Global Tech Risk Bulletin - March 2026
Powered by Lockton's Global Technology Risk Practice, March
To our clients and friends:
This newsletter focuses on several important regulatory updates relevant to legal counsel, financial professionals and other risk managers.
TL;DR
Foreign private issuers face new SEC Section 16(a) reporting obligations under the Holding Foreign Insiders Accountable Act—significantly expanding disclosure requirements for directors and officers of FPIs listed on U.S. exchanges.
The SEC published the first update to its Enforcement Manual since 2017, signaling a more transparent and procedurally balanced process that rewards self-reporting and proactive remediation.
The SEC and CFTC jointly released a landmark token taxonomy materially reducing securities-law risk for issuers and intermediaries.
The White House released a proposed legislative blueprint for AI, following President Trump’s December executive order on AI regulation.
The EU is escalating enforcement of the Digital Markets Act and Digital Services Act against American tech companies, while the Trump administration mounts diplomatic and trade counterpressure, creating bifurcated compliance risks.
Nvidia has begun shipping H200 AI chips to China under a new 25% tariff regime, underscoring the volatility of export controls and the need for scenario planning around geopolitical risk.
The Supreme Court will decide in Sripetch v. SEC whether the SEC must prove actual investor harm to obtain disgorgement—a ruling that could reshape D&O insurance coverage.
California’s SB 371 slashed rideshare UM/UIM coverage from $1 million to $60,000/$300,000, fundamentally altering the risk landscape for mobility platforms and corporate travel policies.
Foreign Private Issuers Face New Disclosure Regime
President Trump signed the “Holding Foreign Insiders Accountable Act” into law on December 18, 2025. The Act extends US Securities Exchange Act Section 16(a) reporting requirements to directors and officers of foreign private issuers (FPIs), effective March 18, 2026.
This represents the most significant expansion of FPI disclosure obligations in over a decade, and it affects many foreign-domiciled technology companies listed on U.S. exchanges.
New Reporting Requirements
Beginning last Wednesday, March 18, 2026, directors and executive officers of FPIs must file beneficial ownership reports with the SEC on the same timeline as their U.S. counterparts, including:
Form 3 (initial statement) must be filed within 10 days of becoming a director or officer
Form 4 (changes in beneficial ownership) must be filed within two business days of any transaction
Form 5 (annual statement) must be filed within 45 days after fiscal year end for deferred transactions
The definition of “officer” is expansive, covering not only individuals identified as executive officers for annual reporting purposes but also the principal financial officer and principal accounting officer.
On March 5, 2026, the SEC provided conditional relief from these reporting requirements for directors and officers of FPIs organized or incorporated in Canada, Chile, the EU, Korea, Switzerland and the UK if they report under local regulation in a manner that is publicly available in English two days after posting.
Legal departments and corporate secretaries typically coordinate Section 16 compliance for U.S. domestic issuers. FPIs should establish similar internal processes. Companies should also revisit insider trading policies to require directors and officers to report transactions internally with sufficient lead time to ensure timely SEC filings.
For legal counsel, chief financial officers or risk managers of foreign private issuers listed on US exchanges, or of foreign companies seeking a listing in the US, this new law represents a significant expansion of US reporting obligations and a compliance risk that may affect directors and officers of such entities.
SEC Updates Enforcement Manual for First Time Since 2017
On February 24, 2026, the SEC's Division of Enforcement published the first update to its Enforcement Manual since 2017. The revisions, described by SEC Chairman Atkins as “long-overdue,” go beyond previously announced procedural reforms to impose new approval layers before Staff can issue so-called “Wells notices”, direct Staff to share "salient, probative evidence" from investigative files with notice recipients, and allow a four-week response period followed by a mandatory senior-level meeting. The Manual also formalizes the restoration of simultaneous consideration of settlement offers and statutory disqualification waiver requests, reducing the risk that settling parties face unexpected collateral consequences such as loss of WKSI status. For organizations whose shares are registered on US exchanges, the reforms collectively signal a more transparent and procedurally balanced enforcement process, one that rewards self-reporting, robust internal controls, and proactive remediation with the possibility of reduced or forgone civil penalties. This is generally good news for risk professionals.[1]
SEC and CFTC Unveil Formal Token Taxonomy, Interpretation of How Federal Securities Laws Apply to Crypto
On March 17, 2026, the SEC — in coordination with the CFTC — published a landmark 68-page interpretive release that establishes a five-category token taxonomy for crypto assets: digital commodities, digital collectibles, digital tools, stablecoins, and digital securities. The release explicitly names 18 tokens — including Bitcoin, Ether, Solana, XRP, Cardano, and Dogecoin — as digital commodities, defined as crypto assets “intrinsically linked to and deriv[ing] their value from the programmatic operation of a crypto system that is functional, as well as supply and demand dynamics.” Critically, the SEC states that the first four categories (commodities, collectibles, tools, and stablecoins) are not, in and of themselves, securities — though they can become securities if offered or sold under an investment contract, which in turn generally requires an issuer’s “representation or promises to engage in managerial efforts from which a purchaser would reasonably expect to derive profits”. The guidance took effect immediately and reflects the updated SEC-CFTC Memorandum of Understanding signed on March 11, 2026, under their Joint Harmonization Initiative.
For risk professionals, this taxonomy represents a meaningful inflection point. Tokens that were the subject of enforcement actions or open investigations just months ago now carry a digital commodity designation. That means many activities for these assets no longer carry securities-law risk, materially reducing the compliance burden for issuers and intermediaries operating in these markets. Tokens not explicitly named in the release may still qualify as digital commodities on a case-by-case basis if they meet the stated criteria, so the door is open well beyond the initial 18. As SEC Chair Paul Atkins put it: “This is what regulatory agencies are supposed to do: draw clear lines in clear terms”. For firms recalibrating their crypto risk frameworks, clearer lines have finally arrived.
AI Regulatory Developments
As noted in our previous bulletin, on December 11, 2025, President Trump signed an executive order, “Ensuring a National Policy Framework for Artificial Intelligence.” On March 20th, the White House released a legislative blueprint for a National Artificial Intelligence Policy Framework (the “Framework”).[2] Generally, the Framework favors a unified federal, “light-touch” AI regime centered on preempting state AI laws while promoting innovation. The Framework lays out recommendations across seven areas: protecting children online, supporting communities and infrastructure while managing AI-driven energy and security risks, addressing creators’ rights and digital replicas without preempting ongoing copyright litigation, safeguarding free speech from government-driven censorship, boosting U.S. competitiveness through sandboxes and data access rather than a new AI regulator, expanding AI-focused workforce and education initiatives, and establishing broad federal preemption of state AI rules.
Strategic Response for Technology Companies
As with the December executive order, the Framework changes nothing immediately. Companies should continue compliance planning for existing state AI laws, including the Colorado AI Act (effective February 1, 2026), California’s various AI statutes, and other state requirements. Legal counsel, financial professionals and risk managers should monitor developments closely but avoid compliance investments based on speculative scenarios. Still, companies should consider the potential implications of standards based on federal, rather than state, regulation.
EU Escalates Tech Enforcement Amid Transatlantic Tensions
The European Union has entered what Brussels officials characterize as the “most sensitive phase” of its digital policy, shifting from legislative negotiation to aggressive enforcement against American technology companies. This collision between European regulatory ambition and American political pressure creates risks for technology companies operating transatlantically.[3]
The Enforcement Pipeline
After years of legislative development, the European Commission is operationalizing two landmark regulatory frameworks with potentially significant financial consequences.[4]
The Digital Markets Act (DMA), fully applicable since May 2023, has designated six companies as “gatekeepers” controlling market access across core platform services. Many of these companies have been subject to significant EU fines.[5]
The Digital Services Act (DSA), governing content moderation and online safety, imposes demanding operational requirements: platforms must conduct risk assessments, publish transparency reports, explain content moderation decisions, and provide researchers with data access.
The American Counterpressure Campaign
The Trump administration has characterized EU digital regulations as “economic warfare” and mounted a response:[6]
Visa Bans and Diplomatic Retaliation: In December 2025, the U.S. imposed entry bans on former EU Commissioner Thierry Breton and four other European officials, citing “censorship” and coercion of American social media platforms. Secretary of State Marco Rubio explicitly framed the action as targeting “leading figures in the global censorship-industrial complex” and warned of readiness to expand the list.[7]
Trade Threats: The Office of the U.S. Trade Representative confirmed preparations for a “Section 301” investigation that could lead to tariffs, characterizing EU digital rules as discriminatory. In December, U.S. Trade Representative Jamieson Greer warned European tech firms including SAP, Spotify, and Mistral of potential “fees or restrictions” unless the EU relaxed regulatory actions against American companies.[8]
Regulatory Rollback Demands: The administration has explicitly called for modifications to EU digital rules and threatened tariffs in response to enforcement actions. President Trump signed a memorandum in February 2025 directing his administration to investigate and potentially impose tariffs on foreign governments that implement policies “encouraging censorship.”[9]
Strategic Implications for Technology Companies
The transatlantic regulatory divergence creates operational and strategic challenges that extend beyond compliance costs:
Bifurcated Product Development: Companies must now wrestle with the prospect of designing fundamentally different product architectures for European and non-European markets. The DMA requires designated gatekeepers to allow third-party apps and app stores, enable cross-platform messaging, prohibit self-preferencing in search and advertising, and provide business users with access to platform-generated data.[10]
Reputational and Political Risk: Technology executives find themselves navigating not only regulatory compliance but also geopolitical risk. Companies perceived as aligning too closely with American political pressure risk regulatory retaliation in Europe, while those seen as acquiescing to European demands face political backlash in Washington.[11]
Nvidia’s China Exports
Nvidia has indicated that it now has China’s approval to sell its H200 AI chips, marking the first delivery of advanced chips under President Trump’s policy. This policy shift reverses the Biden administration’s restrictive approach, which banned advanced AI chip exports to China on national security grounds.[12]
Strategic Implications
Chinese technology giants including Alibaba and ByteDance are monitoring developments closely, given that the H200 offers approximately six times the performance capacity of the H20—the chip Nvidia specifically designed for the Chinese market under previous export restrictions. The H200, though part of Nvidia’s older Hopper series, remains critical for many AI systems even as Nvidia transitions focus to newer architectures.
For U.S. technology companies and their boards, this development underscores the volatility of export control regimes and the risks of depending on certain regulatory frameworks for international operations. In a recurring theme, companies with China-dependent supply chains or customer bases should conduct scenario planning for both tightening and loosening of export restrictions, recognizing that policy can shift dramatically with administration changes.
Supreme Court to Clarify SEC Disgorgement Powers: D&O Insurance Implications
On January 9, 2026, the Supreme Court granted certiorari in Sripetch v. SEC, agreeing to resolve a circuit split that has created significant uncertainty regarding the SEC’s ability to obtain disgorgement in civil enforcement actions. The Court’s ruling—expected before the term ends in June—could fundamentally alter the financial exposure landscape for public companies, senior executives, and the D&O insurance market.[13]
The Question Before the Court
The core issue is whether the SEC must demonstrate that investors suffered actual pecuniary harm to obtain disgorgement, or whether it is sufficient to show that a defendant received ill-gotten gains from securities law violations. This seemingly technical question carries profound practical consequences: in fiscal year 2024, disgorgement and prejudgment interest accounted for nearly 75% of the financial remedies obtained by the SEC—$6.1 billion of $8.2 billion total.[14]
The D&O Insurance Dimension
This case carries significant implications for directors and officers liability coverage. D&O policies typically define “loss” to explicitly exclude “disgorgement” or “restitution,” on the theory that returning funds that were never rightfully the insured’s cannot constitute insurable loss. The Seventh Circuit’s Level 3 Communications v. Federal Insurance decision established that insurance is intended to protect against actual financial harm, not to enable insureds to retain fraudulent gains.[15] However, the term “disgorgement” itself is typically not defined in policy language, creating ambiguity that can result in coverage disputes.[16]
Potential Outcomes and Strategic Implications
If the Court rules that pecuniary harm is required, companies and individuals facing SEC enforcement may have a new defense against disgorgement demands, potentially limiting the SEC’s leverage in settlement negotiations. Conversely, a ruling supporting the SEC’s position could embolden the agency to bring more enforcement actions and seek disgorgement more aggressively, even where no specific investor harm is alleged.[17]
Recommended Actions[18]
Review current policies: Understand whether your D&O policy’s definition of “loss” explicitly or implicitly addresses disgorgement and restitution
Assess negotiation opportunities: Work with brokers to determine whether improvements to policy wording regarding disgorgement are achievable
Monitor market trends: Watch for insurers adding specific disgorgement exclusions or otherwise narrowing terms in response to the Supreme Court’s ruling
Evaluate coverage across lines: The Court’s ruling could influence disputes involving employment practices liability, fiduciary liability, errors and omissions, and cyber insurance
California Slashes Rideshare Insurance: SB 371 Takes Effect
Effective January 1, 2026, California’s Senate Bill 371 dramatically reduced the uninsured/underinsured motorist (UM/UIM) coverage that transportation network companies (TNCs) must provide—dropping protection from $1 million to $60,000 per person and $300,000 per incident. This reduction in coverage fundamentally alters the risk landscape for mobility platforms, their drivers, and passengers.
The Coverage Reduction
The legislation emerged from a September 2025 compromise between Governor Newsom, legislative leaders, rideshare companies, and SEIU California. Proponents argue that the previous $1 million UM/UIM requirement—which applied only to rideshare, not to taxis, buses, or personal vehicles—contributed to California having among the highest rideshare costs in the country.
Implications for Technology Companies
For mobility platforms and technology companies operating in California, SB 371 prompts several considerations:
Reduced liability exposure: TNCs face lower coverage costs and reduced claim severity exposure for UM/UIM incidents
Regulatory review: The California Public Utilities Commission and Department of Insurance will study the impacts of the new coverage requirements, with findings due by 2030[19]
National precedent: California’s shift may influence other states considering rideshare insurance reform
Conclusion
This edition underscores a theme we have been tracking throughout 2025 and into the new year: the regulatory ground beneath technology companies is shifting on multiple fronts simultaneously. Risk professionals are navigating an environment where policy changes are arriving faster than many compliance frameworks can adapt. Whether you are reassessing D&O coverage in light of Sripetch, recalibrating crypto risk after the SEC-CFTC taxonomy, or scenario-planning around AI export controls and state-level AI laws, the throughline is the same—proactive risk management has never been more critical.
As always, Lockton’s Global Tech Risk Practice is here to help you stay ahead of what is coming. Reach out to your Lockton team with questions about any of the developments covered in this bulletin.
1. https://www.gibsondunn.com/sec-division-of-enforcement-updates-its-enforcement-manual-for-first-time-since-2017/
2. https://www.sullcrom.com/insights/memo/2026/March/White-House-Releases-National-Policy-Framework-AI
3. https://www.ft.com/content/c4e769c8-edf7-46ab-a208-eb33385fb93a
4. European Business Magazine, covering enforcement of the Digital Markets Act and Digital Services Act against American technology companies (2025).
5. https://www.csis.org/analysis/implications-digital-markets-act-transatlantic-cooperation
6. https://prospect.org/2026/01/13/trump-big-tech-tax-cuts-deregulation-europe-digital-networks-act/
7. https://www.ft.com/content/c4e769c8-edf7-46ab-a208-eb33385fb93a
8. https://www.cnn.com/2025/12/11/tech/ai-trump-states-executive-order
9. https://www.iss.europa.eu/publications/commentary/trump-takes-aim-overseas-extortion-american-tech-companies-eu-us-rift
10. https://europeanbusinessmagazine.com/european-news/eu-prepares-tougher-tech-enforcement-in-2026-as-trump-warns-of-retaliation/
11. https://prospect.org/2026/01/13/trump-big-tech-tax-cuts-deregulation-europe-digital-networks-act/
12. Nvidia gets Beijing's nod for H200 chip sales, adapts Groq chip for China, sources say | Reuters
13. https://global.lockton.com/us/en/news-insights/supreme-courts-ruling-on-disgorgement-and-your-d-and-o
14. https://www.jdsupra.com/legalnews/supreme-court-to-review-limits-on-sec-2138585/
15. https://andersonkill.com/wp-content/uploads/2023/09/Insurance-Industrys-Disgorgement-Defense-Hits-A-Wall.pdf
16. https://europeanbusinessmagazine.com/european-news/eu-prepares-tougher-tech-enforcement-in-2026-as-trump-warns-of-retaliation/
17. https://www.hklaw.com/en/insights/publications/2026/01/certainly-getting-interesting-supreme-court-again-to-address
18. https://europeanbusinessmagazine.com/european-news/eu-prepares-tougher-tech-enforcement-in-2026-as-trump-warns-of-retaliation/
19. https://trackbill.com/s3/bills/CA/2025/SB/371/analyses/assembly-floor-analysis.pdf





Fantastic coverage, Preet! Subscribed and will be sitting down with some coffee to read this!