As we approach the end of the year, here are the Top 10 SEC Cyber/AI posts on the Debevoise Data Blog in 2024 by page views.
1. 100 Days of Cybersecurity Incident Reporting on Form 8-K: Lessons Learned (March 28, 2024). On December 18, 2023, the SEC’s rule requiring disclosure of material cybersecurity incidents became effective. In the first 100 days of mandatory reporting, 11 companies disclosed a cybersecurity incident on Form 8-K, averaging 5.45 days between detection of the incident and disclosure. This post provides several considerations for companies to evaluate when considering Form 8-K disclosure and the timing of such filings.
2. SEC Charges Four Companies for Misleading Cyber Disclosures (October 28, 2024). On October 22, 2024, the SEC announced settled charges in separate actions against four technology companies that had been downstream victims of the 2020 SUNBURST cyber-attack. These actions represented the SEC’s first resolutions based on its multi-year investigations into the adequacy and accuracy of disclosures made by victims of that attack, and of related compromises believed to have been committed by the same state-sponsored threat actors. Although the disclosures and statements in these four matters pre-dated the SEC’s new cybersecurity disclosure rules, this post discusses how these cases may reflect the Commission’s views on materiality assessments and disclosure decisions, and corresponding cybersecurity best practices for issuers.
3. The SEC Adopts Significant Cybersecurity Amendments to Reg S-P (May 17, 2024). On May 16, 2024, the SEC adopted significant cybersecurity amendments to Regulation S-P (“Reg S-P”). Amended Reg S-P represents a substantial expansion of the privacy obligations for broker-dealers and registered investment advisers under the federal securities laws. This post synthesizes key compliance requirements under this expanded regulation.
4. AI Enforcement Starts with Washing: The SEC Charges its First AI Fraud Cases (March 19, 2024). On March 18, 2024, the SEC announced settled charges against two registered investment advisers for making false and misleading statements about their alleged use of AI in connection with investment advice. These settlements were the SEC’s first-ever cases charging violations of the antifraud provisions of the federal securities laws in connection with AI disclosures. The cases also included settled charges involving AI brought under the Marketing and Compliance Rules under the Investment Advisers Act of 1940. This post discusses the charges as well as disclosure and compliance takeaways for SEC registrants.
5. Have You Reviewed Your Form ADV AI Disclosures? (February 26, 2024). AI use has exploded across the securities markets, and the SEC has prioritized examinations and enforcement that target “AI washing” by registered investment advisers. In this post, we discuss best practices for annual Form ADV amendments to meet the SEC’s sharpening scrutiny of AI usage by registrants: (1) be clear on what you do (and don’t) use AI for, (2) avoid using hypothetical language for actual AI practices, and (3) understand and accurately disclose the risks associated with AI use.
6. SEC Releases New Guidance on Material Cybersecurity Incident Disclosure (June 27, 2024). On June 24, 2024, the staff of the Division of Corporation Finance of the SEC released five new Compliance & Disclosure Interpretations (“C&DIs”) relating to the disclosure of material cybersecurity incidents under Item 1.05 of Form 8-K. In this article, we summarize the new C&DIs and address how issuers should consider the guidance more broadly when analyzing disclosure obligations for cybersecurity events.
7. Announcing the Debevoise Tracker for Cybersecurity Incident Disclosure on Form 8-K (March 6, 2024). This post launches the Debevoise tracker of Form 8-K filings under Item 1.05, which requires the disclosure of material cybersecurity incidents. This tracker is continuously updated with links to 8-K cybersecurity filings.
8. SEC Targets AI Washing in Private Capital Markets: “Old School Fraud Using New School Buzzwords” (June 14, 2024). On June 11, 2024, the SEC filed its first litigated AI washing matter involving a private capital markets transaction. This post discusses the SEC’s use of the existing antifraud provisions of the securities laws to charge AI cases and the importance of clear, accurate and comprehensive statements about the use of technology, automation, and AI.
9. Internal Accounting Controls Claim Rejected in SolarWinds Case (July 23, 2024). On July 18, 2024, a federal district court for the Southern District of New York dismissed the majority of the charges brought by the SEC against SolarWinds, including the SEC’s previously untested claim that alleged deficiencies in the company’s cybersecurity controls could constitute violations of the internal accounting controls requirements of the Securities Exchange Act of 1934. This post explores the court’s reasoning rejecting the SEC’s internal accounting controls claim and the Commission’s novel use of this charge in the cybersecurity context.
10. Incident Response Plans Are Now Accounting Controls? SEC Brings First-Ever Settled Cybersecurity Internal Controls Charges (June 20, 2024). On June 18, 2024, the SEC announced an unprecedented settlement with communications and marketing provider R.R. Donnelley & Sons Co. (“RRD”) in which the firm resolved disclosure controls and internal accounting controls charges arising out of its response to a 2021 ransomware attack. The settlement marks a striking expansion of the SEC’s view of its oversight authority relating to public company cybersecurity policies and procedures. Given this emerging area of public company cybersecurity enforcement risk, this article discusses potential enhancements to cybersecurity policies and procedures for issuers.
The authors would like to thank Debevoise Law Clerk Achutha Raman for his contribution to this blog post.