In connection with the previously announced 44th Annual Small Business Forum on April 10 (with options to participate in-person or virtually), the Office of the Advocate for Small Business Capital Formation is asking the public to register in advance and submit suggestions ahead of the Forum. Public input will help shape the capital-raising policy recommendations that the Office will deliver to the Commission and to Congress. Here’s the process detailed in the Office’s outreach email:
– Submit your policy recommendations ahead of the Forum via our submission portal. This allows you time to be thoughtful with your recommendations and allows all voices to be heard.
– We will compile the recommendations from all participants and share at the live event.
– We will reserve time at the end of the event to allow in-person attendees to address the audience briefly to discuss any recommendations submitted. Following this discussion, the recommendations will be opened for voting via our online polling for all participants (including those via webcast).
– Voting allows you to rank the policy recommendations based on what you think is a priority for the Commission and Congress.
– After the event, a report will be delivered to Congress highlighting the event’s discussions and the prioritized policy recommendations, based on participant voting.
If you’d like to submit a recommendation (or two or three), the submission portal is open until April 9.
A week ago, PwC released the results of its 2025 Global Compliance Survey (available for download) that asked 1,802 executives from 63 territories across a wide range of industry sectors about their companies’ current compliance challenges and practices and how they hope to evolve them. Not surprisingly:
– 85% stated that compliance requirements have become more complex in the last three years
– 77% said that their company has been negatively impacted by compliance complexity in several areas that drive growth
– Only 7% consider themselves to be leading in compliance right now
That said, the survey shared some good news too:
– 59% had greater confidence in compliance decision-making due to better coordination
– Respondents cited investments in compliance to take advantage of new technology (32%), enhance effectiveness (30%) and reduce costs (21%)
– 82% plan to invest more in technology to drive compliance activities
– Respondents are already leveraging compliance technology for better visibility of risks and risk management activities (64%), faster identification and proactive response to compliance issues (53%), higher quality/more insightful reporting (48%), and increased productivity and cost savings (43%)
– 71% believe that AI will have a net positive impact overall on compliance
Clearly, the adoption of emerging technologies was an area of focus for survey questions. The report says this will be necessary to keep up with the pace of change. “The level of regulatory change, shifting stakeholder expectations, and changes in industry ecosystems and macro risks, means that responding in a ‘traditional way’ – more people, more controls – is unlikely to be sustainable.”
Speaking of keeping up with the pace of change, this recent KPMG regulatory alert includes a table detailing what it calls “regulatory signals” of the Trump Administration’s mandate for de-regulation. This table is a really helpful tool for compliance professionals who may be struggling to stay on top of developments. Here are the types of “regulatory signals” identified:
– Executive actions (like Executive Orders)
– The use of the Congressional Review Act
– Workforce and organization changes across the federal government
– Pressure on global regulation
– Agency rule or guidance modifications or withdrawals
– Agency withdrawals from legal actions
– Agencies redefining their enforcement focus
It lists specific examples (and descriptions) for each of these to better understand the current regulatory environment. For example, with respect to agencies redefining their enforcement focus, it cites the following:
– Implementation of the Executive Order pausing investigations and enforcement of the FCPA and directing review/revision of the related guidelines and policies.
– Implementation of the DOJ Memo re-prioritizing enforcement focus of FCPA to foreign bribery that facilitates the criminal operations of Cartels and Transnational Criminal Organizations.
– Increased application/ enforcement under the False Claims Act (e.g., DOJ).
– Focus on the “letter of the law”.
– Flexibility toward innovation and technology, including digital assets/crypto and AI.
– Introduction of a framework to assess self-reporting, cooperation, and remediation in investigations and enforcement actions (e.g., CFTC).
– Determination not to enforce fines/ penalties associated with rulemaking (e.g., FinCEN Beneficial Ownership Information reporting requirements).
What does all this mean (at a high level) for compliance professionals? The memo includes these reminders:
– ‘Deregulation’ is not ‘No Regulation’: Despite new directives, shifts in enforcement intensity and priority, and select rule recissions, existing regulations stand and require ongoing adherence.
– New Rulemaking to Plummet: Expect ongoing withdrawals of proposed rules, modifications to existing regulations, and the increasing use of statements versus guidance.
– Quick Investigation/Enforcement Shifts: Expect enforcement activities to focus on the “letter of the law”, and cases to include those deemed “egregious” under the new Administration’s directives and to be impacted by workforce reductions and mission/enforcement shifts (e.g., FCPA, CTA).
– Global Pressures: Expect the Administration to continue pressure globally to “de-regulate”, including but not limited to technology regulations (e.g., DSA, AI Act).
Now that we better understand the shifting regulatory environment, how should companies be responding to change through their compliance programs — beyond investing in technology for process and automation improvements? This Freshfields blog walks through four regulatory areas of interest — including FCPA compliance, newly designated terrorist organizations, DEI policies and tariffs. The blog then shares some actionable steps compliance professionals should consider to enhance their companies’ compliance programs in light of current federal regulatory priorities.
Here they are:
– Conduct ongoing assessments of legal and compliance risks to business operations in light of these new enforcement priorities, so that corporations may deploy compliance resources appropriately, particularly where there may be differences in applicable laws, policies and enforcement priorities across different jurisdictions relevant to multinational corporations (e.g., with regard to anti-bribery and corruption, DEI, and international trade and sanctions).
– Evaluate existing due diligence processes and KYC protocols, and whether any such processes should be amended to reflect evolving priorities, including for instance:
enhancing due diligence of vendors, suppliers, and other third party intermediaries in Mexico and other Latin American countries to address potential exposure to sanctioned parties including newly designated terrorist organizations; and
reviewing global supply chain due diligence and monitoring processes, particularly relating to suppliers located in jurisdictions that have been targeted by recently announced tariffs.
– Enhance compliance policies and trainings for relevant employees in jurisdictions or business functions potentially subject to increased risk, such as by providing specific training for identifying and mitigating potential risks associated with conducting business operations in Latin American countries and along trade routes where recently designated terrorist organizations (cartels and transnational criminal groups) are perceived to be embedded in the local economies.
– Update compliance hotlines and internal communication pathways so that relevant stakeholders may raise any concerns, and legal and compliance teams may promptly and appropriately triage, investigate, and address such matters.
We’ve been posting tons of memos in our “Regulatory Reform” Practice Area on TheCorporateCounsel.net. Also, be sure to check out our “Compliance Programs” Practice Area.
On Monday at the Investment Company Institute’s 2025 Investment Management Conference, Acting SEC Chair Mark Uyeda shared his thoughts on what a “robust and informed rulemaking process” should look like. He notes that one of his objectives is to “set forth a blueprint for restoring the Commission’s rulemaking processes to the ‘gold standard’ among regulatory agencies,” noting “the Commission should act like a super-sized freighter, not a speed boat.”
Here are some practices he promotes in his remarks:
– Restore historical comment periods — i.e., a 60-day minimum and even 90 days for more complex rulemakings.
– Avoid over-broad or dense rulemaking proposals. When rulemaking tackles too many topics, commentators may focus on one area and other aspects of the rule may get adopted with little public input.
– Re-propose rules or re-open the comment file, which may be appropriate to take into account issues commenters raised in iterating on the prior rule proposal, to respond to changed conditions or when significant time has passed since the original proposal.
– Identify the rule’s purpose and the problem it’s trying to solve upfront.
– Provide additional means for obtaining feedback to help shape proposals — including public roundtables, requests for information, concept releases, advance notices of proposed rulemaking and investor testing.
– Improve the Commission’s analysis of rules’ economic impacts by ensuring cost estimates are as up-to-date as possible and considering the impact on small entities.
– Respect the limits of the Commission’s statutory authority.
With respect to that last point, Acting Chair Uyeda notes, “We must be clear-eyed about how existing proposals fare under this rubric.” He notes that the Staff is considering withdrawing proposals, pausing recently-adopted rules or extending or delaying compliance dates — although the rules cited relate to the Division of Investment Management.
I think it’s safe to say that Item 1.05 cyber incident Form 8-Ks have evolved during the last 15 months or so — particularly following the May 2024 Corp Fin statement regarding voluntary disclosure of an immaterial incident or early disclosure while a materiality determination is still being made. This Debevoise alert shares some granular statistics from the 26 companies (as of February 11) that had reported a cybersecurity incident under Item 1.05 since the effective date of the newly required 8-K disclosure. For example, there was a notable shift to Item 8.01 after the Corp Fin Statement — with 28 companies using Item 8.01 thereafter.
Here are some other key stats from the article:
– The average time between detection and disclosure has been 7.88 business days, and the median length has been 4.5 business days. Nearly half have filed within 4 business days of detecting the cybersecurity incident. (Reminder that the disclosure is required within 4 business days of determining that the incident is material — not the initial detection.)
– 65% of companies disclosed an operational disruption related to the incident (which may be more readily identifiable in early stages compared to financial or more qualitative (like reputational) impacts). For 14 of those companies, the operational impacts were caused, at least in part, by remediation or mitigation efforts.
– 77% of companies disclosed that the incident resulted in access to or exfiltration of data (e.g., client or customer data, or information contained within corporate email accounts). Of those, 6 disclosed the nature of the exfiltrated data or targeted information in the initial Form 8-K and 9 disclosed this information in an amendment.
– 23% of companies identified the threat actor by name or nature.
– No companies disclosed payment of a ransom.
– 50% of companies filed 8-K amendments (required by the rule to the extent any required information is not determined or unavailable at the time of the initial filing).
– Those amendments disclosed “remediation of the relevant cybersecurity incident, details regarding the impact of the incident (including the material or immaterial nature of certain impacts), further actions taken by the threat actor and details regarding the nature of the incident.”
– Three companies initially disclosed cybersecurity incidents on Item 8.01 (all following the Corp Fin statement) before subsequently filing on Item 1.05.
According to the December 2024 Semi-Annual Report to Congress Regarding Public and Internal Use of Machine-Readable Data for Corporate Disclosures, there are currently 55 forms, schedules and statements containing disclosures required under Securities Act Section 7 and Exchange Act Section 13 or 14 and approximately 75% of those require some machine-readable data. Compliance with all of these tagging requirements — like the new insider trading policy disclosure required by Item 408(b) of Regulation S-K and cybersecurity disclosures required Item 106 of Regulation S-K (which just became subject to Inline XBRL tagging requirements after a one-year phase in) — is important because missing them has consequences.
We’ve posted a new checklist to assist you in this effort. Our “Checklist: Corporate Disclosures Tagged in Inline XBRL” includes the list of corporate disclosures required to be tagged in Inline XBRL identified on an individual form, schedule and statement basis — pulled from the appendix to the SEC’s Semi-Annual Report to Congress. Pulling this existing list as a form-check tool was a no-brainer, but we’ll endeavor to pull our weight around here and update this more often than semi-annually.
The FactSet team reviewed S&P 500 earnings calls from December 15 through March 14 to look for comments on AI. In those fourth-quarter earnings calls, 241 S&P 500 companies cited AI. To give context to this number, this FactSet article gives these comparator stats:
– This is the highest number over the past 10 years
– The 5-year average is 105 and 10-year average is 67
– The previous record over the past 10 years was 212
– This is the fourth straight quarter in which more than 200 S&P 500 companies cited “AI” on earnings calls
As Liz recently shared, “When it comes to AI-related opportunities, ‘anything you say can and will be held against you.’” And AI is certainly still an area of focus for the SEC. For example:
– The SEC recently announced the formation of a new Cyber and Emerging Technologies Unit to “root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies”
– In January, the SEC (while still under Chair Gensler) announced what seems to be the first “AI washing” case against a public company
While we continue to cover SEC compliance and board governance issues associated with AI on this blog and in our “Artificial Intelligence” Practice Area on TheCorporateCounsel.net, we know that many of our members are not just dealing with board-level issues like these but also with more granular aspects of the AI & EmTech risk management and compliance process. On our new “AI Counsel” blog, John and Zachary are highlighting useful resources and sharing guidance on best practices for front-line risk management and compliance professionals who are dealing with the challenges of artificial intelligence, cyber, and other emerging technologies.
The blogs run Monday through Thursday of each week. You can subscribe to get free blog notifications in your inbox! The site also includes a “blog roll” featuring blogs and resource pages that they think readers will find useful. John and Zachary encourage readers to reach out with blog topics and suggestions.
This Freshfields blog discusses a December 2024 S.D.N.Y. decision addressing whether Section 10(b) of the Exchange Act reaches extraterritorial transactions. This decision is the first in the 2nd Circuit since Morrison v. Nat’l Australia Bank Ltd., 561 U.S. 247 (2010) in which SCOTUS overturned the 2nd Circuit. Here’s background from the blog (citations omitted):
Before the Supreme Court’s ruling in Morrison, courts in the Second Circuit applied “conduct” and “effects” tests, under which Section 10(b) applied to extraterritorial transactions involving conduct that “occurred in the United States” or “had a substantial effect in the United States or upon United States Citizens.” SEC v. Berger, 322 F.3d 187, 192-93 (2d Cir. 2003).
Morrison rejected the conduct and effects tests, holding that Section 10(b) reached “only transactions in securities listed on domestic exchange, and domestic transactions in other securities.” Within weeks of the Supreme Court’s decision in Morrison, Congress passed the Dodd-Frank Act [. . . a subsection of which] provides that U.S. courts shall have jurisdiction over actions initiated by the SEC or the United States alleging violations of the Exchange Act’s antifraud provisions that involve “conduct occurring within the United States” or “conduct occurring outside the United States that has a foreseeable substantial effect within the United States.”
In short, the Dodd-Frank Act revived the conduct and effects tests for assessing jurisdiction over actions brought by the SEC. Because Dodd-Frank amended the Exchange Act’s jurisdictional provision rather than Section 10(b) itself, which Morrison held was limited to “domestic transactions,” [it was an open question in the Second Circuit whether SEC enforcement of Section 10(b) was limited to domestic transactions.
United States Sec. & Exch. Comm’n v. Passos (S.D.N.Y.; 12/24) involved a public Brazilian company whose stock trades on a Brazilian exchange. After a short seller report was published and the company’s stock price dropped, the company’s EVP of Finance and IR allegedly created a false story with fake supporting documents and shared them with journalists. The SEC brought an action against the executive under Section 10(b) of the Exchange Act alleging that U.S.-based investors bought shares while the company’s stock price was artificially inflated due to the fraudulent story. The executive moved to dismiss, arguing that the claim was barred under Morisson because the company’s stock traded exclusively on a Brazilian exchange and the SEC did not allege any related U.S. transactions.
The district court denied Passos’s motion to dismiss, holding that Section 10(b) reached Passos’s conduct even though the relevant transactions were extraterritorial. The Court found, first, that the text of the Exchange Act was broad enough to encompass extraterritorial misconduct, and second, that Congress’s amendment of the Exchange Act in Dodd-Frank provided the “affirmative indication” of extraterritorial application that did not exist when the Supreme Court decided Morrison.
What does this mean? The blog continues:
Passos clarifies the SEC’s ability to bring enforcement actions related to extraterritorial transactions, buttressing the Commission’s expansive view of its reach. Whether, as a policy matter, the Trump-era SEC will continue to investigate extraterritorial transactions or will instead take a narrower approach to extraterritoriality remains to be seen.
Nonetheless, non-U.S. public companies, including those listed on non-U.S. exchanges, should be cognizant of the increased risk of SEC enforcement, take steps to ensure their conduct complies with antifraud provisions of the Exchange Act, and include potential enforcement actions in their legal risk management plans.
This is particularly true of companies whose executives conduct business while in the United States or who have a broad base of U.S. shareholders, either of which might, under the right circumstances, permit the SEC to pursue an enforcement action concerning conduct related to a wholly extraterritorial transaction.
Check out John’s latest “Timely Takes” Podcast featuring Cleary’s J.T. Ho and his monthly update on securities & governance developments. In this installment, J.T. reviews:
The SEC’s recission of SLB 14L and adoption of SLB 14M
Corp Fin’s exempt solicitation CDIs
President Trump’s DEI executive orders
Proxy advisor and institutional investor policy updates
Corp Fin’s 13G/13D CDIs
As always, if you have insights on a securities law, capital markets or corporate governance issue, trend or development that you’d like to share in a podcast, we’d love to hear from you. You can email me at mervine@ccrcorp.com or John at john@thecorporatecounsel.net.