Stamer Conducting Cybersecurity Jedi Skills Training At ISSA Security Summit 2025 CISO Forum On 9/17

July 24, 2025

The Information Systems Security Association (“ISSA”) – Los Angeles Chapter (“ISSA-LA”) recently confirmed that Solutions Law Press publisher and author Cynthia Marcotte Stamer will conduct “Cybersecurity Jedi Skills Training” at the 2025 Annual Security Summit 2025 ISSA-LA is hosting on September 17-18, 2025, at the Annenberg Beach House in Santa Monica, California.

Under constant threat from potentially draconian operational, financial and legal mayhem from cybercriminals’ ransomware and other cyberattacks, organizations, investors, breach victims, business partners, and federal and state regulators increasingly expect cybersecurity and other IT leaders to defend their organization’s proprietary knowledge, workforce, finance, and other mission critical data and systems cyberthreats from dark web with the skill of Jedi knights. While even the most skilled cyberwarriors can’t render their data and operating systems impenetrable against these attacks, cybersecurity professionals and their organizations should engage in constant training and preparation to protect themselves and their organizations from the fallout that commonly follows from a data or systems breach or failure.

The September 17, 2025, “Cybersecurity Jedi Skills Training” workshop that Ms. Stamer will conduct is designed to help CISOs, Directors of Information Security and other leaders strengthen their cybersecurity prevention and response strategies for enhanced defensibility. Drawing from her decades of experience advising and defending data-reliant organizations and their leaders, her workshop will:

  • Arm cybersecurity leaders with knowledge about how data, systems, and technology can either promote or undermine legal defensibility, and share basic principles and strategies for designing and using technology and data to advance legal goals and defensibility.
  • Empower cybersecurity defenders with insights into key cybersecurity, privacy, electronic data, and technology-related traps that impact defense and response strategies.
  • Highlight how cyber events and violations of computer, securities, antitrust, and other laws can expose organizations and their leaders to criminal, civil, and administrative liability.
  • Reveal key evidentiary practices and processes to use during compliance, contracting, audits, investigations, governance, incident management, and response, as well as when dealing with government or other investigations, to promote and strengthen defensibility and mitigate risks.

Ms. Stamer has developed the training from her decades of experience helping highly regulated and other performance and data-sensitive organizations and their leaders use the law, process, technology and other legal, risk management and operational tools to promote defensibility, mitigate risk, enhance operational effectiveness, and manage change and uncertainty. The founding and Managing Member of the Cynthia Marcotte Stamer, P.C. law firm, Ms. Stamer has used her extensive legal and operational knowledge to provide practical, client-centric advice, tools and solutions to help a diverse array of U.S. and multinational business, government, and community organizations, to design, manage and defend their people; compensation and benefits; technology, data privacy and security; regulatory compliance; and other operations-critical risks and performances for more than 35 years.  She is best known for her work with employer and other workforce, health, employee benefits, insurance, data and technology, financial and government organizations, and their technology and other developers and vendors, all of which bear significant data privacy and security obligations.

Longtime Scribe leading the American Bar Association (“ABA”) JCEB Annual Agency Meeting with the HHS Office of Civil Rights; incoming Intellectual Property Section Information Technology Committee  Vice Chair, and a widely published author, speaker and thought leader on cybersecurity and other data and technology use, privacy and protection, Ms. Stamer’s process-oriented work throughout her career continuously has included helping clients use and defend their data and technology practices, investigating and responding to data and technology breaches, events, threats and regulations; and dealing with insurers, federal and state legislators, regulators and investigators on cybersecurity and other data and technology concerns.  Her cutting-edge work, scholarship and thought leadership, advocacy and community service have earned her recognition as a “Top Woman Lawyer;” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; “Best Lawyer” in “Labor and employment,” “Tax: ERISA & Employee Benefits,” “Health Care,” and “Business and Commercial Law.” For additional information about Ms. Stamer or her services, see here or contact Ms. Stamer directly.

Ms. Stamer’s “Cybersecurity Jedi Skills Training” is part of two days of professional training and networking that ISSA-LA is presenting at its Annual Security Summit 2025.  Founded in 1982 by Sandra Lambert and Nancy King, ISSA-LA is the premier catalyst and community resource in Southern California for improving the practice of information security. A 501(c)(3) organization and the founding Chapter of the ISSA®, ISSA-LA provides various training classes and lectures for information Security and IT professionals throughout the year and at the annual Summit. ISSA-LA meets monthly for dinner and regularly collaborates with other IT and Cybersecurity organizations, having joint meetings and social events with the Women’s Society of Cyberjutsu, the Cloud Security Alliance, and the Association of IT Professionals, to name a few.  To register, review the schedule, information about sponsorship, or other details about the Annual Security Summit 2025 or ISSA-LA, see here.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating in and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Stamer Conducting Cybersecurity Jedi Skills Training At ISSA Security Summit 2025 CISO Forum On 9/17 | Corporate Compliance | Tagged: , , , , | Permalink
Posted by Cynthia Marcotte Stamer

Health Plans & Other HIPAA-Covered Entities Urged To Strengthen HIPAA Risk Analysis Processes & Documentation In Response To Rising Breach & OCR Enforcement Risks

April 22, 2025

With the financial impact to businesses suffering data breaches in 2024 now averaging nearly $5 million and the announcement by the Department of Health and Human Services Office of Civil Rights (“OCR”) two additional Health Insurance Portability & Accountability Act (“HIPAA”) “Risk Analysis Initiative” settlements in seven days, health plans, health care providers, healthcare clearinghouses (“Covered Entities”) and their business associates (collectively “Regulated Entities”) face a growing imperative to act now to promote the defensibility of their practices under the Risk Analysis and other HIPAA Privacy, Security, and Breach Notification Rule requirements. Coupled with OCR’s steady announcement of enforcement actions like those announced this month against NERAD and others under its Risk Analysis Initiative, OCR clearly health plans and other Regulated Entities to clean up and strengthen their Risk Analysis and other HIPAA Security Rule compliance.

HIPAA Risk Analysis Requirement & OCR Risk Analysis Initiative

The need for Regulated Entities to ensure their fulfillment of HIPAA’s Risk Analysis requirements to prevent and mitigate their legal, financial and operational exposures from breaches of electronic protected health information (“ePHI”) and to defend against a potential OCR Risk Analysis enforcement action or audit is demonstrated by OCR’s announcement of HIPAA Security Rule enforcement actions and settlements with Northeast Radiology, P.C. (NERAD) on April 10, 2025, and Guam Memorial Hospital Authority (“GMHA”) on April 17, 2025, the sixth and seventh under OCR’s recently announced HIPAA “Risk Analysis Initiative” .

Risk Analysis Longstanding HIPAA Requirement

The HIPAA Privacy, Security, and Breach Notification Rules Regulated Entities to meet specific standards to protect the privacy and security of protected health information. Since the HIPAA Security Rule first took effect, risk analysis is one of the four required implementation specifications Regulated Entities must meet under the Security Management Process standard in 45 CFR § 164.308.

To fulfill this Risk Analysis requirement, a Regulated Entity must conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI” and “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 

Additionally, in 45 CFR § 164.402 the HIPAA Breach Notification Rule requires a Regulated Entity that experiences an impermissible acquisition, access, use, or disclosure (“breach”) of unsecured ePHI to conduct a documented risk assessment to determine whether the Regulated Entity must notify affected individuals, OCR and in the case of breaches involving the ePHI of 500 or more individuals, the media. As consistently interpreted and applied by OCR, experiencing a breach or the existence of evidence putting the Regulated Entity on notice of a potential susceptibility creating a risk of a breach triggers a duty by the Regulated Entity to conduct a Risk Assessment to assess the susceptibility of its ePHI to the risk and the actions reasonably necessary to mitigate it under the Security Rule.

OCR views Risk Analysis as foundational to the protection of ePHI. As OCR Acting Director Anthony Archeval recently stated to explain OCR’s emphasis on Risk Analysis compliance and enforcement, “Ransomware and hacking are the primary cyber-threats to electronic protected health information within the health care industry. Failure to conduct a HIPAA risk analysis puts this information at risk and vulnerable to future ransomware attacks and other cyber-threats[.]” Consequently, OCR has constantly has urged Regulated Entities to fulfill their Risk Analysis obligations since the earliest days of HIPAA. To promote compliance, OCR persistently has communicated the necessity and importance of the Risk Analysis in guidance and sought to reinforce the consequences of inadequate Risk Analysis by discussing the role of Risk Analysis deficiencies in creating the circumstances leading to enforcement actions against Regulated Entitles in its civil monetary penalty assessments and HIPAA settlement announcements.

OCR Raising Risk Analysis Expectations & Enforcement

Despite OCR’s constant and ever-rising efforts to promote compliance with the Risk Analysis requirements, however, OCR consistently has found deficiencies in Regulated Entities’ Risk Analysis in its breach investigations and audit findings since these rules became effective. As the number and magnitude of reported breaches of ePHI skyrocketing and massive breaches like those experienced in 2024 by UnitedHealthcare subsidiary Change Health, Ascension and others demonstrating the serious consequences ransomware and other cyberattacks can inflict on health plan claims and payment, health care delivery, payment, and patient privacy, OCR is placing new emphasis on tightening both the requirements for Risk Analysis and its enforcement of compliance with the Risk Analysis requirements.

On December 27, 2024, for instance, OCR published a notice of proposed rulemaking that proposes to clarify and tighten significantly the Risk Analysis requirements and other elements of the HIPAA Security Rule. Along with proposing these heightened Risk Analysis requirements, OCR announced and now is zealously enforcing the current Risk Analysis requirements through its Risk Analysis Initiative to hold Regulated Entities accountable for failing to fulfill their Risk Analysis responsibilities as part of its heightened efforts to improve Regulated Entities’ fulfillment of their Risk Analysis obligations. With OCR’s announcement of the NERAD and GMHA enforcement actions on April 10 and April 17, respectively bringing to seven the number of Risk Analysis Initiative enforcement settlements in recent months, health care providers and other Regulated Entities should heed the schooling these and other similarly sanctioned organizations as a call to action to ensure their own Risk Analysis and other HIPAA Privacy, Security and Breach Rule compliance.

NERAD Enforcement Risk Analysis Initiative Enforcement Action & Settlement

The first of two Risk Analysis Initiative settlements announced in seven days in April and the sixth enforcement action and settlement specifically labeled as taken under the “Risk Analysis Initiative,” the NERAD enforcement action and settlement announced April 10, 2025 resolves liabilities for violation of the Risk Analysis Rule arising from OCR’s investigation of a breach of ePHI stored on NERAD’s Picture Archiving and Communication System (“PACS”) server for storing, retrieving, managing, and accessing radiology images.

OCR initiated its investigation of NERAD after receiving a NERAD breach report that between April 2019 and January 2020, unauthorized individuals accessed radiology images stored on NERAD’s PACS server. NERAD notified the 298,532 patients whose information was potentially accessible on the PACS server of this breach. OCR’s investigation found that NERAD had failed to conduct an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the ePHI in NERAD’s information systems.

To avoid potentially much greater HIPAA civil monetary penalties under the terms of the resolution agreement, NERAD paid OCR $350,000 and agreed to implement a corrective action plan that OCR will monitor for two years. Under the corrective action plan, NERAD will take steps to improve its compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conducting an accurate and thorough Risk Analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its Risk Analysis;
  • Developing and implementing a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
  • Augmenting its existing HIPAA and security training program to all of its workforce members who have access to PHI.

Guam Memorial Hospital Authority Risk Assessment Initiative & Ransomware Enforcement Action

Seven days after announcing the NERAD Risk Analysis enforcement action and settlement, OCR reaffirmed its commitment to enforcement of the Risk Analysis enforcement when it announced its first HIPAA settlement under the new Trump Administration with GMHA, a public hospital on the U.S. Territory, island of Guam, on April 17, 2025.

The seventh Risk Analysis Initiative enforcement action and eleventh ransomware enforcement action announced by OCR, the GMHA settlement arose from OCR’s investigation of two complaints alleging that GMHA impermissibly allowed the disclosure of ePHI of GMHA patients. OCR originally initiated its investigation in response to a January 2019 complaint alleging that GMHA experienced a ransomware attack affecting the ePHI of approximately 5,000 individuals. During the investigation, OCR received another complaint in March 2023 alleging that hackers accessed patient records. OCR’s investigation determined that GMHA had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI held by GMHA.

Under the terms of the resolution agreement, GMHA paid OCR $25,000 and agreed to implement a corrective action plan that OCR will monitor for three years. In the corrective action plan, GMHA must take a number of steps to ensure compliance with the HIPAA Security Rule and protect the security of ePHI, including:

  • Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
  • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
  • Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;
  • Develop, maintain, and revise, as necessary, written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules;
  • Augment its existing HIPAA and security training program so all workforce members with access to PHI understand the HIPAA requirements and GMHA’s HIPAA policies and procedures;
  • Enhance workforce security and information access management by reviewing all access credentials that have been granted access to ePHI; and
  • Conduct breach risk assessments and provide evidence to OCR that all breach notification obligations have been conducted.

Required & Recommended Actions To Promote Defensibility Of Risk Analysis Compliance  

With cyberattacks targeting health plan and other Regulated Entities soaring and OCR stepping up its scrutiny of Regulated Entities’ Risk Analysis compliance in audits and enforcement actions, each health plan and insurer and other Regulated Entity should review and tighten its Risk Analysis practices and documentation to reduce its susceptibility to potential breaches and to promote its ability to defend its compliance with the Risk Analysis requirements in the event of a breach investigation or audit.

Fulfill Current Risk Analysis Standards

To fulfill the “Risk Analysis” implantation specification, the Security Management Process Standard requires Regulated Entities enforce appropriate administrative, physical, and technical safeguards for the confidentiality, integrity, and security of electronic protected health information (“ePHI”) based on an up-to-date conduct of an up-to-date accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by that organization (“Risk Analysis”).

The Security Rule requires Regulated Entities to document each Risk Analysis in writing, to keep Risk Analysis documentation for six years, and to provide Risk Analysis documentation to OCR upon request.

Among other things, the Risk Analysis implementation standard requires regulated entities adequately to:

  • Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
  • Integrate Risk Analysis and risk management into the organization’s business processes.
  • Ensure that audit controls are in place to record and examine information system activity.
  • Implement regular reviews of information system activity.
  • Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
  • Incorporate lessons learned from incidents into the organization’s overall security management process.
  • Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.
Use Proposed Rules & Enforcement Actions For Additional Guidance To Mitigate Risks

The proposed rule published by OCR on December 27, 2024, seeks to clarify and expand the original requirements of the Risk Assessment implementation standard based on OCR’s past HIPAA Security and Breach Rule investigation and enforcement experience.  Under the proposed rule, a Regulated Entity’s Risk Analysis also would be required to include:

  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis, including a written assessment that contains, among other things:
    • A review of the technology asset inventory and network map;
    • Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI;
    • Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems;
    • An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities; and
    • A review of the technology asset inventory and network map.

Other changes included in the proposed rule would further heighten the Risk Analysis and other Security Standard requirements for Regulated Entities. For instance, the proposed rule would require Regulated Entities:

  • To establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours;
  • To perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration;
  • To establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents;
  • To implement written procedures for testing and revising written security incident response plans;
  • To conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements;
  • To require business associates to verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate;
  • To encrypt ePHI at rest and in transit, with limited exceptions;
  • To establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner including deployment of anti-malware protection, removal of extraneous software, and disabling network ports in accordance with the regulated entity’s risk analysis;
  • Use of multi-factor authentication, with limited exceptions;
  • Vulnerability scanning at least every six months and penetration testing at least once every 12 months;
  • Network segmentation;
  • Separate technical controls for backup and recovery of ePHI and relevant electronic information systems;
  • To review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures;
  • Business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation;
  • Group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

To help Regulated Entities understand and fulfill these responsibilities, OCR alone and in conjunction with the Office of the National Coordinator for Health Information Technology (“ONC”) also has published guidance like the HIPAA Security Risk Assessment (SRA) Tool.  OCR guidance reflects that fulfillment of the Tool can help Regulated Entities may help defend but does not guarantee fulfillment of the Risk Assessment requirements, as the adequacy of the Risk Assessment always depends upon the unique facts and circumstances of the Regulated Entity at a particular time.  This guidance confirms the importance of conducting timely and appropriate Risk Analysis in a manner that shows the Regulated Entity appropriately evaluated the risks to its e-PHI and acted reasonably in designing, administering, and updating that Risk Analysis to reasonably defend its e-PHI against breaches or other susceptibilities.

Since OCR’s guidance makes clear that the adequacy of a Regulated Entity’s Risk Analysis and other HIPAA Security compliance based on its evaluation and response to known and suspected susceptibility threats as conducted and documented pursuant to the Risk Analysis rule, health plans and other Regulated Entities should view Risk Analysis as a ongoing process. While the Security Rule does not currently dictate how frequently a regulated entity must perform Risk Analysis, a proposed rule published by OCR on December 27, 2024 seeks to amend the existing Security Rule to expand the requirement to require regulated entities to develop and revise a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.  Although OCR has not yet officially adopted this and other changes contained in the proposed rule, substantial evidence exists that it already regularly administers the Risk Analysis requirement with the expectation that regulated entities will perform Risk Analysis at least this frequently. For instance, current OCR resolution agreements require impacted organizations to conduct Risk Analysis to identify and address vulnerabilities at least annually, and more frequently as needed in response to signs of potential breach or susceptibility. Likewise, since OCR developed the proposed rule from its past enforcement experience, wise Regulated Entities also will recognize the value of drawing upon the changes set forth in the proposed rule for helpful insights to strengthen the security of their ePHI generally and promoting the defensibility of the adequacy of their Risk Assessments.

Suggested Process For Updating & Strengthening Risk Analysis

With the continued explosion in ransomware and other cyberthreats heightening the risk of experiencing a breach or other incident likely to draw the attention of OCR, each health plan or other Regulated Entity should take assess and confirm the adequacy of their current Risk Analysis, both to protect its ePHI and to promote its ability to defend its compliance with the HIPAA Security Rule’s Risk Analysis and other requirements in light of OCR’s heightened emphasis on Risk Analysis compliance and enforcement. For purposes of conducting this analysis, Regulated Entities generally will want to use a process like the following to structure their evaluation of their existing Risk Analysis to take advantage of the opportunity to use attorney-client privilege and other evidentiary rules to help protect discoverability of sensitive discussions about possible deficiencies in their existing Risk Analysis and discussions about potential tradeoffs considered in current or future Risk Analysis response:

  • Engage legal counsel experienced with HIPAA and other cybersecurity-related risks and liabilities to advise and assist your organization in designing and administering your Risk Analysis processes and response within the scope of attorney-client privilege;
  • Appoint and designate leadership and technical leadership for team responsible for design and administration of your organization’s initial and ongoing cybersecurity Risk Analysis and response (“Cyber-Risk Team”) and process for board and senior management reporting of the Cyber-Risk Team;
  • Select and engage outside consulting service providers, cyber-liability insurers and other risk service providers expected to participate in the process; work with qualified legal counsel to contract with these business associates to include the business associate agreement and other reassurances required by the HIPAA Privacy, Security and Breach Notification Rule and other performances, cooperation to provide and back services in accordance with agreed-upon protocols in the contract;
  • Train Cyber-Risk Team in the appropriate processes for working with internal teams, outside service providers, leadership, and designated legal counsel to conduct Risk Analysis, investigation and response using attorney-client privilege and other evidentiary tools and processes to maximize defensibility;
  • Require the Cyber-Risk Team conduct an updated, document assessment of cyber-risk within scope of attorney-client privilege and work with legal counsel to develop a documented cyber-risk policy that captures analysis and determinations for your justification for the size, scope and timing of your periodic Risk Analysis and rules and processes for interim risk identification, reassessments and response in reaction to potential cyber-risk signs between periodic Risk Analysis for presentation and approval by the Board taking into account the insights from published final and proposed guidance, enforcement actions and industry standards;
  • Require, oversee and enforce Cyber-Risk Team’s documented administration of the initial and subsequently required Risk Analysis and response pursuant to the adopted cyber-risk policy to identify vulnerabilities and work with legal counsel within the scope of privilege to document your analysis and justifications for addressing identified vulnerabilities and other required actions in response to identified susceptibilities or event;
  • Review adequacy of incident detection and response arrangements, including reporting and response mechanisms, insurance and indemnification protection, and other critical elements for mitigation and recovery; and
  • Other actions as warranted based on advice of counsel taking into account emerging threats, guidance, and risk susceptibility.

Although civil monetary penalties or settlements are the most common sanction imposed for HIPAA Security and Breach Notification rule violations, willful and certain other violations of HIPAA can trigger criminal liability subject to the Federal Sentencing Guidelines. Consequently, beyond fulfilling the specific requirements of HIPAA, an adequate Risk Assessment also can be an invaluable tool for helping mitigate Federal Sentencing Guideline exposures of a Regulated Entity and its leaders under the Federal Sentencing Guidelines Organizational Liability rules.

Beyond these specific HIPAA-associated exposures, Regulated Entities and their leaders should keep in mind that HIPAA is likely only one of many laws that define their responsibilities to secure, report, and respond to breaches of ePHI or other sensitive data. Depending on the location, nature and other circumstances, Regulated Entities and their leaders also may have additional responsibilities and liability exposures under a variety of other federal and state laws, ethical or other professional standards, and contractual obligations. For instance, health plan fiduciaries may risk fiduciary liability under the Employee Retirement Income Security Act of 1974 for failing to prudently secure and protect participate and other health plan data from improper access, use or disclosure. Inadequate data safeguards for ePHI also can trigger liability for brokers, consultants, insurers and others under the Fair and Accurate Credit Transactions Act, the Federal Trade Commission Act, and various electronic crimes statutes. The Securities and Exchange Commission rules can trigger disclosure and other obligations for publicly traded employers and insurers. Regulated Entities and their leaders generally will want to fully evaluate and manage these risks in conjunction with their compliance with the Risk Analysis and other requirements of the HIPAA Security and Breach Notification Rules.

The author of this update, Cynthia Marcotte Stamer is nationally known and celebrated for her experience providing advice and representation to employers, employer and other health plan sponsors, health plans, health plan fiduciaries and administrators, third party administrators, health care and life sciences organizations, human resources and health plan technology, and other businesses about HIPAA and other compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about these or other health or other employee benefits, human resources, or health care developments, please contact the author, Cynthia Marcotte Stamer, via e-mail or telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on HIPAA and other data and technology use, security and compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer works with these and other highly regulated or data and performance reliant businesses to design, risk manage, and defend their employment and other workforce, data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee.

Additionally,more her ABA involvements include than a decade of service as a Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Health Plans & Other HIPAA-Covered Entities Urged To Strengthen HIPAA Risk Analysis Processes & Documentation In Response To Rising Breach & OCR Enforcement Risks | Corporate Compliance | Tagged: , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer

FINRA Warns Brokers, Financial Advisors To Manage Compliance Risks Of AI

July 1, 2024

Brokers, financial advisors and others in the financial industry subject to regulation by the Financial Industry Regulatory Authority (“FINRA”) to document their careful selection and management of any machine learning, deep learning, neural networks, large language model (“LLM”) and other natural language processing (“NLP”), and other generative artificial intelligence tools (“Gen AI”) in their businesses with all relevant FINRA, securities and other laws and regulations.

Gen AI Tool Use Benefits & Risks

As FINRA’s 2024 Annual Regulatory Oversight Report notes, brokers, financial advisors and their organization increasingly are using Gen AI and other similar tools for a wide range of marketing and other operational purposes.

Gen AI technology presents both promising opportunities for investors and member firms and some attendant risks.3 Among other things, properly used Gen AI tools may:

  • Analyze and synthesize vast sets of financial and market data, summarize large and complex documents, and power educational resources that may help investors at all experience levels understand and navigate markets more effectively;
  • Allow an associated person to, for example, easily locate and query a member firm’s policies and procedures or forms, to generate summaries derived from the member firm’s research reports, or to obtain issuer-specific information by drawing on SEC filings and earnings call transcripts.
  • Allow member firms to leverage Gen AI tools to aid in surveillance by, for example, generating reports with summaries for the member firm’s (human) compliance personnel of potential evidence of malfeasance, such as market abuse or insider trading.
  •  

Along with these potentially promising benefits, Gen AI also can create added concerns about accuracy, privacy, bias, intellectual property,         possible exploitation by threat actors, and other risks.

FINRA Warning To Monitor Regulatory Compliance When Using Gen AI Tools

FINRA Regulatory Notice 24-09 published June 27, 2024, warns FINRA members to use care to ensure continued compliance with FINRA and other securities laws and rules when using Gen AI or other similar technologies in their businesses.   

The Notice reminds members that FINRA and other securities laws continue to apply when member firms use Gen AI or similar technologies in their business, just as they apply when member firms use any other technology or tool.4  The Notice notes, for example, that FINRA Rule 3110 requires that a member firm have a reasonably designed supervisory system tailored to its business. If a firm is using Gen AI tools as part of its supervisory system—for the review of electronic correspondence, for instance—the Notice states its policies and procedures should address technology governance, including model risk management, data privacy and integrity, reliability, and accuracy of the AI model.  

Where applicable, the Notice states the FINRA rules apply whether member firms are directly developing Gen AI tools for their proprietary use or when leveraging the technology of a third party, including through embedded features in existing third-party products.

The applicability and implications of FINRA’s rules as applied to the use of Gen AI use depend on how a member firm deploys the AI technology. The Notice warns that depending how a member firm uses Gen AI, Gen AI use could implicate virtually every area of a member firm’s regulatory obligations.6  The Notice warns that as with any technology or tool, a member firm should evaluate Gen AI tools before deploying them to ensure that the member firm will continue to comply with existing FINRA rules applicable to the business when using those tools.

FINRA already has provided some guidance about the use of Gen AI tools by members.  Before publishing the Notice, for example, FINRA already had released guidance discussing the specific application of the content standards of FINRA Rule 2210 (Communications with the Public).  In that guidance, FINRA stated that Rule 2210 applies whether member firms’ communications are generated by a human or technology tool.5 

Beyond the Rule 2210 guidance, the Notice also highlights other FINRA resources that FINRA encourages members to use to help shape and manage their organizations’ Gen AI use in their operations.  These include including:

SEC AI Regulation & Scrutiny

FINRA-regulated individuals and organizations also are reminded that the Security and Exchange Commission (“SEC”) also increasingly is focusing on AI and other data and technology related risks. In recent years, Chairman Gary Gensler and other SEC officials have identified a number of areas of potential securities market threats from the use of AI including tools and practices exposing the market and investors to fraudulent practices and deception; AI bias; and conflicts of interest or intensify existing financial vulnerabilities.

For instance, the SEC has scrutinized broker-dealer and investment advisor digital engagement practices and investment advisors use of technology to develop and provide investment advice for several years. See e.g,. SEC Release No. 34-92766; IA-5833; File No. S7-10-21, The SEC noted that investment advisory
clients may face risks when artificial intelligence models use poor quality, inaccurate or biased data that
produce outputs that are or lead to poor or biased advice whether incorporated unintentionally through use of data sets that include irrelevant or outdated information, including information that exists due to historical practices or outcomes, or through the selection by human personnel of the data or types of data to be incorporated into a particular algorithm. Accordingly, the SEC asked for input on how advisers account for, identify, evaluate and mitigate biases and disparities that raise investor protection issues.

In response to some of these concerns, the SEC Investor Advisory Committee (“IAC”) has proposed the Establishment of an Ethical Artificial Intelligence Framework For Investment Advisors in which the IAC proposed, among other things recommended that the SEC:

  • Increase and enhance SEC staffing and AI expertise;
  • Request and use data, comments and observations from the Division of Examinations in its inspections of advisers using artificial intelligence to draft best practices on the ethical use of artificial intelligence;
  • Consider frameworks developed by regulatory authorities around the world, such as The Monetary Authority of Singapore and organizations such as the CFA Institute to expand and enhance its 2017 Guidance regarding robo-advisers for purposes of developing and providing recommendations on the use of AI by investment advisors and broker-dealers

See IAC letter to SEC Chairman Gary Gensler (April 6, 2023).

In response to growing concerns that broker-dealers might use certain predictive analytics and similar technologies to optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes in a manner that puts their own interests ahead of investors’, in July 2023 the SEC published a Proposed Rule that if adopted generally would require a firm to evaluate and determine whether its use of certain technologies in investor interactions involves a conflict of interest that results in the firm’s interests being placed ahead of investors’ interests. The proposed rule would require firms to eliminate, or neutralize the effect of, any such conflicts, but firms would be permitted to employ tools that they believe would address these risks and that are specific to the particular technology they use, consistent with the proposal. The proposed rules would require firms to adopt written policies and procedures reasonably designed to achieve compliance with the proposed rules and to make and keep books and records related to these requirements. See also, Fact Sheet.

Managing AI Compliance Risks & Opportunities

All members and their organizations should ensure that they have audit and maintain an inventory of all Gen AI, PDA and other similar tools and conduct documented assessments to confirm the use of these tools does not adversely impact their continued compliance with relevant FINRA and other security rules before its deployment taking into account this and all other relevant FINRA rules and guidance. Because many third-party tools and services may include or incorporate Gen AI tools, FINRA regulated parties should require third party vendors to disclose or establish other processes for reliably determining when third party provided tools or services include or may impact the FINRA regulated party’s compliance and steps for monitoring and managing these impacts.

Moreover, all members using AI will need to establish documented processes and procedures for monitoring the continued appropriateness of the use of these and other Gen AI, PDA and other tools in light of emerging experience and guidance.

Since FINRA and the SEC also have indicated that additional enforcement, guidance or both are likely to emerge, these processes should include a reliable process for monitoring FINRA guidance for updates and timely responding to these developments.

Members and other interested parties with questions and concerns about emerging uses of AI may wish to consider sharing input with FINRA. the SEC and other relevant agencies. In this respect, the FINRA Notice invites members and other interested parties to engage and communicate with FINRA about potential supervisory and compliance implications of evolving Gen AI and other related technology uses as they evolve.  Among other things, the Notice:

  • Invites members and other interested parties to follow FINRA’s process for interpretive requests7 to seek interpretive guidance from FINRA to the extent member firms find ambiguity in the application of FINRA rules based on their specific use of Gen AI or other technology
  • Encourages member firms to have ongoing discussions with their Risk Monitoring Analyst as AI-related issues or other changes in their business arise.8
  • Encourages members to share feedback with FINRA on how its rules might be modernized in light of the use of Gen AI tools or other emerging technologies, consistent with investor protection and market integrity. FINRA will continue engaging with its members, regulators, policymakers and other interested parties on the use of Gen AI, LLMs and other emerging technology. Any parties interested in discussing these matters further with FINRA are welcome to contact our Office of General Counsel for policy and rules-related discussion, and REMA/Office of Financial Innovation for all other Gen AI engagement.

In the face of the Notice and other FINRA guidance on the use of AI in their operations, brokers, financial advisors and other FINRA related parties should use care in selecting, deploying, monitoring and managing any Gen AI or other tools in their businesses. In light of FINRA’s warning about the importance of pre-use compliance evaluation, brokers and financial advisors and their organizations should adopt written policies governing the use of Gen AI and other tools. These policies should prohibit pre-use compliance evaluation and approval before any Gen AI tools are deployed or used within their operations. regardless of whether developed and deployed in house or incorporated into third-party provided tools or services.

FINRA and SEC regulated parties also should monitor and take appropriate steps to guard their organizations and sensitive data, systems and operations against ransomware, cybersecurity and other threats created or enhanced by their own or third parties’ use of Gen AI or other technologies in light of the requirements of the Fair and Accurate Credit Transactions Act, federal and state electronic crimes and cybersecurity statutes, the SEC’s recently adopted cybersecurity rule, and other federal and state laws as well as the demonstrated market and operational risks associated with breaches.

FINRA regulated parties also should take steps to monitor enforcement, audit, and other regulatory and experiential developments potentially impacting on their past or continued use of Gen AI or other similar tools.

Of course, FINRA isn’t the only regulatory agency warning users about AI compliance risks. The Equal Employment Opportunity Commission (“EEOC”) is one of a growing number of other agencies that also have sounded warnings about compliance risks associated with the use of AI technologies. See, e.g. The Americans with Disabilities Act and the Use of Software, Algorithms, and Artificial Intelligence to Assess Job Applicants and Employees (May 12, 2024). FINRA and SEC regulated parties also should be cognizant of their direct compliance obligation and those of their customers and business partners under these and other laws.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on  here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations GroupHR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297

About the Author 

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations, regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for insurance, financial services, employee benefits, managed care and other health and life science, technology, government entities and contractors and other public and private businesses. As part of this work, she has extensively worked, spoken and published on the defensible design, use and management of artificial intelligence and other systems and processes throughout her career.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. Known for her skill combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; heath benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws. 

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here

IMPORTANT NOTICE

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication. 

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™

Comments Off on FINRA Warns Brokers, Financial Advisors To Manage Compliance Risks Of AI | Corporate Compliance | Tagged: , , , , , , , , , , , | Permalink
Posted by Cynthia Marcotte Stamer