One of our recent posts discussed the uptick in AI risks reported in SEC filings, as analyzed by Arize AI. There, we highlighted the importance of strong governance for mitigating some of these risks, but we didn’t address the specific risks identified in those SEC filings. We discuss them briefly here as they are risks

Virtually all organizations have an obligation to safeguard their personal data against unauthorized access or use, and, in some instances, to notify affected individuals in the event such access or use occurs.  Those obligations are, in some instances, relatively nebulous, and organizations—for better or worse—have flexibility to determine what pre-incident safeguards and post-incident responsive actions

In 2021, the Department of Labor (DOL) issued cybersecurity guidance for ERISA-covered retirement plans. The guidance expands the duties retirement plan fiduciaries have when selecting service providers. Specifically, the DOL makes clear that when selecting retirement plan service providers, plan fiduciaries must prudently assess the cybersecurity of those providers.  

On May 15, 2024

As the year comes to a close here are some of the highlights from the Workplace Privacy, Data Management & Security Report with our Top 10 most popular topics from 2023.

  1. States Passing Comprehensive Privacy Laws

There was a landslide of comprehensive state privacy laws passed in 2023, from coast to coast. The laws are

According to a New York Times story this weekend, the Security Exchange Commission’s lawsuit against SolarWinds is driving discussions in boardrooms and corporate security departments of large organizations about the handling and reporting of cybersecurity breaches. It turns out that such boards and departments may not be the only ones following the SEC’s increased focus

When hit with a cybersecurity attack, organizations are often not inclined to bring in federal law enforcement. Recent comments by FBI Director Christopher Wray at Mandiant’s annual mWISE 2023 conference seek to encourage the private sector to reconsider, as reported in CIODive. Doing so is an important consideration and depending on certain factors, it

This summer, the Securities and Exchange Commission (SEC) adopted rules to enhance and standardize disclosures by public companies regarding cybersecurity risk management, strategy, governance, and incidents.  

The rules will impose a number of new requirements, including disclosures regarding:

  • Material cybersecurity incidents, which must be made within four (4) business days – a tight timeline

On February 9, the Securities and Exchange Commission (“SEC”) voted to propose rule 206(4)-9 under the Advisers Act and 38a-2 under the Investment Company Act (collectively, “Proposed Rule”). In general, the Proposed Rule would require all advisers and funds to adopt and implement cybersecurity policies and procedures containing several elements. While acknowledging spending on cybersecurity

Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. OCIE is hoping to remind advisers and broker-dealers about providing compliant privacy and opt-out notices, and adopting and implementing effective policies and procedures for