraudulent dealings involving public funds—before SDNY learns of the conduct and to fully cooperate with any resulting investigations and prosecutions. U.S. Attorney Damian Williams encouraged individuals “to come clean, cooperate, and get on the right side of the law,” cautioning “[c]all us before we call you.”[2]

Resisting Hindsight Bias: A Proposed Framework for CISO Liability

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Erez Liebermann. Bottom left to right: Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse. (Photos courtesy of Debevoise & Plimpton LLP)

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) charged SolarWinds Corporation’s (“SolarWinds” or the “Company”) chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations related both to the Russian cyberattack on the Company discovered in December 2020 and to alleged undisclosed weaknesses in the Company’s cybersecurity program dating back to 2018.[1] This is the first time the SEC has charged a CISO in connection with alleged violations of the federal securities laws occurring within the scope of his or her cybersecurity functions.[2] In doing so, the SEC has raised industry concerns that it intends to—with the benefit of 20/20 hindsight, but without the benefit of core cybersecurity expertise—dissect a CISO’s good-faith judgments in the aftermath of a cybersecurity incident and wield incidents to second guess the design and effectiveness of a company’s entire cybersecurity program (including as it intersects with internal accounting controls designed to identify and prevent errors or inaccuracies in financial reporting) and related disclosures and attempt to hold the CISO liable for any perceived failures.

Hackers Turned Whistleblowers: SEC Cybersecurity Rules Weaponized Over Ransom Threat

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, and Erez Liebermann
Bottom left to right: Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue (Photos courtesy of Debevoise & Plimpton LLP)

On November 7, 2023, the prolific ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and Exchange Commission (the “SEC”) against its victim for failing to publicly disclose the cybersecurity incident. AlphV wrote in its complaint[1]:

We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

As we have previously reported, the SEC adopted final rules mandating disclosure of cybersecurity risk, strategy and governance, as well as material cybersecurity incidents. This includes new Item 1.05 of Form 8-K, which, beginning December 18, will require registrants to disclose certain information about a material cybersecurity incident within four business days of determining that a cybersecurity incident it has experienced is material. Though AlphV jumped the gun on the applicability of new Item 1.05, its familiarity with, and exploitation of, its target’s public disclosure obligations is a further escalation in a steadily increasing trend of pressure tactics by leading ransom groups.

SEC Proposes Rule to Eliminate or Neutralize Conflicts in the Use of “Predictive Data Analytics” Technologies

by Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, Jarrett Lewis, Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, and Jarrett Lewis.
Bottom left to right: Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed rules (the “Proposed Rules”) that would require broker-dealers and investment advisers (collectively, “firms”) to evaluate their use of predictive data analytics (“PDA”) and other covered technologies in connection with investor interactions and to eliminate or neutralize certain conflicts of interest associated with such use. The Proposed Rules also contain amendments to rules under the Securities Exchange Act of 1934[1] (“Exchange Act”) and the Investment Advisers Act of 1940[2] (“Advisers Act”) that would require firms to have policies and procedures to achieve compliance with the rules and to make and maintain related records.

In this memorandum, we first discuss the scope of the Proposed Rules and provide a summary of key provisions. We also discuss some key implications regarding the scope and application of the rules if adopted as proposed. The full text of the proposal is available here.

Supreme Court Repudiates “Right-to-Control” Theory Under the Federal Wire Fraud Statute

Editor’s Note: The NYU Law Program on Corporate Compliance and Enforcement (PCCE) is following the recent U.S. Supreme Court decisions in Percoco v. United States and Ciminelli v. United States, which narrow the scope of honest services fraud and eliminate the so-called “Right to Control” theory in federal fraud cases, respectively. Together, these two cases continue a trend of circumscribing the federal government’s ability to prosecute domestic public corruption in the United States. 

by Helen V. Cantwell, Andrew J. Ceresney, Courtney M. Dankworth, John Gleeson, David A. O’Neil, Winston M. Paes, Bruce E. Yannett, Douglas S. Zolkind, and Scott M. Caravello

From top left to right: Helen V. Cantwell, Andrew J. Ceresney, Courtney M. Dankworth, John Gleeson, and David A. O’Neil. From bottom left to right: Winston M. Paes, Bruce E. Yannett, Douglas S. Zolkind, and Scott M. Caravello.
(Photos courtesy of Debevoise & Plimpton LLP)

On May 11, 2023, the United States Supreme Court issued its latest opinion in a series of decisions narrowing the scope of the federal fraud statutes.  In that case, Ciminelli v. United States, the Court foreclosed prosecutors’ ability to pursue fraud charges for misrepresentations that did not result in financial harm, but instead deprived victims of information that may have been useful in deciding how to use assets.  In repudiating this theory, known as “right-to-control,” a unanimous Court held that the federal fraud statutes touch only schemes aimed at traditional property interests, like money, and not “mere information.”  To have held otherwise would have meant that “almost any deceptive act could be a crime.”  

Going forward, the Department of Justice will not be able to prosecute a defendant for engaging in mere deceptive or unethical conduct, but must additionally prove that the defendant’s objective was to deprive the victim of money or property.

The SEC’s New Risk Alert Warns about the Use of Alternative Data

by Andrew J. Ceresney, Avi Gesser, Julie M. Riewe, Kristin A. Snyder, Jonathan R. Tuttle, Charu A. Chandrasekhar, and Mengyi Xu

On April 26, 2022, the Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert titled “Investment Adviser MNPI Compliance Issues” (“Risk Alert”) on the use of alternative data.  The Risk Alert outlines EXAMS’ recent observations on compliance deficiencies related to Section 204A of the Investment Advisers Act of 1940—including deficiencies relating to policies and procedures for alternative data—and Rule 204A-1 (the “Code of Ethics Rule”).  Based on the Risk Alert, and the recent SEC enforcement action in this area, we offer three takeaways for investment advisers to reduce their risk when purchasing and using alternative data.
