(Last updated at 12:25 p.m. Dec. 11, 2024)
Seismic shifts are threatening to reshape the modern compliance landscape, from Supreme Court decisions tossing out decades of regulatory advantages to an electoral earthquake in Washington to a shocking crime in midtown Manhattan, as ongoing court cases leave some regulations and reporting requirements in limbo. With corporate integrity professionals preparing for what promises to be another transformative year, attorneys, experts, advisers and consultants share their thoughts on the year that was and look ahead at what’s to come in 2025.
Trump wins re-election, threatens to upend corporate regulation
Republican former President Donald Trump was swept back into office, setting him up to be the second president, after Grover Cleveland, to serve two non-consecutive terms. Trump’s reelection came after an election season filled with upheaval, including a late-in-the-game change at the top of the Democratic ticket and an assassination attempt on Trump.
Those who might wish to see a period of stability or a boon to businesses in light of Trump’s anti-regulation agenda could be disappointed, as many observers expect change to be the only constant of a second Trump Administration.
Dusting off an article archive we’d last updated in January 2021, we shared several updates on what corporate integrity professionals can expect in the next four years:
- What Will Trump 2.0 Mean for Compliance & Ethics?
- Compliance Under the Second Trump Administration: The Only Thing Certain Is Uncertainty by Keith Rosen
- How Will Trump II Change DOJ’s Corporate Enforcement Priorities?
As for what we can expect in 2025, if Trump’s Cabinet nomination process is any indication, the only thing we may be able to predict with any certainty is uncertainty. Still, experts and observers shared their expectations of how the second Trump presidency will impact compliance, risk and governance professionals.
What can we expect in 2025?
Kathy Malone, head of U.S. compliance and regulatory services at IQ-EQ
[The appointment of Paul Atkins as SEC chair] has certainly sparked concern around ESG and climate efforts and reforms. Many are expecting Atkins to prioritize corporate return over ESG considerations. While current SEC Chair Gary Gensler has put ESG at the forefront of his platform, it’s quite likely that Atkins will take a differing approach on ESG-related policies, although specifics remain to be seen. During Atkins’ time serving as an SEC commissioner from 2002 to 2008 during the Bush administration, we saw a preference for a lighter-touch approach to regulation. Atkins was also known to be critical of many reforms and regulations, specifically the Dodd-Frank legislation as it was seen as too burdensome on the banking industry. Historically, he has taken a pro-crypto stance, which may impact the overall regulatory landscape if he were to be appointed. We may see some changes in the role of the SEC chair, with the potential implementation of the Department of Government Efficiency. While this mandate is still relatively unclear, it could certainly entail a number of changes to the current way the government does business. We can likely expect the SEC to stray from the current agenda and avoid regulation on digital assets and new rules in general.
Matthew Prewitt, co-leader of the trade secrets, noncompetes & employee mobility group at ArentFox Schiff
President-elect Trump’s anticipated tariff and immigration policies may be significant for trade secrets and noncompetes in ways that may not be immediately apparent.
The H-1B visa program is an important part of the talent market for technology and engineering-driven industries. If it becomes more difficult to obtain an H-1B visa or to receive an extension, then this could increase reliance by U.S.-based employers on talent working beyond the U.S. borders. Effective cross-border enforcement of trade secret protections against disloyal employees or consultants can be very challenging even in jurisdictions with sophisticated judicial systems and well-established trade secrets laws. Employers who anticipate increased use of a global talent workforce should consider trade secret protections that do not rely on robust judicial enforcement and broad discovery in litigation.
An aggressive tariff policy may have sudden and dramatic impacts on the business partnerships of U.S. companies with their foreign suppliers who manufacture under confidentiality and IP licensing agreements. Disruptions in these relationships put trade secrets at risk. Suppliers who lose access to the U.S. market may face strong economic incentives to misappropriate their U.S. customers’ IP in order to replace the lost business in other markets and may be less concerned about potential legal remedies in the U.S. if they are driven out of the U.S. by US-imposed tariffs.
Joe Whitley, chair of the white collar defense, investigations and regulatory enforcement practice at Womble Bond Dickinson
We will likely see a temporary pause in enforcement activity as the Trump Administration overhauls DOJ leadership and nominates its slate of new U.S. attorneys. However, I believe the newly installed prosecutors will hit the ground running and we are likely to see increased enforcement activity toward the end of the second quarter of 2025 in a number of areas, such as healthcare fraud, Bank Secrecy Act and sanctions. The groundwork that was laid on new policies marrying corporate criminal enforcement with national security concerns will likely pay dividends later on in 2025 when we likely also see a number of enforcement actions in this area.
As with any change in administrations, there will be a reevaluation and a reestablishment of priorities, but white-collar enforcement will remain a top priority despite an anticipated surge of resources to combat unlawful entry into the United States, cartel and gang violence, fentanyl and drug cases and anticipated significant organizational reforms. Under the first Trump Administration, FCPA cases were at a record high, so I believe we will continue to see white collar enforcement rise. A significant increase in sanctions enforcement and export controls will likely result as well, particularly as applied to Iran, Venezuela and North Korea.
Allison Raley and Mike Burke of Arnall Golden Gregory
A reallocation of resources may occur, with a focus on areas like immigration and trade, potentially leading to reduced emphasis on current enforcement industries of interest. This shift could alter the risk landscape for businesses operating in regulated industries. These anticipated changes should prompt businesses to reassess their governance and risk management strategies to address regulatory changes.
Andrew Waters, TradingHub global head of regulatory affairs
The United States has shown over the last several years that it is not afraid to strike a muscular pose in cracking down on instances of manipulation and fraud more broadly. This includes during the first Trump Administration, when the CFTC showed notable interest in spoofing and emerging manipulation activity, doling out over $400 million in enforcement actions in fiscal year 2018 alone, and the SEC posted record enforcement numbers related to spoofing in 2018-19 as well. Nonetheless, with the new administration ushering in a new bench of regulatory chairpersons and a rebalancing of voting power at commissioner level at the CFTC, much is still to be known about what oversight priorities and trends will ultimately take shape.
Supreme Court scales back federal agency power
As legal observers had expected, the U.S. Supreme Court in its 6-3 Loper Bright decision held that executive agencies would no longer receive deference in lawsuits over rules they issue, doing away with the Chevron doctrine, which had been in place since the 1980s.
And on the next business day, the same conservative majority also held in Corner Post that the six-year deadline for businesses to challenge regulations in court starts not when the rule is adopted but when the regulation first affects the company. The session also saw the court strike down the SEC’s use of administrative courts in certain cases and halt the EPA’s “good neighbor” pollution rule.
The long and short of the expected impact of these rulings is deep uncertainty about federal agencies’ rule-making ability, we wrote in July, which was months before Trump’s re-election, an event that also promises to increase regulatory uncertainty.
What can we expect in 2025?
Yvonne Hennessey, partner and chair of environmental lobbying & election law at Barclay Damon
We can expect even more litigation seeking closer scrutiny of administrative agencies’ interpretation of federal law and their regulatory authority. This litigation will cover a myriad of regulatory areas, ranging from federal financial and tax laws to environmental statutes, such as the Clean Air Act and Clean Water Act to the Affordable Care Act. The result, at least in the near term, is likely inconsistent statutory interpretations of federal laws as lawsuits work their way through the courts. Courts will now be interpreting statutory provisions perhaps never judicially construed before, and judges may or may not agree with judges in other jurisdictions or even ones with different political leanings. Because of this, expect forum shopping. The abandonment of Chevron deference may also trickle down to the doctrine of administrative deference in states with administrative procedures acts similar to that at the federal level.
Trump’s reelection, along with the incoming Republican-controlled Congress, effectively doubles down on reining in administrative agencies. President Trump will continue to appoint federal judges that will narrowly construe federal laws as well as reduce the footprint of federal administrative agencies. All in all, the combined effect will be the narrowing of federal administrative agency authority.
John Wood, member of Holland & Knight’s public policy & regulation group and its Chevron deference working team
The Trump Administration will likely have a deregulatory agenda. Thus, they are likely to revisit regulations that have been upheld under Chevron to assess whether those regulations would be upheld under the more stringent Loper Bright statute. The Trump Administration might even change the federal government’s position in some pending lawsuits and admit that certain agency regulations cannot be upheld under the new Loper Bright standard.
AI continues to revolutionize every aspect of work — or threatens to
As companies adopt artificial intelligence (AI) for a variety of uses, corporate integrity professionals continue to try to get their arms around the risks and benefits. No other topic in 2024 drew more consistent attention on our pages than AI, and few promise to have the kind of revolutionary impact many expect this technology to have.
In March, I wrote about the fractured nature of laws governing AI, and in August, Jonathan Armstrong wrote about the EU’s landmark AI regulation, which offers risk-based prohibitions that will begin being phased in next year.
Indeed, many contributors highlighted the various ways in which AI looks to introduce new heights and types of risk: Christopher Mason and Ian Oxnevad addressed the risk of AI-powered disinformation; Scott Allendeveaux talked about the potential privacy implications; Shayna Grife tackled the double-edged-sword aspects of the technology; a group of authors from Littler Mendelson offered a comprehensive look at workplace risk; and Alastair Parr offered guidance on third-party risk management issues.
Generative AI, such as that offered by OpenAI’s ChatGPT or Anthropic’s Claude, got special attention this year. Jim DeLoach offered 10 questions for boards and management about this revolutionary technology, while Joshua Tucker, Paul Connolly and George Vlasto explored the potential for GenAI to disrupt corporate credibility with things like deepfakes.
Some contributors focused on corporate policy-making with regard to AI: Katie Twomey addressed aspects around ethics, quality, regulations and more in the journey from AI theory to practice; Peter K. Jackson shared a hypothetical object lesson in building a responsible AI tool; Sarah F. Hutchins and Robert M. Botkin helped readers understand which AI uses need a governance policy and which don’t; and Kapish Vanvaria and Sarah Y. Liang discussed how proactive AI governance can help build stakeholder trust. Meanwhile, Lauren Kornutick and Asha Palmer both encouraged companies to focus on workers as they weigh their AI options.
James Briggs warned about AI washing, and Sophie Luskin shared fears about the potential for AI to have a chilling effect on whistleblowers. Mark S. Nelson talked about the brewing AI crackdown at the SEC, while Karen Schuler suggested the EU’s new AI rules could have a bigger global impact than the GDPR. And the DOJ also got in on the AI party, though more about that later.
What can we expect in 2025?
Mike Cullen, principal at Baker Tilly
While AI adoption will become more common, we still lack a breakthrough application or program that fully leverages the potential of the technology. In 2024, we saw AI programs operate under two models: chatbots and specific use-case solutions. In 2025, expect both models to evolve through AI agents that can accomplish specific tasks on a human’s behalf and other AI solutions targeted at specific organizational problems.
There is likely to be a continued lack of U.S. federal regulation around the use of AI in business for the foreseeable future. As a result, states, specific industries and non-U.S. countries will likely continue to lead AI regulations in 2025, with a continued focus on high-risk use cases.
Renato Smith-Bornfreedom, partner and co-chair of Barclay Damon’s data security & technology practice area, and associates Celine Dorsainvil and Kat Delos Reyes
Businesses should not only expect further advancements in AI technology but also a growing number of compliance risks, bias and discrimination claims and the erosion of consumer trust and safety. Social media channels and platform providers will likely increase self-regulation as well as “AI-generated” label requirements and related terms. There will likely also be increased efforts to protect vulnerable populations from the detrimental impacts of AI.
Amber Foster, consultant, legal counsel at Lawyers on Demand
I think (and hope) that many regulators will adopt a risk-based approach along the lines of the EU approach. Otherwise, companies with a global reach will find adoption of AI difficult (and be at a disadvantage) due to the different compliance requirements in different countries. We saw this with GDPR, where many jurisdictions followed the EU model with some local changes. In the absence of regulation, companies outside of the EU are already following the EU model as a guide and adopting risk-based frameworks, such as the NIST AI Risk Management Framework, to complement it and fill in the gaps.
Companies that adopt AI in a smart way will have a competitive advantage. I think companies which adopt a total “ban” on AI are being naive — their staff are using it anyway. They are using the consumer versions of tools where data is often used to improve the AI model — company confidential info and personal data are being input into these tools — and this is not a good place to be.
Xavier Diokno, senior vice president of solutions & innovation at Consilio
Companies will have to identify use cases within their businesses and the ROI for using AI. When a company determines that the ROI is worth the cost and risk, they will likely move forward with applying AI for specific use cases. The alternative is to accept the status quo but risk falling behind competitors that do adopt AI.
Lauren Kornutick, Gartner
Regulations will likely only get more fragmented in the future. In the U.S., we have already observed a shift to increased regulatory fragmentation at the state level. The Loper Bright SCOTUS decision, which overturned the Chevron deference doctrine, has caused increased uncertainty regarding whether federal agencies, like the FTC, SEC and DOJ, have the ability to enforce rules. I would expect this shift to continue as the incoming administration is likely to continue to prioritize letting the states handle regulations while enacting its goals to shrink the federal government.
Mark McKinney, vice president of market intelligence and innovation at Gryphon.ai
Over the next few years, regulation and enforcement in areas like telemarketing compliance and privacy protection will increasingly be shaped by state-level initiatives, beyond just federal leadership. It’s the states that are positioned closer to their constituents’ interests and more responsive to the growing demand for privacy and protections. This shift will likely lead to more targeted and active enforcement strategies that reflect the needs and concerns of local populations. A key challenge for regulators will be effectively distinguishing between bad actors — organizations who knowingly and deliberately violate laws — and legitimate businesses that may unintentionally fall out of compliance due to a lack of clarity or understanding. This distinction is critical to ensure that enforcement efforts focus on curbing fraudulent activities, such as robocalls and scam texts, while supporting companies that are working to build trust and operate within the law.
Beth George, partner at Freshfields
Boards have a crucial role in ensuring that companies can manage the risks and seize the opportunities of AI — and have fiduciary duties to do so. The first step is to ensure the board itself has the appropriate skills to engage with AI and understand its challenges and potential benefits. At present, only around 13% of S&P 500 companies have at least one director with AI expertise, so most boards have a lot of catch-up to do.
Companies should brace for intense regulatory focus on AI, building on some strong enforcement actions already taken in the U.S., EU and elsewhere. Compliance professionals should stay informed about the latest regulatory requirements and actions and — above all — prioritize the adoption of appropriate risk management and governance frameworks.
Jisha Dymond, chief ethics & compliance officer at OneTrust
AI is high-stakes — high risk, high cost and high reward, naturally elevating it to the board level. The extent to which the board has a role in AI governance, however, will likely depend on how much of the organization’s strategy and vision is tied to AI. Smaller, ad-hoc implementations may remain just a line item on a budget sheet, but when entire products and services are being built on AI, you can expect it to reach the board’s agenda.
Mike DeKock, founder & CEO of MJD Advisors
The technology is moving so quickly and is such an incredibly nuanced and complex area that it seems impossible to regulate and allow for innovation without using risk-based governance frameworks. Attempting anything else would be like overseeing financial fraud without using an accounting ledger, which will certainly not change in the foreseeable future.
At this point, the only meaningful change in the regulatory environment would be a centralized standard, and there is no evidence that the incoming administration will prioritize that approach. That would lead one to assume we will continue to see new requirements from individual regulatory bodies that will likely grow in scope and complexity, especially as we venture into automated decision-making and start to have more conversations about regulating bias, which are issues that can only be managed through formal methodologies and compliance programs.
Manish Mehta, chief product officer at Ontic
Many SaaS-based companies are under pressure to deploy AI. AI requires mountains of data for training. Will SaaS-based companies use client data to train AI? Could that use result in inadvertent exposure? The ascent of AI is raising uncomfortable questions for CIOs about their use of SaaS-based software, and addressing these questions will become more urgent in 2025. As a result, we expect more companies to explore using private clouds for software containing particularly sensitive data.
Bion Behdin, co-founder of FirstAML
AI works like the human mind, mimicking thinking abilities in identifying patterns or making decisions and recommendations. It has become an extension of what we do and increased the capacity of what we can achieve. Criminals are using generative AI by creating seemingly genuine documentation, including invoices, receipts and communication, as well as difficult-to-distinguish deepfakes. In the fight against money laundering, more tools are also using AI to help compliance professionals with their work. For example, AML platforms are using AI to monitor transactions at scale to establish a baseline for normal behavior, making it easier to spot anomalies that might indicate money laundering. When onboarding clients, AI can also be used to link related entities and uncover complex ownership structures, as well as giving an indication of risk. This makes it easier for humans to understand complex information and make informed decisions without getting lost in the details.
Court pauses Corporate Transparency Act
In a timely intervention, a federal court in Texas issued a preliminary injunction Dec. 3 to halt enforcement of a landmark anti-money laundering law, the Corporate Transparency Act (CTA), enacted with bipartisan support in 2021.
Under the CTA, it’s estimated that more than 30 million U.S.-based corporate entities would have been required to file beneficial ownership information (BOI) reports with FinCEN — though many exemptions exist. The Texas court’s ruling followed a March opinion from an Alabama court that cast some doubt on whether the CTA would remain in effect; both courts found the law unconstitutional, determining that Congress exceeded its authority.
But the breadth of the Texas court’s ruling was surprising, wrote a group of attorneys at King & Spalding.
“The Court granted that broad relief, even though Plaintiffs did not request a nationwide injunction,” they wrote in a client alert. “Drawing on the government’s own arguments, however, the Court reasoned that it ‘could not provide Plaintiffs with meaningful relief without, in effect, enjoining the CTA and Reporting Rule nationwide.’”
Reporting had been slow, according to testimony from Treasury Secretary Janet Yellen, who told Congress in July that only about 10% of covered entities had filed their reports halfway through the year. And now it’s possible that those stragglers may never have to file, as other challenges to the CTA are still working their way through the court system.
While the Texas preliminary injunction remains in effect, covered entities that have yet to file will not be penalized, FinCEN said, but companies may still choose to file BOI reports. The Treasury Department has appealed the Texas ruling, but depending on how long the process takes to play out, it’s possible the incoming Trump Administration could choose not to defend the rules in court.
The CTA was part of the National Defense Authorization Act for fiscal year 2021, which went into effect over a Trump veto, though it’s believed his veto was not related directly to the CTA.
“Because the CTA was part of a law passed by Congress (and the beneficial ownership reporting regulations in large measure track the terms of the law) rather than a regulation issued by the executive branch of the government expanding or interpreting a law, I would expect that FinCEN will continue to appeal the nationwide preliminary injunction order until President Trump’s administration provides guidance as to whether it supports the CTA in its present form,” said Larry Laubach, co-chair of law firm Cozen O’Connor’s corporate practice group.
For covered entities that were in the process of gathering the required information, it may be wise to continue with that process, especially if certain beneficial owners are difficult to communicate with or track down. While most observers expect a compliance delay if the court injunction is lifted, should the requirements go back into effect, leaders would not want to be caught flat-footed.
The potential high costs for noncompliance could be an argument all on their own for a deadline delay, said Angela Gamalski, a partner at Honigman and chair of the firm’s CTA task force.
“Given the many cases filed disputing the extreme penalties for noncompliance with the rules, it is hard to imagine that this injunction would be lifted without a change in deadline or any grace period,” she said.
The Treasury Department’s desire to avoid hard feelings also speaks in favor of a delay, assuming the requirements stand, said Jamie Schafer, a partner at Perkins Coie.
“I suspect Treasury would not want to create any further public discontent around CTA compliance and would attempt to be fair-minded,” Schafer said. “Even if no delay were granted, if a reporting company were to document its good-faith efforts to comply and truly were unable to reasonably prepare its filings on a timely basis in light of the injunction, the likelihood of Treasury enforcement for a late filing seems incredibly low, particularly given the agency’s frequent statements that this is not intended to be a ‘gotcha game.’”
While a compliance delay seems likely, it probably would not be long enough to give companies time to tarry, said Sarah Paul, executive committee member and co-global head of corporate crime and investigations at Eversheds Sutherland.
“It is likely that there would be some sort of grace period for companies to file if the preliminary injunction is lifted and the law is allowed to take effect. However, it is difficult to predict how much additional time would be granted. This is another reason for owners and compliance professionals to gather the necessary information now, so that they are prepared to file if the preliminary injunction is lifted.”
Meagan Davis, an associate at Baker Donelson, says businesses hoping for a complete CTA reversal under a corporate-friendly Trump Administration may be out of luck.
“We do expect some form of the CTA to remain,” Davis said. “Other countries have a type of CTA reporting scheme, so it is highly unlikely that this will vanish completely.”
DOJ launches whistleblower pilot program & updates ECCP
A pair of developments at the DOJ look to impact corporate compliance for years to come. First, in August, the DOJ officially launched a pilot program for corporate whistleblowers offering up to $50 million in rewards for certain insiders who present the department with information about corporate misdeeds. Then, about a month later, the DOJ updated its “Evaluation of Corporate Compliance Programs” guidance to cover, among other things, how companies are addressing risks related to new technology like AI, as well as whether compliance teams have access to resources commensurate with other areas of corporate operations.
Chris Hoyle talked about the whistleblower pilot program’s intent to fill gaps left by other agencies’ whistleblower programs, while a group from Cadwalader, Wickersham & Taft discussed how companies should respond to the almost certain increase in employees reporting alleged misconduct to the government.
We wrote about the DOJ’s ECCP updates shortly after they were announced in September, Jacquelyn Pruet shared her insights as a former Texas state regulatory policy writer, and a group from King & Spalding wondered whether companies have answers to the AI questions the DOJ is asking.
What can we expect in 2025?
Joe Whitley, chair of the white collar defense, investigations and regulatory enforcement practice at Womble Bond Dickinson
Companies should assess the risks posed by the use of new and emerging technologies, including AI, and determine whether existing compliance policies sufficiently address that risk. DOJ is also looking to see if compliance policies address whistleblower protections and detail treatment for those who report misconduct. Any policies that don’t address AI or do not have anti-retaliation policies are behind the curve. Compliance staffing should be commensurate with a company’s risk profile: DOJ expects compliance to have an equal seat at the table with access to equivalent or reasonably similar resources as other key company functions and teams.
According to Nicole Argentieri, principal deputy assistant attorney general in the Criminal Division, the DOJ has received over 100 tips to date, “with more coming in every day” [as part of the whistleblower award pilot program]. This puts companies in a tricky position: Companies must decide whether to come forward or risk enforcement action, and the practical effect is that internal investigations, outside counsel and stakeholders need to move a lot faster. It is likely that the three-year pilot program will be extended beyond August 2027. As a consequence, there could be greater financial recoveries for the U.S. government in 2025 with increasing whistleblower activity.
David Burch, partner and co-chair of Barclay Damon’s white-collar & government investigations practice area
In 2025, I expect the whistleblower program will continue to grow and gain prominence at the federal level. The program will likely attract more whistleblowers given its clear financial incentives to whistleblowers, the protections provided to whistleblowers and the expanding scope of corporate misconduct it addresses. Businesses in regulated industries should expect to deal with an uptick of investigations based on whistleblowers and will need to be vigilant about defending when inquiries come in from the DOJ.
The first Trump administration generally favored deregulation and reducing government oversight of businesses, and statements during the campaign and by Cabinet appointees over time would suggest this focus on deregulation will continue in his second term. The result could be either a reduction in funding or a scaling back of enforcement efforts against corporate misconduct and will also have the potential to reduce regulatory violations overall over time. Ultimately, time will tell whether the results in Year One and public sentiment will cause the Trump-appointed DOJ leadership to continue the pilot.
Court blocks FTC’s new noncompete ban
In August, a federal judge in Texas ruled the FTC’s ban on noncompete clauses in most employment contracts was unconstitutional and could not be enforced, just a few weeks before the ban was set to take effect.
Hannah Addison and Michael Twomey offered insight into how to interpret the FTC’s ban, while a group from Baker Donelson celebrated the power of audits to help ensure trade secrets are protected, regardless of whether a noncompete ban is in place. But it seems likely that none of that will matter, as various forces combine to imperil the ban, says David Santeusanio, co-chair of Holland & Knight’s trade secrets and restrictive covenants team, who warns that federal rules aren’t the only game in town.
“The successful legal challenges to the rule, the election of President Trump and a Republican-led Congress have placed the future of the rule in peril,” Santeusanio said. “If the FTC abandons the rule or the rule otherwise does not go into effect, then government regulation in the next four years on issues involving noncompetes will likely be at the state level.”
Brian Markovitz, principal at Joseph Greenwald & Laake, similarly believes the ban won’t last.
“To the extent the FTC’s ban had a difficult path before the election with the Supreme Court most likely against it, the ban is now dead. I expect revocation of the ban will be one of the first actions taken by the FTC in 2025 under the new administration.”
ESG falls out of favor, but not off the radar
After a lengthy and contentious rulemaking process, the SEC issued a final rule requiring some large companies to report certain greenhouse gas emissions. But even with a scaled-back version of the rule that differed significantly from what was originally proposed, the commission has faced multiple court challenges and voluntarily suspended the rule pending the outcome of those cases.
And in a divisive presidential election year, the corporate ESG movement, and DEI in particular, took a great deal of flak, with some high-profile companies walking back their diversity promises and others rebranding their ESG programs to focus on responsibility and sustainability.
But, as I reported in May, regardless of the PR messaging surrounding the movement, or even whether the SEC will be able to compel certain companies to report their emissions, ESG and DEI will remain important in corporate America. For one, many of the same companies that would have been bound by the SEC’s rule will have to comply with new EU rules that are much more expansive than those in the U.S. anyway.
In January, the EU’s Corporate Sustainability Reporting Directive (CSRD) entered into force, requiring covered companies to report the sustainability-related risks and opportunities that have or are expected to have a financially material effect on the company.
As with its data privacy cousin GDPR, CSRD promises to create another Brussels effect in which a law or regulation in the EU, because of the global nature of modern business, must also be followed outside the bounds of the European Union.
CSRD is just one part of the EU’s focus on corporate sustainability; the European Parliament this year also formally adopted the Corporate Sustainability Due Diligence Directive, which requires companies not only to report data but to take steps to eliminate or mitigate their environmental and human rights impacts.
And even without formal regulation requiring it, workers, consumers, shareholders and other stakeholders are supremely interested in knowing how companies’ activities affect the planet and people who live on it.
What can we expect in 2025?
Natalia Gindler Corsini, founder and managing director of Prae Venire
Based on the incoming administration’s messaging, compliance professionals are unlikely to prioritize ESG initiatives. Efforts on ESG investing and climate-related disclosures are expected to be scaled back or reversed. ESG risks and stock exchange diversity mandates may be deprioritized or rescinded. While DEI efforts may receive less regulatory focus under the new administration, compliance leaders in multinational companies should not overlook this area. Regulatory support for DEI may decrease, and policies could be deprioritized. However, private-sector DEI efforts are likely to persist, driven by market forces and reputational considerations, with global companies continuing to prioritize DEI to align with international standards and consumer expectations.
Hooman Yazhari, impact investment fund founder and restructuring and corporate partner at Michelman & Robinson
Impact investing, despite the anti-ESG sentiment in 2024 (after much euphoria in the preceding years), will continue its longer-term growth trajectory as wealth is transferred from male Baby Boomers to women and younger generations. Asset owners will be increasingly aware of the impact their investments and consumer choices make. Asset allocators will continue to have opportunities to tap into the demand for ESG. However, to satisfy growing demand, rigor in impact measurement and skepticism of ESG, they have to up their game and offer more authentic and well-thought-through products.
As the space moves toward maturity in 2025, the vague and unhelpful catch-all umbrella phrase of ESG will be replaced with more granular and clear terminology that sheds light on the specific impacts or goals of any investment. Impact will be defined in the eyes of investors and implemented in the way they want to measure. Impact is personal and can take many shapes. As a result, authenticity is key to defining impact.
Boeing agrees to corporate monitorship before judge tosses out plea deal
American aerospace giant Boeing in July agreed to plead guilty to charges that it conspired to defraud the federal government in a case related to violations of a deferred prosecution agreement (DPA) the company reached with the DOJ in 2021. As part of its guilty plea, Boeing said it would invest nearly half a billion dollars in safety and compliance improvements and retain an outside compliance monitor. But in early December, a judge rejected the DOJ-Boeing agreement, giving the parties a month to provide an update on how they plan to proceed.
Attorney and podcaster Tom Fox dug into the saga at Boeing and urged the government to, in his words, go big with Boeing’s monitorship, encouraging an omnibus monitor in light of the staggering failures at Boeing and its importance to the global economy.
CrowdStrike failure sows chaos around the globe
A massive outage of computer systems across the world caused a multi-day meltdown that affected hospitals, airlines, banks, emergency services and other industries. But unlike many of the major outages the world has seen in recent years, this summer’s chaos wasn’t caused by an external force like a cyber attack. In this case, the call came from inside the house, as the issue was traced back to a faulty software update released by cybersecurity provider CrowdStrike. Delta Air Lines, the company most affected by the bad update, and CrowdStrike have sued each other, and those cases were pending as of early December. Though the CrowdStrike outage was not a cybersecurity issue per se, observers expect companies to increase their due diligence of technology vendors and to redouble their cybersecurity efforts.
What can we expect in 2025?
Kevin Szczepanski, partner and co-chair of Barclay Damon’s data security & technology practice, and partner Charles Nerko
Delta Air Lines’ lawsuit against CrowdStrike challenges pro-vendor contractual shields. The airline accuses CrowdStrike of misrepresentation, gross negligence and even computer trespass. Delta argues that CrowdStrike acted so irresponsibly that its contractual liability limits and disclaimers should not apply. A victory for Delta could weaken the protections tech companies have long relied upon.
In response, companies are likely to ramp up due diligence when selecting technology vendors, scrutinizing their operational reliability and cybersecurity practices. Businesses will also push for more balanced tech contracts, particularly in sectors where system failures or data breaches can paralyze operations, such as healthcare, finance and transportation. Businesses should also consider whether over-relying on a single vendor like CrowdStrike creates excessive risk that could be managed by expanding their lists of potential vendors.
In 2025, litigation over technology failures and data breaches is expected to rise, with businesses increasingly using lawsuits as a strategic tool to hold tech vendors accountable for the damages they cause. These cases will set new precedents for assigning liability to technology providers.
Jeff Krull, principal at Baker Tilly
CrowdStrike’s outage quickly demonstrated the severe risk associated with heavily integrating large service providers into an organization’s operations. Organizations are now starting to evaluate their recovery strategies, pinpointing where they have single points of failure.
While organizations may start recognizing and mitigating resiliency and recovery issues, cyber incidents continue to be on the rise with no signs of a slowdown. In 2025, there will inevitably be a massive critical infrastructure outage related to a cyber attack, and companies must prepare for such an event. Stronger security standards and more high-risk attacks will continue propelling cybersecurity into the forefront. As a result, expect cybersecurity to play a larger role in an organization’s overall business posture in 2025.
Healthcare CEO gunned down in Manhattan
UnitedHealthcare CEO Brian Thompson was shot to death in Manhattan shortly before a scheduled shareholders meeting, and just under a week later, police announced they’d arrested a suspect in the killing. With signs pointing to the murder as being motivated by Thompson’s role as the CEO of a large health insurance company, executive protection has taken center stage, alongside what many described as a surprising public reaction to the event, including people offering sarcastic comments about their sympathy being “out of network.”
What can we expect in 2025?
Fred Burton, executive director, protective intelligence at Ontic
Most CEOs rebuff the traditional close-protection models, thinking they are either unnecessary, bad for business and optics or undercut their reputation. Many executives still deny that they are at risk or may have enemies. But I’ve been in this business long enough to know that it takes tragedy to force change in our industry. It’s always been that way. The shooting of UnitedHealthcare’s CEO is a watershed moment for executive protection teams.
The threat landscape has changed to include the possibility of copycat attacks and doxxing of CEOs on social media. In the year ahead, the protection model will likely shift and adapt accordingly. We will see a shift toward a counter-surveillance model of protection — discreet shadowing and aggressive protective intelligence monitoring for threats.
SEC urges self-reporting as it cracks down on messaging apps
The SEC pressed on with its crackdown on improper use of ephemeral messaging apps like WhatsApp and continued to incentivize self-reporting. In August, it levied fines of nearly $400 million against 26 firms, while three that self-reported received lower fines.
In April, Sanjay Wadhwa, who is now acting enforcement chief, shared several factors the SEC considers when it issues fines, including things like company size, compliance efforts and cooperation; none matter more in fine reductions than self-reporting, Wadhwa said.
But self-reporting isn’t always the right move, wrote Lindi Jarvis and Edurne Sistiaga, as they offered insights about all the carrots and sticks the SEC has thrown out over the years.
What can we expect in 2025?
Harriet Christie, chief operating officer at MirrorWeb
It’s been another huge year of enforcement around “off-channel” communications, and one where the SEC has been very vocal about the benefits of proactive compliance. We’ve seen significantly reduced fines simply because firms have shown a willingness to adapt to modern compliance demands. That willingness ranges from more drastic measures like prohibiting “off-channel” communications altogether, to more progressive options.
Some have assumed that the change of leadership will affect this probe in 2025. However, acting enforcement chief Sanjay Wadhwa has repeatedly stressed the value of robust enforcement since the election, signaling that these foundational principles will continue to be upheld.