If you’re on the risk management side of the business – like most in-house lawyers – the risks associated with emerging technologies like artificial intelligence are likely taking up an increasing amount of your time & mental energy. Concerns about those emerging technology risks and identifying effective risk management programs to address them aren’t likely to go away anytime soon. Fortunately, over on Radical Compliance, Matt Kelly recently flagged a new “AI Risk Repository” developed by the smarty-pants at MIT that offers assistance in identifying the risks associated with AI.
This excerpt from Matt’s blog provides an overview of what this resource is all about:
A team of MIT researchers known as the FutureTech Group published the catalog, formally known as the AI Risk Repository, earlier this month. It’s free to all and designed to help a wide range of audiences, from academic researchers to policy makers to, yes, corporate risk managers trying to develop risk assessments for the AI systems running at your company. (Credit to compliance consultant Mark Rowe for noting the repository on LinkedIn earlier this week.)
The 700+ risks are organized into seven primary domains, such as discrimination, privacy, and system safety. Those seven primary domains are then split into 23 more precise sub-domains, which are divided again into even more precise risk categories.
The actual repository exists as a Google spreadsheet you can download, with various columns classifying each risk, describing its potential severity, identifying the potential cause (human versus AI itself; accidental versus deliberate action), and otherwise giving you a wealth of context.
Matt goes on to offer some thoughts on how to put the repository to work in your own risk management and compliance program. He points out that the 700+ risks in the repository were pulled together from 43 separate risk management frameworks and asks whether the existing frameworks used by companies to manage AI risks – like the NIST AI Risk Management Framework and the ISO 42001 standard – are sufficient to meet the challenge.
According to a new report from Arize AI, the number of Fortune 500 companies citing AI-related risk factors in their annual reports has increased by nearly 500% since 2022, with 281 companies currently addressing AI in their risk disclosures. The report says that media and entertainment (92%), software and technology (86%), telecommunications (70%), healthcare (65%) and financial services (63%) lead all other industries in disclosing risks from AI.
The report also includes excerpts from various categories of corporate risk factor disclosures, including competitive risks, regulatory risks, security risks, and what the report calls “general harms”. This latter category encompasses “physical, reputational, or other harms to company or its stakeholders from AI”. Here’s an example of this general harm risk disclosure from Motorola’s annual report:
As we increasingly build AI, including generative AI, into our offerings, we may enable or offer solutions that draw controversy due to their actual or perceived impact on social and ethical issues resulting from the use of new and evolving AI in such offerings. AI may not always operate as intended and datasets may be insufficient or contain illegal, biased, harmful or offensive information, which could negatively impact our results of operations, business reputation or customers’ acceptance of our AI offerings.
Although we work to responsibly meet our customers’ needs for products and services that use AI, including through AI governance programs and internal technology oversight committees, we may still suffer reputational or competitive damage as a result of any inconsistencies in the application of the technology or ethical concerns, both of which may generate negative publicity.
If you found today’s AI-related blogs interesting, you won’t want to miss our “In-House Insights: Governing and Disclosing AI” panel at our 2024 “Proxy Disclosure and 21st Annual Executive Compensation Conferences” – and that’s just one of the 15 timely, topical panels you’ll hear from over our two days of programs. As we’ve mentioned before, one of those panels will feature our SEC All-Stars participating in a “Game Show Lightning Round: All-Star Feud” – and we’re back with another request for your responses to one of the survey questions they’ll be asked to address.
Please take a moment to respond to our latest anonymous poll. We’ll gather and rank responses by popularity. Responses will be hidden, so you will have to join day 1 of our Conferences to hear whether your response made the “most popular” list.
If you haven’t done so already, today is a great day to sign up for our Conferences, which are taking place on October 14th & 15th in San Francisco. There is also a virtual option if you are unable to attend in person. You can register by visiting our online store or by calling us at 800-737-1271.
Earlier this month, the CII released a report on what it refers to as “stealth” dual-class structures – alternatives to multi-class capital structures that allow insiders the control benefits associated with owning high-vote stock without the potential investor relations downsides. Here’s the intro:
Traditional dual-class or multi-class stock structures have received significant attention from market participants because of the disconnect they create between voting rights and economic ownership, thereby insulating company insiders from accountability to the company’s owners. However, it is important for investors to understand that companies can deliver substantially similar entrenchment mechanisms without creating multiple classes of common stock or adopting widely understood anti-takeover devices such as poison pills. In fact, there may be an incentive for insiders to achieve the same control enhancing outcomes without adopting a traditional dual-class structure.
By doing so, they may receive the private benefits of outsized decision-making power without receiving the negative attention and stock price discount accompanying dual-class stock. This paper reviews nine examples of arrangements that could constitute “stealth dual class”: identity-based voting power, side agreements with favored shareholders, stock pyramiding/cross-ownership, umbrella partnerships and C corporations (Up-Cs), employees granting irrevocable proxy voting rights transferred from employees to insiders, golden shares, situational super-class issuances, non-equity votes and vote caps.
The article goes on to explain how each of these alternatives replicates the benefits of a dual-class structure and offers some specific real-world examples. It also says that Delaware’s adoption of new Section 122(18) of the DGCL may facilitate their increased usage, which is a topic about which the CII has previously expressed concern.
Given the wailing and gnashing of teeth over dual-class structures in the US by proxy advisors & investor representatives, it may come as a surprise to learn that UK regulators recently adopted a rule change permitting dual-class companies to list on the LSE. An ISS report on the change notes that it was opposed by many prominent UK & European institutional investors, but also acknowledges a big reason why their objections didn’t carry the day:
As others have highlighted, many of the institutional investors and pension funds that have concerns in relation to the so-called watering down of UK shareholder rights and protections do invest in other financial markets with lower corporate governance standards, and often where the use of multiple class share structures has been the norm for many years.
Indeed, this is not the first time that this has been noted by external observers. Earlier in June 2024, the Chair of Marks & Spencer, Archie Norman, blamed UK pension funds for the decline of the LSE on the grounds that they had cut their UK equity exposure to a shadow of what it had been just decades before. According to a release by the Office for National Statistics, published in December 2023, the proportion of UK shares held by UK insurance and pension funds has fallen dramatically since 1997 when the two sectors held a combined total of 45.7% of quoted shares. By 2022, the holdings of the two sectors had fallen to 4.2%, “the lowest proportion jointly held by them on record”.
As a result, it is not surprising that some observers contend that the recent arguments of some UK pension funds regarding the need to retain shareholder rights and protections ring hollow, given their apparent willingness to invest in other international markets despite the lower protections and corporate governance standards, coupled with their reduced ‘skin in the game’ in the UK market.
ISS goes on to argue that UK regulators should’ve paid more attention to investors’ negative reaction to multi-class structures in jurisdictions where they’re permitted when deciding whether to permit listings on the LSE. On the other hand, maybe regulators just paid more attention to investors’ actions than their words, since they still seem to gobble up dual class companies’ IPOs whenever they get the chance.
The SEC issued its first fee rate advisory for the 2025 fiscal year. The bad news is that filing fees are going up for the third straight year, but the good news is that they’re rising at a much slower rate than they have during the past two fiscal years. For fiscal 2025, the SEC says that the filing fees will increase from $147.60 per million dollars to $153.10 per million dollars, effective October 1, 2024. That’s a 3.7% increase, but it’s a lot less than the 34% fee increase for fiscal 2024 and the 19% increase for fiscal 2023.
The fee rate advisory points out that the SEC doesn’t set filing fees arbitrarily:
The securities laws require the Commission to make annual adjustments to the rates for fees paid under Section 6(b) of the Securities Act of 1933, which also adjusts the annual fee rates under Sections 13(e) and 14(g) of the Securities Act of 1934, as well as Rule 24f-2 under the Investment Company Act of 1940. The Commission must set rates for the fees paid under Section 6(b) to levels that the Commission projects will generate collections equal to annual statutory target amounts.
The Commission’s projections are calculated using a methodology developed in consultation with the Congressional Budget Office and the Office of Management and Budget. The Commission determined the statutory target amount for fiscal year 2025 to be $864,721,147 by adjusting the fiscal year 2024 target collection amount of $839,771,535 for the rate of inflation.
Yesterday, the SEC approved several rule changes proposed by the PCAOB. The changes address auditors’ general responsibilities in conducting an audit, the use of technology assisted data analysis in audits, and auditor liability. This excerpt from the SEC’s press release summarizes the new rules:
The Commission approved the PCAOB’s new AS 1000, General Responsibilities of the Auditor in Conducting an Audit, along with related amendments to other PCAOB standards, to reaffirm, consolidate, and modernize the general principles and responsibilities of the auditor when conducting an audit. These standards cover such foundational topics as affirming the auditor’s duty to protect investors through the preparation and issuance of informative, accurate, and independent auditor’s reports; the exercise of due professional care, professional skepticism, and professional judgment when performing audits; and compliance with ethics and independence rules.
In addition, the Commission approved the PCAOB’s amendments to AS 1105, Audit Evidence, and AS 2301, The Auditor’s Response to the Risks of Material Misstatement, and conforming amendments, to address the use of technology-assisted data analysis in audit procedures. The amendments specify and clarify auditors’ responsibilities when the auditor uses such analytical tools in conducting audits.
Finally, the Commission approved the PCAOB’s amendment to Rule 3502, Responsibility Not to Knowingly or Recklessly Contribute to Violations, governing the liability of an associated person of a registered public accounting firm who directly and substantially contributes to that firm’s violations of the laws, rules, and standards that the PCAOB enforces. The amendments to Rule 3502 revise from recklessness to negligence the standard for an associated person’s contributory liability, while maintaining the requirement that to be held liable, an associated person must have contributed to the firm’s violation “directly and substantially.”
Commissioner Peirce issued a dissenting statement with respect to the changes to Rule 3502, and Commissioner Uyeda did as well. Both commissioners supported the other rule changes. PCAOB Chair Erica Williams issued her own statement in response to the SEC’s action.
We’ve blogged about these rule changes several times, and they’re not insignificant. Check out this blog for more on the new AS 1000, this blog for the implications of the amendment to Rule 3502, and this blog for information on the amendments to AS 1105 & AS 2301.
The Society for Corporate Governance & EY recently issued a report addressing the evolution of Disclosure Committees. The report updates their 2021 report, and this excerpt from the press release announcing the issuance of the report highlights some of the key findings:
– 60% of disclosure committees now regularly review cybersecurity risk and governance disclosures and nearly 40% now regularly review human capital disclosures, up from 32% and 13%, respectively, in our 2021 survey, likely reflecting increasing regulatory and stakeholder scrutiny and expectations.
– Nontraditional roles, such as the heads of Risk, Human Resources, and Information Security, are increasingly among the regular members of companies’ disclosure committees.
– Nearly half of respondents involve their disclosure committees in determining whether cyber incidents are material and require Form 8-K disclosure, while the balance look to another individual or group of individuals to make that determination.
This Bloomberg Law article reports that following the SCOTUS’s elimination of Chevron deference, GOP senators are redoubling their efforts to deep six the “Deep State.” This excerpt says that step one has been to bombard agencies with inquiries about how the decision will impact their work:
GOP lawmakers cheered the Loper Bright Enterprises v. Raimondo decision, arguing it will result in fewer burdensome regulations and give Congress more say in how laws are carried out. Their initial response to the ruling has been to overwhelm agencies with inquiries on the ruling’s impact on their day-to-day work.
To prepare for long-term change, 19 GOP senators last month formed a working group to examine how Congress should limit agency power and roll back regulations underpinned by Chevron. The senators themselves haven’t met as a group, but GOP staff from members’ offices and the Judiciary Committee are organizing subgroups and written to over 100 agencies, quizzing them on the decision’s impact in their ongoing rulemaking, civil enforcement actions, and adjudications.
The article says that Republican senators plan to propose more than a dozen bills targeting agency rulemaking, including legislation that would create a “separate regulatory office on Capitol Hill and expanding the statutory exceptions to the filibuster for agency rules.”
Yesterday, the SEC announced settled enforcement proceedings against Carl Icahn and Icahn Enterprises arising out of alleged failures to comply with disclosure requirements in Schedule 13D and Form 10-K applicable to pledging arrangements. Here’s an excerpt from the SEC’s press release:
According to the SEC’s orders, from at least December 31, 2018, through the present, Icahn, who is IEP’s controlling shareholder and Chairman of the board of directors of IEP’s general partner, pledged approximately 51 to 82 percent of IEP’s outstanding securities as collateral to secure personal margin loans worth billions of dollars under agreements with various lenders.
Notwithstanding Icahn’s various margin loan agreements and amendments, IEP failed to disclose Icahn’s pledges of IEP securities as required in its Form 10K until February 25, 2022. Icahn also failed to file amendments to Schedule 13D describing his personal margin loan agreements and amendments, which dated back to at least 2005, and failed to attach required guaranty agreements. Icahn’s failure to file the required amendments to Schedule 13D persisted until at least July 9, 2023.
Without admitting or denying the SEC’s findings, Icahn consented to an order to cease and desist from future violations of Section 13(d)(2) of the Exchange Act and Rule 13d-2(a) thereunder. He also agreed to pay a $500,000 civil money penalty. Icahn Enterprises also consented, on a neither admit nor deny basis, to an order to cease and desist from future violations of Section 13(a) of the Exchange Act and Rule 13a-1 thereunder. The company also agreed to pay a $1.5 million civil money penalty.
Since this involves Carl Icahn, the SEC’s enforcement action has already garnered quite a bit of media attention. If you’re interested in more background on the SEC’s investigation, check out this Reuters’ article.