Posts Tagged ‘Paul Ferrillo’

The Importance of a Battle-Tested Cyber Incident Response Plan

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Friday December 19, 2014 at 9:00 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on a Weil Alert authored by Mr. Ferrillo.

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public…. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

— Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014. [1]

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

— Priya Ananda, “One Year After Target’s Breach: What Have We Learned?” November 1, 2014. [2]

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

— NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014. [3]

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that. [4] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems [5] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

In this post, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?


Cyber Security, Cyber Governance, and Cyber Insurance

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Thursday November 13, 2014 at 9:07 am
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on an article authored by Mr. Ferrillo and Christine Marciano, President of Cyber Data Risk Managers.

JP Morgan Chase. Community Health Systems. The Home Depot. Kmart. There has been no shortage of data breaches in recent weeks—with new developments on an almost daily basis. The age of cyber hacktivism, cyber extortion, and cyber terrorism is here, and it is not going away any time soon.

Data security issues are no longer just an IT Department concern. Indeed, they have become a matter of corporate survival, and therefore companies should incorporate them into enterprise risk management and insurance risk transfer mechanisms, just as they regularly insure other hazards of doing business. As the number of data breaches has increased, demand for cyber insurance has likewise grown dramatically, faster than demand for any other insurance product in recent years. Every board of directors should be questioning its officers and management as to “whether or not its company should be purchasing cyber insurance to mitigate its cyber risk.” If management answers, “Oh, it costs too much,” or “Oh, it will never pay off,” second opinions should be obtained. Rapidly. Because neither answer is correct.


Cyber Security and Cyber Governance: Federal Regulation and Oversight—Today and Tomorrow

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Wednesday September 10, 2014 at 9:00 am
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on an article authored by Mr. Ferrillo and David J. Schwartz.

In our June 4, 2014 article on cyber security and cyber governance [1] we noted that for many reasons, boards of directors and executives of U.S. companies needed to reexamine how they protect (and respond to the successful hacking of) their most critical intellectual property and customer information. One of the reasons was that all signs out of Washington, D.C. pointed towards increasing federal regulation and oversight of cyber security for public and private companies, and particularly for those in the financial services sector. Further, we foresaw not only heightened scrutiny from regulators, but increasing class action litigation, with plaintiffs accusing boards and management of not taking the appropriate steps to protect company and client data. Our predictions were correct on all fronts.


Understanding and Implementing the NIST Cybersecurity Framework

Posted by Yaron Nili, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Monday August 25, 2014 at 9:03 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article authored by Mr. Ferrillo and Tom Conkle.

Why the Cybersecurity Framework was created and why it is so important

Despite the fact that companies are continuing to increase spending on cybersecurity initiatives, data breaches continue to occur. According to The Wall Street Journal, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier according to Allied Business Intelligence Inc.” [1] Despite the boost in security spending, vulnerabilities, threats against these vulnerabilities, data breaches and destruction persist. To combat these issues, the President on February 12, 2013 issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.” [2] The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.


Cloud Cyber Security: What Every Director Needs to Know

Posted by Yaron Nili, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Wednesday August 6, 2014 at 9:00 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article authored by Mr. Ferrillo and Dave Burg and Aaron Philipp, both of PricewaterhouseCoopers LLP.

There are four competing business propositions affecting most American businesses today. Think of them as four freight trains on different tracks headed for a four-way stop signal at fiber optic speed.

First, with a significant potential for cost savings, American business has adopted cloud computing as an efficient and effective way to manage countless bytes of data from remote locations at costs that would be unheard of if they were forced to store their data on hard servers. According to one report, “In September 2013, International Data Corporation predicted that, between 2013 and 2017, spending on public IT cloud computing will experience a compound annual growth of 23.5%.” [1] Another report noted, “By 2014, cloud computing is expected to become a $150 billion industry. And for good reason—whether users are on a desktop computer or mobile device, the cloud provides instant access to data anytime, anywhere there is an Internet connection.” [2]


Cyber Governance: What Every Director Needs to Know

Posted by Kobi Kastiel, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Thursday June 5, 2014 at 9:23 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article authored by Mr. Ferrillo.

The number, severity, and sophistication of cyber attacks—whether on our retail economy, our healthcare sector, our educational sector or, in fact, our government and defense systems—grows worse by the day. [1]

Among the most notable cyber breaches in the public company sphere was that hitting Target Corporation (40 million estimated credit and debit cards allegedly stolen, 70 million or more pieces of personal data also stolen, and a total estimated cost of the attack to date of approximately $300 million). [2] Justified or not, ISS has just issued a voting recommendation against the election of all members of Target’s audit and corporate responsibility committees—seven of its ten directors—at the upcoming annual meeting. ISS’s reasoning is that, in light of the importance to Target of customer credit cards and online retailing, “these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information.” [3]


The SEC’s Refocus on Accounting Irregularities

Posted by Noam Noked, co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Monday January 27, 2014 at 9:14 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article by Mr. Ferrillo, Christopher Garcia, and Matthew Jacques of AlixPartners that first appeared in D&O Diary.

On July 2, 2013, the United States Securities and Exchange Commission (the SEC) announced two new initiatives aimed at preventing and detecting improper or fraudulent financial reporting. [1] We previously noted that one of these initiatives, a computer-based tool called the Accounting Quality Model (AQM, or “Robocop”), [2] is designed to enable real-time analytical review of financial reports filed with the SEC in order to help identify questionable accounting practices.


M&A Representations and Warranties Insurance: Tips for Buyers and Sellers

Posted by Noam Noked, co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Wednesday May 1, 2013 at 9:14 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article by Mr. Ferrillo and Joseph T. Verdesca that first appeared in D&O Diary.

No less than two years ago, had one tried to initiate a conversation with a Private Equity Sponsor or an M&A lawyer regarding M&A “reps and warranties” insurance (i.e., insurance designed to expressly provide insurance coverage for the breach of a representation or a warranty contained in a Purchase and Sale Agreement, in addition to or as a replacement for a contractual indemnity), one might have gotten a shrug of the shoulders or a polite response to the effect of “let’s try to negotiate around the problem instead.” Perhaps because it was misunderstood or perhaps because it had not yet hit its stride in terms of breadth of coverage, reps and warranties insurance was hardly ever used to close deals. Like Harry Potter, it was the poor stepchild often left in the closet.

Today that is no longer the case. One global insurance broker with whom we work notes that over $4 billion in reps and warranties insurance worldwide was bound last year, of which $1.4 billion was bound in the US and $2.1 billion in the EU. That broker’s US-based reps and warranties writings nearly doubled from 2011 to 2012. Reps and warranties insurance has become an important tool to close deals that might not otherwise get done. This post is meant to highlight how reps and warranties insurance may be of use to you in winning bids and finding means of closing deals in today’s challenging environment.


A New Playbook Part 2 — Global Securities Enforcement Stepping Up

Posted by Noam Noked, co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Monday April 1, 2013 at 9:21 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on an article by Mr. Ferrillo, Robert F. Carangelo, and Hannah Field-Lowes. [1]

About a year ago, we published A New Playbook for Global Securities Litigation and Regulation, in which we detailed dramatic changes in the global securities regulatory and litigation arena driven by various factors, including not only the financial crisis of 2007-2008, but also changes in tolerance in the United States to litigation brought by foreign investors against public companies listed on non-U.S. exchanges.

One year later, the regulatory environment continues to revamp with new rules being issued constantly in the United States to conform to the legislative mandates set forth in the Dodd Frank Act. The United Kingdom and European Union also seek to reinforce previous global initiatives to reform and strengthen the Pan-European financial markets.

What is more ever-present, however, is the marked increase in global enforcement activities by regulators in the United Kingdom, Canada, and the European Union, which are attempts to give teeth to the global financial reforms each jurisdiction felt necessary to potentially prevent a “repeat” of the financial crisis. This article seeks to address the increase in global securities enforcement activity and concludes that continued cooperation and coordination in enforcement activities will be required to seamlessly address the desire to strengthen global regulatory initiatives aimed at harmonizing and centralizing international securities regulation to create safer, more fundamentally sound financial markets for investors.


Collateral Consequences of the UBS and RBS LIBOR Settlements

Posted by Noam Noked, co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Tuesday March 12, 2013 at 8:21 am
Editor’s Note: The following post comes to us from Paul A. Ferrillo, litigation counsel at Weil, Gotshal & Manges LLP. This post is based on an article by Christopher Garcia, Steven Tyrrell, Jill Baisinger, and Matthew Howatt.

In 2002, Arthur Andersen LLP collapsed in the wake of an obstruction of justice conviction. Since then, conventional wisdom has been that the U.S. Department of Justice (DOJ) resists filing criminal charges against large business entities because of fears of another similar failure. Indeed, the DOJ has consistently acknowledged that it considers such risks, and the U.S. Attorneys’ Manual expressly identifies “collateral consequences” as a factor that should be weighed in making charging decisions. In the wake of the Great Recession, however, the DOJ has been faced with competing pressures, especially with respect to financial institutions. On the one hand, the Lehman Brothers bankruptcy, among other bank failures and near-failures, suggested vulnerability on the part of some financial institutions and illustrated the potentially grave consequences that the collapse of a financial institution can have on the broader economy. The DOJ clearly does not want to cause a financial institution to fail. On the other hand, there is a pervasive public sentiment that large financial institutions were responsible for the economic collapse from which the country is only now emerging. Particularly in recent months, the DOJ has been criticized for its decision not to bring criminal charges against any major financial entity.
