AI Cyber Risks Becoming "Huge Discussion Point on Every 10-K"

Companies Weigh AI Cyber Risks in Disclosures to Atkins’ SEC

Publicly-traded companies crafting their approach for SEC filings—from Form 10-K annual reports to breach disclosures—face a new challenge: providing specific details about cyber threats tied to AI in real time as they work to understand emerging tools’ risks. They’re also on high alert for how the SEC will tackle cyber enforcement after the agency in November dropped a case against business software firm SolarWinds Corp. that cyber executives and attorneys broadly criticized as an overreach by the Biden administration.

“It wasn’t a complete retreat, but through that action and some of the other actions that the SEC has taken, it seems like they’re taking a step back from being ‘cyber auditor,’ but not taking a step back from being the enforcer of accurate disclosures around cybersecurity,” said Ilona Cohen, chief legal and policy officer at HackerOne, a security solutions provider.

I’m Being Prosecuted for the Opposite of Insider Trading

The crime of insider trading consists in taking advantage of other investors by buying or selling stock based on material, nonpublic information that could affect its value. I’m being prosecuted for doing the opposite of that. I publicly expressed a sincerely held opinion and later traded on it. Under the Justice Department’s theory, that’s a crime because I made so many people aware of my opinion.

Call it the influencer penalty. Prosecutors are advancing a legal theory that creates two classes of Americans: those who can speak freely and trade freely, and those who have built an audience and therefore can’t.

The individual acts aren’t disputed. I can buy a stock. Legal. I can publicly share my opinion about that stock—constitutionally protected speech. I can sell that stock. Also legal. But do all three with a large social media following? Securities fraud.

SEC and IRS Enforcement Changes Are No Excuse for Lax Behavior

SEC staffing has declined by roughly 15% due to buyouts and early retirements, and the agency is on track for its lowest number of earnings fraud and auditor-liability enforcement actions since the Reagan administration.

But behind these statistics is a deliberate strategic pivot under Commissioner Paul Atkins, who has promised a return to the SEC’s core mission and advocated for an enforcement philosophy centered on:

—Pursuing clear-cut violations that harm investors (insider trading, accounting and disclosure fraud, market manipulation, offering fraud)

—Avoiding regulation by enforcement; that is, refraining from creating new quasi-rules through aggressive policing of gray areas

—Moving away from policing technical violations (for example, books-and-records offenses or administrative process failures) and assessing corporate-level fines

Crypto’s Future Will Be Sabotaged by Feeble Oversight

A different proposal, called the Clarity Act, also attempts to streamline crypto regulation. Yet its criteria may prove hard to apply in practice, and it would explicitly limit the Securities and Exchange Commission’s authority over tokens, deeming most of them “digital commodities” under the purview of the Commodity Futures Trading Commission.

The CFTC, with a budget one-sixth that of the SEC’s, has already slashed enforcement staff and is being led by just one commissioner of the five required by statute. (The new commissioner, Michael Selig, hasn’t committed to raising more funds for the agency by levying fees on crypto companies, as the law would allow.) […]

A better approach would be to create a new legal framework for trading in all digital assets that aren’t easily categorized, such as Bitcoin and Ether. The SEC and CFTC could then jointly draft rules to ensure that all market participants meet basic requirements for safety and soundness, customer protection, and disclosure and governance.