Sep. 10, 2025

Unpacking the AI Risks Disclosed in 2025 SEC Filings

Visibility into AI’s downside is on the upswing in corporations’ annual SEC filings. Three hundred and eighty S&P 500 companies added or expanded descriptions of AI as a material risk in their 2025 annual disclosure filings, according to an Autonomy Institute report. Companies have diverged in what risks they cite, but two in five disclosed cyber threats from AI, and at least 100 mentioned bias in AI inputs and outputs. With insights from the report’s author and a Goodwin partner who is an SEC regulatory expert, this article examines the risks that companies have disclosed, the language used and pitfalls around AI disclosures. It also highlights recommended actions for companies. See “Guide to AI Risk Assessments” (Jun. 18, 2025).

Defending Against Faster, Stealthier and More Sophisticated Cyber Adversaries

Attackers are bypassing traditional cybersecurity defenses and exploiting overlooked security weaknesses and vulnerabilities, according to CrowdStrike’s 2025 Threat Hunting Report (Report). They are also working patiently to establish footholds, moving slowly and stealthily over time, making detection more difficult. Moreover, generative AI is helping attackers craft more convincing social engineering ploys and support their attacks in other ways. This article synthesizes the key takeaways from the Report and the additional insights offered in a related CrowdStrike webinar. See “Leading Attack Vectors and Other Key Findings From Verizon 2025 Data Breach Investigations Report” (Jun. 25, 2025).

Four Tips for Effective Privacy Training

It is not enough for small and medium-sized businesses and enterprises to simply offer privacy training to employees; the organization’s leaders must also ensure successful training. This article, synthesizing insights shared in an August 2025 Privacy Ref webinar, details four recommended actions for effective privacy training, including: (1) setting goals; (2) making content engaging; (3) avoiding jargon; and (4) reviewing and improving. See our three-part series “Rethinking Click-Through Training”: The Pluses and Minuses (Mar. 26, 2025), Maximize Effectiveness With Customization (Apr. 16, 2025), and Integration Into a Comprehensive Training Program (May 7, 2025).

JFrog Welcomes New Assistant GC for Privacy, Cyber and AI

Rick Borden has joined software platform JFrog as senior director and assistant GC for privacy, cybersecurity, AI and patents. He arrives from Frankfurt, Kurnit, Klein + Selz. For insights from Borden, see “Fifty-Three Regulators Raise Cyber Expectations With Multi-State Breach Settlement” (Jan. 22, 2025); “What Regulated Companies Need to Know About the SEC’s Final Amendments to Regulation S‑P” (Jul. 24, 2024); and “NYDFS Changes Its Cybersecurity Regulation Requirements Through Enforcement – Again” (Jul. 19, 2023).

Kessler Joins Klaviyo As Privacy, AI and Regulatory Counsel

Klaviyo, a marketing automation platform, has welcomed Kyle Kessler as privacy, AI and regulatory counsel. She arrives from Womble Bond Dickinson.