
The AI Risk Blog


SEC 2024 Triple-Threat: AI, Cyber, and Climate Risk Rules

Updated: May 17

Alec Crawford, Founder & CEO of Artificial Intelligence Risk, Inc.


The White House is pushing the SEC to wrap up AI, cyber, and climate risk rules for financial institutions and corporate America this spring. Last week saw the final release of the climate risk rule, and the others are slated for the second quarter of this year. We summarize some of the potential requirements and encourage affected companies to start planning now! Resources will be scarce as thousands of companies scramble to comply.



Executive Summary

Some key rules are slated to be finalized as early as April, according to the Fall 2023 Regulatory Agenda. The SEC climate risk rule was finalized early, on March 6. What has not been widely noted is how these rules relate to each other, and how together they create urgency around compliance and around acquiring the data, software, and expertise needed to comply. (Reference: https://www.whitehouse.gov/omb/briefing-room/2023/12/06/the-2023-fall-regulatory-agenda/)


New SEC Rules for 2024

The following SEC rules were slated to be finalized in the second quarter, but the climate risk rule was finalized on March 6, a bit early.


  • The Predictive Data Analytics Rule. This is a very broad rule, including AI and algorithms, that will require new written policies and procedures for the majority of investment advisors, broker dealers, and other investors, plus third-party software to facilitate compliance (for most entities).

  • Cybersecurity Enhancements for Investment Advisers, Registered Investment Companies, and Business Development Companies. Companies like https://www.aicrisk.com provide cybersecurity specifically for using AI, which is different from other cybersecurity.

  • The Climate Risk Rule (finalized March 6, 2024). This rule applies to all of corporate America (unless you are private or tiny). It requires scenario testing. The SEC may eliminate scope 3 emissions (unless they are already included in a company’s GHG reduction plan).


Rule 1: Predictive Data Analytics

Otherwise known as the “artificial intelligence” rule, this rule received lots of comments saying it was too broad. While it is unclear at this time, here is our best guess at the final rule.


  • Finalizing soon: The SEC predictive analytics rule will be finalized in the second quarter of 2024, with compliance probably starting in January 2025 for larger institutions.

  • Preparing policies: Written policies and procedures for AI and predictive data analytics (PDA).

  • Narrowing the scope somewhat: Narrow the scope to focus more on roboadvisors, other tools that select investments using algorithms, and “AI chats” with customers and employees, and perhaps less on other uses. This reflects many of the comments received.

  • Identifying conflicts of interest: Testing the above pieces of software for conflicts of interest.

  • Mitigating risk: Mitigating conflicts of interest.

  • Recording testing and communications: Recording testing and all “communications” with LLMs.

Nevertheless, this is still a very broad rule that will require software and deep expertise to facilitate compliance. Best practices also require a third party to validate the testing and to make sure that communications with the LLM and all tests are recorded and saved in an immutable database.
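One way to get the "recorded and saved in an immutable database" property described above is a hash-chained, append-only log in which every record commits to the record before it, so that editing, deleting, or reordering any earlier LLM exchange or test result is detectable by anyone who holds the latest chain head. The code below is an added illustration, not code from the original post or from Artificial Intelligence Risk, Inc.; the record kinds (`llm_exchange`, `conflict_test`), the sample payloads, and the sentinel `GENESIS` value are constructed for the example, and it assumes the chain head is periodically handed to the third-party validator so the application itself cannot silently rewrite history.

```python
"""Tamper-evident, append-only record of LLM communications and test results.

Added example (not the post's or the company's own code). Assumes records are
appended in sequence and that the chain head is witnessed by an independent
party (constructed assumption), so truncation is detectable too.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # constructed sentinel used as prev_hash of the first record


def canonical(record: dict) -> bytes:
    # Deterministic serialisation: same content always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class Entry:
    seq: int            # position in the chain
    timestamp: str      # ISO-8601, UTC
    kind: str           # e.g. "llm_exchange" or "conflict_test" (constructed kinds)
    payload: dict       # the prompt/response pair or the test record
    prev_hash: str      # hash of the preceding entry (GENESIS for the first)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")  # hash covers everything except the hash itself
        return hashlib.sha256(canonical(body)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, kind: str, payload: dict, timestamp: Optional[str] = None) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        e = Entry(seq=len(self.entries), timestamp=ts, kind=kind, payload=payload, prev_hash=prev)
        e.entry_hash = e.compute_hash()
        self.entries.append(e)
        return e

    def head(self) -> str:
        """Current chain head; give this to the validator after each batch."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad entry.

        If an expected_head witnessed earlier is supplied, a mismatch at the end
        (records dropped or appended after witnessing) reports len(entries).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return i
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


def demo() -> dict:
    """Record an LLM exchange and a conflict test, then detect an after-the-fact edit."""
    log = AuditLog()
    log.append("llm_exchange",
               {"user": "client-42", "prompt": "Which fund should I buy?", "response": "(model answer)"},
               "2024-04-01T10:00:00+00:00")
    log.append("conflict_test",
               {"model": "roboadvisor-v3", "test": "proprietary-fund-preference", "result": "pass"},
               "2024-04-01T10:05:00+00:00")
    witnessed = log.head()          # handed to the third-party validator
    intact = log.verify(witnessed)  # None: chain is consistent
    log.entries[0].payload["response"] = "edited later"  # simulated tampering
    tampered = log.verify(witnessed)  # 0: first entry no longer matches its hash
    return {"intact": intact, "tampered_at": tampered}


if __name__ == "__main__":
    print(demo())
```

The important design point is that immutability here comes from the chain head leaving the system: a database that only the application can write to is not evidence for a validator unless that validator independently holds a head value to compare against. Rotating the head to the validator after every batch also turns silent truncation into a detectable mismatch.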


Rule 2: Cybersecurity Enhancements for Investment Advisers, Registered Investment Companies, and Business Development Companies

This rule focuses on enhancing cybersecurity for affected organizations:


  • Write your policies and procedures: Organizations must create a resilient cybersecurity program that operates effectively in the face of incidents and routinely adjusts to new threats and technologies (at least annually).

  • Address new technology, like LLMs: Affected institutions using new technologies, e.g. LLMs, should have cybersecurity controls in place that specifically address those technologies.

  • Monitor and manage third-party provider risks: Institutions are expected to monitor external cybersecurity resources and manage associated risks from third-party providers, including LLM providers such as OpenAI, ensuring that these risks are mitigated and data can be recovered if compromised.

  • Increase transparency and disclosures: The SEC's proposed regulatory changes focus on regular reviews of cybersecurity practices and reporting significant incidents, aiming to enhance investor protection and provide better investment-related information through improved disclosures.

Rule 3: Climate Risk

This rule applies to all of Corporate America (unless you are a private company or very tiny).


  • Create risk scenarios: Risk scenarios for material events will need to be constructed and impact estimated for the future.

  • Calculate GHG emissions: GHG calculations will be required, but scope 3 emissions for most institutions will probably be exempted (unless they explicitly form part of an institution’s GHG reduction plan).

  • Disclose Scope 1 and 2 GHG emissions and plan: Disclosures for fiscal 2025 will be required, at least for large companies. Any GHG reduction plan, targets, and dates must be disclosed in detail.

  • Mandating assurance: The SEC will require third-party assurance on those disclosures, but probably only limited assurance in the first year.

Conclusion

As most of you know, I believe AI will become foundational to business in the next few years. Nevertheless, we need to do it safely in order to gain the benefits for people, companies, and society. Artificial Intelligence Risk, Inc. already has software written to comply with the first two rules for AI. We would be more than happy to show you a free demo or speak about my thoughts on the upcoming rules.
