US Corporate Governance: 2025 Year-End Review

As the new year takes shape, we look back at major changes in corporate governance law over the second half of 2025 as a harbinger of developments to come.

We first describe four cases before the Supreme Court that may have significant implications for governmental administrative enforcement and private investor litigation, as well as two securities cases decided by the Ninth Circuit. Next, we turn to antitrust updates, False Claims Act and federal policy changes that will affect issuers, particularly foreign private issuers. And then we turn to certain developments in Delaware corporate law. We end by discussing federal and state enforcement of cybersecurity and privacy laws, and new laws enacted in the artificial intelligence space — an area that will be rapidly evolving in the coming year.

Securities cases in the Supreme Court

The US Supreme Court to resolve circuit disputes on administrative enforcement powers

In 2026, the Supreme Court will resolve three cases concerning the scope of the SEC’s and FCC’s administrative enforcement powers.

In Sripetch v. SEC,^[1] the Court will resolve a circuit split over whether the SEC must show that investors suffered pecuniary harm before obtaining disgorgement in a civil enforcement action. In Sripetch, as we reported in September, the Ninth Circuit joined the First Circuit, but disagreed with the Second Circuit, in holding that the SEC can obtain such a remedy without showing pecuniary loss. The Court reasoned that disgorgement is meant to deprive a wrongdoer of ill-gotten gains, not compensate a victim for losses.

Second, the Court will consolidate and hear appeals from the Fifth Circuit’s decision in Federal Communications Commission v. AT&T^[2] and the Second Circuit’s decision in Verizon Communications Inc. v. Federal Communications Commission^[3] that pose the same question: whether monetary penalties imposed administratively by the FCC violate the Seventh Amendment and Article III of the Constitution. The two cases originated from alleged failures to adequately protect customer data — location data in AT&T and proprietary network information in Verizon — and resultant administrative fines.

The Supreme Court’s decision to grant certiorari in each of these cases signals its ongoing interest in reviewing the scope of administrative agencies’ enforcement powers. The cases will be briefed over the coming months.

Read more

US Supreme Court grants certiorari to decide whether Section 47(b) of the Investment Company Act allows for a private right of action

On June 30, 2025, the Supreme Court granted certiorari in FS Credit Opportunities Corp., et al. v. Saba Capital Master Fund, Ltd., et al. to resolve a circuit split over whether Section 47(b) of the Investment Company Act (ICA) grants parties a private right of action. The ICA regulates investment entities such as mutual funds and exchange-traded funds and makes contracts formed in violation of the ICA voidable. In FS Credit, the Southern District of New York followed Second Circuit precedent and permitted the plaintiffs, two Saba Capital entities, to sue for rescission of the mutual funds’ governance provisions that allegedly violated the ICA.

The mutual funds petitioned for certiorari, arguing that Section 47(b) does not create a private right of action, so the Saba Capital entities had no right to bring suit. Petitioners noted that the deepening circuit split between the Ninth, Third and Fourth circuits, which have not found a private right of action, and the Second Circuit, which has, could foster forum shopping. The Court heard oral argument in December 2025.

Read more

Securities cases in the Ninth Circuit

SEC ‘No-Deny’ policy survives another challenge, this time in the Ninth Circuit

Under SEC Rule 202.5(e), defendants in civil enforcement proceedings can settle the claims against them without making any admission if — and only if — they agree not to publicly deny the allegations.^[4] This rule has been challenged numerous times in courts across the country and recently survived one more facial challenge that was decided by the Court of Appeals for the Ninth Circuit in August 2025.

In Powell v. S.E.C., the petitioners — most of whom had entered settlements with the SEC requiring them to comply with Rule 202.4(e) — challenged the SEC’s refusal to amend the rule and argued that it is an unconstitutional gag order on protected speech.^[5] The SEC argued that the rule reflects a voluntary agreement that defendants are free to decline. The court of appeals sided with the SEC “on necessarily narrow grounds.” It concluded that the rule is not per se unconstitutional, because constitutional rights are waivable, but left open whether it would survive potential particularized as-applied challenges on First Amendment grounds. Dissenting judges who have heard previous challenges to the rule have criticized it as an unconstitutional prior restraint on free speech and an inhibition of public critique of the government.

Read more

Ninth Circuit addresses the scope of Section 12(a)(2) liability for misleading opinion statements under Omnicare

A case decided by the Ninth Circuit, Pino v. Cardone Capital, LLC,^[6] sheds light on when opinion-based statements included in offering materials may give rise to liability under Section 12(a)(2) of the Securities Act. In Pino, the defendants promoted an annual rate of return on their real estate investment funds that the SEC asked to be withdrawn from their offering documents. While the defendants did so, they continued to use the rate on social media and did not inform investors of the SEC’s concerns.

The Ninth Circuit reversed the Central District of California’s dismissal of the Securities Act claim, concluding that the defendant’s withdrawal of the misleading statement — following an SEC comment letter — could support an inference that the statement lacked a reasonable basis when made. The Ninth Circuit’s reasoning differs from that of the Delaware Court of Chancery in Plug Power, where the court declined to draw such an inference, discussed in more detail here.^[7]

Further, neither the public nature of the SEC letter nor statements in the plaintiff’s complaint specifically disclaiming allegations of fraud automatically defeated the Section 12(a)(2) claims, as these claims do not require intent to defraud under Omnicare, Inc. v. Laborers District Council Construction Industry Pension Fund.^[8]

Read more

Antitrust activity

Section 8 of the Clayton Act and private equity: takeaways from recent enforcement

Private equity firms may face increased scrutiny of potential violations of Section 8 of the Clayton Act, thanks to premerger filing reports that solicit information on overlapping directorates and are now required under the Hart-Scott-Rodino Act (HSR).

Under Section 8, officers and directors of a company are prohibited from serving a competitor in a similar capacity. The HSR-mandated reports now give enforcement agencies clearer views of these overlaps than were previously available, especially concerning private companies. This may entail heightened scrutiny of private equity firms that have a majority interest in two entities in a related business space — for example, a deputization where a private equity firm places an agent as a director of one company and a different agent as a director of a competitor.

In at least two recent cases, the FTC and DOJ have simply obtained resignations, rather than bringing civil enforcement actions; however, the risk of stronger medicine for repeat violations warrants vigilance. Private equity investors need not automatically disqualify any interlocking directors, but they should undertake a Section 8 analysis prior to deploying their appointees to boards of companies in related businesses.

Read more

Antitrust regulation in the marketplace of ideas

Statements of Interest filed by the DOJ in two pending litigations illustrate new arguments that the Trump administration is testing in the realm of antitrust enforcement that may implicate First Amendment rights to free expression and association.

First is Children’s Health Defense v. WP Company LLC. Here, Children’s Health Defense, an anti-vaccine advocacy organization previously chaired by US Health and Human Services Secretary Robert F. Kennedy Jr., brought antitrust claims against four major news outlets that are members of the Trusted News Initiative (TNI), a partnership that aims to combat disinformation. The plaintiffs argued that the defendants directed social media platforms to censor their published information, constituting an illegal group boycott under the Sherman Antitrust Act. The defendants argued that the plaintiffs did not allege an antitrust injury because they did not allege that TNI cut off their access to any media platforms and because antitrust laws do not reach the “marketplace of ideas.”

The DOJ filed a Statement of Interest in July 2025 and took the opposite position: that the Sherman Act covers all forms of competition, “including competition in information quality,” and recognizes that “content competition” is a critical feature of the news industry.

Second, in State of Texas et al. v. BlackRock, Inc., several states sued BlackRock, State Street and the Vanguard Group — the largest asset managers in the US — alleging that they used their substantial holdings in competing coal companies to influence management so as to reduce coal production and therefore carbon emissions, and together, they profited.

The FTC and the Antitrust Division of the SEC filed a Joint Statement of Interest implying that the asset managers were acting out of ideology, not economic interest, and arguing, among other points, that (1) institutional investors cannot use their shares to stifle competition and (2) an exemption under the antitrust statutes for stock acquisitions made “solely for investment” can be lost when the investment is used to harm competition.

These cases ask the courts to examine the line between commercial speech — that intended to further the economic interests of the speaker — and political speech, the most protected category of free expression.

Read more

On the continuing relevance of state antitrust enforcement in the US

State antitrust enforcement activity has rebounded from lulls in 2021 and 2022, with states initiating their own actions and joining federal agency matters as well. States have typically focused on traditional antitrust violations, such as monopolization, merger and acquisition review and price manipulation, and enforcement actions are often directed at local issues such as combinations of regional health care providers or bid-rigging on government construction projects.

States are also passing new antitrust legislation. For example, Colorado and Washington adopted the Uniform Antitrust Pre-Merger Notification Act, which enables them to obtain the same information about anticipated mergers that companies are mandated to disclose to federal agencies under the HSR. California enacted an antitrust statute about artificial intelligence (AI)-driven pricing that prohibits the use of algorithms to set prices to restrain trade.

Read more

Federal policy shifts

Executive order directs review of regulations affecting proxy advisors

On December 11, 2025, President Donald Trump issued an executive order titled Protecting American Investors From Foreign-Owned and Politically-Motivated Proxy Advisors (the Order), which calls for increased federal scrutiny of the proxy advisor industry. The Order focuses on the “significant role” Institutional Shareholder Services and Glass, Lewis & Co. play in shareholder voting and their “enormous influence” over corporate governance matters. The Order posits that proxy advisors have used their power to advance and prioritize considerations such as environmental, social and governance (ESG) and diversity, equity and inclusion (DEI) priorities instead of strictly pursuing investor returns. Therefore, it directs several federal agencies to review and potentially revise existing regulatory frameworks governing proxy advisors and shareholder voting. Among other things:

• The SEC is directed to review all rules, regulations, guidance, bulletins and memoranda relating to proxy advisors and consider revising or rescinding any such items that are inconsistent with the Order, particularly those that implicate DEI and ESG, and consider revising all rules, regulations, guidance, bulletins and memoranda relating to shareholder proposals.

• The FTC is directed to review ongoing state antitrust investigations into proxy advisors and determine if there are related violations of federal antitrust law and to examine whether proxy advisors engage in potential anticompetitive, unfair or deceptive acts or practices.

• The secretary of labor is directed to revise all regulations and guidance regarding the fiduciary status of proxy advisors under the Employee Retirement Income Security Act and to take all appropriate action to enhance transparency concerning the use of proxy advisors, particularly regarding DEI and ESG.

While the Order does not impose immediate changes on proxy advisors or new disclosure requirements for reporting companies, proxy advisors have already adjusted some of their practices, including moving toward more customized, case-by-case voting recommendations. Nevertheless, the Order introduces additional regulatory uncertainty for proxy advisors and increases the likelihood of future developments that may alter their influence. Over time, these developments could reshape proxy voting dynamics, investor engagement and governance outcomes.

SEC issues policy statement on mandatory arbitration provisions

In the fall of 2025, the SEC announced that, when deciding whether to accelerate the effectiveness of a registration statement for a securities offering, its analysis will not be affected by the inclusion of an arbitration provision for investor claims in the registration statement. Instead, its focus will be on the adequacy of the statement’s disclosures.

Typically, a registration statement is effective 20 days after its filing. Under the Securities Act of 1933 (Securities Act), issuers can request that the SEC “accelerate” this timeline and make their statements effective sooner, at a particular date and time. Previously, the SEC would not allow this to occur when the statement required arbitration because it considered such clauses, which preclude judicial actions, to be contrary to the public interest and investor protection. The SEC’s policy statement alters this approach.

Read more

President Trump signs defense authorization bill subjecting FPI insiders to Section 16 reporting obligations

Foreign private issuers (FPIs) face new reporting requirements after the 2026 National Defense Authorization Act implemented the Holding Foreign Insiders Accountable Act on December 18, 2025. Officers and directors of FPIs are now subject to Section 16 of the Securities Exchange Act of 1934 (the Exchange Act) and will need to file ownership reports with the SEC generally within 10 days of becoming an officer or director and generally within two days of acquiring or selling FPI equity securities, including in connection with equity-based compensation.

The short-swing profit recapture provisions of Section 16(b) — which require insiders to return profits made from the purchase and sale of a company’s stock if both transactions occurred within a six-month period — remain inapplicable to FPIs. However, additional SEC oversight of non-US entities seeking access to US capital markets may be forthcoming, as discussed below.

These additional obligations for FPIs come after the SEC issued a concept release on June 4, 2025, concerning potential amendments to the definition of “foreign private issuer” under the Securities Act and the Exchange Act, as previously reported.

Read more

No rest for the caretakers: health care industry in crosshairs for expanded False Claims Act and criminal enforcement activity

Despite widespread staffing disruptions at the DOJ in the past year, the agency has consistently pursued criminal fraud and False Claims Act (FCA) investigations of entities and individuals operating in the health care industry. As of July 2025, the Civil Division of the DOJ had announced $1 billion in recoveries from health care industry entities. For example, Omnicare was ordered to pay $542 million in penalties based on allegations of fraudulently billing Medicare, Medicaid and other government programs. Insurers have also been the targets of investigation for illegal kickbacks, and over 300 individuals were criminally prosecuted for alleged fraud.

The DOJ also announced its intention to use the FCA as a tool to ensure that health care providers and other institutions receiving federal funds fall in line with its priorities on gender and diversity, such as by pursuing cases against institutions that provide gender-affirming care or have internal diversity, equity and inclusion programs. Attempts to use the FCA to further traditional civil rights cases have had limited success.

Read more

Delaware law developments

Delaware Supreme Court reverses controversial Moelis decision amid statutory amendments authorizing shareholder agreements and clarifying other aspects of Delaware corporate law

On January 20, 2026, the Delaware Supreme Court reversed the Court of Chancery’s decision in West Palm Beach Firefighters’ Pension Fund v. Moelis & Co., holding that the challenged provisions of the stockholder agreement were at most voidable, not void, and that the action was time-barred.^[9] The case concerned a stockholder agreement that an independent investment bank had with its CEO, founder and board chair, Ken Moelis, that granted him sweeping approval rights over most company decisions and gave him extensive control over the company’s board composition.

The Court of Chancery had held that the challenged provisions of the agreement violated Delaware General Corporation Law (DGCL) Section141(a), which required that certain board powers be modified only through the corporate charter. In response to this decision, the Delaware legislature amended the DGCL to permit corporate governance changes through a stockholder agreement without an authorizing provision in the corporate charter — essentially allowing for contracts like Moelis’s and nullifying the Court of Chancery’s decision. At the same time, the legislature made amendments to the law applicable to, among other things, controlling shareholder transactions, director independence and books and records requests.

In reversing the Court of Chancery, the Delaware Supreme Court held that even if a corporate action is taken in a manner inconsistent with the DGCL, if it can be accomplished in any lawful manner, it is voidable — not void — and subject to equitable defenses. Here, the challenged provisions could have been lawfully implemented through other means, so were facially valid and subject to equitable defenses such as laches — a defense that the Supreme Court found was satisfied and barred the challenge in this case.

Read more

California Supreme Court confirms general enforceability of Delaware Court of Chancery forum selection clauses

Last summer, California’s highest court shielded mandatory forum selection clauses in corporate bylaws and charters from a facial challenge. In EpicentRx, Inc. v. Superior Ct.,^[10] the lower California courts had concluded that a forum selection clause in the defendant’s articles of incorporation was unenforceable because it operated as a pre-dispute waiver of the right to a jury trial and therefore contravened California’s public policy that favors jury trials in civil cases.

The California Supreme Court reversed, clarifying that the clause did not operate as a jury waiver but instead functioned as a forum selection clause — it reflected where, not how, the dispute would be litigated. The court emphasized that California’s public policy against jury trial waivers concerns enforcement of such waivers solely in California courts, not in foreign forums. It therefore upheld the enforceability of the clause.

Read more

Delaware Supreme Court reverses acquirer’s aiding and abetting liability, setting high bar, following precedent set by its recent decision in Mindbody

In In re Columbia Pipeline Group, Inc. Merger Litigation,^[11] the Delaware Supreme Court, sitting en banc, reversed a Court of Chancery ruling and held that, under In re Mindbody, Inc. Stockholder Litigation, ^[12] the defendant-bidder was not liable for aiding and abetting fiduciary duty breaches because it lacked actual knowledge of their occurrence and mere constructive knowledge was not enough.

In this case, TC Energy Corp. (TransCanada) acquired Columbia Pipeline Group (Columbia). Columbia stockholders sued two Columbia officers for breaching their fiduciary duties of loyalty and disclosure and TransCanada for aiding and abetting those breaches. While the officers had shown TransCanada “subtle” signs of being conflicted, TransCanada lacked actual knowledge of their true conflicts. Therefore, it could not know its own conduct was improper, could not know it was substantially participating in the breaches and could not be liable.

Columbia Pipeline reiterates the high bar for aiding and abetting liability set by Mindbody. However, a bidder, if successful, will own the target and will likely have indemnity obligations to its former officers and directors — creating a strong incentive to ensure that the target board’s process is reasonable, diligent and accurately described.

Read more

Cybersecurity and privacy

DOJ strikes at defense contractors over cybersecurity compliance and pricing issues

The Department of Defense obligates about a half-trillion dollars a year to private contractors for everything from high-end weapons and data systems to basic goods and services like fuel, shipping, food and medical care. This massive procurement chain is heavily scrutinized, including with regard to cybersecurity and pricing issues. Since 2021, seemingly simple contract claims have been relabeled as “fraud” and transformed into FCA cases.

In 2025, the DOJ reached four FCA settlements concerning cybersecurity, which together totaled more than $15 million. In tandem with its enforcement of cybersecurity rules, the DOJ has also heightened the enforcement of rules concerning pricing and cost data under the Truthful Cost or Pricing Data statute (formerly the Truth in Negotiations Act). This requires contractors to submit accurate and complete cost and pricing data when negotiating certain federal contracts. A technology company settled an FCA action relating to this statute for $62 million in May 2025. The DOJ’s focus on pricing corruption and fraud has also included criminal prosecutions against contractors.

Read more

New York’s Department of Financial Services fines eight auto insurance companies over $19M for cybersecurity violations

In October 2025, New York’s Department of Financial Services held eight auto insurance companies responsible for failing to maintain, implement and update cybersecurity programs and policies as required by the state’s “Part 500” cybersecurity regulations. These violations were revealed after the companies suffered data breaches four years prior, in early 2021.

Additionally, amendments to Part 500 took effect in November 2025 that require enhanced multifactor authentication for accessing internal networks and new written policies for maintaining a documented asset inventory of information systems.

Read more

California Privacy Protection Agency drops first-ever enforcement lawsuit, fines Tractor Supply Company $1.35M

On September 26, 2025, the California Privacy Protection Agency (CPPA) entered a stipulated order requiring several injunctive measures and fining Tractor Supply Company (Tractor), a rural lifestyle retailer, $1.35 million for deficient privacy measures. The CPPA fined Tractor for several acts that violated California law, such as providing its website users with the option to request their information not be sold while not actually preventing its sale. Tractor also failed to give job applicants adequate notice of their privacy rights or any description of how to exercise them.

This case resulted in the largest fine that the CPPA has ever issued. It also clarified the scope of the CPPA’s investigatory authority. Tractor objected to the scope of the investigation, which covered conduct occurring in 2020-25, because the relevant regulations were not finalized until 2023. However, the stipulated order acknowledged that the CPPA possesses “broad authority” to investigate potential privacy violations, including those that occurred prior to January 2023.

Read more

Independent cybersecurity audits will be required for ‘significant risk’ under CCPA

Businesses subject to the California Consumer Privacy Act (CCPA) will need to conduct annual audits of their cybersecurity programs beginning as soon as 2028. The new regulations apply to businesses whose processing of personal information presents “significant risk” to consumers’ security. This means businesses (i) whose main revenue comes from selling personal information or (ii) that process the personal information of 250,000 people (for sensitive information, 50,000 people).

These independent audits must assess, in a written report, whether the business’s cybersecurity program fits its size, complexity and activities across a broad range of criteria. The regulated companies need not produce the audit report but must submit a written certification of compliance to the California Privacy Protection Agency by April 1 of each year.

Read more

Connecticut attorney general imposes $85K penalty on TicketNetwork for defects in its privacy notice

In July 2025, Connecticut enforced its first monetary penalty under its comprehensive privacy law enacted in 2023. The state attorney general fined TicketNetwork for failing to fix several privacy notice defects, including unreadable policy sections, missing consumer data rights and inoperable or misconfigured mechanisms for exercising those rights. Although TicketNetwork was given notice and an opportunity to cure, such notices are not guaranteed under the statute.

Read more

Healthline Media agrees to largest CCPA settlement to date

In July 2025, the California Attorney General’s Office entered a $1.55 million settlement with Healthline Media, operator of the popular website Healthline.com. The attorney general alleged that Healthline violated numerous provisions of the CCPA, including by disclosing to advertisers the titles of articles viewed by particular consumers, which could be used to infer that the reader had been diagnosed with a disease. Healthline has agreed to comply with injunctive terms in addition to paying the largest settlement under the CCPA to date.

Read more

Artificial intelligence

California passes broad safety and transparency law for ‘frontier’ AI developers

California’s new, sweeping AI safety law, the Transparency in Frontier Artificial Intelligence Act, was signed into law in September 2025 and requires developers of “frontier” AI foundational models — meaning those above a certain computing power — to engage in novel safety measures.

To start, all covered developers must publish transparency reports and cannot discourage or retaliate against whistleblowers. Large frontier developers also must develop internal anonymous whistleblowing channels, report emergencies to the California Office of Emergency Services and create and publish “AI frameworks” that describe the developer’s internal safety measures. These frameworks should address industry standards, catastrophic risk, cybersecurity and critical safety incidents and governance practices.

In December, New York enacted the Responsible AI Safety and Education Act, which will take effect in 2027, and similarly requires developers to develop safety plans and report emergency incidents.^[13] It also creates a new AI oversight office under the Department of Financial Services.

As both states’ statutes take effect, Trump issued an executive order seeking to consolidate federal AI regulation and limit disparate state regulatory regimes.^[14]

Read more

Federal judges back AI training as fair use — but questions remain

In consecutive decisions published last June, two federal judges in California issued landmark rulings in favor of generative AI developers, finding that their use of copyrighted books to train large language models can qualify as fair use.

Fair use is an affirmative defense to copyright infringement that allows the limited use of copyrighted material without permission in certain contexts. Courts use a flexible test to adjudicate fair-use claims that covers four factors, including the purpose and character of the use — whether the use is transformative — and the effect of the use on the market for the original.

In Bartz et al. v. Anthropic PBC,^[15] the court held that using pirated and scanned books to train an AI chatbot constituted fair use because it was a “transformative use,” meaning that the use was fundamentally different from copying or reading a book. The court in Kadrey v. Meta Platforms Inc.^[16] also found fair use, albeit on narrower grounds: that the plaintiffs had failed to adequately present evidence of market harm, the fourth fair use factor. The court was careful to point out that the ruling hinged on the plaintiff’s failure of proof and did not mean that the defendant’s conduct was lawful.

While these two rulings offer judicial support for the idea that AI training using copyrighted works may be considered fair use, both courts acknowledged the limits of this defense. Many questions about the application of copyright law to AI training remain unanswered. Courts of appeals, and eventually the Supreme Court, will likely need to provide clarity.

Read more

Endnotes

1 No. 25-567, 2026 WL 73090 (U.S. Jan. 9, 2026).

2 149 F.4th 491, 497 (5th Cir. 2025).

3 156 F.4th 86 (2d Cir. 2025).

4 17 C.F.R. Section 202.5(e).

5 149 F.4th 1029 (9th Cir. 2025).

6 139 F.4th 1102 (9th Cir. 2025).

7 In re Plug Power Inc. Stockholder Derivative Litigation, C.A. No. 2022-0569-KSJM, 2025 WL 1277166 (Del. Ch. May 2, 2025).

8 Omnicare, Inc. v. Laborers Dist. Council Constr. Indus. Pension Fund, 575 U.S. 175 (2015).

9 Moelis & Co. v. West Palm Beach Firefighters’ Pension Fund, C.A. No. 2023-0309 (Del. Ch. Ct. Jan. 20, 2026).

10 18 Cal. 5th 58 (2025).

11 No. 281, 2024, 2025 WL 1693491 (Del. June 17, 2025).

12 In re Mindbody’s requirements are discussed in further detail here and here.

13 New York S6953B/A6453B, signed Dec. 19, 2025.

14 Exec. Order No. 14365, 90 FR 58499 (Dec. 11, 2025).

15 787 F.Supp.3d 1007 (N.D. Cal. 2025).

16 788 F.Supp.3d 1026 (N.D. Cal. 2025).

[View source.]