In brief In a landmark decision on July 18, 2024, Judge Paul Engelmayer of the Southern District of New York dismissed most charges in the SEC’s enforcement action against SolarWinds and its CISO, Timothy Brown. The court ruled that cybersecurity controls are not part of a company’s “system of internal accounting controls” under Section 13(b)(2)(B)(iii) of the Exchange Act, dismissing these claims. However, the court upheld charges that SolarWinds and Brown misled investors with public…
In brief On May 21, 2024, Erik Gerding, Director of the US Securities and Exchange Commission (SEC) Division of Corporate Finance, issued a statement clarifying the SEC’s expectations for cybersecurity incident disclosures under the new Form 8-K Item 1.05. Gerding’s statement clarified that Item 1.05 disclosures should be reserved for material cybersecurity incidents, and voluntary disclosures of immaterial incidents, or of incidents before a materiality determination has been made, should be provided under a different item of…
On March 18, 2024, the United States Securities and Exchange Commission (the “SEC”) announced that it settled charges against two investment advisers for making false and misleading statements about their purported use of artificial intelligence (AI). This SEC enforcement action marks the latest effort by securities regulators to combat the adverse effects of “AI washing” and confirms that AI, and particularly “AI washing”, is at the forefront of securities regulators’ minds. What is “AI washing”? “AI washing”…
This past year brought the rapid rise of ChatGPT and other generative AI platforms, accompanied by several noteworthy legal and regulatory developments. 2024 promises to continue with technology advances, making it a pivotal year for businesses navigating global data privacy and cybersecurity risks. Our Baker McKenzie Top 10 predictions for 2024 follow. As is evident, 2024 will be a critical year for global data privacy and cybersecurity. We welcome your thoughts and predictions. Please feel…
In a shocking show of gumption, a ransomware gang has reportedly not only hacked a US public company’s (MeridianLink) IT systems, but also filed a complaint on the SEC’s Tips, Complaints, and Referrals page, regarding MeridianLink’s claimed failure to disclose the incident in an 8-K in violation of the SEC’s new cybersecurity rules. Even though public companies are not yet required to comply with the new cybersecurity disclosure rules (8-K requirement goes effective on…
In many ways, the Securities and Exchange Commission’s (“SEC”) October 30, 2023 enforcement action against software company SolarWinds Corporation (“SolarWinds”) and its chief information security officer (“CISO”) is a typical securities case. The first four counts involve alleged material misstatements by the public company related to widely reported operational turmoil that allegedly materially impacted the company. But aspects of the case may signal a change in how the SEC looks at cyber incidents, including internal…
In this episode, Cynthia Cole, IP & Technology Partner based in Palo Alto, is joined by Jerome Tomas, Chair of the Firm’s Securities and Exchange (SEC) and Financial Institutions Enforcement Group based in Chicago, as the two discuss the SEC’s recently issued Final Rules for Cyber and what this means for public companies. Listen in to learn more about: Read our key takeaways blog post on the Final Rules here for more information. Want to learn more?…
In brief On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…
After years of legislative debate, Congress passed a new law requiring key businesses to report certain data breaches, or “covered incidents”, to the government. Signed by President Biden on March 15, 2022, the law, part of the Strengthening American Cybersecurity Act, requires companies that operate critical infrastructure (financial institutions, utilities, and other organizations) to share information with the Cybersecurity and Infrastructure Security Agency (CISA) about certain cybersecurity incidents within 72 hours and ransomware payments to cyber criminals within 24…
Disruptive cyber-attacks aimed at supply chains are on the rise, as the recent SolarWinds security breach has so prominently brought to light. While your immediate IT infrastructure may not have been directly impacted by that breach, now may be a good time to check in with your key service providers. If they host or in any way process digital assets on your behalf, there is reason for concern in light of the devastating SolarWinds security breach.…