Tag Archives: Matt Kelly

Real-Time Deepfakes May Necessitate Enhancements to Wire Transfer BEC Policies

by Charu ChandrasekharLuke DemboskyAvi GesserErez LiebermannMatt Kelly and Karen Joo  

Photos of the Authors

Left to right: Charu Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Matt Kelly and Karen Joo. (Photos courtesy of Debevoise & Plimpton LLP)

The following scenario is no longer science fiction: An employee receives an email from the CEO asking her to join a video call. The CEO directs the employee to send confidential documents to a third party. The request is unusual, but the employee saw the CEO with her own eyes, so she complies. It turns out, however, that it was a real-time deepfake and not the real CEO who gave the instructions on the video call.

We’ve previously written about business email compromise (“BEC”) and wire transfer fraud scams, and the various measures that companies can implement to reduce the associated risks. But in light of recent developments in deepfake technologies, and their increasing use as part of BECs, companies should consider revisiting their BEC mitigation strategies because some existing BEC policies may no longer be sufficient to address these emerging threats.

Continue reading

The EU AI Act – Navigating the EU’s Legislative Labyrinth

by Avi GesserMatt KellyMartha HirstSamuel J. AllamanMelissa Muse, and Samuel Thomson

From left to right: Avi Gesser, Matt Kelly, Martha Hirst, Samuel J. Allaman, and Melissa Muse. Not pictured: Samuel Thomson. (Photos courtesy of Debevoise & Plimpton LLP).

As legislators and regulators around the world are trying to determine how to approach the novel risks and opportunities that AI technologies present, the draft European Union Artificial Intelligence Act (the “EU AI Act” or the “Act”) is a highly anticipated step towards the future of AI regulation. Despite recent challenges in the EU “trilogue negotiations”, proponents still hope to reach a compromise on the key terms by 6th December, with a view to passing the Act in 2024 and most of the provisions becoming effective sometime in 2026.

As one of the few well-progressed AI-specific laws currently in existence, the EU AI Act has generated substantial global attention. Analogous to the influential role played by the EU’s GDPR in shaping the contours of global data privacy laws, the EU AI Act similarly has the potential to influence the worldwide evolution of AI regulation.

This blog post summarizes the complexities of the EU legislative process to explain the current status of, and next steps for, the draft EU AI Act. It also includes steps which businesses may want to start taking now in preparation of incoming AI regulation.

Continue reading

Hackers Turned Whistleblowers: SEC Cybersecurity Rules Weaponized Over Ransom Threat

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, and Erez Liebermann
Bottom left to right: Benjamin R. Pedersen, Steven J. Slutzky, Jonathan R. Tuttle, Matt Kelly, and Kelly Donoghue (Photos courtesy of Debevoise & Plimpton LLP)

On November 7, 2023, the profilic ransomware group AlphV (a/k/a “BlackCat”) reportedly breached software company MeridianLink’s information systems, exfiltrated data and demanded payment in exchange for not publicly releasing the stolen data. While this type of cybersecurity incident has become increasingly common, the threat actor’s next move was less predictable. AlphV filed a whistleblower tip with the U.S. Securities and Exchange Commission (the “SEC”) against its victim for failing to publicly disclose the cybersecurity incident. AlphV wrote in its complaint[1]:

We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules. It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.

As we have previously reported, the SEC adopted final rules mandating disclosure of cybersecurity risk, strategy and governance, as well as material cybersecurity incidents. This includes new Item 1.05 of Form 8-K, which, beginning December 18,­ will require registrants to disclose certain information about a material cybersecurity incident within four business days of determining that a cybersecurity incident it has experienced is material. Though AlphV jumped the gun on the applicability of new Item 1.05, its familiarity with, and exploitation of their target’s public disclosure obligations is a further escalation in a steadily increasing trend of pressure tactics by leading ransom groups.

Continue reading

The Final Colorado AI Insurance Regulations: What’s New and How to Prepare

by Avi Gesser, Erez Liebermann, Eric Dinallo, Matt Kelly, Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman, and Basil Fawaz

Photo of authors

Top left to right: Avi Gesser, Erez Liebermann, Eric Dinallo and Matt Kelly
Bottom left to right: Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman and Basil Fawaz
(Photos courtesy of Debevoise & Plimpton LLP)

On September 21, 2023, the Colorado Division of Insurance (the “DOI”) released its Final Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the “Final Regulation”). As discussed below, the Final Regulation (which becomes effective on November 14, 2023) reflects several small changes from the previous version of the regulation that was released on May 26, 2023 (the “Draft Regulation”). A redline reflecting these changes can be found here.

The most substantive change is the requirement that insurers must remediate any detected unfair discrimination. This change is especially significant in light of the DOI’s release of its draft regulation on Quantitative Testing for Unfairly Discriminatory Outcomes for Algorithms and Predictive Models Used for Life Insurance Underwriting (the “Draft Testing Regulation”) on September 28, 2023, which requires insurers to estimate the race and ethnicity of all proposed insureds that have applied for life insurance coverage and then conduct detailed quantitative testing of models that use external consumer data and information sources (“ECDIS”) for potential bias. The Testing Regulation provides that certain results of that prescribed testing methodology will be deemed to be unfairly discriminatory and thereby require the insurer to “immediately take reasonable steps . . . to remediate the unfairly discriminatory outcome . . .”  We will be writing much more about our concerns over the Draft Testing Regulation in the coming weeks.

In this Blog Post, we discuss the Final Regulation, how it differs from the Draft Regulation, and what companies should be doing now to prepare for compliance.

Continue reading

SEC Proposes Rule to Eliminate or Neutralize Conflicts in the Use of “Predictive Data Analytics” Technologies

by Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, Jarrett Lewis, Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu

Photos of the authors

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, and Jarrett Lewis.
Bottom left to right: Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed rules (the “Proposed Rules”) that would require broker-dealers and investment advisers (collectively, “firms”) to evaluate their use of predictive data analytics (“PDA”) and other covered technologies in connection with investor interactions and to eliminate or neutralize certain conflicts of interest associated with such use. The Proposed Rules also contain amendments to rules under the Securities Exchange Act of 1934[1] (“Exchange Act”) and the Investment Advisers Act of 1940[2] (“Advisers Act”) that would require firms to have policies and procedures to achieve compliance with the rules and to make and maintain related records.

In this memorandum, we first discuss the scope of the Proposed Rules and provide a summary of key provisions. We also discuss some key implications regarding the scope and application of the rules if adopted as proposed. The full text of the proposal is available here.

Continue reading

SEC Adopts New Cybersecurity Rules for Issuers – Part 2 Key Takeaways

by Charu A. Chandrasekhar, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, Chris Duff, John Jacob, Amy Pereira, Ned Terrace, Luke Dembosky, and Mengyi Xu

Photos of the authors

Top left to right: Charu A. Chandrasekhar, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, and Matt Kelly.
Bottom left to right: Kelly Donoghue, Chris Duff, John Jacob, Amy Pereira, Ned Terrace, Luke Dembosky, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On July 26, 2023, the SEC adopted long-anticipated final rules on cybersecurity risk management, strategy, governance and incident disclosure for issuers (“Final Rules”). We summarized the key obligations under the Final Rules, and changes from the Proposing Release,[1] in our July 27, 2023 update. In this companion update, we discuss key takeaways across three areas for issuers to consider:

Continue reading

SEC Adopts New Cybersecurity Rules for Issuers

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff 

Photos of the authors

Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel.
Bottom left to right: Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff.
(photos courtesy of authors)

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers, (ii) its proposed amendments to Reg S-P and Reg SCI and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.

Continue reading

Achieving Sensible AI Regulation

by Melissa MacGregor (SIFMA), Avi Gesser, Matt Kelly, Stephanie Thomas, and Ned Terrace

Photos of the authors

Top righ to left: Melissa MacGregor (SIFMA), Avi Gesser, and Matt Kelly.
Bottom right to left: Stephanie Thomas, Ned Terrace, and Esther Tetruashvily.
(Photos courtesy of the authors).

The proliferation of AI tools and rapid pace of AI adoption have led to calls for new regulation at all levels. President Biden recently said “[w]e need to manage the risks [of AI] to our society, to our economy, and our national security.” The Senate Judiciary Subcommittee on Privacy, Technology and the Law recently held a hearing on “Rules for Artificial Intelligence” to discuss the need for AI regulation, while Senate Majority Leader Schumer released a strategy to regulate AI

Continue reading

The Top Eight AI Adoption Failures and How to Avoid Them

by Avi Gesser, Matt Kelly, Samuel J. Allaman, Michelle H. Bao, Anna R. Gressel, Michael Pizzi, Lex Gaillard, and Cameron Sharp

Photos of the authors

Top left to right: Avi Gesser, Matt Kelly, Samuel J. Allaman, and Michelle H. Bao.
Bottom left to right: Anna R. Gressel, Michael Pizzi, Lex Gaillard, and Cameron Sharp.
(Photos courtesy of Debevoise & Plimpton LLP)

Over the past three years, we have observed many companies in a wide range of sectors adopt Artificial Intelligence (“AI”) applications for a host of promising use cases. In some instances, however, those efforts have ended up being less valuable than anticipated—and in a few cases, were abandoned altogether—because certain risks associated with adopting AI were not properly considered or addressed before or during implementation. These risks include issues related to cybersecurity, privacy, contracting, intellectual property, data quality, business continuity, disclosure, and fairness.

In this Debevoise Data Blog post, we examine how the manifestation of these risks can lead to AI adoption “failure” and identify ways companies can mitigate these risks to achieve their goals when implementing AI applications.

Continue reading

The Revised Colorado AI Insurance Regulations: What Was Fixed, and What Still May Need Fixing

by Eric Dinallo, Avi Gesser, Matt Kelly, Samuel J. Allaman, Anna R. Gressel, Melissa Muse, and Stephanie D. Thomas

Photos of the authors

From top left to right: Eric Dinallo, Avi Gesser, Matt Kelly, and Samuel J. Allaman.
From bottom left to right: Anna R. Gressel, Melissa Muse, and Stephanie D. Thomas.
(Photos courtesy of Debevoise & Plimpton LLP)

On May 26, 2023, the Colorado Division of Insurance (the “DOI”) released its Revised Draft Algorithm and Predictive Model Governance Regulation (the “Revised Regulation”), amending its initial draft regulation (the “Initial Regulation”), which was released on February 1, 2023. The Revised Regulation imposes requirements on Colorado-licensed life insurance companies that use external consumer data and information sources (“ECDIS”), as well as algorithms and predictive models (“AI models”) that use ECDIS, in insurance practices. The Revised Regulation comes after months of active engagement between the DOI and industry stakeholders. In this Debevoise In Depth, we discuss the Revised Regulation, how it differs from the Initial Regulation, what additional changes should be considered, and how companies can prepare for compliance.

Continue reading