Category: Corporate law

SEC Issues Long-Awaited Climate Risk Disclosure Rule

INTRODUCTION

On Wednesday, 6 March 2024, the Securities and Exchange Commission (SEC) approved its highly anticipated final rules on “The Enhancement and Standardization of Climate-Related Disclosures for Investors” by a vote of 3-2, with Republican Commissioners Hester Peirce and Mark Uyeda dissenting. Accompanying the final rules was a press release and fact sheet detailing the provisions of the rulemaking. The final rules will go into effect 60 days after publication in the Federal Register and will include a phased-in compliance period for all registrants.

This is likely to be one of the most consequential rulemakings of Chairman Gary Gensler’s tenure given the prioritization of addressing climate change as a key pillar for the Biden administration. However, given the significant controversy associated with this rulemaking effort, the final rules are likely to face legal challenges and congressional oversight in the coming months. As such, it remains unclear at this point whether the final rules will survive the forthcoming scrutiny.

WHAT IS IN THE RULE?

According to the SEC’s fact sheet:

  • “The final rules would require a registrant to disclose, among other things: material climate-related risks; activities to mitigate or adapt to such risks; information about the registrant’s board of directors’ oversight of climate-related risks and management’s role in managing material climate-related risks; and information on any climate-related targets or goals that are material to the registrant’s business, results of operations, or financial condition.
  • Further, to facilitate investors’ assessment of certain climate-related risks, the final rules would require disclosure of Scope 1 and/or Scope 2 greenhouse gas (GHG) emissions on a phased-in basis by certain larger registrants when those emissions are material; the filing of an attestation report covering the required disclosure of such registrants’ Scope 1 and/or Scope 2 emissions, also on a phased-in basis; and disclosure of the financial statement effects of severe weather events and other natural conditions including, for example, costs and losses.
  • The final rules would include a phased-in compliance period for all registrants, with the compliance date dependent on the registrant’s filer status and the content of the disclosure.”

NEXT STEPS

The final rules are likely to face significant opposition, including legal challenges and congressional oversight. It is expected that there will be various lawsuits brought against the final rules, which are likely to receive support from several industry groups, or potentially GOP-led state attorneys general who have been active in litigating against environmental, social and governance (ESG) policies and regulations. It is also possible that the final rules could face criticism from some climate advocates that the SEC did not go far enough in its disclosure requirements.

Further, it is expected that the House Financial Services Committee (HFSC) will conduct oversight hearings, as well as introduce a resolution under the Congressional Review Act (CRA), to attempt to block the regulations from taking effect. HFSC Chairman Patrick McHenry (R-NC) indicated that the Oversight and Investigations Subcommittee will hold a field hearing on March 18 and the full Committee will convene a hearing on April 10 to discuss the potential implications of the rules. If a CRA resolution were to pass the House and garner sufficient support from moderate Democrats in the Senate to pass, it would likely be vetoed by President Biden.

Ultimately, the SEC climate risk disclosure rules are unlikely to significantly change the trajectory of corporate disclosures made by multinational companies based in the U.S., most of whom have already been making sustainability disclosures in accordance with the Financial Stability Board’s Task Force on Climate-Related Financial Disclosures. The ongoing problem for investors is that such disclosures are not standardized and therefore are not comparable. Consequently, many of these large issuers may continue to enhance their sustainability disclosures in accordance with standards issued by the International Sustainability Standards Board and the Global Reporting Initiative as an investor relations imperative notwithstanding the SEC’s timetable for implementation of these final rules.

A more detailed analysis of the SEC rules is forthcoming from our Corporate and Asset Management and Investment Funds practices in the coming days.

Copyright 2024 K & L Gates
For more news on the SEC’s Climate Disclosure Rule, visit the NLR Environmental, Energy & Resources section.

U.S. Corporate Transparency Act: CTA is Declared Unconstitutional in U.S. District Court Case

The Corporate Transparency Act has been declared unconstitutional. On March 1, 2024, U.S. District Court Judge Liles C. Burke issued a 53-page opinion[1] granting summary judgment for the National Small Business Association and held that the Corporate Transparency Act “exceeds the Constitution’s limits on the legislative branch and lacks a sufficient nexus to any enumerated power to be a necessary or proper means of achieving Congress’ policy goals.”

As a result, Judge Burke found the CTA to be unconstitutional because it exceeds the Constitution’s limits on Congress’ power, without even reaching a decision on whether it violates the First, Fourth, and Fifth Amendments. The Court then permanently enjoined the government from enforcing the CTA against the named plaintiffs and ordered a further hearing on the award of costs of litigation.

While it is likely that this litigation will continue to play out in the federal court system, the initial victory has gone to small business and importantly that means that compliance with this now unconstitutional regulatory regime can be set aside for the current time being.

[1] Nat’l Small Bus. United v. Yellen, No. 5:22-cv-01448-LCB (N.D. Ala. 2022)

Copyright ©2024 Nelson Mullins Riley & Scarborough LLP
For more on the Corporate Transparency Act, visit the NLR Corporate & Business Organizations section.

Federal Court Strikes Down the Corporate Transparency Act as Unconstitutional

On March 1, 2024, the federal judge presiding over the lone case testing the validity of the Corporate Transparency Act (CTA) struck down the CTA as unconstitutional. As we have explained, through the CTA, Congress imposed mandatory reporting obligations on certain companies operating in the United States, in an effort to enhance corporate transparency and combat financial crime. Specifically, the CTA, which took effect on January 1, 2024, requires a wide range of companies to provide personal information about their beneficial owners and company applicants to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). More than 32.5 million existing entities are expected to be subject to the CTA, and approximately 5 million new entities are expected to join that number each year. By mid-February, approximately a half million reports had been filed under the CTA according to FinCEN.

The CTA’s enforceability is now in doubt. In National Small Business United d/b/a National Small Business Association v. Yellen, the Honorable Liles C. Burke of the United States District Court for the Northern District of Alabama held that the CTA exceeded Congress’s authority to regulate interstate commerce, and that the CTA was not necessary to the proper exercise of Congress’ power to regulate foreign affairs or its taxing power. The Court issued a declaratory judgment—stating that the CTA is unconstitutional—and enjoined the federal government from enforcing the CTA’s reporting requirements against the plaintiffs in that litigation. A nationwide injunction, which would have raised its own enforceability concerns, was not included in the Court’s ruling.

The Court focused on three aspects of the CTA. First, the Court highlighted that the CTA imposes requirements on corporate formation, which is traditionally left to state governments as matters of internal state law. Second, the Court observed that the CTA applies to corporate entities even if the entity conducts purely intrastate commercial activities or no commercial activities at all. Third, the Court concluded that the CTA’s disclosure requirements could not be justified as a data-collection tool for tax officials as that would raise the specter of “unfettered legislative power.”

What the Decision Means for Entities Subject to the CTA

The Court’s decision creates uncertainty on entities’ ongoing obligations under the CTA. Although the Court purported to limit its injunction to the parties in the litigation before it, the lead plaintiff in the suit is the National Small Business Association (NSBA). In its opinion, the Court held that the NSBA had associational standing to sue on behalf of its members. Based on precedent, this means the Court’s injunction likely benefits all of the NSBA’s over 65,000 members. If so, the government is prevented from enforcing the CTA’s reporting requirements against any entity that is a member of the NSBA.

Regardless of membership in the NSBA, however, the Court’s declaratory judgment that the CTA is unconstitutional also raises serious doubts about the government’s ability to enforce the CTA’s reporting requirements. This could amount to a de facto moratorium on CTA enforcement, depending on the government’s view of the decision.

What Happens Next

The government will likely appeal this decision, but the Court’s injunction and declaration will remain in effect unless a stay is granted. To receive a stay, the government will first likely need to file a motion in the district court, which will consider (1) how likely it is that the government will succeed on appeal; (2) whether the government will be irreparably harmed without a stay; (3) whether a stay will injure other parties interested in the litigation; and (4) whether a stay would benefit the public interest. If the district court denies a stay, the government will be able to seek a stay from the Atlanta-based United States Court of Appeals for the Eleventh Circuit.

The government has 60 days to appeal, though it will likely file its appeal sooner given the grant of an injunction and decision’s far-reaching consequences. The grant or denial of stay should be resolved in the coming weeks, but the timing of any final decision from the Court of Appeals is uncertain. In 2023, the median time for the Eleventh Circuit to resolve a case was over 9 months. However, the key deadline by which tens of millions of companies otherwise must file their initial report under the CTA is January 1, 2025.

© 2024 Varnum LLP
For more news on the Constitutionality of the Corporate Transparency Act, visit the NLR Corporate & Business Organizations section.

An Update on the SEC’s Cybersecurity Reporting Rules

As we pass the two-month anniversary of the effectiveness of the U.S. Securities and Exchange Commission’s (“SEC’s”) Form 8-K cybersecurity reporting rules under new Item 1.05, this blog post provides a high-level summary of the filings made to date.

Six companies have now made Item 1.05 Form 8-K filings. Three of these companies also have amended their first Form 8-K filings to provide additional detail regarding subsequent events. The remainder of the filings seem self-contained such that no amendment is necessary, but these companies may amend at a later date. In general, the descriptions of the cybersecurity incidents have been written at a high level and track the requirements of the new rules without much elaboration. It is interesting, but perhaps coincidental, that the filings seem limited to two broad industry groups: technology and financial services. In particular, two of the companies are bank holding companies.

Although several companies have now made reports under the new rules, the sample space may still be too small to draw any firm conclusions or decree what is “market.” That said, several of the companies that have filed an 8-K under Item 1.05 have described incidents and circumstances that do not seem to be financially material to the particular companies. We are aware of companies that have made materiality determinations in the past on the basis of non-financial qualitative factors when impacts of a cyber incident are otherwise quantitatively immaterial, but these situations are more the exception than the rule.

There is also a great deal of variability among the forward-looking statement disclaimers that the companies have included in the filings in terms of specificity and detail. Such a disclaimer is not required in a Form 8-K, but every company to file under Item 1.05 to date has included one. We believe this practice will continue.

Since the effectiveness of the new rules, a handful of companies have filed Form 8-K filings to describe cybersecurity incidents under Item 8.01 (“Other Events”) instead of Item 1.05. These filings have approximated the detail of what is required under Item 1.05. It is not immediately evident why these companies chose Item 8.01, but presumably the companies determined that the events were immaterial such that no filing under Item 1.05 was necessary at the time of filing. Of course, the SEC filing is one piece of a much larger puzzle when a company is working through a cyber incident and related remediation. It remains to be seen how widespread this practice will become. To date, the SEC staff has not publicly released any comment letters critiquing any Form 8-K cyber filing under the new rules, but it is still early in the process. The SEC staff usually (but not always) makes its comment letters and company responses to those comment letters public on the SEC’s EDGAR website no sooner than 20 business days after it has completed its review. With many public companies now also making the new Form 10-K disclosure on cybersecurity, we anticipate the staff will be active in providing guidance and commentary on cybersecurity disclosures in the coming year.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.
For news on SEC Cybersecurity Regulations, visit the NLR Securities & SEC section.

Commerce Department Launches Cross-Sector Consortium on AI Safety — AI: The Washington Report

  1. The Department of Commerce has launched the US AI Safety Institute Consortium (AISIC), a multistakeholder body tasked with developing AI safety standards and practices.
  2. The AISIC is currently composed of over 200 members representing industry, academia, labor, and civil society.
  3. The consortium may play an important role in implementing key provisions of President Joe Biden’s executive order on AI, including the development of guidelines on red-team testing[1] for AI and the creation of a companion resource to the AI Risk Management Framework.

Introduction: “First-Ever Consortium Dedicated to AI Safety” Launches

On February 8, 2024, the Department of Commerce announced the creation of the US AI Safety Institute Consortium (AISIC), a multistakeholder body housed within the National Institute of Standards and Technology (NIST). The purpose of the AISIC is to facilitate the development and adoption of AI safety standards and practices.

The AISIC has brought together over 200 organizations from industry, labor, academia, and civil society, with more members likely to join in the coming months.

Biden AI Executive Order Tasks Commerce Department with AI Safety Efforts

On October 30, 2023, President Joe Biden signed a wide-ranging executive order on AI (“AI EO”). This executive order has mobilized agencies across the federal bureaucracy to implement policies, convene consortiums, and issue reports on AI. Among other provisions, the AI EO directs the Department of Commerce (DOC) to establish “guidelines and best practices, with the aim of promoting consensus…[and] for developing and deploying safe, secure, and trustworthy AI systems.”

Responding to this mandate, the DOC established the US Artificial Intelligence Safety Institute (AISI) in November 2023. The role of the AISI is to “lead the U.S. government’s efforts on AI safety and trust, particularly for evaluating the most advanced AI models.” Concretely, the AISI is tasked with developing AI safety guidelines and standards and liaising with the AI safety bodies of partner nations.

The AISI is also responsible for convening multistakeholder fora on AI safety. It is in pursuance of this responsibility that the DOC has convened the AISIC.

The Responsibilities of the AISIC

“The U.S. government has a significant role to play in setting the standards and developing the tools we need to mitigate the risks and harness the immense potential of artificial intelligence,” said DOC Secretary Gina Raimondo in a statement announcing the launch of the AISIC. “President Biden directed us to pull every lever to accomplish two key goals: set safety standards and protect our innovation ecosystem. That’s precisely what the U.S. AI Safety Institute Consortium is set up to help us do.”

To achieve the objectives set out by the AI EO, the AISIC has convened leading AI developers, research institutions, and civil society groups. At launch, the AISIC has over 200 members, and that number will likely grow in the coming months.

According to NIST, members of the AISIC will engage in the following objectives:

  1. Guide the evolution of industry standards on the development and deployment of safe, secure, and trustworthy AI.
  2. Develop methods for evaluating AI capabilities, especially those that are potentially harmful.
  3. Encourage secure development practices for generative AI.
  4. Ensure the availability of testing environments for AI tools.
  5. Develop guidance and practices for red-team testing and privacy-preserving machine learning.
  6. Create guidance and tools for digital content authentication.
  7. Encourage the development of AI-related workforce skills.
  8. Conduct research on human-AI system interactions and other social implications of AI.
  9. Facilitate understanding among actors operating across the AI ecosystem.

To join the AISIC, organizations were instructed to submit a letter of intent via an online webform. If selected for participation, applicants were asked to sign a Cooperative Research and Development Agreement (CRADA)[2] with NIST. Entities that could not participate in a CRADA were, in some cases, given the option to “participate in the Consortium pursuant to separate non-CRADA agreement.”

While the initial deadline to submit a letter of intent has passed, NIST has provided that there “may be continuing opportunity to participate even after initial activity commences for participants who were not selected initially or have submitted the letter of interest after the selection process.” Inquiries regarding AISIC membership may be directed to this email address.

Conclusion: The AISIC as a Key Implementer of the AI EO?

While at the time of writing NIST has not announced concrete initiatives that the AISIC will undertake, it is likely that the body will come to play an important role in implementing key provisions of Biden’s AI EO. As discussed earlier, NIST created the AISI and the AISIC in response to the AI EO’s requirement that DOC establish “guidelines and best practices…for developing and deploying safe, secure, and trustworthy AI systems.” Under this general heading, the AI EO lists specific resources and frameworks that the DOC must establish, including:

It is premature to assert that either the AISI or the AISIC will exclusively carry out these goals, as other bodies within the DOC (such as the National AI Research Resource) may also contribute to the satisfaction of these requirements. That being said, given the correspondence between these mandates and the goals of the AISIC, along with the multistakeholder and multisectoral structure of the consortium, it is likely that the AISIC will play a significant role in carrying out these tasks.

We will continue to provide updates on the AISIC and related DOC AI initiatives. Please feel free to contact us if you have questions as to current practices or how to proceed.

Endnotes

[1] As explained in our July 2023 newsletter on Biden’s voluntary framework on AI, “red-teaming” is “a strategy whereby an entity designates a team to emulate the behavior of an adversary attempting to break or exploit the entity’s technological systems. As the red team discovers vulnerabilities, the entity patches them, making their technological systems resilient to actual adversaries.”

[2] See “CRADAs – Cooperative Research & Development Agreements” for an explanation of CRADAs. https://www.doi.gov/techtransfer/crada.

Raj Gambhir contributed to this article.

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
For more on AI Safety, visit the NLR Communications, Media & Internet section.

SEC Enforcement Targets Anti-Whistleblower Practices in Financial Firm’s Settlement Agreements with Retail Clients by Imposing Highest Penalty in Standalone Enforcement Action Under Exchange Act Rule 21 F-17(a)

As the year gets underway, the Securities and Exchange Commission (SEC or Commission) is continuing its ongoing enforcement efforts to target anti-whistleblower practices by pursuing a broader range of entities and substantive agreements, including the terms of agreements between financial institutions and their retail clients. The most recent settlement with a financial firm signifies that the SEC is imposing increasingly steep penalties to settle these matters while focusing on confidentiality provisions that do not affirmatively permit voluntary disclosures to regulators. We discuss below the latest SEC enforcement actions in the name of whistleblower protection and offer some practical tips for what firms and companies may do to proactively mitigate exposure.

On 16 January 2024, the SEC announced a record $18 million civil penalty against a dual registered investment adviser and broker-dealer (the Firm), asserting that the use of release agreements with retail clients impeded the clients from reporting securities law violations to the SEC in violation of Rule 21F-17(a) of the Securities Exchange Act of 1934 (Exchange Act).1

The SEC found that from March 2020 through July 2023, the Firm regularly required its retail clients to sign confidential release agreements in order to receive a credit or settlement of more than $1,000. Under the terms of these releases, clients were required to keep confidential the existence of the credits or settlements, all related underlying facts, and all information relating to the accounts at issue, or risk legal action for breach of the agreement. The agreements “neither prohibited nor restricted” the clients from responding to any inquiries from the SEC, the Financial Industry Regulatory Authority (FINRA), other regulators or “as required by law.” However, the agreements did not expressly allow the clients to initiate voluntary reporting of potential securities law violations to the regulators. The SEC found that this violated Rule 21F-17(a) “which is intended to ‘encourag[e] individuals to report to the Commission.’”While the Firm did report a number of the underlying client disputes to FINRA, the SEC found this insufficient to mitigate the lack of language in the release agreements that expressly permitted the clients to report potential securities law violations to the SEC.

The SEC initiated a settled administrative proceeding against the Firm, which neither admitted nor denied the SEC’s findings. In addition to the $18 million civil monetary penalty, the settlement requires that the Firm cease and desist from further violations of Rule 21F-17(a). Notably, the SEC credited certain remedial measures promptly undertaken by the Firm, including revising the at-issue release language and affirmatively alerting affected clients that they are not prohibited from communicating with governmental and regulatory authorities.

This enforcement action is significant for several reasons. First, it signals a broader enforcement focus by the SEC with respect to Rule 21F-17(a) in that this is the first action involving the terms of agreements between a financial institution and its retail clients, which are prevalent throughout the financial services industry. Previously, enforcement had focused squarely on restrictive confidentiality provisions involving employees, such as those found in employment or severance agreements or in connection with internal investigation interviews.

Second, the unprecedented magnitude of the penalty in a standalone Rule 21F-17(a) case underscores the SEC’s emphasis on preventing practices that it views as obstructions of whistleblower rights. SEC Enforcement Director Gurbir Grewal’s statement announcing the settlement reflects this position, “Whether it’s in your employment contracts, settlement agreements or elsewhere, you simply cannot include provisions that prevent individuals from contacting the SEC with evidence of wrongdoing.” Companies (public and private), broker-dealers, investment advisers, and other market participants should expect to see continued enforcement investigations in connection with the SEC’s ongoing attention toward compliance with Rule 21F-17(a), as discussed further below.

The SEC’s Whistleblower Protection Program

Established in 2011 pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the SEC Whistleblower Program provides monetary awards to individuals who “tip” the SEC with original information that leads to an enforcement action resulting in monetary sanctions that exceed $1 million. Through the end of the SEC’s FY2023, the SEC has awarded almost $2 billion to 385 whistleblowers.In FY2023 alone, the SEC received over 18,000 whistleblower tips and awarded more than $600 million in whistleblower awards to 68 individuals.4

In furtherance of the Whistleblower Program, the SEC also issued Exchange Act Rule 21F-17(a), which provides that “no person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”5

SEC Struck Several Blows in 2023 Against Companies that Failed to Carve out Whistleblower Protections in Their Confidentiality Agreements

The SEC has been aggressively enforcing Rule 21F-17(a) since its first enforcement action in 2015 with respect to that Rule,through several waves of enforcement actions. During 2023, the SEC was especially active with a number of settled enforcement actions asserting violations of Rule 21F-17(a) in which the respondents neither admitted nor denied the SEC’s findings:

  • In February 2023, the SEC fined a video game development and publishing company $35 million for violating federal securities laws through its inadequate disclosure controls and procedures. The settled action also included a finding that the company had violated Rule 21F-17(a) by executing separation agreements in the ordinary course of its business that required former employees to provide notice to the company if they received a request for information from the SEC’s staff.7
  • In May 2023, the SEC imposed a $2 million fine on an internet streaming company for: (i) retaliating against an employee who reported misconduct to the company’s management prior to and after filing a complaint with the SEC; and, (ii) impeding the reporting of potential securities law violations, by including provisions in employee severance agreements requiring that departing employees waive any potential right to receive a whistleblower award, in violation Rule 21F-17(a).8
  • In September 2023, in another standalone enforcement action for violations of Rule 21F-17(a), the SEC imposed a $10 million civil monetary penalty on a registered investment adviser (RIA) for requiring that its new employees sign employment agreements that prohibited the disclosure of “Confidential Information” to anyone outside of the company, without an exception for voluntary communications with the SEC concerning possible securities laws violations.Further, the RIA required many departing employees to sign a release in exchange for the receipt of certain deferred compensation and other benefits affirming that, among other things, the employee had not filed any complaints with any governmental agency. Although the RIA later revised its policies and issued clarifications to employees that they were not prevented from communicating with the SEC and other regulators, the RIA failed to amend its employment and release agreements to provide the carve out.
  • Also in September 2023, the SEC charged two additional firms with violations of Rule 21F-17(a). In one case imposing a $375,000 civil penalty, the SEC found that a commercial real estate services and investment firm impeded whistleblowers by requiring its employees, as a condition of receiving separation pay, to represent that they had not filed a complaint against the firm with any federal agency.10 In another case, the SEC imposed a $225,000 civil penalty against a privately-held energy and technology company for requiring certain departing employees to waive their rights to monetary whistleblower awards.11 This particular action underscores that Rule 21F-17 applies to all entities, and not only to public companies.

Mr. Grewal, in an October 2023 speech before the New York City Bar Association Compliance Institute, emphasized that potential impediments to the SEC’s Whistleblower Program would be a continued focus of the agency’s enforcement efforts, stating, “we take compliance with Rule 21F-17 very seriously, and so should each of you who work in a compliance function or advise companies. You need to look at these orders and the violative language cited by the Commission and think about how those actions may impact your firms. And if they do, then take the steps necessary to effect compliance.”12

Key Take-Aways

The SEC’s recent enforcement actions demonstrate that violations of Rule 21F-17(a) can carry significant fines and reach virtually any confidentiality agreement that does not carve out communications between a firm’s current or former employees or customers and the SEC or other regulators about potential securities violations. Moreover, although many of the enforcement actions relate to language in agreements, Rule 21F-17 is not so limited and can also apply to language in internal policies, procedures, guidance, manuals, or training materials. The message from the SEC is clear: it will continue to enforce Rule 21F-17 with respect to public companies, private companies, broker-dealers, investment advisers, and other financial services entities.

The SEC in its recent orders has provided credit to companies for cooperation as well as for instituting remedial actions.13 Being proactive in identifying and correcting potential violations in advance of any investigation by the SEC can result in mitigation of any action or penalties.

Legal and compliance officers may want to consider the following steps in order to evaluate and potentially mitigate any potential exposure to an enforcement action:

  • Conduct a review of all employee-facing and client-facing documents or contracts with confidentiality provisions and remove or revise any content that may be viewed as impeding (even unintentionally) a person’s ability to report potential securities law violations to the SEC. Depending on the circumstances, this may involve including a reference expressly permitting communications with the SEC and other government or regulatory entities without advance notice or disclosure to the company.
  • Remove any language from the templates that could be interpreted as hindering an employee’s or client’s ability to communicate with the SEC concerning potential securities law violations, including language threatening disciplinary action against employees for disclosing confidential information in their communications with government agencies when reporting potential violations.
  • Prepare addenda or updates to current employee- and client-facing agreements that reflect the revised confidentiality clauses.
  • Include reference in written anti-retaliation policies that employees’ communications and cooperation with the SEC and other government agencies will not result in retaliation from the company.
  • Conduct trainings for company managers and supervisors regarding appropriate communications to employees regarding their interactions with the government.
  • Implement policies that prevent any company personnel from taking steps to block or interfere with an employee’s use of company platforms or systems to communicate with the SEC and other government agencies.14

In the Matter of JP Morgan Securities LLC, Admin. Proc. No. 3-21829 (Jan. 16, 2024), https://www.sec.gov/files/litigation/admin/2024/34-99344.pdf.

Id. (quoting Securities Whistleblower Incentives and Protections Adopting Release, Release No. 34-63434 (June 13, 2011)).

SEC Office of the Whistleblower Annual Report to Congress for Fiscal Year 2023 (Nov. 14, 2023), https://www.sec.gov/files/2023_ow_ar.pdf; SEC Whistleblower Office Announces Results for FY 2022 (Nov. 15, 2022), https://www.sec.gov/files/2022_ow_ar.pdf; 2021 Annual Report to Congress Whistleblower Program (Nov. 15, 2021), https://www.sec.gov/files/owb-2021-annual-report.pdf; 2020 Annual Report to Congress Whistleblower Program (Nov. 16, 2020), https://www.sec.gov/files/2020_owb_annual_report.pdf.

SEC Office of the Whistleblower Annual Report to Congress for Fiscal Year 2023 (Nov. 14, 2023), https://www.sec.gov/files/2023_ow_ar.pdf.

17 C.F.R. § 240.21F-17.

In the Matter of KBR, Inc., Admin. Proc. No. 3-16466 (Apr. 1 2015), https://www.sec.gov/files/litigation/admin/2015/34-74619.pdf (imposing a US$130,000 fine on a company in a settled enforcement action for requiring that witnesses in certain internal investigations sign confidentiality agreements warning that they could be subject to discipline if they discussed the matters at issue outside the company without prior approval of the company’s legal department).

In the Matter of Activision Blizzard, Inc. Admin. Proc. No. 3-21294 (Feb. 3, 2023), https://www.sec.gov/files/litigation/admin/2023/34-96796.pdf.

In the Matter of Gaia, Inc. et. al., Admin. Proc. No. 3-21438 (May 23, 2023), https://www.sec.gov/files/litigation/admin/2023/33-11196.pdf.

In the Matter of D.E. Shaw & Co., L.P., Admin. Proc. No. 3-21775 (Sep. 29, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98641.pdf.

10 In the Matter of CBRE Inc., Admin. Proc. No. 3-21675  (Sept. 19, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98429.pdf.

11 In the Matter of Monolith Res., LLC, Admin. Proc. No. 3-21629 (Sept. 8, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98322.pdf.

12 Gurbir S. Grewal, Remarks at New York City Bar Association Compliance Institute (Oct. 24, 2023), https://www.sec.gov/news/speech/grewal-remarks-nyc-bar-association-compliance-institute-102423.

13 See, e.g., In the Matter of CBRE Inc., Admin. Proc. No. 3-21675  (Sept. 19, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98429.pdf (crediting respondent’s remediation program, which included, among other measures, an audit of relevant agreements, updates to policies with respect to Rule 21F-17, and mandatory trainings); In the Matter of Monolith Res., LLC, Admin. Proc. No. 3-21629 (Sept. 8, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98322.pdf (crediting respondent’s prompt remedial acts including revisions to the at-issue release language and affirmatively alerting affected clients that they are not prohibited from communicating with governmental and regulatory authorities.)

14 Cf.  In the Matter of David Hansen, Admin Proc. 3-20820 (Apr. 12, 2022), https://www.sec.gov/enforce/34-94703-s (settled SEC enforcement action against former Chief Information Officer of a technology company for violating Rule 21F-17(a) by, among other things, removing an employee’s access to the company’s computer systems after the employee raised concerns regarding misrepresentations contained in the company’s public disclosures).

Copyright 2024 K & L Gates
For more news on SEC enforcement, visit the NLR Securities and SEC section.

Supreme Court Upholds Corporate Whistleblower Protections in Landmark Ruling

Today, the U.S. Supreme Court issued a unanimous ruling holding that whistleblowers do not need to prove that their employer acted with “retaliatory intent” to be protected under the Sarbanes-Oxley Act (SOX). The decision in the case, Murray v. UBS Securities, LLC, has immense implications for a number of whistleblower protection laws.

“This is a major win for whistleblowers and thus a huge win for corporate accountability,” said leading whistleblower attorney David Colapinto, a founding partner of Kohn, Kohn & Colapinto.

“A ruling in favor of UBS would have overturned more than 20 years of precedent in SOX whistleblower cases and made it exceedingly more difficult for whistleblowers who claim retaliation under many similarly worded federal whistleblower statutes,” Colapinto continued.

“Thankfully, the Court was not swayed by UBS’ attempt to ignore the plain meaning of the statute and instead upheld the burden of proof that Congress enacted to protect whistleblowers who face retaliation,” added Colapinto.

In an amicus curiae brief filed in the case on behalf of the National Whistleblower Center, the founding partners of Kohn, Kohn & Colapinto outlined the Congressional intent behind the burden of proof standard in SOX.

“In crafting the unique ‘contributing factor’ test for whistleblowers, Congress left an incredibly straight-forward legislative history documenting the value of whistleblowers’ contributions, the risks and retaliation whistleblowers faced, the barriers the previous burden of proof presented for whistleblowers, and Congress’ explicit intention to lower that burden of proof for whistleblowers,” the brief states.

In the Court’s opinion, Justice Sonia Sotomayor likewise pointed to the Congressional intent of SOX’s contributing-factor burden of proof standard:

“To be sure, the contributing-factor framework that Congress chose here is not as protective of employers as a motivating-factor framework. That is by design. Congress has employed the contributing-factor framework in contexts where the health, safety, or well-being of the public may well depend on whistleblowers feeling empowered to come forward. This Court cannot override that policy choice by giving employers more protection than the statute itself provides.”

This article was authored by Geoff Schweller.

Copyright Kohn, Kohn & Colapinto, LLP 2024. All Rights Reserved.
For more news on Supreme Court Whistleblower Rulings, visit the NLR Labor & Employment section.

Three Individuals Sentenced for $3.5 Million COVID-19 Relief Fraud Scheme

Three Individuals Sentenced for $3.5 Million COVID-19 Relief Fraud Scheme

On February 6, three individuals were sentenced for fraudulently obtaining and misusing Paycheck Protection Program (PPP) loans that the US Small Business Administration (SBA) guaranteed under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

According to court documents and evidence presented at trial, in 2020 and 2021, defendants Khadijah X. Chapman, Daniel C. Labrum, and Eric J.O’Neil submitted falsified documents to financial institutions for fictitious businesses to fraudulently obtain $3.5 million in PPP loans intended for small businesses struggling with the economic impact of COVID-19. Chapman was convicted in November 2023 of bank fraud. Labrum and O’Neil pleaded guilty in 2023 to bank fraud. Following their convictions, Chapman was sentenced to three years and 10 months in prison, Labrum was sentenced to two years in prison, and O’Neil was sentenced to two years and three months in prison.

Read the US Department of Justice’s (DOJ) press release here.

False Claims Act Complaint Filed Against Former President and Co-Owner of Mobile Cardiac PET Scan Provider

The DOJ filed a complaint in the US District Court for the Southern District of Texas under the False Claims Act (FCA) against Rick Nassenstein, former president, chief financial officer, and co-owner of Illinois-based Cardiac Imaging Inc. (CII), which provides mobile cardiac positron emission tomography (PET) scans.

The complaint alleges that Nassenstein caused CII to pay excessive, above-market fees to doctors who referred patients to CII for cardiac PET scans. The government alleges that the compensation arrangements violated the Stark Law, which prohibits health care providers from billing Medicare for services referred by a physician with whom the provider has a compensation arrangement unless the arrangement meets certain statutory and regulatory requirements. Claims knowingly submitted to Medicare in violation of the Stark Law also violate the federal FCA.

The complaint alleges that CII provided cardiac PET scans on a mobile basis and paid the referring physicians, usually cardiologists, to provide physician supervision as required by Medicare rules. From at least 2017 through June 2023, Nassenstein allegedly caused CII to enter into compensation arrangements with referring cardiologists that provided for payment to the cardiologists as if they were fully occupied supervising CII’s scans, even though they were actually providing care to other patients in their offices or patients who were not even on site. CII’s fees also allegedly compensated the cardiologists for additional services the physicians did not actually provide. The complaint alleges that CII paid over $40 million in unlawful fees to physicians and submitted over 75,000 false claims to Medicare for services provided pursuant to referrals that violated the Stark Law.

The lawsuit was originally a qui tam complaint filed by a former billing manager at CII, and the United States, through the DOJ, filed a complaint in partial intervention to participate in the lawsuit.

The case, captioned US ex rel. Pinto v. Nassenstein, No. 18-cv-2674 (S.D. Tex.), follows an $85.5 million settlement in October 2023 by CII and its current owner, Sam Kancherlapalli, for claims arising from this conduct.

Read the DOJ’s press release here.

San Diego Restaurant Owner Charged with Tax and COVID-19 Relief Fraud Schemes

On February 2, a federal grand jury in San Diego returned a superseding indictment charging a California restaurant owner with wire fraud, conspiracy to commit wire fraud, tax evasion, filing false tax returns, conspiracy to defraud the United States, conspiracy to commit money laundering, and failing to file tax returns.

According to the indictment, Leronce Suel, the majority owner of Rockstar Dough LLC and Chicken Feed LLC, conspired with a business partner to underreport over $1.7 million in gross receipts on Rockstar Dough LLC’s 2020 federal corporate tax return. From March 2020 to June 2022, Suel and the business partner then allegedly used this fraudulent return to qualify for COVID-19-related loans pursuant to the PPP and Restaurant Revitalization Funding program. In connection with those loans, Suel also allegedly certified falsely that he used the loan money for payroll purposes only. The indictment alleges that Suel and his business partner laundered the fraudulently obtained funds through cash withdrawals from their business bank accounts and stashed more than $2.4 million in cash in their home.

The indictment further charges that Suel failed to report millions of dollars received in cash and personal expenses paid for by his businesses as income, in addition to reporting false depreciable assets and business losses.

If convicted, Suel faces prison sentences up to 30 years for each count of wire fraud and conspiracy to commit wire fraud, 10 years for each count of conspiracy to commit money laundering, five years for tax evasion and conspiracy to defraud the United States, three years for each count of filing false tax returns, and one year for each count of failing to file tax returns.

Read the DOJ’s press release here.

© 2024 ArentFox Schiff LLP
For more on Regulated Industries, visit the NLR Biotech, Food, Drug section.

Client Alert: New Reporting Requirements Under the Corporate Transparency Act

On January 1, 2024, the Corporate Transparency Act (CTA) took effect. This new federal anti-money laundering law obligates many corporations, limited liability companies and other business entities to report to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), certain information about the entity, the entity’s beneficial owners and the individuals who created or registered the entity to do business. This client alert summarizes the CTA’s key requirements and deadlines. For more detailed information, please review the official “Beneficial Ownership Information Reporting FAQs” and the “Small Entity Compliance Guide” published by FinCEN.

Frequently Asked Questions

WHO MUST REPORT INFORMATION UNDER THE CTA?

The following “reporting companies” are subject to the CTA’s reporting requirements: (a) any U.S. corporation, limited liability company or other entity created by the filing of a document with a state or territorial government office; and (b) any non-U.S. entity that is registered to do business in any U.S. jurisdiction.

The CTA provides for 23 types of entities that are exempt from its reporting requirements, including companies that currently report to the U.S. Securities and Exchange Commission, insurance companies and tax-exempt entities, among others. Most notably, a company does not need to comply with the CTA if it has more than $5,000,000 in gross receipts for the previous year (as reflected in filed federal tax returns), at least one physical office in the U.S. and at least 20 employees in the U.S. For a full list of exemptions, including helpful checklists, please see Chapter 1.2, “Is my company exempt from the reporting requirements?”, of the Small Entity Compliance Guide.

A subsidiary of an exempt entity also will enjoy exempt status.

WHAT INFORMATION MUST BE REPORTED?

A reporting company is required to report the following information to FinCEN, and to keep the information current with FinCEN on an ongoing basis:

  1. The reporting company’s full legal name;
  2. Any trade name or “doing business as” (DBA) name of the reporting company;
  3. The reporting company’s principal place of business;
  4. The reporting company’s jurisdiction of formation (and, for non-U.S. reporting companies, the jurisdiction where the company first registered to do business in the U.S.); and
  5. The reporting company’s Employer Identification Number (EIN).

A reporting company also is required to identify its “beneficial owners” and “company applicant.” A beneficial owner is an individual who either: (a) exercises “substantial control” over the reporting company; or (b) owns or controls at least 25 percent of the ownership interests of the reporting company. A company applicant is an individual who directly files or is primarily responsible for filing the document that creates or registers the reporting company.

A reporting company must report and keep current the following information for each beneficial owner and company applicant:

  1. Full legal name;
  2. Date of birth;
  3. Complete current address;
  4. Unique identifying number and issuing jurisdiction from, and image of, one of the following non-expired documents:
    a. U.S. passport;
    b. State driver’s license; or
    c. Identification document issued by a state, local government or tribe.

WHEN ARE REPORTS DUE?

A reporting company that was first formed or registered to do business in the United States before January 1, 2024 will need to file its initial report with FinCEN no later than January 1, 2025.

A reporting company that is first formed or registered to do business in the United States between January 1, 2024 and January 1, 2025 will need to file its initial report with FinCEN within 90 calendar days after the effective date of its formation or registration to do business.

A reporting company that is first formed or registered to do business in the United States on or after January 1, 2025 will need to file its initial report with FinCEN within 30 calendar days after the effective date of its formation or registration to do business.

HOW DOES MY COMPANY FILE REPORTS WITH FINCEN?

Reports must be filed electronically through the BOI E-Filing System. For additional instructions and other technical guidance, please see the Help & Resources page.

WHAT HAPPENS IF MY COMPANY DOES NOT COMPLY WITH THE CTA?

At the time the filing is made, a reporting company is required to certify that its report or application is true, correct, and complete. Therefore, it is the reporting company’s responsibility to identify its beneficial owners and verify the accuracy of all reported information.

A person or reporting company who willfully violates the CTA’s reporting requirements may be subject to civil penalties of up to $500 for each day that the violation continues, plus criminal penalties of up to two years’ imprisonment and a fine of up to $10,000.

In the case of an accidental violation – for instance, if an initial report inadvertently contained a typo or outdated information – the CTA provides a safe harbor for reporting companies to correct the original report within 90 days after the deadline for the original report. If this safe harbor deadline is missed, the reporting company and individuals providing inaccurate information may be subject to the CTA’s civil and criminal penalties.

OTHER THAN FILING ACCURATE REPORTS, HOW CAN MY COMPANY STAY COMPLIANT?

A reporting company should consider taking the following actions to facilitate compliance with the CTA’s reporting requirements:

  • Amending existing governing documents, such as LLC or stockholder agreements, to require beneficial owners to promptly provide required information and otherwise cooperate in the company’s compliance with the CTA;
  • Designating an officer to oversee the company’s initial and ongoing CTA reporting;
  • Maintaining, reviewing and updating records on a regular cadence to reflect equity transfers, option grants and other transactions that affect ownership interest calculations; and
  • Developing a secure process for collecting and storing a beneficial owner’s photo identification and other sensitive information for CTA reporting purposes.
© Copyright 2024 Stubbs Alderton & Markiles, LLP
For more news on CTA Reporting Requirements, visit the NLR Financial Institutions & Banking section.

Top Risks for Businesses in 2024

Just weeks into 2024, it is already clear that uncertainty will be the watchword. Will the economic soft landing of 2023 persist into 2024? Will labor unrest, strong in 2023, settle down as inflation cools? Will inflation remain tamed? Will the U.S. elections bring continuity or a new administration with very different views on the role of the U.S. in the world and in regulating business?

Uncertainty is also fueling a complex risk environment that will require monitoring global developments more so than in the past. As outlined below, geopolitical risks are present, multiple, interconnected and high impact. International relations have traditionally fallen outside the mandate of most C-Suites, but how the U.S. government responds to geopolitical challenges will impact business operations. Beyond additional disruptions to global trade, businesses in 2024 will face risks associated with expanding protectionist economic policies, climate change impacts, and AI-driven disruptors.

Geopolitical Tensions Disrupting Global Trade

The guardrails are coming off the international system that enshrines the ideals of preserving peace and security through diplomatic engagement, respecting international borders (not changing them through military might) and ensuring the free flow of global trade. In 2022, the world was shocked by Russia’s invasion of Ukraine, but it has taken time for the full impact to reverberate through the international system. While political analysts write on a “spillover of conflict,” the more insidious impact is that more leaders of countries and non-state groups are acting outside the guardrails because they are no longer deterred from using military force to achieve political goals, making 2024 ripe for new military conflicts disrupting global trade beyond the ongoing war in Europe.

In October 2023, Hamas launched a war from Gaza against Israel. Thus far, fighting has spread to the West Bank, between Israel and Lebanese Hezbollah in the north, and to the Red Sea, with Iranian-backed Houthis attacking shipping through the strategic Bab al Mandab strait. Container ships and oil tankers, to avoid the risks, are re-routing to the Cape of Good Hope, adding two weeks of extra sailing time, with the associated costs. Insurance premiums for cargo ships sailing in the eastern Mediterranean have skyrocketed, with some no longer servicing Israeli ports. Companies and retailers with tight delivery schedules are switching to airfreight, which is expected to drive up airfreight rates.

Iran, emboldened by its blossoming relationship with Russia as one of Moscow’s new arms suppliers, is activating its proxy armies in Yemen, Iraq, Syria and Lebanon to attack Western targets. In a two-day period in January 2024, the Iran Revolutionary Guards directly launched strikes in Syria, Iraq and Pakistan. Nuclear-armed Pakistan retaliated with a cross border strike in Iran. While there are many nuances to these incidents, it is evident that deterrence against cross-border military conflict is eroding in a region with deep, festering grievances among neighbors. Iran is in an escalatory mode and could resume harassing shipping in the Persian Gulf and the strategic Strait of Hormuz, where about a fifth of the volume of the world’s total oil consumption passes through on a daily basis.

In East Asia, North Korea is also emboldened by the changing geopolitical environment. Pyongyang, too, has become a major supplier of weaponry to Moscow for use in Ukraine. While Russia (and China) in the past have constructively contained North Korean predilection for aggression against its neighbors, Supreme Leader Kim Jong Un may believe the time is ripe to change the status quo. Ominously, in a Jan. 15 speech before the Supreme People’s Assembly (North Korea’s parliament), Kim rejected the policy of reunification with South Korea and proposed incorporating the country into North Korea “in the event of war.” While North Korean leaders frequently revert to brinksmanship and aggressive language, Kim’s speech reflects confidence of a nuclear power, aligned with Russia against a shared adversary – South Korea, which is firmly aligned with the G7 consensus on Russia. A war in the Korean peninsula would be felt around the world because East Asia is central to global shipping and manufacturing, disrupting supply chains, as well as the regional economy.

China is also waiting for the right moment to “unite” Taiwan with the mainland. Beijing has seen the impact of Western sanctions on Russia over Ukraine and has been deterred from aiding the Russian war effort. In many ways, China has benefited from these sanctions and the reorientation of global trade. Also, Russia, with its far weaker economy, has proven surprisingly resilient to sanctions, another lesson for China. Meanwhile, the Taiwanese people voted in January and returned for a third time the ruling party that strongly rejects Chinese territorial claims. Tensions are high, with the Chinese military once again harassing Taiwanese defenses. For Beijing, the “right moment” could fall this year should conflict break out on the Korean peninsula, which would tie the U.S. down because of the Mutual Defense Treaty.

The uncertainty here is not that there are global tensions, but how the U.S. will respond as they develop and how U.S. businesses can navigate external shocks. Will the U.S. be drawn into a new war in the Middle East? Can the U.S. manage multiple conflicts, already deeply involved in supporting Ukraine? Is the U.S. economy resilient enough to withstand trade disruptions? How can businesses strengthen their own resiliency?

Economic Protectionism Increasing Costs and Risks

Geopolitical tensions, the global pandemic and the unequal benefits of globalization are impacting economic policies of the U.S. and the political discourse around the merits of unrestrained free trade. Protectionist economic policies are creeping in, under the nomenclature of “secure supply chains,” “friend-shoring” and “home-shoring.” The U.S. has imposed tariffs on countries (even allies) accused of unfair trade practices and has foreclosed access to certain technologies by unfriendly countries, namely China.

While the response to some of these trade restrictions are new trade agreements with “friends” to regulate access under preferred terms, in essence creating multiple “friends” trade blocs for specific sectors, other responses are retaliatory, including counter tariffs and export restrictions or outright bans. In 2024, the U.S. economy will see the impact of these trade fragmentation policies in acute ways, with upside risks of new business opportunities and downside risks of supply chain disruptions, critical resource competition, increased input costs, compliance risks and increased reputational risks.

Trade with China, which remains significant and important to the stability of the U.S. economy, will pose new risks in 2024. While Washington and Beijing have agreed to some political and security guardrails to manage the relationship, economic competition is unrestrained and stability in the bilateral relations is not guaranteed. The December 2023 bipartisan report by the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, with its 150 recommendations on fundamentally resetting economic and technological competition with China, if even partially adopted, risks reigniting the trade war.

2024 is a presidential election year for the U.S. A change of control of the executive branch could result in many economic and regulatory policy reversals. The definition of “friend” could shift or narrow. Restrictions on trade with China could accelerate.

Impacts of Climate Change and Sustainability Policies

2023 was the hottest year on record, and El Niño conditions are expected to further boost the warming trend. Many regions experienced record-breaking wildfire activity in 2023, including Canada where 18 million hectares of land burned. Extreme storms caused life-threatening flooding in Europe, Asia and the Americas. 2024 is expected to bring even more climate hazards. The impacts will be physical and financial, including growing insurance losses and adverse impacts on operations and value chain. Analysts expect that in 2024, the economic and financial costs of adverse health impacts from climate change will increase, with risks related to the spread of infectious disease, insufficient access to clean water, and physical harm to the elderly and vulnerable. The direct economic effect will be on health systems, but also loss of productivity due to extreme weather incidents and effects of epidemics.

Energy transition to low-carbon emissions is underway in the U.S., but it is uneven and still uncertain. The financial market is investing in an impressive number of startups and large-scale projects revolving around cleantech. Still, there is hesitancy on the opportunity and risks of sustainability. Thus far, progress towards sustainability goals has been private sector-led and government-enabled. There is a risk that government incentive programs encouraging the transition to low-carbon energy could be reversed or curtailed under a new administration.

In 2024, some companies will face more climate disclosure compliance requirements. The Securities and Exchange Commission (SEC) is expected to release its final rule on climate change disclosures. The final action has been delayed several times because of pushback by public companies on some of the requirements, including Scope 3 greenhouse gas emission disclosures (those linked to supply chains and end users). California has not waited for the SEC’s final rule: In October 2023, Gov. Gavin Newsom signed into law legislation that will require large companies to disclose greenhouse gas emissions. The California climate laws go into effect in 2026, but companies will need to start much earlier to build the capabilities to plan, track and report their carbon footprint. For U.S. companies doing business in the European Union, they will need to comply with the EU Corporate Sustainability Reporting Directive, with the rules coming into force mid-2024.

Disruptive Technology

In 2023, generative AI was the talk of the town; in 2024, it will be the walk. Companies are popping up with new tools for every imaginable sector, to increase efficiency, task automation, customization, personalization and cost reduction. Business leaders are scrambling to integrate AI to gain a competitive edge, while navigating the everyday risks related to privacy, liability and security. While there are concerns that AI will displace humans, there is a growing consensus that while some jobs will disappear, people will focus on higher value work. That said, new rounds of labor disruptions linked to workforce transition are likely in 2024.

2024 will also bring AI-generated misinformation and disinformation. Bad actors will spread “synthetic” content, such as sophisticated voice cloning, doctored images and counterfeit websites, seeking to manipulate people, damage companies and economies, and foment dissent.

In 2024, around 2 billion people in more than 50 countries will vote in elections at risk of manipulation by misinformation and disinformation, which could destabilize the real and perceived legitimacy of newly elected governments, risking political unrest, violence, terrorism and erosion of democratic processes. Large democracies will hold elections in 2024, including the U.S., the EU, Mexico, South Korea, India, Pakistan, Indonesia and South Africa. Synthetic content can be very difficult to detect, while easy to produce with AI tools.

This is not a theoretical threat; synthetic content is already being disseminated in the U.S., targeting New Hampshire voters with robocalls that share fake recorded messages from President Biden encouraging people not to vote in the primary election. The U.S. is already polarized with citizens distrustful of the government and media, a ready vulnerability. Businesses are not immune. Notably, CEOs have stood apart, with higher ratings for trustworthiness and risk being called upon to vouch for “truth” (and becoming collateral damage in the fray).

AI-powered malware will make 2023 cyber risks look like child’s play. Attackers can use AI algorithms to find and exploit software vulnerabilities, making attacks precise and effective. AI can help hackers quickly identify security measures and evade them. AI-created phishing attacks will be more sophisticated and difficult to detect because the algorithms can assess larger amounts of piecemeal information and craft messages that mimic communication styles.

The role of states backing cyber armies to spread disinformation or steal information is growing and is part and parcel of the erosion of the existing international order. States face little deterrence from digital cross-border attacks because there are yet to be established mechanisms to impose real costs.

© 2024 Bradley Arant Boult Cummings LLP
For more on Business Risks, visit the NLR Corporate & Business Organizations section.