Michael W. Peregrine

On Monday, the National Association of Corporate Directors released a Blue Ribbon Commission Report providing substantive guidance for corporate directors on board oversight of artificial intelligence. In the following guest post, Michael W. Peregrine, a partner at the McDermott Will & Emery law firm, reviews the Blue Ribbon Commission report and summarizes

At this point, there is nearly universal agreement that artificial intelligence (AI) is (or at least will be) transformative. It is also clear that as companies struggle to adapt to the new technology, they also face a host of challenges, including disclosure and regulatory risks, and the related risk of litigation. As a result, AI poses an exceptionally difficult set of circumstances for corporate directors, as discussed in an August 14, 2024, Wall Street Journal article entitled “Why AI Risks Are Keeping Board Members Up at Night” (here). As the article makes clear, while many directors recognize the importance of getting a handle on AI and how it might affect their companies, they are struggling to find the right approach even as AI-related questions become more pervasive.
Continue Reading Boards of Directors and AI-Related Concerns

On July 26, 2023, a divided SEC adopted, by a 3-2 vote, final rules for cybersecurity disclosures. The final rules are based on proposed rules the agency first introduced in March 2022. The rules require companies to disclose material cybersecurity incidents they experience, and also to disclose on an annual basis material information regarding their cybersecurity risk management and governance. The rules will have a significant impact on reporting companies’ disclosure practices and could present a challenge for some companies. A copy of the final cybersecurity disclosure rules can be found here. The SEC’s July 26, 2023, press release about the final cybersecurity disclosure rules can be found here. The SEC’s two-page fact sheet about the new rules can be found here.
Continue Reading SEC Adopts Final Cybersecurity Disclosure Rules

On March 9, 2022, the SEC finally released its long-anticipated updated cybersecurity disclosure requirements. The proposed rules, inclusive of specifications both for incident reporting and for risk management and governance disclosure, were adopted by a 3-1 vote and are now subject to a public reporting period. The new rules, which the Commission’s press release says are “designed to better inform investors about a registrant’s risk management, strategy, and governance and to provide timely notification of material cybersecurity incidents,” underscore the Commission’s emphasis on cybersecurity reporting and disclosure issues.

The SEC’s March 9, 2022 press release about the proposed new rules can be found here. The Commission’s two-page “fact sheet” about the new rules can be found here. The Commission’s 129-page proposing release can be found here. Cydney Posner’s March 9, 2022 post on the Cooley law firm’s PubCo blog about the proposed rules can be found here.
Continue Reading SEC Proposes New Rules for Cybersecurity Disclosure and Incident Reporting Rules

Increased stakeholder expectations have made corporate governance more important than ever, with important implications for companies and their executives. The following guest post examines the ways that sound corporate governance structures and practices can help position companies to be able to defend themselves in the event of litigation. This paper was written by Suzanne H. Gilbert, a member of the Board of Advisors of Grace & Co. Consultancy, Inc.; H. Stephen Grace Jr., Ph.D., President of H.S. Grace & Company, Inc.; Joseph P. Monteleone, a partner with the Weber Gallagher Simpson Stapleton Fires and Newby LLP law firm; and S. Lawrence Prendergast, a member of the Board of Advisors of Grace & Co. Consultancy, Inc. and Chairman of the Turrell Fund. A version of this article previously was published in the American Bar Association’s Business Law Today. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. The authors’ article follows.
Continue Reading Guest Post: Stress Testing Your Corporate Governance Structure

In February 2018, the SEC updated its cybersecurity disclosure guidelines for reporting companies, emphasizing the importance to investors and markets of prompt and robust disclosure relating to cyber issues. Indeed, in April, the agency brought its first enforcement action relating to cybersecurity enforcement issues. In its recent annual report, the agency’s enforcement division emphasized that cybersecurity disclosure is a priority issue. Clearly, public companies’ cybersecurity-related disclosure practices are receiving a great deal of attention and scrutiny.

But what are public companies actually doing in terms of cybersecurity disclosures? A recent study by EY took a look at the actual cybersecurity disclosure practices. Their analysis shows that cybersecurity-related disclosure practices “vary widely,” suggesting there is an “opportunity for enhancement.” The October 22, 2018 report, entitled “Cybersecurity Disclosure Benchmarking,” can be found here.
Continue Reading Cybersecurity Disclosure Practices and Standards

It is now well known and understood that cybersecurity is a board-level issue. This generalization is true not just for companies in the United States but for all companies around the world. In the following guest post, Joel Pridmore, Asia Pacific Underwriting Manager, Specialty, Corporate Insurance Partner, Munich Re Group; Saket Modi, CEO of Lucideus Technologies Pvt Ltd; and Richa Shukla, Partner, Khaitan Legal Associates, take a look at this issue, with a particular focus on concerns for Indian companies. I would like to thank the authors for allowing me to publish their article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ guest post.
Continue Reading Guest Post: Cyber Risk: A Board Level View

John Reed Stark

David Fontaine

In this day and age, the members of the boards of directors of most companies understand that cybersecurity issues are important and should be a board-level priority. But while these issues and responsibilities are now well-recognized, many boards still struggle to translate these issues into action. In the following guest post, John Reed Stark, President, John Reed Stark Consulting LLC, and David R. Fontaine, President, Corporate Risk Holdings,[1] take a look at these challenges and propose that in addressing their cybersecurity-related responsibilities boards should draw upon the same governance procedures they have long used with respect to financial accounting and reporting. The authors suggest well-advised boards will take this approach in light of the very real, difficult-to-control and ever-increasing enterprise threat that cyber-attacks represent for their organizations.
Continue Reading Guest Post: Boards of Directors and Cybersecurity: Applying Lessons Learned From 70 Years of Financial Reporting Oversight