The Risky Business of Cybersecurity

Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Wednesday November 5, 2014 at 9:02 am
Editor’s Note: David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing in the areas of mergers and acquisitions and complex securities transactions. The following post is based on an article by Mr. Katz and Laura A. McIntosh that first appeared in the New York Law Journal; the full article, including footnotes, is available here.

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

—National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0

In today’s technology-driven environment, public companies must constantly confront the challenge of cybersecurity in its complex, varied, and ever-adapting forms. Cybersecurity breaches regularly fill the headlines, the costs of cybercrime are skyrocketing, and the repercussions of corporate cyber-attacks are felt all the way from chief executives to retail customers. President Barack Obama has stated that “the private sector and the government can, and should, work together to meet this shared challenge,” while FBI Director Robert S. Mueller has described “the critical role the private sector must play in cyber security.” As companies become increasingly dependent on networked technology, and as an expanding number of people conduct transactions and other activities online, cybersecurity will continue to grow in importance for the business community, for the global economy, and for society at large.


Understanding and Implementing the NIST Cybersecurity Framework

Posted by Yaron Nili, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Monday August 25, 2014 at 9:03 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article authored by Mr. Ferrillo and Tom Conkle.

Why the Cybersecurity Framework was created and why it is so important

Despite the fact that companies are continuing to increase spending on cybersecurity initiatives, data breaches continue to occur. According to The Wall Street Journal, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier according to Allied Business Intelligence Inc.” [1] Despite the boost in security spending, vulnerabilities, threats against these vulnerabilities, data breaches and destruction persist. To combat these issues, the President on February 12, 2013 issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” [2] The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.


White House Releases NIST Cybersecurity Framework

Posted by Holly J. Gregory, Sidley Austin LLP, on Sunday February 23, 2014 at 9:00 am
Editor’s Note: Holly J. Gregory is a partner and co-global coordinator of the Corporate Governance and Executive Compensation group at Sidley Austin LLP. This post is based on a Sidley update by Alan Raul and Ed McNicholas.

On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.


Cybersecurity Risks and the Board of Directors

Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am
Editor’s Note: David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing in the areas of mergers and acquisitions and complex securities transactions. This post is based on an article by Mr. Katz and Laura A. McIntosh that first appeared in the New York Law Journal; the full article, including footnotes, is available here.

As boards of directors examine the risks that their companies face, corporate cybersecurity issues loom large. Forty-eight percent of directors (and 55 percent of general counsel) cited data security as their top concern in a recent study by Corporate Board Member/FTI Consulting. These numbers have roughly doubled since 2008, when only a quarter of directors and general counsel cited data security as a major concern. With revenues, intellectual property, business relationships and customer confidence potentially at stake, directors should consider whether their companies and management teams are adequately addressing the growing threat of cybersecurity in the new high-tech landscape.

Cybersecurity risk is a difficult and intimidating topic for corporate boards to consider. However, it is important to keep in mind that cybersecurity risk is only one of many areas of risk overseen by boards of directors and that, in most cases, the usual strategies and procedures for evaluating and managing risk can apply. Directors are not expected to be experts in this area and are entitled to rely upon management and outside experts for information and advice. Nonetheless, directors should request that management report to the board on the steps the company is taking to mitigate cyber threats, and directors should consider whether the company is appropriately assessing its risks and devoting adequate resources to the issue. The business judgment rule remains the standard for evaluating decisions taken by a board in this area.


Top 10 Topics for Directors in 2015

Posted by Yaron Nili, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Wednesday December 24, 2014 at 9:08 am
Editor’s Note: The following post comes to us from Kerry E. Berchem, partner and co-head of the corporate practice group at Akin Gump Strauss Hauer & Feld LLP. This post is based on an Akin Gump corporate alert; the full publication, including footnotes, is available here.

U.S. public companies face a host of challenges as they enter 2015. Here is our list of hot topics for the boardroom in the coming year:

  1. Oversee strategic planning in the face of uneven economic growth and rising geopolitical tensions
  2. Oversee cybersecurity as hackers seek to infiltrate even the most sophisticated information security systems
  3. Assess the impact of advances in technology and big data on the company’s business plans
  4. Cultivate shareholder relations and assess company vulnerabilities as activist investors target more companies
  5. Consider the impact of M&A opportunities
  6. Oversee risk management as newer and more complex risks emerge
  7. Ensure appropriate board composition in light of increasing focus on diversity, director tenure and board size
  8. Explore new trends in reducing corporate health care costs
  9. Set appropriate executive compensation
  10. Ensure the company has a robust compliance program as the SEC steps up its enforcement efforts and whistleblowers earn huge bounties.


The Importance to the Capital Markets of Updating the Rules Regarding Transfer Agents

Posted by Luis A. Aguilar, Commissioner, U.S. Securities and Exchange Commission, on Monday December 22, 2014 at 4:59 pm
Editor’s Note: Luis A. Aguilar is a Commissioner at the U.S. Securities and Exchange Commission. This post is based on Commissioner Aguilar’s recent public statement; the full text, including footnotes, is available here. The views expressed in the post are those of Commissioner Aguilar and do not necessarily reflect those of the Securities and Exchange Commission, the other Commissioners, or the Staff.

1) Why should the public care about the regulation of transfer agents? Why are they important to the financial system?

Transfer agents play an important role in our capital markets. They act as registrars and keep track of changes in the record ownership of a company’s securities. They ensure that companies’ interest, dividends, and other distributions get paid to the right holders of stocks and bonds. Transfer agents also monitor the restrictive legends and “stop transfer” orders that distinguish restricted securities from freely-tradable securities. This responsibility puts transfer agents in a unique position to identify and potentially prevent unregistered securities from being unlawfully distributed. Indeed, the distribution of unregistered securities is often associated with microcap pump-and-dump schemes and other penny stock fraud. The investing public needs capable, honest, and reliable transfer agents to help the capital markets function properly and effectively.


The Importance of a Battle-Tested Cyber Incident Response Plan

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Friday December 19, 2014 at 9:00 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on a Weil Alert authored by Mr. Ferrillo.

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public…. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

— Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014. [1]

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

— Priya Ananda, “One Year After Target’s Breach: What Have We Learned?” November 1, 2014. [2]

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

— NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014. [3]

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that. [4] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems [5] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

In this post, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?


Some Thoughts for Boards of Directors in 2015

Editor’s Note: Martin Lipton is a founding partner of Wachtell, Lipton, Rosen & Katz, specializing in mergers and acquisitions and matters affecting corporate policy and strategy. This post is based on a Wachtell Lipton memorandum by Mr. Lipton, Stephen A. Rosenblum, and Karessa L. Cain.

The challenges that directors of public companies face in carrying out their duties continue to grow. The end goal remains the same: to oversee the successful, profitable and sustainable operations of their companies. But the pressures that confront directors, from activism and short-termism, to ongoing shifts in governance, to global risks and competition, are many. A few weeks ago we issued an updated list of key issues that boards will be expected to deal with in the coming year (accessible at this link: The Spotlight on Boards, and discussed on the Forum here). Highlighted below are a few of the more significant issues and trends that we believe directors should bear in mind as they consider their companies’ priorities and objectives and seek to meet their companies’ goals.


Bank Capital Plans and Stress Tests

Posted by Yaron Nili, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Tuesday November 18, 2014 at 9:12 am
Editor’s Note: The following post comes to us from Sullivan & Cromwell LLP, and is based on a Sullivan & Cromwell publication authored by H. Rodgin Cohen, Andrew R. Gladin, Mark J. Welshimer, and Lauren A. Wansor.

On October 16, the Board of Governors of the Federal Reserve System (the “Federal Reserve”) issued its summary instructions and guidance [1] (the “CCAR 2015 Instructions”) for its supervisory Comprehensive Capital Analysis and Review program for 2015 (“CCAR 2015”) applicable to bank holding companies with $50 billion or more of total consolidated assets (“Covered BHCs”). Thirty-one institutions will participate in CCAR 2015, including the 30 Covered BHCs [2] that participated in CCAR in 2014, as well as one institution that is new to the program. [3]


2014 Annual Corporate Directors Survey

Editor’s Note: Mary Ann Cloyd is leader of the Center for Board Governance at PricewaterhouseCoopers LLP. The following post is based on the executive summary of PwC’s Annual Corporate Directors Survey; the complete publication is available here.

Over the last several years, we’ve observed certain trends that are shaping corporate governance and which we believe will impact the board of the future. We structured our 2014 Annual Corporate Directors Survey to get directors’ views on these trends and other topics including:
