Insights

On November 14, 2025, the U.S. Department of Justice (DOJ) announced a sweeping series of enforcement actions, including four guilty pleas and more than $15 million in civil forfeitures against the  Democratic People’s Republic of Korea (DPRK or North Korea) for remote information technology (IT) worker schemes. These actions underscore the federal government’s escalating focus on the exposure of U.S. companies to North Korean IT worker infiltration, following a series of U.S. Government action against the DPRK.

In a stunning revelation following last month’s jewel heist at the Louvre Museum in Paris, France, a 2014 audit resurfaced, spreading rumors that the password to the museum’s video surveillance system was still “Louvre.”

Researchers have identified a new wave of cybersecurity attacks against European drone makers by the Lazarus Group, a well-known and sophisticated threat actor group, allegedly sponsored by the North Korean government.

Ransomware attacks continue to evolve in frequency, sophistication, and impact. Threat actors are now leveraging artificial intelligence to enhance phishing campaigns, automate data exfiltration, and execute double extortion schemes—where data is both encrypted and stolen for leverage.

U.S. Government and private sector sources continue to report efforts by Democratic People’s Republic of Korea (DPRK) nationals to infiltrate companies around the world by posing as information technology (IT) professionals, in order to get hired by U.S. and other businesses and gain access to sensitive company systems. Crowdstrike, a U.S. cybersecurity company, has reported a 220% increase in the number of companies infiltrated by North Korean threat actors over the last 12 months. In particular, a DPRK-affiliated group known as “Famous Chollima” has leveraged artificial intelligence and deepfake technology to generate synthetic identities, as well as resumes and CVs, draft communications, and conduct job interviews. Enforcement actions brought by the U.S. Department of Justice identify victims in the cryptocurrency sector, including decentralized finance (“DeFi”) projects. In addition, media reports indicate that North Korean hackers are purportedly offering fake job offers targeting employees in the cryptocurrency sector, with the goal of stealing crypto.

Threat actors have targeted insurance companies in a recent string of cyber-attacks, exposing patients’ personal information, including Social Security numbers, claims information, and health reports.

On July 23, 2025, the White House released Winning the Race: America’s AI Action Plan (“the Plan”) the Trump Administration’s most significant policy statement on artificial intelligence to date.

Open source data and software play a foundational role in software development, artificial intelligence (AI), education, and research. Open source AI refers to systems where the source code, model parameters, and related components are freely available for anyone to use, study, modify, and distribute.

In response to the recent U.S. strikes on Iranian nuclear facilities, the New York State Department of Health (“NYS DOH”) issued a cybersecurity advisory (the “Advisory”) that cautions healthcare providers, such as hospitals, treatment centers, and healthcare practitioners, of a high likelihood of increased cyberattacks and heightened cybersecurity threat activity.  The Advisory follows similar announcements and warnings from U.S. Department of Homeland Security (“DHS”), NYS Intelligence Center (NYSIC) and the Health-ISAC (Information Sharing and Analysis Center).

On August 21, 2024, the National Institute of Standards and Technology (NIST) released the Second Public Draft of Digital Identity Guidelines (hereinafter, “Draft Guidelines”) for final review. The Draft Guidelines introduce potentially notable requirements for government contractors using artificial intelligence (AI) systems. Among the most significant draft requirements are those related to the disclosure and transparency of AI and machine learning (ML). By doing so, NIST underscores its commitment to fostering secure, trustworthy, and transparent AI, while also addressing broader implications of bias and accountability. For government contractors, the Draft Guidelines are not just a set of recommendations but a blueprint for future AI standards and regulations.

On Thursday, July 18, 2024, Judge Paul Engelmayer, U.S. District Judge for the Southern District of New York, dismissed the bulk of the Securities and Exchange Commission’s (SEC’s) landmark civil securities law claims against SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown.  The Court dismissed all allegations based on SolarWinds’ public disclosures made after SolarWinds became a victim of the well-publicized SUNBURST cybersecurity attack, and also dismissed the SEC’s claims relating to SolarWinds’ internal accounting controls and disclosure controls and procedures.  However, the Court declined to dismiss claims of securities fraud against SolarWinds and its CISO based on SolarWinds’ pre-SUNBURST disclosures, finding that the SEC had properly pleaded that the company’s publicly-posted “Security Statement” was materially false and misleading. 

Universal Music Group, Sony Music, and Warner Music Group., represented by the Recording Industry Association of America (RIAA), have sued online music AI generators, Suno AI (“Suno”) and Udio AI (“Udio”), for alleged copyright infringement, accusing them of replicating their artists’ music using AI technology. The Suno complaint is filed in the U.S. District Court for the District of Massachusetts, and the Udio complaint is filed in the U.S. District Court for the Southern District of New York.  The lawsuits also target Alphabet Inc., Google's parent company. The RIAA is asking for damages amounting to up to $150,000 per infringing song, which could amount to hundreds of millions of dollars. 

On April 10, 2024, the U.S. House of Representatives, Judiciary Committee Subcommittee on Intellectual Property convened Part III to an ongoing discussion and exploration of artificial intelligence (AI) and intellectual property (IP) rights. The session, “Artificial Intelligence and Intellectual Property: Part III - IP Protection for AI-Assisted Inventions and Creative Works,” delved into the nuanced debate over what IP protections should exist for AI-generated or AI-assisted works.

Public companies now have a pathway to request a delay in their cybersecurity incident disclosure to the U.S. Securities and Exchange Commission (“SEC”). On December 6, 2023, the Federal Bureau of Investigation (“FBI”) Cyber Division published the “Cyber Victim Requests to Delay Securities and Exchange Commission Public Disclosure Policy Notice” (the “Policy Notice”) in response to the SEC’s finalized disclosure rules (the “Final Rules”). Published on July 26, 2023, the Final Rules established guidelines around cybersecurity risk management, strategy, governance, and incidents for public companies subject to the Securities Exchange Act of 1934. Among several requirements under the Final Rules, companies are required to disclose cybersecurity incidents within four days of a materiality determination by filing an SEC Form 8-K.

On October 30, 2023, President Biden released an Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI).  This landmark EO seeks to advance the safe and secure development and deployment of AI by implementing a society-wide effort across government, the private sector, academia, and civil society to harness “AI for good,” while mitigating its substantial risks.

On Tuesday, September 12, a key subcommittee of the Senate Judiciary Committee held a hearing entitled “Oversight of AI: Legislating on Artificial Intelligence” the day before the Senate’s first AI forum.

On July 25, 2023, the Senate Judiciary Committee held its fifth hearing this year on artificial intelligence (AI). This is the second hearing held by the Subcommittee on Privacy, Technology, and the Law, and it highlighted the “bipartisan unanimity” in regulating AI technology.

In an unconventional opening to the normally staid proceedings of the United States Senate, the voice of Frank Sinatra introduced the July 12, 2023 Senate Judiciary Subcommittee hearing on artificial intelligence (AI) and intellectual property. More accurately, an AI-generated version of Frank Sinatra’s voice sang about regulating AI to the tune of New York, New York, which Senator Chris Coons (D-DE), Chairman of the Senate Judiciary Subcommittee on Intellectual Property, used to illustrate both the possibilities and the risks of the use of AI in creative industries.

On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communication Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase.