Latest Posts
Search for:
Author

Jerome Tomas

Browsing
In Artificial Intelligence

Recent SEC Actions Highlight Increased Regulatory Scrutiny over Artificial Intelligence and “AI Washing”

by , , , and 5 Mins Read

On March 18, 2024, the United States Securities and Exchange Commission (the “SEC“) announced that it settled charges against two investment advisers for making false and misleading statements about their purported use of artificial intelligence (AI). This SEC enforcement action marks the latest efforts by securities regulators to combat the adverse effects of “AI washing” and confirms that AI, and particularly “AI washing”, is at the forefront of securities regulators’ minds. What is “AI washing”? “AI washing”…

In Cybersecurity

The 2024 Baker McKenzie “Top 10” Predictions on Global Data Privacy and Cybersecurity Risks

by , , , , , , , , , , , , , , , , , , , , and 5 Mins Read

This past year brought the rapid rise of ChatGPT and other generative AI platforms, accompanied by several noteworthy legal and regulatory developments. 2024 promises to continue with technology advances, making it a pivotal year for businesses navigating global data privacy and cybersecurity risks. Our Baker McKenzie Top 10 predictions for 2024 follow. AI-enhanced cyber threats will increase globally. Threat actors will continue to leverage AI for increasingly sophisticated attacks, exploiting new technologies to enable highly-personalized…

In Cybersecurity

Hacker attempts to use SEC rules to further exploit victims

by , , and 2 Mins Read

In a shocking show of gumption, a ransomware gang has reportedly not only hacked a US public company’s (MeridianLink) IT systems, but also filed a complaint on the SEC’s Tips, Complaints, and Referrals page, regarding Meridian Link’s claimed failure to disclose the incident in an 8-K in violation of the SEC’s new cybersecurity rules. Even though public companies are not yet required to comply with the new cybersecurity disclosure rules (8-K requirement goes effective on…

In Cybersecurity

CISOs, Internal Accounting Controls, Crown Jewels and Disclosure Procedures:  Peeling Back The Onion of the Solar Winds Enforcement Action

by , , , , , , and 12 Mins Read

In many ways, the Securities and Exchange Commission’s (“SEC”) October 30, 2023 enforcement action against software company SolarWinds Corporation (“SolarWinds”) and its chief information security officer (“CISO”) is a typical securities case. The first four counts involve alleged material misstatements by the public company related to widely reported operational turmoil that allegedly materially impacted the company. But aspects of the case may signal a change in how the SEC looks at cyber incidents, including internal…

In Cybersecurity

Podcast Episode: The SEC’s Final Cybersecurity Rules – A Look at Evolving Risks in the New Age

by and 1 Min Read

In this episode, Cynthia Cole, IP & Technology Partner based in Palo Alto, is joined by Jerome Tomas, Chair of the Firm’s Securities and Exchange (SEC) and Financial Institutions Enforcement Group based in Chicago, as the two discuss the SEC’s recently issued Final Rules for Cyber and what this means for public companies. Listen in to learn more about: Why should you care? The SEC has brought enforcement actions before based on data breach disclosure-what’s different…

In Cybersecurity

SEC Adopts Final Cybersecurity Rules

by , , , , , , , , , , , , , , , , , , , and 8 Mins Read

In brief On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) approved the final rules for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (“Final Rules”). As previously reported, the SEC first proposed amendments to its rules on disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies on March 9, 2022 (“Proposed Rules”). Similar to the Proposed Rules, the Final Rules, broadly speaking, require (i) issuers to make disclosures…

In Cybersecurity

Congress Publishes “Game-Changer” Breach Reporting Law, Compliance Requirements Unclear

by , , , , , , , , and 6 Mins Read

After years of legislative debate, Congress passed a new law requiring key businesses to report certain data breaches—or “covered incidents”—to the government. Signed by President Biden on March 15, 2022, the law, part of the Strengthening American Cybersecurity Act, requires companies that operate critical infrastructure—financial institutions, utilities, and other organizations—to share information with the Cybersecurity and Infrastructure Security Agency (CISA) about certain cybersecurity incidents within 72 hours and ransomware payments to cyber criminals within 24…

In Data Privacy

SolarWinds Fallout Warrants Vendor Pulse Check

by , , , and 4 Mins Read

Disruptive cyber-attacks aimed at supply chains are on the rise, as the recent SolarWinds security breach has so prominently brought to light. While your immediate IT infrastructure may not have been directly impacted by that breach, now may be a good time to check-in with you key service providers. If they host or in any way process digital assets on your behalf, there is reason for concern in light of the devastating SolarWinds security breach.…

In Data Privacy

SEC Signals Heightened Scrutiny of Cybersecurity Practices

by , , , , , and 5 Mins Read

On January 7, 2020, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) announced its 2020 Examination Priorities that included cybersecurity practices. Soon after the publication of the OCIE Examination Priorities, on January 27, 2020, OCIE followed-up with a report entitled Cybersecurity and Resiliency Observations These two OCIE releases, along with prior SEC alerts and actions, provide strong indications that the SEC, in 2020, will be ramping up its focus…