On March 11, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) signed a memorandum of understanding (MOU) that both agencies describe as “historic.” The MOU is intended to reset the relationship between the agencies by reducing turf battles, avoiding duplicative regulation, and providing clearer, technology-neutral oversight — particularly in markets where securities and derivatives regimes overlap, including crypto. While it does not change either agency’s statutory authority, it creates a formal framework for coordination that will materially affect how policy, examinations, and enforcement play out in practice.
Background
The SEC and CFTC share oversight of increasingly convergent markets such as trading venues, clearinghouses, data repositories, pooled vehicles, intermediaries, and products that sit at the intersection of securities and derivatives. For years, market participants, especially dual registrants, have faced duplicative registrations, overlapping rules, and parallel exams or investigations. The agencies expressly acknowledge that this fragmentation has at times “stifled innovation and pushed market participants to other jurisdictions.”
To combat these challenges, the new MOU replaces the 2018 coordination MOU and builds on earlier efforts to forge a partnership between the agencies (including the 2004 security futures MOU). The new MOU emphasizes “minimum effective dose” regulation that supports lawful innovation, fair notice (as opposed to “regulation by enforcement”), and a renewed commitment to collaboration. It is accompanied by a Joint Harmonization Initiative co-led by Robert Teply of the SEC and Meghan Tente of the CFTC, which will carry the coordination into concrete workstreams.
Key Points
- No Change to Statutory Authority, But Clearer Coordination Commitments
The MOU repeatedly states that it does not alter, expand, or limit either agency’s statutory jurisdiction. Instead, it commits each to abandon a “turf war” mentality and to coordinate where responsibilities intersect, with regular senior-level engagement and designated points of contact.
- Guiding Principles: Efficiency, Clarity, Risk Focus, and Fair Notice
The agencies commit to regulatory efficiency (reducing gaps and duplication), regulatory clarity and consistency, and functional, risk-based oversight that focuses on economic reality rather than labels. They also emphasize fair notice and expressly commit to “not regulating through enforcement,” signaling more transparent rulemaking and guidance.
- Joint Harmonization Initiative and Six Priority Areas
Through the Joint Harmonization Initiative, the SEC and CFTC will coordinate in six key areas: (1) clarifying product definitions via joint interpretations and rules; (2) modernizing clearing, margin, and collateral frameworks; (3) reducing frictions for dually registered venues and intermediaries; (4) providing fit-for-purpose frameworks for crypto and emerging technologies; (5) streamlining regulatory reporting; and (6) coordinating cross-market exams, economic analysis, risk monitoring, surveillance, and enforcement.
- Impact on Dual Registrants and “Covered Firms”
The MOU focuses heavily on “covered firms,” including dual-registrant investment advisers/commodity pool operators or CTAs, broker-dealers/FCMs or introducing brokers, clearing agencies/DCOs, swap and security-based swap infrastructures, and swap dealers/security-based swap dealers. For these firms, the agencies will share exam information, coordinate exam planning, and consider joint or aligned exams to reduce burdens and inconsistent expectations.
- Crypto, Onchain Systems, and “Super-Apps”
The MOU explicitly recognizes crypto assets, on-chain and automated systems, and new trading models as blurring traditional lines. The agencies commit to a “fit-for-purpose” framework for crypto and other emerging technologies and to exploring “alternative compliance” and appropriately regulated “super apps” where they can achieve regulatory objectives more efficiently while preserving investor and customer protection.
- Data Sharing, Analytics, and Procurement Coordination
Subject to confidentiality and information security standards, the agencies will share data and analyses on matters of common interest, including direct access to swap and security-based swap data from repositories under appropriate arrangements. They also plan to coordinate procurement (e.g., on-chain market data and analytical tools) and develop complementary analytical capabilities to improve cross-market risk monitoring.
- Coordinated Enforcement to Avoid Duplicative Outcomes
In enforcement, the SEC and CFTC will seek consultation in overlapping matters (including, where appropriate, before Wells notices), coordinate charges and remedies where parallel actions are filed, and align public communications. The aim is to promote consistent and proportional outcomes while avoiding conflicting obligations, though each agency retains full autonomy to enforce its own laws.
- Robust Confidentiality Framework for Shared Information
The MOU sets detailed rules for handling “nonpublic information,” preserving privilege, and responding to FOIA requests, subpoenas, and congressional demands. Information shared under the MOU is not deemed publicly disclosed and is intended not to waive confidentiality or privilege, while still allowing each agency to use it for exams, enforcement, risk analysis, and rulemaking.
- Non-Binding Document With Practical Significance
The MOU is expressly nonbinding and does not create enforceable rights for private parties. Nonetheless, by replacing the 2018 MOU and embedding recurring processes such as regular meetings, cross-training, and senior-level coordination, it is likely to shape how both agencies exercise their authority day to day.
Our Take
For firms active in both SEC and CFTC markets, this MOU is a signal that overlapping oversight will become more coordinated, more data-driven, and less duplicative. Dual registrants should anticipate closer alignment in exams and enforcement and fewer instances of inconsistent messaging between the agencies. At the same time, the emphasis on “minimum effective dose” regulation, fair notice, and fit-for-purpose frameworks opens the door for constructive engagement on streamlining requirements and designing compliant, innovative products and platforms, particularly in crypto and other technology-heavy areas.
State attorneys general (AGs) from across the political spectrum have refused to join the U.S. Department of Justice’s (DOJ) midtrial settlement with Live Nation. The bipartisan multistate coalition vowed to “keep fighting this case without the federal government,” underscoring that state AGs are increasingly prepared to part with the DOJ and take the lead in complex enforcement actions.
DOJ Reaches a Mid-Trial Settlement With Live Nation
On May 23, 2024, the DOJ and a coalition of state AGs jointly filed an antitrust suit against Live Nation and its wholly owned subsidiary, Ticketmaster, alleging monopolization and anticompetitive conduct driving up ticket prices in live entertainment markets. Days into trial, the DOJ announced a settlement with Live Nation that would impose structural relief and establish a $280 million settlement fund to compensate the multistate coalition. Notably, it has been publicly reported that the settlement terms were negotiated behind closed doors and without meaningful state AG involvement.
The States Move Forward Undeterred
Rather than follow the DOJ’s lead, a bipartisan state coalition publicly rejected the deal as inadequate. According to New York AG Letitia James, the proposed DOJ settlement “fails to address the monopoly at the center of this case, and would benefit Live Nation at the expense of consumers.”
More than two dozen states and the District of Columbia remain in the case, including at least seven Republican‑led states. Two days after the DOJ settlement was announced, the states engaged prominent outside antitrust counsel, Jeffrey Kessler of Winston & Strawn LLP, to represent the multistate coalition. The decision to bring in Winston & Strawn reflects a broader pattern of state AGs frequently partnering with private counsel and devoting substantial resources to pursue complex, multiyear matters on their own terms.
The court scheduled a status hearing for March 13, 2026, at 3 p.m. to address potential resolution discussions and trial logistics. The Troutman Pepper Locke State Attorneys General Team will continue to monitor material developments in the case.
Why It Matters
For companies facing federal and state scrutiny, Live Nation is another clear signal that state AGs no longer see themselves as “second fiddle” to federal enforcers. Bipartisan coalitions of AGs, often backed by seasoned outside counsel, are increasingly willing to break from their federal counterparts and drive national enforcement through multistate actions, as seen in the recent challenges involving social media platforms and opioid manufacturers. Businesses in highly regulated or concentrated markets should plan for parallel — but not always aligned — federal and state enforcement paths, potentially lengthening timelines, complicating resolution strategies, and elevating overall risk.
This article was originally published by Virginia Lawyers Weekly and is republished with permission.
Upon taking office Jan. 17, Democratic Virginia Attorney General Jay Jones issued a series of pronouncements in quick succession that signal his administration’s core priorities, and that are sure to reverberate through Virginia’s legal landscape. They include actions involving consumer protection, health data privacy, immigration, education, and environmental issues.
Although hundreds of career assistant attorneys general perform most of the office’s legal duties and maintain office continuity, new attorneys general appoint a chief deputy attorney general, solicitor general, and deputy attorneys general who, in addition to administering the office, implement politically sensitive initiatives that align with that AG’s vision. Virginia attorneys, their clients and the citizenry are thus wise to heed new AG pronouncements to assess potential business and legal impacts, including associated opportunities and hurdles.
Consumer Protection
Consumer protection is a key function of the attorney general’s office and a special focus of AG Jones, who previously focused on consumer protection as an assistant attorney general in the Washington, D.C., attorney general’s office. Virginia’s attorney general’s office has long maintained a dedicated section tasked with enforcing Virginia’s consumer protection laws and handling consumer complaints. To augment those efforts, Jones has reorganized this consumer protection section along with the civil rights and utilities regulation and insurance sections into a new Public Advocacy Division.
Jones also announced that Virginia would join New York v. Vought, 0:25-cv-02384 (D. Ore. 2025), a multistate lawsuit involving 20 other state attorneys general suing the Trump administration over its decision to stop requesting operating funds for the Consumer Financial Protection Bureau (CFPB), which the lawsuit characterizes as an unlawful attempt to shut the agency down.
The congressionally established CFPB writes and enforces federal consumer financial laws, supervises certain financial institutions for compliance, handles consumer complaints, conducts investigations and enforcement actions, issues guidance and regulations aimed at preventing unfair, deceptive or abusive acts or practices, and promotes transparency in consumer financial products. The Trump administration views the CFPB as overly aggressive against the financial industry, and asserts that its funding mechanism, based on Federal Reserve earnings, is unlawful and unsustainable, particularly in the wake of recent Fed losses.
The Vought lawsuit alleges that the defunding attempt violates separation of powers principles and that the Dodd-Frank Act requires the CFPB director to seek funding from the Federal Reserve to carry out its statutory duties. Already, the Trump administration’s emphasis on deregulation and efforts to restructure the CFPB have resulted in a significant decrease in enforcement actions, including dismissal and reduction of some settlements and consent orders, and reduced overall budgetary resources.
Attorneys with a stake in these matters should closely monitor this suit as the outcome is likely to significantly affect consumers (as it relates to resources and recourse) and the financial industry (as it relates to regulatory risk).
Privacy and Immigration
Privacy and immigration have become flashpoints in recent years among state AGs, and Jones is redirecting the Commonwealth’s efforts in these areas as well.
The AG announced Virginia would join California v. U.S. Department of Health and Human Services, 3:25-cv-05536 (N.D. Cal. 2025), a multistate lawsuit challenging the federal government’s use and sharing of state Medicaid data with the U.S. Department of Homeland Security (DHS), including Immigration and Customs Enforcement for immigration enforcement purposes.
The plaintiff states allege that the Department of Health and Human Services and the Centers for Medicare and Medicaid Services abruptly changed longstanding confidentiality and data-use practices by transferring protected Medicaid health information to DHS for non-health care purposes, violating the Administrative Procedure Act, statutory privacy protections and constitutional limits on federal conditions attached to Medicaid funding. They seek declaratory and injunctive relief to stop the federal agencies from using this data for purposes unrelated to administering Medicaid, arguing that the practice harms state programs, undermines public trust and deters eligible individuals — particularly noncitizens and mixed-status families — from seeking necessary medical care. Attorneys involved in health care and immigration practices should stay tuned for further developments at this intersection of sensitive information and immigration enforcement.
Education
In United States v. Commonwealth of Virginia, No. 3:25cv01067 (E.D. Va. 2025), the U.S. Department of Justice (DOJ) is challenging Virginia’s 2020 law allowing Virginia students to qualify for in-state tuition at public colleges regardless of immigration status if they meet certain residency and schooling requirements. The DOJ asserts the law conflicts with federal immigration law and violates the Supremacy Clause.
Jones announced that he will reverse the position of his Republican predecessor, former Attorney General Jason Miyares, who aligned with the DOJ and argued that federal immigration law preempted Virginia’s law. Jones has indicated that he will “fully defend” the law, and his office has already withdrawn the state’s previous filing and filed opposition pleadings. The federal district court’s decision in this case could have lasting import for hundreds of Virginia students.
Further along the education front, Jones indicated that he would be “reviewing” Miyares’ 2023 opinion advising that a state college or university board of visitors’ primary duty is to the Commonwealth and not the school. In the wake of several controversies involving boards of visitors upon former Gov. Glenn Youngkin taking office, Miyares argued that boards of visitors are state agencies and the “vehicle by which the General Assembly has chosen to exercise control over its colleges and universities.”
Jones has asserted that the opinion threatens the autonomy of colleges and universities and subjects them to political control. Both of Jones’ education-related actions could have a material effect on higher education enrollment and governance in Virginia.
Environmental Policy
Finally, the new AG has waded into environmental controversy by pausing the Commonwealth’s appeal in the case challenging Virginia’s 2023 withdrawal from the Regional Greenhouse Gas Initiative (RGGI), Virginia State Air Pollution Control Board, et al., v. Association of Energy Conservation Professionals, 114 Va. Cir. 264 (2024).
RGGI is an agreement of 11 Northeast and mid-Atlantic states mandating that power plants of a certain size buy allowances for their carbon dioxide emissions. The resulting collections are then funneled into conservation, sustainability and disaster prevention programs around the state. The General Assembly voted to join the RGGI in 2020.
After the Air Pollution Control Board withdrew from RGGI, the Association of Energy Conservation Professionals sued the board, and a Floyd County judge ultimately ruled that the Youngkin administration lacked authority to withdraw from RGGI by regulation without legislative approval. The Commonwealth appealed the decision under AG Miyares, and the case remained pending when Jones took office.
Jones’ pause of the appeal comes as part of an effort to foster alternative energy sources and to maintain RGGI funding, which is currently playing out in the legislature. This interplay between legislation and litigation is likely to affect energy costs and sustainability initiatives in the short term across the state.
Virginia attorneys general wield significant influence over the state’s legal and business landscape as they direct the state’s legal efforts, impacting a significant swath of the citizenry. Their power is often most evident when a newly elected AG takes office, particularly in transitions between political parties. And indeed, AG Jones’ early actions portend an administration that starkly contrasts with his predecessor. Virginia attorneys should monitor developments from the AG’s office to stay abreast of a rapidly shifting legal environment and adjust accordingly.
On January 22, 2026, in Pres v. Sensys Gatso USA, Inc., a Massachusetts trial court ruled that the Massachusetts Wage Act (the Wage Act) encompasses quarterly bonuses not conditioned on defined contingencies. This decision highlights the importance of Massachusetts employers identifying and addressing explicit conditions or contingencies in employee bonus agreements. The draconian ramifications of failing to abide by the Wage Act include unpaid wages, mandatory treble damages, and attorneys’ fees.
The Wage Act
The Wage Act does not explicitly define the term “wages.” It provides that wages include “any holiday or vacation payments due an employee under an oral or written agreement,” and “commissions when the amount of such commissions, less allowable or authorized deductions, has been definitely determined and has become due and payable.”
Massachusetts appellate courts have uniformly concluded that conditional or contingent compensation falls outside the scope of the Wage Act. Indeed, last October, the Massachusetts Supreme Judicial Court held that retention bonuses, which are conditioned on an employee’s employment through an established target date, are not Wage Act “wages.”
Background
In Pres, the defendant employer, Sensys, hired the plaintiff as a senior accountant. The employee’s offer letter provided for a $92,000 annual salary and four quarterly bonus payments “against measured objectives.” The offer letter did not define “measured objectives,” and the employer never paid the employee quarterly bonuses.
During the plaintiff’s employment, Sensys offered the employee a written retention bonus, which it paid the plaintiff after he remained employed through the required retention date. When the plaintiff inquired later about the unpaid quarterly bonus payments, Sensys asserted that the retention bonus agreement had modified the terms of the offer letter.
The plaintiff sued, asserting a claim under the Wage Act for the failure to pay the quarterly bonuses. After a two-day trial, a jury determined that: (1) the parties did not mutually agree to modify the offer letter to eliminate the quarterly bonuses; and (2) the quarterly bonuses were not contingent on the plaintiff performing duties beyond the regular duties of a senior accountant. The question remaining for the court to determine was whether the quarterly bonuses qualified as “wages” under the Wage Act.
The District Court’s Decision
The court concluded that the quarterly bonuses were “wages” under the Wage Act because they were not contingent on anything other than the plaintiff’s normal duties.
In reaching that conclusion, the court noted that as the employer and drafter of the offer letter, it was up to Sensys to define the “measured objectives” that the employee needed to satisfy to earn the quarterly bonuses, which it had failed to do. Without a defined contingency, it opined that the quarterly bonuses were “akin to ordinary payment from an employer to an employee in exchange for labor or services,” and, therefore, they were “wages encompassed by the Wage Act.”
The court awarded the plaintiff treble damages and set a briefing schedule to determine attorneys’ fees and costs.
Takeaways
The Pres decision should serve as a reminder to Massachusetts employers to review their bonus agreements to ensure that those arrangements condition payment on explicit contingencies. Employers should use contingencies, such as continued employment and good standing, and avoid conditions such as sales output that could be viewed as connoting compensation for work normally performed and, therefore, a wage under the Wage Act. Massachusetts employers also should consider language explaining that bonuses are in addition to base salaries and not earned pro rata for services performed.
Multistate employers should review their agreements as well, as many states have similar wage payment laws that provide for attorneys’ fees and liquidated damages, including Pennsylvania, New Jersey, New York, and California.
In a recent decision, the Delaware Court of Chancery held on summary judgment that a borrower’s grant of a security interest in substantially all of its assets, including its rights under a license agreement, constituted an “assignment” or “transfer” of such rights that triggered the license agreement counterparty’s contractual right of first negotiation (ROFN) and right of first refusal (ROFR). The decision has implications beyond the pharmaceutical licensing context in which it arose, and should prompt careful review of transfer restriction provisions in any agreement where a party may later seek to pledge its contractual rights as collateral.
Background
Two businesses were parties to a license agreement under which the licensee held the exclusive right to develop and commercialize certain pharmaceutical products. Section 15.5(c) of the license agreement restricted the licensor from making a “payment assignment,” defined to include any decision to “sell, assign, contribute, convey, grant or otherwise transfer to any Third Party” all or any of the licensor’s rights to receive payment under the agreement, without first providing the licensee with written notice and complying with a 30-day right of first negotiation and a subsequent right of first refusal to match the terms of any third-party transaction.
In 2024, the licensor entered into a credit agreement with third-party lenders, granting them a first-priority perfected lien on, and security interest in, substantially all of its assets, including all license agreements. The licensor failed to notify the licensee or comply with the ROFN/ROFR procedures before executing the credit agreement. The licensee sued, alleging the licensor breached Section 15.5(c).
Holding
The court granted summary judgment to the licensee on liability. The court’s analysis rested on two complementary grounds.
First, the court held that the grant of a security interest fell within the contractual definition of payment assignment because the license agreement’s transfer restriction was not limited to outright sales or assignments. The catchall language (“or otherwise transfer”) was broad enough to encompass the creation of a lien. The court relied on the ordinary meaning of “transfer,” which includes parting with an interest in an asset, such as the creation of a lien or other encumbrance. The court reasoned that by pledging all license agreements as collateral, the licensor necessarily transferred an interest in the payment rights arising from those contracts.
Second, and critically, the court found structural confirmation in the license agreement itself. Section 15.5(c) specifically carved out a prior collateral assignment to a lender from the definition of payment assignment. Applying the canon of expressio unius est exclusio alterius,[1] the court reasoned that the parties’ decision to exclude one specific collateral assignment implied that other collateral assignments were included within the general rule. If security interests were categorically outside the scope of the transfer restriction, the prior lender carve-out would be surplusage.
The Court Rejected Four Defenses
The licensor raised four legal defenses, each of which the court rejected:
- Security interest versus assignment. The licensor argued that the credit agreement created a security interest, not an assignment, and that the two are legally distinct. The court acknowledged that commercial law generally distinguishes between the two but held that the parties’ bespoke contractual definitions controlled over common-law defaults. The broad definition of payment assignment, particularly the “otherwise transfer” catchall, captured the grant of a security interest.
- Delaware UCC preemption. The licensor argued that the ROFN and ROFR were unenforceable under Section 9-406(d) of the Delaware UCC, which invalidates contract terms that “prohibit, restrict, or require the consent of the account debtor” to an assignment. The court disagreed, drawing a distinction between legal prohibitions and practical impairments. The ROFN and ROFR did not prohibit the licensor from assigning its rights or require the licensee’s consent; they established procedural requirements that the licensor had to satisfy before completing the transaction. The court warned that adopting the licensor’s reading would sweep in all ROFN and ROFR provisions in commercial contracts, a result inconsistent with the UCC’s text and purpose.
- Excluded property. The credit agreement contained a saving clause that carved out from the collateral pool any contract where granting a security interest was “prohibited.” The licensor argued that if the license agreement restricted the pledge, then the saving clause excluded it from the collateral, meaning no breach occurred. The court rejected this circular argument, finding that the license agreement did not prohibit the grant of a security interest; it required the licensor to follow procedural steps before doing so.
- Null and void provision. The licensor argued that Section 15.5(d) of the license agreement, which rendered any assignment in violation of Section 15.5 “null, void and of no legal effect,” meant the pledge was functionally nonexistent, and therefore could not support a breach claim. The court held that a provision designed to protect the non-breaching party could not be used as a shield by the breaching party.
Takeaways for Financing Transactions
This decision has direct implications for borrowers, lenders, and counterparties to agreements containing transfer restrictions:
- Security interests can trigger transfer restrictions. Parties should not assume that a pledge of collateral falls outside the scope of contractual restrictions on “transfers” or “assignments.” Where the transfer restriction includes catchall language such as “or otherwise transfer,” or where the contract carves out specific security interests (implying others are covered), a collateral pledge may trigger notice obligations, ROFNs, ROFRs, or consent requirements.
- Borrowers must diligence their existing contracts before granting security interests. Before entering into a credit facility with a blanket collateral pledge, borrowers should review their material contracts for transfer restrictions that may be triggered by the grant of a security interest. Failure to comply with notice or procedural requirements can give rise to breach of contract liability, as the licensor discovered, even if the borrower does not default on the underlying loan.
- Lenders should assess transfer restriction risk in collateral. Lenders relying on blanket security interests should evaluate whether the borrower’s key contracts contain transfer restrictions that could impair the lender’s ability to enforce against the collateral or could expose the borrower to breach claims that diminish the value of the collateral.
- “Excluded property” saving clauses may not save you. Standard saving clauses that carve out contracts where a security interest is “prohibited” may not function as expected. As this decision illustrates, a court may find that the underlying contract does not “prohibit” the security interest (it merely imposes procedural conditions), meaning the saving clause is never triggered and the contract remains in the collateral pool.
- The Delaware UCC does not preempt ROFN/ROFR provisions. Borrowers and lenders should not rely on UCC Section 9-406(d) to override contractual ROFN or ROFR provisions. The court drew a clear line between legal prohibitions (which the UCC invalidates) and procedural requirements (which it does not) and cautioned against reading the statute to sweep in all such provisions.
- Specific carve-outs create interpretive risk. The prior lender carve-out was central to the court’s reasoning. Parties who negotiate specific exclusions for particular security interests should understand that those exclusions may be read, under expressio unius, as confirmation that all other security interests are covered by the restriction.
[1] Meaning, “one thing is the exclusion of the other.”
This article was originally published on The Legal Intelligencer and is republished here with permission as it originally appeared on March 12, 2026.
In this third and final article in a three-part series on the FirstEnergy decision, we turn to what happens when litigation arrives and privilege is challenged.
Over the past several years, district courts have been skeptical of privilege claims over forensic investigation materials in the cybersecurity context. FirstEnergy provides a framework for defending those materials. Every cyber investigation serves two purposes. From a legal perspective, the investigation informs litigation exposure and defense strategy. But the same investigation also identifies compromised systems, drives remediation and supports business operations. After FirstEnergy, those dual purposes do not defeat privilege, provided the investigation was initiated because of legal risk and directed by counsel. This article also examines how the lessons of FirstEnergy apply in cases involving multiple defendants that may have both a desire and need—for both business and legal purposes—to work together to understand an incident and share information.
Anticipating How Plaintiffs Will Challenge Privilege After ‘FirstEnergy’
Before the FirstEnergy decision, federal district courts often ordered production of forensic reports that defense counsel argued were protected by privilege. See, e.g., In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230 (D. Or. 2017); Wengui v. Clark Hill, 2021 WL 106417 (D.D.C. Jan. 12, 2021).
One exception is In re Target Customer Data Security Breach Litigation, 2015 WL 6777384 (D. Minn. Oct. 23, 2015), where the court upheld privilege over materials produced through a genuine “two-track” investigation, one for the business response and a separate track directed by counsel to inform legal advice and prepare for litigation.
Despite FirstEnergy’s protective reasoning and affirmance of privilege, plaintiffs will continue to challenge privilege in post-breach litigation, including by reference to contrary authority. Preparing a defense starts with anticipating how plaintiffs will challenge privilege and constructing a protective regime from the very beginning of an incident.
‘The Investigation Was Business-Led, Not Legal Tactic’
Pre-FirstEnergy, courts first focused on investigations that serve both legal and business purposes. The decisions principally analyzed whether a forensic report would have been created in substantially similar form, regardless of litigation. FirstEnergy addresses this concern by highlighting when and why investigations were commissioned. The court concluded that materials are protected “even if they also serve business or compliance purposes, so long as they would not have been generated in substantially similar form in the absence of the threat of litigation.”
Plaintiffs will attempt to distinguish FirstEnergy on the ground that cyber incidents typically begin as business events. Security teams often detect security incidents. IT triages them, and management is generally notified before counsel is called. Plaintiffs will argue the response was business-led, not legal. The strength of the privilege argument credited by FirstEnergy will depend on the factual record. If the organization delayed engaging counsel, or if early forensic work was initiated and directed solely by IT or security teams, then the anti-privilege argument gains traction. Organizations that treat the incident as a legal event from the start, engage counsel immediately, and document counsel’s direction of the investigation will be best positioned to rely on FirstEnergy’s legal framework.
‘The Role of Counsel Was Nominal, Not Substantive’
Even when papered appropriately, plaintiffs will argue that counsel’s name may have been on the engagement letter, but in practice the forensic vendor reported to the security team that set the scope of work, and that counsel merely received copies of reports. If counsel’s involvement was cosmetic rather than substantive, then the investigation may not qualify for protection under FirstEnergy.
To assess privilege, courts will analyze the contemporaneous record: engagement letters, statements of work, emails, meeting notes, and counsel declarations. Evidence that counsel played a passive or after-the-fact role will weaken the privilege claim. To invoke the FirstEnergy holding, counsel should take active roles in defining the forensic scope, reviewing and shaping deliverables, participating in investigative briefings, and translating forensic findings into legal analysis.
‘The Forensic Report Is a Business Record, Not Work Product’
Plaintiffs will argue that the forensic report was created to understand and fix any security issues and restore operations—not because of anticipated litigation—and that a substantially similar report would have been created regardless of any legal proceeding, thereby defeating the claimed privilege.
FirstEnergy’s reasoning provides a strong counter to the line of precedent holding that forensic reports are business-related documents and not privileged. But the privilege argument is strongest when the organization can show a clear split between the counsel-led investigation and the subsequent operational response. A FirstEnergy approach recognizes that investigations ensuring business continuity operate differently than investigations triggered by litigation threats. The differentiating factor is whether the probe would have taken this form without the prospect of litigation.
‘Privilege Was Waived by Disclosure’
The widespread distribution of forensic findings has proven fatal in several district court cases. In Clark Hill, sharing the report with IT personnel and the FBI was cited as evidence that it served nonlitigation purposes. But FirstEnergy takes a more nuanced view of third-party disclosures, holding that sharing factual findings with nonadverse third parties does not automatically waive privilege over the underlying communications or counsel’s mental impressions. And the court emphasized that sharing bare factual conclusions is of a different nature than revealing the mental impressions and thought process behind counsel’s litigation strategy.
Plaintiffs will still contend that even if privilege existed, it was waived by the organization’s post-incident disclosures. Common targets include disclosures to regulators, insurers, and auditors, or public statements and SEC filings. Plaintiffs may also point to broad internal distribution of forensic findings as evidence that the materials were not treated as privileged.
FirstEnergy’s framework is helpful here. The court distinguished factual conclusions from privileged legal analysis, holding that releasing “ultimate findings” does not waive the privilege protecting the underlying analysis. The court also reaffirmed that work product protection is generally waived only by disclosure to an adversary, and that disclosures to auditors and regulators do not automatically trigger waiver.
FirstEnergy does not eliminate the risk that sharing the details of forensic reports with broad audiences will waive privilege, particularly if the disclosed materials contain counsel’s mental impressions or legal analysis. Post-FirstEnergy, litigators must show that disclosures contained only facts, went to nonadverse parties bound by confidentiality, and excluded privileged analysis.
Protecting Privilege Across Multiple Parties
Unlike the situation in FirstEnergy where the defendant sought privilege of its own internal investigation, cybersecurity incidents increasingly implicate multiple parties, including when the customers of a breached entity are also named as defendants. Co-defendants may form a joint defense group to pool resources and coordinate litigation strategy. The FirstEnergy conceptual framework also is helpful for protecting privilege in these multi-party scenarios.
Protecting Privilege in Joint Defense Groups
The common interest doctrine permits parties that share a common legal interest to exchange privileged materials, disclose litigation strategy, and share experts and reports under a joint defense agreement (JDA) without waiving the underlying privilege. FirstEnergy’s treatment of third-party disclosures supports the use of a JDA to share otherwise privileged materials. Under FirstEnergy, a shared forensic expert retained by counsel for a joint defense group would qualify for work-product protection, provided the engagement is structured to inform litigation strategy. And because disclosures among co-defendants who share a common legal interest are, by definition, nonadversarial, there would be no privilege waiver under the FirstEnergy framework.
That said, the common interest doctrine requires that an underlying privilege exist before any sharing occurs, that the parties share a common legal interest and not merely a commercial one, and that the exchange of information is made in furtherance of that shared legal interest. FirstEnergy’s emphasis on the contemporaneous record applies with equal force to multi-party arrangements. A written agreement articulating the shared legal interest and the group’s commitment to confidentiality should be in place before materials are exchanged. Counsel, not the business, should retain any shared experts, and the experts’ scope of work should make clear that the purpose is to inform legal strategy, not just to share in costs. Communications with the expert should be routed through counsel and documented. Reports and documents circulated within the group should be clearly marked as privileged and confidential, and restricted from further distribution where possible. Because the potential exists for members of the group to become adversarial to one another at a later date—for example, if crossclaims get filed or an indemnification dispute arises—the JDA should also address a departing member’s obligation to keep privileged documents confidential.
Sharing Incident Response Reports With Customers
Another multi-party example occurs when the vendor that suffers a breach discloses information it learned from the forensic experts to its affected customers seeking that information. If the vendor and its customers are defending against claims by the same class of plaintiffs, materials exchanged in furtherance of that shared legal interest should remain protected under the common interest doctrine.
But vendor-customer relationships can be trickier than joint defense groups. The customer may blame the vendor for the breach, for instance. Courts have held that parties negotiating or potentially in dispute with each other cannot claim a common legal interest. In one recent example, a district court found that production of a shorter forensic analysis to “third-parties that themselves were potential litigants and adversaries” constituted a waiver of work product protection over the full forensic report, because the shorter document “revealed the goals, scope, methodology, and findings” of the broader investigation. See In re American Medical Collection Agency, Customer Data Securities Breach Litigation, MDL No. 19-MD-2904, 2023 WL 8595741, at *12 (D.N.J. Oct. 16, 2023). Thus, potential indemnification claims and adversity should be considered before materials are shared.
FirstEnergy’s distinction between factual conclusions and privileged analysis provides a workable framework here too. Vendors can share factual findings about what happened, when, and what data was affected, but should withhold the litigation risk assessments or strategies. The shared information should be in a separate, non-privileged summary prepared specifically for customer distribution. A summary that discloses mental impressions related to the potential legal fallout of the incident, however, may be treated as a waiver of the privilege for the underlying report, even if the summary itself is shorter and less detailed.
Conclusion
FirstEnergy is a significant development for organizations seeking to protect post-breach investigations. It strengthens the privilege framework even when materials flow between multiple parties, but whether the privilege holds depends on the same factors as the single party context. Counsel must lead, the investigation must be structured for litigation, the evidentiary record must be built contemporaneously, and the sharing of privileged materials must be controlled, documented, and confined to parties with a genuine common legal interest.
FirstEnergy’s protections depend on active, written, and tested policies (through regular tabletop exercises) being implemented in real time. Organizations that use the structure described across this three-part series—engaging counsel early, directing investigations through counsel, structuring vendor relationships to support privilege, and building the evidentiary record in real time—will be best positioned to defend their privilege claims when those claims are challenged in post-breach litigation. And, those same considerations will extend to multi-party actions where co-defendants will often have both a business and legal need to share information and work together.
Sadia Mirza, a partner with Troutman Pepper Locke, leads the firm’s incidents + investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.
Tim St. George, a partner with the firm, defends institutions nationwide facing class actions and individual lawsuits. He has particular experience litigating consumer class actions, including industry-leading expertise in cases arising under the Fair Credit Reporting Act and its state law counterparts, as well as litigation arising from data breaches.
Kaitlin Clemens, an associate based in the firm’s Philadelphia office, handles ransomware and data extortion cases, and advises on compliance with state and federal laws, including HIPAA, FERPA, and GLBA, as well as development of privacy programs and pre-incident response strategies, as well as creating and delivering comprehensive training for attorneys who are new to cybersecurity.
Jennifer Brumfield, an associate with the firm, represents clients in complex cybersecurity and privacy class actions that involve emerging legal questions related to statutory interpretation, jurisdiction, and standing. She manages all phases of litigation from case assessment through discovery, dispositive motions, settlement and appeals.
Reprinted with permission from the March 12, 2026, edition of The Legal Intelligencer. © 2026 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For permission to reprint or license this article, please contact 877-256-2472 or asset-and-logo-licensing@alm.com.
State attorneys general increasingly impact businesses in all industries. Our nationally recognized state AG team has been trusted by clients for more than 20 years to navigate their most complicated state AG investigations and enforcement actions.
State Attorneys General Monitor analyzes regulatory actions by state AGs and other state administrative agencies throughout the nation. Contributors to this newsletter and related blog include attorneys experienced in regulatory enforcement, litigation, and compliance. Also visit our State Attorneys General Monitor microsite.
Contact our State AG Team at StateAG@troutman.com.
Troutman Pepper Locke Spotlight
Cyber Threats – Are You Prepared?
By Gene Fishel
Thursday, March 26 • 12:00 – 1:00 p.m. ET
Gene Fishel will be speaking on the “Cyber Threats – Are You Prepared?” webinar, being held on March 26.
Multistate AG News
Virginia AG Joins Multistate Suit Over CFPB Funding Signaling More Aggressive Enforcement in the Commonwealth
By Troutman Pepper Locke State Attorneys General Team
Virginia Attorney General (AG) Jay Jones has joined an ongoing lawsuit by 23 Democratic AGs challenging Consumer Financial Protection Bureau (CFPB) Acting Director Russell T. Vought’s interpretation of the CFPB’s statutory funding mechanism that would leave the agency without operating funds.
Federal Judge Holds Generative AI Communications Are Not Privileged in Decision Likely to Impact Litigation and Regulatory Enforcement
By Troutman Pepper Locke State Attorneys General Team and Lauren Hancock Miller
As the use of artificial intelligence (AI) becomes more prevalent in day-to-day life and in the legal field, in particular, thorny questions arise regarding the implications of that use. One such question is whether exchanges with a publicly available generative AI platform in connection with pending litigation are protected by the attorney-client privilege or the work product doctrine. In a matter of first impression nationwide, U.S. District Judge Jed S. Rakoff of the Southern District of New York answered that question in the negative and required a defendant to provide the prosecution documents memorializing litigation-related communications with a generative AI platform.[1] Applying traditional principles governing the attorney-client privilege and the work product doctrine, the court reasoned that the communications did not involve an attorney-client relationship, were not confidential, were not made for the purpose of obtaining legal advice, and did not reflect an attorney’s trial strategy.[2] The ruling will likely impact whether legal protections are afforded to AI communications, prompts, and output in both litigation and regulatory inquiries, including state attorneys general (AG) investigations.
Single State AG News
New York AG Settles Ghost Network Investigation
By Troutman Pepper Locke State Attorneys General Team
New York Attorney General (AG) Letitia James reached a $2.5 million settlement with health insurer EmblemHealth following an investigation of behavioral health provider “ghost networks.” “Ghost networks” are provider networks in which many of the providers listed in the insurer’s directory of “in-network” providers are actually unavailable, not accepting new patients, or not actually participating in the network. The investigation also focused on compliance with state and federal behavioral health parity laws. As part of the settlement, the insurer will pay more than $2.5 million and undertake changes to its policies and procedures.
AG of the Week
Mike Hilgers, Nebraska
Mike Hilgers was elected Nebraska attorney general (AG) in 2022 and took office in 2023. He previously served in the Nebraska Legislature representing the 21st District from 2017 to 2023, where he served as rules chair, chair of the Executive Board, and speaker of the 107th Legislature.
Before his public service, Hilgers spent more than 15 years in private practice handling complex litigation in state and federal courts. He practiced at a large law firm before founding a litigation boutique that was named to Inc. Magazine’s list of fastest-growing private companies in the U.S. for three consecutive years.
He began his legal career clerking for Judge Edith Brown Clement of the U.S. Court of Appeals for the Fifth Circuit. Hilgers earned a degree in economics from Baylor University and a J.D. from the University of Chicago Law School, where he was an editor of the Law Review.
A Nebraska native, he lives in Lincoln with his wife and four children.
Nebraska AG in the News:
- Hilgers, leading a 15-state coalition, filed a U.S. Supreme Court amicus brief arguing that federal law preempts state-imposed warning labels on glyphosate, urging a uniform national labeling standard to preserve farmers’ access to this widely used herbicide and avoid increased costs, supply disruptions, and reliance on more toxic alternatives.
- Hilgers joined an amicus brief supporting U.S. Supreme Court review to overturn Department of Energy (DOE) efficiency rules that effectively ban common noncondensing natural gas appliances, arguing the District of Columbia Circuit wrongly deferred to DOE in violation of Loper Bright and the Energy Policy and Conservation Act (EPCA) consumer and federalism protections, which would otherwise prevent costly harms to consumers.
- A coalition of 19 state AGs, including Hilgers, has asked the U.S. Department of Justice to investigate more than 150 U.S.-based climate activist nonprofits for allegedly acting as unregistered foreign agents under the Foreign Agents Registration Act (FARA) by accepting nearly $2 billion from five foreign climate organizations to influence U.S. energy policy and undermine American energy independence.
Upcoming AG Events
- March: RAGA | Spring Meeting | New Orleans, LA
- April: NAAG | Annual Meeting | Charleston, SC
- April: AGA | International Delegation | TBD
Troutman Pepper Locke’s State Attorneys General team combines legal acumen and government experience to develop comprehensive, thoughtful strategies for clients. Our attorneys handle individual and multistate AG investigations, proactive counseling and litigation, and manage ancillary regulatory issues. Our successful approach has been recognized by Chambers USA, which ranked our practice as a leader in the industry.
On December 5, 2025, the Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2025-45, “Commercial Lending: Venture Loans to Companies in an Early, Expansion, or Late Stage of Corporate Development,” which rescinds OCC Bulletin 2023-34, “Commercial Lending: Venture Loans to Companies in an Early, Expansion, or Late Stage of Corporate Development.” The OCC’s message in issuing the new bulletin to replace the prior bulletin is straightforward: the agency does not want to discourage prudent venture lending. At the same time, it expects banks to recognize that venture loans carry materially higher default risk than conventional commercial loans and to manage that risk through disciplined underwriting, realistic risk ratings, and appropriate reserves.[1]
Brief Reminder of What a ‘Venture Loan’ Is and Who This OCC Bulletin Applies To
The OCC defines “venture loans” as commercial loans to companies in an early, expansion, or late stage of corporate development that often are high‑growth or technology‑oriented and may be pre‑product, pre‑revenue, pre‑positive cash flow, or pre‑profit. These “venture borrowers” typically rely on external equity financing and balance‑sheet liquidity to fund operating losses, have limited operating histories, and may lack sufficient collateral or sustainable cash flow to support conventional repayment structures.
Bulletin 2025-45 applies to all OCC‑regulated banks that make, or are considering making, such loans, including community banks. It covers loans to early‑ and expansion‑stage companies that are in the concept, planning, or rapid‑growth phases and often depend heavily on future equity raises, as well as late‑stage companies that may be scaling rapidly but still have negative or intermittent cash flow and rely on secondary sources of repayment such as additional private equity, public capital markets, or asset sales. Bulletin 2025-45 excludes loans that primarily rely on internally generated cash flow, loans under government programs where guarantees materially mitigate credit risk (e.g., Small Business Administration (SBA)‑guaranteed loans), and fully controlled and monitored asset‑based loans (ABL) to early‑, expansion‑, and late‑stage companies — though facilities that lack typical ABL controls may still fall within the venture‑loan framework.[2]
Quick Recap of the Risks Unique to Venture Loans
The OCC stresses that venture borrowers often lack proven, sustainable cash flow, have untested business models, and exhibit high cash‑burn and liquidity needs. Their operating histories may be short, their future cash flows difficult to forecast, and their ability to refinance or execute an orderly exit uncertain. As a result, default risk is materially higher than for mature‑company commercial loans.
Common risk characteristics the OCC highlights include incomplete management teams or infrastructure, undeveloped or unproven products or services, declining or insufficient liquid assets and working capital, negative or inadequate operating cash flow to service or repay debt, limited collateral or reluctance to restrict cash for repayment purposes, reliance on uncommitted equity funding as a primary repayment source, and uncertainty about long‑term viability.[3]
Bulletin 2025-45 Builds on and Departs From the OCC’s 2023 Venture Lending Guidance
Bulletin 2025‑45 formally rescinds and replaces Bulletin 2023‑34, issued in 2023,[4] but largely preserves its core framework. Like Bulletin 2023-34, the new bulletin defines “venture loans” as commercial loans to early‑, expansion‑, or late‑stage companies that are often high‑growth or technology‑oriented, may be pre‑product, pre‑revenue, pre‑positive cash flow, or pre‑profit, and typically depend on external equity and balance‑sheet liquidity to fund operating losses. It continues to distinguish these loans from conventional cash‑flow‑based commercial credit, fully controlled and monitored ABL facilities, and government‑guaranteed loans where the guarantee materially mitigates credit risk. At the same time, Bulletin 2025-45 clarifies that “venture loans” may be scattered across multiple internal portfolios and labels, and that banks are expected to identify and aggregate these exposures regardless of how they are booked.
Where market participants sometimes read Bulletin 2023-34 as a warning against venture lending, Bulletin 2025-45 is more explicit about the OCC’s posture: the agency does not seek to discourage prudent venture lending that is conducted in a safe and sound manner and fits within a bank’s risk appetite. The new bulletin reaffirms that venture loans are a higher‑risk subset of commercial lending — with elevated default probabilities, short or unproven operating histories, high cash‑burn, and heavy reliance on external capital — but it frames the guidance as providing transparency into the OCC’s supervisory expectations rather than as a signal to exit or shrink the business. It calls on boards and senior management to adopt a clear venture‑lending risk appetite, establish limits and concentration controls (including meaningful sublimits by stage of development, sector, and other risk drivers), staff the activity with experienced personnel, and embed venture portfolios into enterprise‑wide stress testing, capital and liquidity planning, and allowance for credit losses (ACL) methodologies.
Bulletin 2025‑45 places particular emphasis on how banks should evaluate repayment sources, assign risk ratings, and determine accrual status for venture loans. Among other points, the bulletin states that: (i) uncommitted future equity infusions are not a satisfactory primary repayment source; (ii) unrestricted and declining cash balances are generally not a sustainable primary repayment source unless realistic projections show that all cash burn can be funded without relying on debt and that sufficient cash will remain at maturity to repay the loan; (iii) remaining‑months‑liquidity (RML) covenants, even with short tenors, often do not ensure full repayment; and (iv) risk ratings for recurring‑revenue facilities should be based on realistic going‑concern cash‑flow projections, with “harvest” or wind‑down analyses playing a central role only when default is highly probable and the loan is already under stress.
Finally, Bulletin 2025-45 operationalizes what “safe and sound” venture lending should look like inside an institution. It segments early/expansion‑stage versus late‑stage borrowers more clearly, recognizes that some facilities labeled as ABL or leveraged loans may in substance be venture loans if they lack full ABL‑style controls, and expects management information systems to aggregate venture exposures across business lines. It also raises the bar for governance and infrastructure by calling for board‑approved policies, defined risk‑appetite and concentration limits specific to venture lending, robust monitoring and reporting, and ACL segmentation that reflects the higher and more volatile loss experience of venture portfolios. In doing so, the bulletin preserves the risk‑focused posture of Bulletin 2023-34 but provides a sharper, more detailed roadmap for banks that wish to continue or expand venture‑lending activities within supervisory guardrails. [5]
Practical Takeaways for Venture Lenders/Banks and Borrowers
For banks and venture lenders, Bulletin 2025‑45 translates into concrete expectations around governance, underwriting, structure, monitoring, and risk ratings. Boards should approve a clear statement of risk appetite for venture lending, supported by policies that define eligible borrowers, acceptable structures, underwriting standards, and concentration limits (including meaningful sublimits by stage of development, sector, and other risk drivers) that align with the bank’s size, complexity, and capital position. Banks should staff venture‑lending activities with personnel experienced in startup and high‑growth lending and maintain management information systems that can aggregate venture exposures across business lines and products. Enterprise‑wide risk‑management functions should incorporate venture portfolios into stress testing, capital and liquidity planning, and ACL methodologies.
Underwriting should focus on realistic, base‑case projections of the borrower’s ability to generate cash flow sufficient to service and repay debt and delever over a reasonable timeframe, supported by analysis of liquidity, cash burn, and RML. Lenders should require robust and timely financial reporting, including audited or reviewed financial statements where appropriate, interim cash reporting, and updated projections. Loan structures should align with the borrower’s risk profile and stage of development, using tenor, amortization, covenants, collateral, and tools such as cash sweeps or controlled accounts to help ensure that liquidity remains available for repayment and to allow for early intervention when performance deteriorates. With respect to repayment sources, banks should not treat uncommitted future equity infusions as a primary repayment source and should recognize that unrestricted, declining cash balances normally do not constitute a sustainable primary source either; committed funding and controlled, pledged cash are stronger primary sources. For recurring‑revenue facilities, banks should anchor risk ratings in realistic cash‑flow‑based analyses rather than relying solely on contracted revenue or low churn, using “harvest” or wind‑down scenarios primarily when the primary repayment source is already under stress.
For venture‑backed borrowers and their sponsors, the bulletin implies a need to demonstrate a credible path toward sustainable cash flow, to align capital‑raising plans with the bank’s expectations around reliable repayment sources, and to engage constructively on covenant and structural features that protect the lender while still preserving sufficient runway to execute the business plan. Borrowers should anticipate closer scrutiny of liquidity, cash burn, and RML metrics, and should be prepared to provide more frequent and detailed reporting. The earlier the company’s stage and the further it is from generating positive free cash flow sufficient to repay debt, the more weight the OCC places on structural protections and credit enhancements such as liquidity cushions, collateral controls, and enforceable funding commitments.
Conclusion
OCC Bulletin 2025‑45 does not recharacterize venture lending as impermissible or unduly constrained; instead, it clarifies and sharpens the OCC’s expectations while expressly affirming that banks should not be discouraged from engaging in prudent venture lending that fits within their risk appetite and is managed in a safe and sound manner. By recognizing that venture loans carry materially higher default risk than traditional commercial loans, the bulletin emphasizes the need for tailored governance, concentration management, underwriting, structural protections, monitoring, risk ratings, capital and liquidity planning, and ACL practices. Banks that invest in the people, systems, and disciplines necessary to meet these expectations will be better positioned to maintain or expand venture‑lending strategies without undue supervisory friction, and venture‑backed borrowers and sponsors that understand and align with this framework will be better positioned to obtain and sustain bank financing.
[1] OCC Bulletin 2025‑45, Summary, p. 1.
[2] OCC Bulletin 2025‑45, Background, pp. 2-3.
[3] OCC Bulletin 2025‑45, Ventured Lending Risks, p. 5.
[4] OCC Bulletin 2025‑45, Rescissions, p. 2.
[5] OCC Bulletin 2025‑45, Risk-Rating Venture Loans and Evaluating Repayment Sources, pp. 11-18.
In 2026, public companies are facing a rapidly shifting economic, regulatory, geopolitical, and technological landscape. While these changes create meaningful opportunities, they also introduce new and often interrelated risks that must be incorporated into existing governance, risk management, and disclosure processes. Against this backdrop, boards of directors are increasingly expected to exercise more proactive, informed, and agile oversight. Oversight by active, engaged directors is critical to help companies navigate this changing environment, ensuring that their governance models, risk management frameworks, and strategic planning processes are well-positioned to support long-term value creation, growth, and resilience.
Set forth below are significant corporate governance trends and developments that we expect to impact board oversight and actions throughout 2026.
I. Focus on Macroeconomic Conditions
Geopolitical tensions and conflicts, shifting trade policies, evolving sanctions regimes, and supply chain constraints continue to add complexity and risk for companies. These developments are becoming structural features of the operating environment, rather than discrete or episodic issues. Boards must now integrate these factors into recurring strategic and risk discussions, rather than addressing them only as specific situations arise.
Boards should therefore review how these factors are included in companies’ enterprise risk management frameworks. Management teams should also give periodic updates on developments and risks with respect to these factors, rather than limiting updates to ad hoc crisis briefings. In addition, boards should consider how these factors impact companies’ liquidity planning, funding strategy, and capital allocation decisions.
By embedding a focus on macroeconomic conditions into their regular oversight responsibilities, including through strategy sessions, risk reviews, and committee work, boards can better ensure that companies remain resilient, compliant, and prepared to pivot as conditions evolve.
II. Recalibration of Stakeholder Engagement
Companies’ engagement with stakeholders is changing in response to regulatory developments, political scrutiny, and changes in how voting decisions are made. Boards should understand how these changes may affect investor relationships, proxy season dynamics, and the channels through which stakeholders seek to influence corporate governance.
Increasing Passivity of Investor Engagement. In 2025, the U.S. Securities and Exchange Commission (SEC) updated its beneficial ownership reporting requirements to emphasize passivity of institutional investors. Previously, SEC guidance indicated that engagement with management on executive compensation, environmental, social, or other public interest issues, or corporate governance topics unrelated to a change of control typically would not, in itself, prevent a stockholder from qualifying as a passive investor. The new guidance, however, broadened the actions that would constitute an attempt to influence control, and, consequently, cause a stockholder to be deemed an “active,” rather than “passive,” investor. Notably, the new guidance states that recommendations to “change…executive compensation practices or undertake specific actions on a social, environmental, or practical policy” coupled with explicitly or implicitly conditioning support of one or more of the company’s director nominees may constitute an attempt to influence control.
This new guidance generally has made investors more cautious with management engagement. As a result, many engagement meetings are shorter and more scripted, with fewer forward-looking or thematic discussions, and feedback often is confined to direct responses to company-prepared questions.
Stockholder engagement strategies under these new parameters are continuing to develop, but companies should review their approaches to stockholder outreach to ensure they continue to receive timely and valuable feedback. In particular, boards should consider whether:
- Management and the board should more actively set the timing, structure, and substance of engagements.
- Additional venues for engagement outside of typical proxy season touchpoints would be useful.
- The board receives regular and adequate information on investor engagements, including areas of concern and emerging expectations.
Investors may increasingly look to boards and management teams to structure engagement opportunities and provide visibility into companies’ approaches to key topics.
Narrowing of Eligible Stockholder Proxy Proposals. Historically, stockholders could make their views on governance matters known to management, the board, and other stockholders through a variety of mechanisms, including by submitting a proposal to the company for inclusion in the company’s annual proxy statement. Although the proposal may not pass, the fact that the proposal would appear in the proxy statement and be subject to a stockholder vote may impact the company’s activities. For example, in advance of the vote, the company may settle with the stockholder proponent by making responsive changes on terms mutually acceptable to the stockholder proponent and the company. However, long-standing SEC rules limit the subjects of stockholder proposals that companies are required to include in their proxy statements. The SEC’s interpretations related to these eligibility rules heavily impact a stockholder’s ability to access a company’s proxy statement and thereby force a stockholder vote on a proposal.
In 2025, the SEC issued guidance narrowing the stockholder proposals that companies are required to include in their proxy statements. In November 2025, the SEC announced that, due to “current resource and timing considerations,” it would not give companies substantive responses to Rule 14a-8 no-action requests to exclude stockholder proposals for the 2026 proxy season, with a limited exception for no-action requests based on certain state law issues. As a result, public companies that decide to exclude a proposal from the proxy statement face a heightened risk of litigation from proponents, although such litigation has been limited to date. Companies seeking to exclude stockholder proposals during the 2026 proxy season should follow Rule 14a-8’s procedures and bring proposed exclusions to their boards for deliberation regarding the company’s decision, and also consider engaging and negotiating with the stockholder proponent.
Greater Scrutiny of Proxy Advisors and Changing Voting Models. In December 2025, the White House issued an executive order aimed at reducing the influence of proxy advisors, asserting that the policies of these firms, particularly those related to environmental, social, and governance (ESG) and diversity, equity, and inclusion (DEI) matters, advance nonfinancial goals that conflict with investor fiduciary duties. The executive order directs the SEC, Federal Trade Commission, and Department of Labor to review the rules governing the proxy advisory industry.
At the same time, voting programs for retail investors have been shifting, which may reduce reliance on proxy advisory firms. For example, in September 2025, the SEC granted ExxonMobil’s no-action request to establish a new retail stockholder voting program that allows stockholders to authorize standing voting instructions that require ExxonMobil to vote their shares based on the recommendation of the company’s board at each meeting of stockholders. Additionally, over the last several years, large asset managers have continued to roll out or expand “pass-through voting” and “voting choice” programs, allowing underlying investors greater input into how their indirectly held shares are voted.
These programs may decrease the predictability of voting outcomes for companies and increase the importance of stockholder engagement and communication. Boards and management may also need to devote more attention and resources to understanding investor preferences and explaining the company’s position on key matters. Boards should stay apprised of investor engagement plans and feedback.
III. Artificial Intelligence
Artificial intelligence (AI) is rapidly developing and becoming embedded in many aspects of companies’ operations. At the same time, regulation, as well as best practices for oversight and risk identification and management in connection with AI, are still evolving. As AI becomes increasingly important in companies’ businesses, as well as those of their third-party vendors, it is essential that boards have the expertise and structures needed to oversee the risks and opportunities associated with AI.
Boards should consider whether they have the skillset to effectively oversee AI, including the ability to guide and challenge management on these matters. This may mean requiring regular education for directors on AI fundamentals, current and proposed regulatory frameworks, and emerging best practices, or recruiting directors with specific AI experience. Companies should also consider updating their director and officer questionnaires to collect information regarding AI expertise of board members.
Additionally, stakeholders increasingly expect companies to adopt formal AI governance frameworks as AI becomes more prevalent. The number of S&P 500 companies disclosing that a board committee has AI oversight responsibilities more than tripled in 2025. Audit committees are the primary choice; however, technology committees, nominating and governance committees, and others also are designated to oversee AI. The prevalence of technology committees has also grown in recent years as companies seek structures better suited to ongoing oversight of AI and cybersecurity generally. As AI implementation and use will differ across companies, appropriate governance structures will likewise differ. Boards and management should thoughtfully approach board and management-level governance structures that best support the company’s AI activities. Boards should also consider the type and scope of information delivered by management on AI, including whether it effectively supports the board’s oversight role.
Boards also should consider how AI tools might be used to enhance their own oversight function. AI capabilities can be used by boards to provide analyses, summaries, and comparisons that can contribute to deeper discussions, more insightful questions, and better decision-making. The use of AI can also help overcome the information gap between directors and management. However, appropriate parameters should be put around the use of AI in the boardroom. Confidentiality and data security matters should be carefully considered, as well as potential biases and errors found in AI-generated materials. As in other areas of companies, AI can be a powerful tool in the boardroom, but ultimately, it cannot replace the board’s oversight role or the need for informed, independent judgment.
IV. Finding New Paths for Sustainability
The corporate sustainability landscape has evolved significantly since the beginning of 2025 due to ongoing regulatory divergence at the federal and state levels, increasing public and political scrutiny, and general uncertainty. In 2026, the ESG landscape remains highly politicized and is experiencing significant regulatory fragmentation. Many companies have responded by revisiting their ESG programs and modifying their public-facing communications with respect to ESG topics. This includes shifting toward the term “sustainability” and away from the term “ESG” due to its politicized connotations. At the same time, stakeholders continue to focus on certain ESG issues that may affect long-term value. Boards should recognize that many of these substantive issues remain important, even as terminology and political dynamics shift.
DEI practices and disclosures have also been under increasing scrutiny. As noted above, in early 2025, the White House issued executive orders targeting DEI programs and policies. While these executive orders were aimed at the federal government and government contractors, they have influenced broader public debate and contributed to recalibration of DEI approaches across companies.
Effective February 25, 2025, ISS indefinitely halted consideration of a board’s gender diversity and racial/ethnic diversity when making voting recommendations with respect to the election of directors at U.S. companies. In March 2025, Glass Lewis modified its approach to board diversity so that it flags all director election proposals at U.S. public companies in which its recommendation is based, in part, on considerations of gender or underrepresented community diversity.
In response to the changing environment, many companies have reduced DEI-related disclosures in public-facing documents, including proxy statements. Companies have also expanded their definitions of diversity to encompass varied skills, experiences, and backgrounds in addition to gender and racial/ethnic characteristics.
Finally, the prevalence of greenwashing litigation has continued to increase in the United States, with heightened scrutiny directed at sustainability representations, particularly in marketing and labeling.
Given the new risk dynamics at play in these areas, boards should take an active role in overseeing sustainability programs and disclosures. In particular, boards and management should:
- Seek to tailor sustainability programs to the company’s business model and operations, prioritizing issues that are most material to long-term value and risk;
- Integrate key sustainability risks into the company’s enterprise risk management framework;
- Coordinate disclosures to mitigate misalignment risks; and
- Engage with stockholders on sustainability, particularly when making changes to sustainability programs, goals, or disclosures.
V. Revisiting Board Refreshment and Succession Planning
Board refreshment and succession planning are critical to ensure that board composition remains aligned with a company’s evolving strategy, current and emerging needs, risk profile, and stakeholder expectations. Over the last few years, additional emphasis has been placed on companies’ explanations regarding what skills and experiences each director brings to the board and how the board ensures it has the right mix of skills and perspectives.
The SEC’s universal proxy rules further heightened scrutiny of individual directors. In universal proxy contests, activist investors can more easily target specific directors and tend to target directors whose profile may be perceived as misaligned with the company. In this environment, it is important for boards to have robust processes for evaluating directors’ continued service.
While most boards conduct some type of annual evaluation process, those processes may not be as rigorous or actionable as they could be. To enhance their effectiveness, boards should consider:
- Incorporating individual director evaluations, in addition to board- and committee-level assessments, to provide more specific feedback on performance and engagement.
- Engaging a third-party facilitator periodically to conduct evaluations. The use of a third-party facilitator can help to promote candid feedback and assist with difficult conversations about board composition and function.
These steps may help drive meaningful improvements in board effectiveness.
Investors are also increasingly expecting disclosures that demonstrate boards are considering succession planning in a structured way, including board leadership, director, and management succession planning. Thoughtful succession planning supports continuity, reduces the risk of disruption, and can enhance confidence in long-term strategy.
Final Thoughts
As boards confront this evolving governance environment, the common thread across these developments is the need for deliberate, forward-looking, and well-documented oversight. In 2026, directors should periodically reassess board and committee structures, risk management frameworks, disclosure controls, engagement strategies, and succession planning processes to ensure they remain fit for purpose in light of changing regulatory expectations, stakeholder dynamics, and technological advances such as AI. Thoughtful calibration of these elements, tailored to the company’s industry, strategy, risk profile, and investor base, can help boards mitigate legal, regulatory, and reputational risks and better position the company to capitalize on emerging opportunities. By approaching these issues in an integrated manner, including engaging proactively with management, advisors, and key stakeholders, boards can strengthen their governance foundations and support companies’ long-term value creation, resilience, and credibility in a period of continued uncertainty.
Political activities sit at the intersection of law, policy, and reputation. Companies operating in highly regulated industries cannot avoid political law issues, and those issues are frequently more complex than expected.
This quarterly newsletter highlights a few practical issues we are seeing with clients and a handful of developments worth keeping on the radar.
What Is a Super PAC, Anyways?
Contrary to what its name may imply, a so-called “super PAC” is not a traditional political action committee (PAC) with extra fundraising or spending power. In fact, super PACs are often defined by their limitations. They cannot make direct political contributions to candidates or even coordinate with candidates or political parties. Despite these limitations, super PACs are increasingly common due to a key concept: independent expenditures.
An independent expenditure is a political communication, such as a paid TV ad, that supports or opposes a candidate and is made independently by super PACs (i.e., without any coordination with the candidate’s campaign or political party). Because the expenditures are made without coordination, they are considered a form of protected political speech. As a result, there are far fewer legal restrictions on how super PACs can raise money and how much they can spend advocating for or against candidates. For example, companies are often banned from making direct contributions to candidates from corporate treasury funds, but no such limitation exists for donations to super PACs.
Super PACs are “super” because the unlimited political funds they raise and spend are considered “political speech” and are subject to fewer restrictions.
Compliance Checklist for the Quarter
A few practical reminders as the year begins.
- Review Contribution Policies
Many companies have political contribution policies on paper that are not consistently operationalized. Make sure procedures for pre-clearance and reporting are actually being followed.
- Confirm PAC Reporting Calendars
Corporate PACs often operate on different reporting schedules depending on activity levels. Confirm that reporting calendars reflect current obligations.
- Update Lobbying Registrations
Companies that lobby in multiple states should verify that registration renewals and reporting requirements are current across jurisdictions.
- Evaluate Pay-to-Play Exposure
Companies with government contracts or investment adviser exposure should periodically review political contribution activity for potential pay-to-play implications.
Development to Watch: Expanding State Pay-to-Play Rules
More states are examining restrictions on political contributions tied to government contracting or financial relationships with public entities. While these rules vary widely, the overall trend is toward greater scrutiny.
For companies operating across multiple states, the practical challenge is not a single rule but the patchwork of overlapping regimes.
Where We See Problems Arise
Most compliance issues do not stem from intentional misconduct. They arise from structure.
Typically:
- Government affairs teams drive political activity.
- Legal departments manage regulatory risk.
- Political compliance frequently sits somewhere between those functions.
Without a centralized system, responsibilities can become fragmented and key tasks can slip through the cracks.
Common problem areas include:
- Missed registration renewals.
- Untracked executive political contributions.
- Inconsistent documentation of event sponsorships.
- Delayed reporting of lobbying activity.
A disciplined process, supported by clear policies and responsibilities, can prevent most of these issues from escalating into enforcement actions, negative press, or business disruptions.
A Final Thought
Political compliance is rarely an area where companies want to spend their time, but in regulated industries, it is part of the operating environment.
Handled well, it becomes routine infrastructure.
Handled poorly, it can quickly become a distraction.
If you have questions about any of the issues above, or if you would like to walk through your current compliance framework, feel free to reach out.
We’re always happy to talk and to partner with you on building a practical political compliance structure that works for your organization.




