Tag Archives: Marc Ponchione

30 Days to Form ADV: Have You Reviewed Your AI Disclosures?

by Charu Chandrasekhar, Avi Gesser, Kristin Snyder, Julie M. Riewe, Marc Ponchione, Matt Kelly, Sheena Paul, Mengyi Xu, and Ned Terrace

Top left to right: Charu Chandrasekhar, Avi Gesser, Kristin Snyder, Julie M. Riewe, and Marc Ponchione.
Bottom left to right: Matt Kelly, Sheena Paul, Mengyi Xu, and Ned Terrace. (Photos courtesy of Debevoise & Plimpton LLP)

Registered investment advisers (“RIAs”) have swiftly embraced AI for investment strategy, market research, portfolio management, trading, risk management, and operations. In response to the exploding use of AI across the securities markets, Chair Gensler of the Securities and Exchange Commission (“SEC”) has declared that he plans to prioritize securities fraud in connection with AI disclosures and warned market participants against “AI washing.” Chair Gensler’s statements reflect the SEC’s sharpening scrutiny of AI usage by registrants. The SEC’s Division of Examinations included AI as one of its 2024 examination priorities, and also launched a widespread AI sweep of RIAs focused on AI in connection with advertising, disclosures, investment decisions, and marketing. The SEC previously charged an RIA in connection with misleading Form ADV Part 2A disclosures regarding the risks associated with its use of an AI-based trading tool.

SEC Proposes Rule to Eliminate or Neutralize Conflicts in the Use of “Predictive Data Analytics” Technologies

by Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, Jarrett Lewis, Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, and Jarrett Lewis.
Bottom left to right: Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed rules (the “Proposed Rules”) that would require broker-dealers and investment advisers (collectively, “firms”) to evaluate their use of predictive data analytics (“PDA”) and other covered technologies in connection with investor interactions and to eliminate or neutralize certain conflicts of interest associated with such use. The Proposed Rules also contain amendments to rules under the Securities Exchange Act of 1934[1] (“Exchange Act”) and the Investment Advisers Act of 1940[2] (“Advisers Act”) that would require firms to have policies and procedures to achieve compliance with the rules and to make and maintain related records.

In this memorandum, we first discuss the scope of the Proposed Rules and provide a summary of key provisions. We also discuss some key implications regarding the scope and application of the rules if adopted as proposed. The full text of the proposal is available here.

A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations

by Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, Jeff Robins, Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, Mengyi Xu, and Ned Terrace

Top row from left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, and Jeff Robins.
Bottom row from left to right: Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed new rules (the “Proposed Rules”) that include:

  • Proposed new cybersecurity rules for broker-dealers, security-based swap dealers, major security-based swap participants, transfer agents, a variety of market infrastructure providers (national securities exchanges, clearing agencies, and security-based swap data repositories), and securities SROs (collectively, “Market Entities”) that would impose new policies and procedures requirements and incident notification obligations (“BD Cyber Proposal”);
  • Amendments to Regulation S-P (“Reg S-P”) that would require the implementation of an incident response program, including a new customer notification obligation; expand the scope of the existing requirements relating to the safeguarding of “customer” information and the disposal of “consumer” information relating to individuals (the “Safeguards and Disposal Rules”); and impose new recordkeeping requirements (“Reg S-P Proposal”); and
  • Amendments to Regulation SCI (“Reg SCI”) to expand the scope of covered entities to cover certain broker-dealers without an ATS and security-based swap data repositories and to update requirements relating to policies and procedures, incident notification, and other compliance obligations (“Reg SCI Proposal”).

It’s Time to Take Credential Stuffing Seriously

by Jeremy Feigelson, Avi Gesser, Norma Angelica Freeland, Marc Ponchione, Gregory T. Larkin, and Robert Maddox

We have recently written about the persistence of the three most common cyber attacks: Ransomware, Phishing and Business Email Compromises (BECs) and the increased regulatory scrutiny that companies face when they fall victim to these attacks. Two recent developments demonstrate that credential stuffing is yet another serious cybersecurity risk that is on the rise and has the attention of regulators. First, on September 15, 2020, New York’s Attorney General, Letitia James, announced a $650,000 settlement with Dunkin’ Donuts, stemming from a 2015 security breach that targeted almost 20,000 customers using credential stuffing. Second, on the same day, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a risk alert (the “Risk Alert”) on observed best practices by registered investment advisers and broker-dealers (together, “firms”) to protect customer accounts against credential stuffing. In this client update, we will discuss the cybersecurity and regulatory risks posed by credential stuffing and several ways to mitigate these risks.
