Tag Archives: Mengyi Xu

Maturing Compliance with the Bulk Sensitive Data Rule before the July 8, 2025 Safe Harbor Expires

by Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu

Top left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Rick Sofield, Johanna N. Skrzypczyk, and Mengyi Xu (photos courtesy of Debevoise & Plimpton LLP)

All eyes are on the DOJ Bulk Sensitive Data Rule (28 C.F.R. Part 202) and July 8, 2025, when the recently announced good-faith safe harbor expires. The rule, which the Department of Justice now refers to as the Data Security Program (the “DSP”), creates a comprehensive export control regime to restrict the transfer of bulk sensitive personal and government-related data to foreign adversaries deemed threats to U.S. national security. On April 11, 2025, shortly after the first effective date of the DSP, the National Security Division (“NSD”) of DOJ issued a suite of three policy and guidance documents to facilitate compliance with the DSP, including a 90-day civil enforcement safe harbor for good-faith compliance. As previously discussed, the DSP seeks to address the bipartisan concern that sensitive datasets could be exploited by foreign adversaries for espionage, cyberattacks, malign influence, and coercion, which would undermine the United States’ national security interests.

Continue reading

FTC’s Consent Order Against Marriott: Expectations for Reasonable Security

by Erez LiebermannJim PastoreChristopher S. FordMichael BloomMengyi XuAchutha Raman, and Michelle Shen  

Photos of the authors

Top left to right: Erez Liebermann, Jim Pastore, Christopher S. Ford, Michael Bloom.
Bottom left to right: Mengyi Xu, Achuta Raman and Michelle Shen. (Photos courtesy of the authors.)

Introduction

On December 20, 2024, the Federal Trade Commission (the “FTC”) finalized a consent agreement (“Consent Order”) with Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC (collectively, “Marriott”) to settle allegations that Marriott failed to implement reasonable data security measures, resulting in three large data breaches from 2014 to 2020 and affecting more than 344 million customers worldwide. With obligations extending 20 years, the Consent Order requires Marriott to, among other remedial steps, implement a comprehensive information security program (“ISP”) with prescribed security measures, the effectiveness of which will be subject to a third-party independent biennial assessment. Key elements of the required ISP include multi-factor authentication (“MFA”), encryption, asset inventory, written documentation, and vulnerability and patch management. The final Consent Order is materially identical to the proposal announced on October 9, 2024.

Continue reading

CPPA Proposed Rulemaking Package Part 1 – Cybersecurity Audits

by Avi Gesser, Matt Kelly, Johanna N. Skrzypczyk, H. Jacqueline Brehmer, Ned Terrace, Mengyi Xu, and Amer Mneimneh

Photos of the authors

Top: Avi Gesser, Matt Kelly, and Johanna N. Skrzypczyk,. Bottom: H. Jacqueline Brehmer, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

Key Takeaways

  • On November 22, 2024, the California Privacy Protection Agency (CPPA) launched a formal public comment period on its draft regulations addressing annual cybersecurity audits and other privacy obligations under the California Consumer Privacy Act (CCPA).
  • These proposed rules aim to establish robust standards for thorough and independent cybersecurity audits, delineating both procedural and substantive requirements for businesses processing personal information.
  • In this update, we provide an overview of the new cybersecurity audit provisions, including key thresholds for applicability, detailed audit expectations, and the evolving regulatory landscape shaping cybersecurity compliance.

Continue reading

Managing Cybersecurity Risks Arising from AI — New Guidance from the NYDFS

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Erez Liebermann, Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu.

Photos of the authors

Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, and Erez Liebermann. 
Bottom left to right: Marshal Bozzo, Johanna Skrzypczyk, Ned Terrace, and Mengyi Xu. (Photos courtesy of Debevoise & Plimpton LLP)

On October 16, 2024, the New York Department of Financial Services (the “NYDFS”) issued an Industry Letter providing guidance on assessing cybersecurity risks associated with the use of AI (the “Guidance”) under the existing 23 NYCRR Part 500 (“Part 500” or “Cybersecurity Regulation”) framework. The Guidance applies to entities that are covered by Part 500 (i.e., entities with a license under the New York Banking Law, Insurance Law or Financial Services Law), but it provides valuable direction to all companies for managing the new cybersecurity risks associated with AI.

The NYDFS makes clear that the Guidance does not impose any new requirements beyond those already contained in the Cybersecurity Regulation. Instead, the Guidance is meant to explain how covered entities should use the Part 500 framework to address cybersecurity risks associated with AI and build controls to mitigate such risks. It also encourages companies to explore the potential cybersecurity benefits from integrating AI into cybersecurity tools (e.g., reviewing security logs and alerts, analyzing behavior, detecting anomalies, and predicting potential security threats). Entities that are covered by Part 500, especially those that have deployed AI in significant ways, should review the Guidance carefully, along with their current cybersecurity policies and controls, to see if any enhancements are appropriate.

Continue reading

30 Days to Form ADV: Have You Reviewed Your AI Disclosures?

by Charu ChandrasekharAvi GesserKristin SnyderJulie M. RieweMarc PonchioneMatt KellySheena PaulMengyi Xu, and Ned Terrace

Photos authors

Top left to right: Charu Chandrasekhar, Avi Gesser, Kristin Snyder, Julie M. Riewe, and Marc Ponchione.
Bottom left to right: Matt Kelly, Sheena Paul, Mengyi Xu, and Ned Terrace. (Photos courtesy of Debevoise & Plimpton LLP)

Registered investment advisers (“RIAs”) have swiftly embraced AI for investment strategy, market research, portfolio management, trading, risk management, and operations. In response to the exploding use of AI across the securities markets, Chair Gensler of the Securities and Exchange Commission (“SEC”) has declared that he plans to prioritize securities fraud in connection with AI disclosures and warned market participants against “AI washing.” Chair Gensler’s statements reflect the SEC’s sharpening scrutiny of AI usage by registrants. The SEC’s Division of Examinations included AI as one of its 2024 examination priorities, and also launched a widespread AI sweep of RIAs focused on AI in connection with advertising, disclosures, investment decisions, and marketing. The SEC previously charged an RIA in connection with misleading Form ADV Part 2A disclosures regarding the risks associated with its use of an AI-based trading tool.

Continue reading

SEC Proposes Rule to Eliminate or Neutralize Conflicts in the Use of “Predictive Data Analytics” Technologies

by Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, Jarrett Lewis, Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu

Photos of the authors

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Avi Gesser, Jeff Robins, Matt Kelly, Gary E. Murphy, and Jarrett Lewis.
Bottom left to right: Robert B. Kaplan, Marc Ponchione, Sheena Paul, Catherine Morrison, Julie M. Riewe, Kristin A. Snyder, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed rules (the “Proposed Rules”) that would require broker-dealers and investment advisers (collectively, “firms”) to evaluate their use of predictive data analytics (“PDA”) and other covered technologies in connection with investor interactions and to eliminate or neutralize certain conflicts of interest associated with such use. The Proposed Rules also contain amendments to rules under the Securities Exchange Act of 1934[1] (“Exchange Act”) and the Investment Advisers Act of 1940[2] (“Advisers Act”) that would require firms to have policies and procedures to achieve compliance with the rules and to make and maintain related records.

In this memorandum, we first discuss the scope of the Proposed Rules and provide a summary of key provisions. We also discuss some key implications regarding the scope and application of the rules if adopted as proposed. The full text of the proposal is available here.

Continue reading

SEC Adopts New Cybersecurity Rules for Issuers

by Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, Paul M. Rodel, Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff 

Photos of the authors

Top left to right: Charu A. Chandrasekhar, Luke Dembosky, Avi Gesser, Matthew E. Kaplan, Erez Liebermann, Benjamin R. Pedersen, and Paul M. Rodel.
Bottom left to right: Steven J. Slutzky, Matt Kelly, Kelly Donoghue, John Jacob, Amy Pereira, Mengyi Xu, and Chris Duff.
(photos courtesy of authors)

On July 26, 2023, the SEC adopted the long-anticipated final rules on cybersecurity risk management, strategy, governance, and incident disclosure for issuers. The new rules are part of the SEC’s larger efforts focused on cybersecurity regulation with a growing universe of rules aimed at different types of SEC registrants, including: (i) its proposed cybersecurity rules for registered investment advisers and funds and market entities, including broker-dealers, (ii) its proposed amendments to Reg S-P and Reg SCI and (iii) existing cybersecurity obligations under SEC regulations, including Reg S-P, Reg S-ID, and the recently amended Form PF.

Continue reading

A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations

by Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, Jeff Robins, Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, Mengyi Xu, and Ned Terrace

Photos of the authors

Top row from left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, and Jeff Robins.
Bottom row from left to right: Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed new rules (the “Proposed Rules”) that include:

  • Proposed new cybersecurity rules for broker-dealers, security-based swap dealers, major security-based swap participants, transfer agents, a variety of market infrastructure providers (national securities exchanges, clearing agencies, and security-based swap data repositories), and securities SROs (collectively, “Market Entities”) that would impose new policies and procedures requirements and incident notification obligations (“BD Cyber Proposal”);
  • Amendments to Regulation S-P (“Reg S-P”) that would require the implementation of an incident response program, including a new customer notification obligation; expand the scope of the existing requirements relating to the safeguarding of “customer” information and the disposal of “consumer” information relating to individuals (the “Safeguards and Disposal Rules”); and impose new recordkeeping requirements (“Reg S-P Proposal”); and
  • Amendments to Regulation SCI (“Reg SCI”) to expand the scope of covered entities to cover certain broker-dealers without an ATS and security-based swap data repositories and to update requirements relating to policies and procedures, incident notification, and other compliance obligations (“Reg SCI Proposal”).

Continue reading

NYDFS Publishes Official Amendments to Its Cybersecurity Regulation

by , and

On November 9, 2022, the New York Department of Financial Services (“NYDFS”) announced the publication of the official proposed amendments to its 2017 Cybersecurity Regulation 23 NYCRR 500 (“Proposed Amendments”). This announcement follows a highly active pre-proposal comment period, during which industry stakeholders shared their thoughts with the NYDFS on the changes under consideration, which we covered here for an Overview, here for a Q and A, and during a webcast. The 60-day public comment period to the Proposed Amendments ends on January 9, 2023. In this blog post, we discuss our initial observations on significant changes between the new release and the pre-proposal.

Highlights of what we learned from the revisions:

  1. NYDFS took the time to ingest comments and clarify interpretations, so the next round of comments is very important.
  2. The Revised Proposal softens the definition of Class A companies.
  3. The Revised Proposal softens the prescriptive requirements around key controls, bringing back some of the risk-based elements of the existing Part 500.
  4. NYDFS understands that the implementation periods for some technical elements were too aggressive and has softened those requirements.

Continue reading

NYDFS Proposes Significant Changes to Its Cybersecurity Rules

by Luke Dembosky, Avi Gesser, Erez Liebermann, Jim Pastore, Charu A. Chandrasekhar, H. Jacqueline Brehmer, Michelle Huang, and Mengyi Xu.

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) released Draft Amendments to its Part 500 Cybersecurity Rules, which include a mandatory 24‑hour notification for cyber ransom payments, annual independent cybersecurity audits for larger entities, increased expectations for board expertise, and tough new restrictions on privileged accounts. There will be a very short 10-day pre-proposal comments period (ending August 8, 2022), followed by the publishing of the official proposed amendments in the coming weeks, which will start a 60-day comment period.
Continue reading