Tag Archives: Luke Dembosky

Maturing Compliance with the Bulk Sensitive Data Rule before the July 8, 2025 Safe Harbor Expires

by Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu

Top left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu (photos courtesy of Debevoise & Plimpton LLP)

All eyes are on the DOJ Bulk Sensitive Data Rule (28 C.F.R. Part 202) and July 8, 2025, when the recently announced good-faith safe harbor expires. The rule, which the Department of Justice now refers to as the Data Security Program (the “DSP”), creates a comprehensive export control regime to restrict the transfer of bulk sensitive personal and government-related data to foreign adversaries deemed threats to U.S. national security. On April 11, 2025, shortly after the first effective date of the DSP, the National Security Division (“NSD”) of DOJ issued a suite of three policy and guidance documents to facilitate compliance with the DSP, including a 90-day civil enforcement safe harbor for good-faith compliance. As previously discussed, the DSP seeks to address the bipartisan concern that sensitive datasets could be exploited by foreign adversaries for espionage, cyberattacks, malign influence, and coercion, which would undermine the United States’ national security interests.


SEC’s Focus on Cyber and AI to Continue Under Trump Administration

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Julie M. Riewe, Jeff Robins, Kristin A. Snyder, and Cameron Sharp


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Avi Gesser. Bottom left to right: Erez Liebermann, Julie M. Riewe, Jeff Robins, and Kristin A. Snyder. (Photos courtesy of Debevoise & Plimpton LLP).

On February 20, 2025, the SEC announced the creation of the Cyber and Emerging Technologies Unit (“CETU”) to focus on “combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space.” In this blog post, we provide an overview of the announcement, which illustrates that the Trump administration will continue to prioritize SEC cybersecurity and artificial intelligence examinations and enforcement, with a particular emphasis on fraudulent conduct impacting retail investors.


Managing Cybersecurity Risks Arising from AI — New Guidance from the NYDFS

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu.


Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, and Erez Liebermann. Bottom left to right: Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

On October 16, 2024, the New York Department of Financial Services (the “NYDFS”) issued an Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI (the “Guidance”) under the existing 23 NYCRR Part 500 (“Part 500” or “Cybersecurity Regulation”) framework. The Guidance applies to entities that are covered by Part 500 (i.e., entities with a license under the New York Banking Law, Insurance Law or Financial Services Law), but it provides valuable direction to all companies for managing the new cybersecurity risks associated with AI.

The NYDFS makes clear that the Guidance does not impose any new requirements beyond those already contained in the Cybersecurity Regulation. Instead, the Guidance is meant to explain how covered entities should use the Part 500 framework to address cybersecurity risks associated with AI and build controls to mitigate such risks. It also encourages companies to explore the potential cybersecurity benefits from integrating AI into cybersecurity tools (e.g., reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats). Entities that are covered by Part 500, especially those that have deployed AI in significant ways, should review the Guidance carefully, along with their current cybersecurity policies and controls, to see if any enhancements are appropriate.


Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly, and Anna Moody


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky and Erez Liebermann. Bottom left to right: Benjamin R. Pedersen, Julie M. Riewe, Matt Kelly and Anna Moody. (Photos courtesy of Debevoise & Plimpton LLP)

In an unprecedented settlement, on June 18, 2024, the U.S. Securities & Exchange Commission (the “SEC”) announced that communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) agreed to pay approximately $2.1 million to resolve charges arising out of its response to a 2021 ransomware attack. According to the SEC, RRD’s response to the attack revealed deficiencies in its cybersecurity policies and procedures and related disclosure controls. Specifically, in addition to asserting that RRD had failed to gather and review information about the incident for potential disclosure on a timely basis, the SEC alleged that RRD had failed to implement a “system of cybersecurity-related internal accounting controls” to provide reasonable assurances that access to the company’s assets—namely, its information technology systems and networks—was permitted only with management’s authorization. In particular, the SEC alleged that RRD failed to properly instruct the firm responsible for managing its cybersecurity alerts on how to prioritize such alerts, and then failed to act upon the incoming alerts from this firm.


Real-Time Deepfakes May Necessitate Enhancements to Wire Transfer BEC Policies

by Charu Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Matt Kelly, and Karen Joo


Left to right: Charu Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Matt Kelly and Karen Joo. (Photos courtesy of Debevoise & Plimpton LLP)

The following scenario is no longer science fiction: An employee receives an email from the CEO asking her to join a video call. The CEO directs the employee to send confidential documents to a third party. The request is unusual, but the employee saw the CEO with her own eyes, so she complies. It turns out, however, that it was a real-time deepfake and not the real CEO who gave the instructions on the video call.

We’ve previously written about business email compromise (“BEC”) and wire transfer fraud scams, and the various measures that companies can implement to reduce the associated risks. But in light of recent developments in deepfake technologies, and their increasing use as part of BECs, companies should consider revisiting their BEC mitigation strategies because some existing BEC policies may no longer be sufficient to address these emerging threats.


Resisting Hindsight Bias: A Proposed Framework for CISO Liability

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse


Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Erez Liebermann. Bottom left to right: Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse. (Photos courtesy of Debevoise & Plimpton LLP)

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) charged SolarWinds Corporation’s (“SolarWinds” or the “Company”) chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations related both to the Russian cyberattack on the Company discovered in December 2020 and to alleged undisclosed weaknesses in the Company’s cybersecurity program dating back to 2018.[1] This is the first time the SEC has charged a CISO in connection with alleged violations of the federal securities laws occurring within the scope of his or her cybersecurity functions.[2] In doing so, the SEC has raised industry concerns that it intends to—with the benefit of 20/20 hindsight, but without the benefit of core cybersecurity expertise—dissect a CISO’s good-faith judgments in the aftermath of a cybersecurity incident and wield incidents to second guess the design and effectiveness of a company’s entire cybersecurity program (including as it intersects with internal accounting controls designed to identify and prevent errors or inaccuracies in financial reporting) and related disclosures and attempt to hold the CISO liable for any perceived failures.


Hackers Turned Whistleblowers: SEC Cybersecurity Rules Weaponized Over Ransom Threat

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, and Erez Liebermann
Bottom left to right: Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue (Photos courtesy of Debevoise & Plimpton LLP)

On November 7, 2023, the prolific ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and Exchange Commission (the “SEC”) against its victim for failing to publicly disclose the cybersecurity incident. AlphV wrote in its complaint[1]:

We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

As we have previously reported, the SEC adopted final rules mandating disclosure of cybersecurity risk, strategy and governance, as well as material cybersecurity incidents. This includes new Item 1.05 of Form 8-K, which, beginning December 18, will require registrants to disclose certain information about a material cybersecurity incident within four business days of determining that a cybersecurity incident it has experienced is material. Though AlphV jumped the gun on the applicability of new Item 1.05, its familiarity with, and exploitation of, its target’s public disclosure obligations is a further escalation in a steadily increasing trend of pressure tactics by leading ransom groups.


SEC Adopts New Cybersecurity Rules for Issuers

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff 


Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel. Bottom left to right: Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff. (Photos courtesy of the authors)

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers, (ii) its proposed amendments to Reg S-P and Reg SCI and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.


Lessons from The Financial Stability Board’s Report on Cyber Incident Reporting

by Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood


From left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood (Photos courtesy of Debevoise & Plimpton LLP)

Big businesses, especially those with a global footprint and operating in regulated sectors, are increasingly confronted with new and diverging cyber incident reporting requirements. A single incident—even a relatively minor one—may require notification to dozens of data protection, cyber, law enforcement, and sectoral regulators around the world, in addition to insurers, customers, and counterparties. Not only do many regulatory reporting obligations have materially different triggers, but also significant variation exists in reporting timeframes, content requirements, and subsequent regulatory engagement practices. The cumulative effect of this regulatory spiderweb of red tape is often to divert attention and resources away from substantive incident response and remediation, and to create a bureaucratic vortex for compliance and legal personnel. To make matters worse, businesses cannot simply hire their way out of this morass. With a ~3.4 million person shortage in information security professionals, when regulators force too much attention on incident reporting they are invariably diverting eyes from actual information security.


A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations

by Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, Jeff Robins, Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, Mengyi Xu, and Ned Terrace


Top row from left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, and Jeff Robins. Bottom row from left to right: Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed new rules (the “Proposed Rules”) that include:

  • Proposed new cybersecurity rules for broker-dealers, security-based swap dealers, major security-based swap participants, transfer agents, a variety of market infrastructure providers (national securities exchanges, clearing agencies, and security-based swap data repositories), and securities SROs (collectively, “Market Entities”) that would impose new policies and procedures requirements and incident notification obligations (“BD Cyber Proposal”);
  • Amendments to Regulation S-P (“Reg S-P”) that would require the implementation of an incident response program, including a new customer notification obligation; expand the scope of the existing requirements relating to the safeguarding of “customer” information and the disposal of “consumer” information relating to individuals (the “Safeguards and Disposal Rules”); and impose new recordkeeping requirements (“Reg S-P Proposal”); and
  • Amendments to Regulation SCI (“Reg SCI”) to expand the scope of covered entities to cover certain broker-dealers without an ATS and security-based swap data repositories and to update requirements relating to policies and procedures, incident notification, and other compliance obligations (“Reg SCI Proposal”).
