• |

    Dec. 10, 2025

What to Know About the Sleeping Giant That Is the SEC’s Amended Reg S‑P

The time to comply with the SEC’s amendments to Regulation S‑P (Amendments), adopted in May 2024, has arrived. The Amendments substantially expand requirements for safeguarding customer information, with mandates around the incident response program, customer notice, service provider oversight and recordkeeping. The changes pertaining to notice and incident response program requirements will prove particularly challenging for covered institutions, including investment advisers. In this guest article, Goodwin partner Kaitlin Betancourt examines those challenges and offers practical compliance guidance. See “What Regulated Companies Need to Know About the SEC’s Final Amendments to Regulation S‑P” (Jul. 24, 2024).

Gen AI Chats Becoming Evidence: How Businesses Can Prepare for Requests

Generative AI (Gen AI) chats have begun to show up as evidence in both criminal and civil cases – a development that will affect many companies, not only big AI chat providers. As Gen AI features integrate into everyday interfaces for customers and employees, companies should consider preparing for at least four types of situations where they will need to disclose AI chat logs, Google’s former director of law enforcement and information security told the Cybersecurity Law Report. This second article in a series on Gen AI chats as possible evidence examines the types of requests that companies might receive and provides steps they can take to manage responses to those requests, with insights from practitioners from Integreon and Loeb & Loeb as well as Google’s former legal director. Part one of the series reviewed the use of AI chat evidence in three criminal cases and the unsettled law around external requests for such evidence. See our two-part series on managing legal issues arising from use of ChatGPT and Gen AI: “E.U. and U.S. Privacy Law Considerations” (Mar. 15, 2023), and “Industry Considerations and Practical Compliance Measures” (Mar. 22, 2023).

Guidance From NYDFS in Industry Letter Stressing Vendor Risk Management and Oversight

Detailing best practices related to managing third-party service provider risk, the New York State Department of Financial Services (NYDFS) issued guidance in the form of an industry letter at the end of October 2025 (Guidance). Entities subject to NYDFS’s groundbreaking cybersecurity regulation must employ a “proactive, risk-based, and continuously adaptive approach to third-party governance,” according to the Guidance. This article parses the Guidance, with insights from Norton Rose Fulbright partner David Kessler and Clifford Chance partner Celeste Koeleveld, who formerly served as Deputy Superintendent and Special Counsel at the NYDFS. See our two-part series “Amendment to NYDFS Cyber Regulation Brings New Mandates”: Governance Provisions (Dec. 13, 2023), and First Compliance Steps (Jan. 3, 2024).

Most-Read Articles

Women to Watch: Contributions, Achievements and Observations of Outstanding Female Professionals

To mark International Women’s Day, women editors and reporters at ION Analytics interviewed outstanding women in the industries and jurisdictions we cover. In this part, Law Report Group editors Jill Abitbol, Robin L. Barton and Megan Zwiebel profile notable women in data privacy, cybersecurity, private funds and anti-corruption law, including Anne-Gabrielle Haie, Jessica Lee, Micaela McMurrough, Laura Perkins, Amanda Raad, Madelyn Calabrese, Ranah Esmaili and Genna Garver. Enjoy reading their inspiring remarks here.

Celebrating Data Privacy Day 2025

Read the full brief here.

Cybersecurity Awareness Month

Read the full brief here.