Posts Tagged ‘Risk management’

Changing the Cyber Security Playing Field in 2015

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Tuesday January 20, 2015 at 8:36 am
  • Print
  • email
  • Twitter
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on a Weil Alert authored by Mr. Ferrillo; the complete publication, including footnotes, is available here.

“If this incident [Sony] isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working—and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.”

— Author Brian Krebs, Dec. 20, 2014.

“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”

— Professor Bruce Schneier, Dec. 19, 2014.

Without a doubt, the last month in the world of cyber security has been tumultuous. It has now been confirmed that two companies in the United States have potentially been the subject of cyber-terrorism. Servers have been taken down or wiped out. Businesses have been significantly disrupted. Personally identifiable employee information has been shoveled by the pound onto Internet credit card “market” sites. The cyber security world has changed. And two of the most respected men in cyber security have both iterated similar messages: it is time for U.S. corporations to take this stuff seriously.

…continue reading: Changing the Cyber Security Playing Field in 2015

Top 10 Topics for Directors in 2015

Posted by Yaron Nili, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Wednesday December 24, 2014 at 9:08 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from Kerry E. Berchem, partner and co-head of the corporate practice group at Akin Gump Strauss Hauer & Feld LLP. This post is based on an Akin Gump corporate alert; the full publication, including footnotes, is available here.

U.S. public companies face a host of challenges as they enter 2015. Here is our list of hot topics for the boardroom in the coming year:

  • 1. Oversee strategic planning in the face of uneven economic growth and rising geopolitical tensions
  • 2. Oversee cybersecurity as hackers seek to infiltrate even the most sophisticated information security systems
  • 3. Assess the impact of advances in technology and big data on the company’s business plans
  • 4. Cultivate shareholder relations and assess company vulnerabilities as activist investors target more companies
  • 5. Consider the impact of M&A opportunities
  • 6. Oversee risk management as newer and more complex risks emerge
  • 7. Ensure appropriate board composition in light of increasing focus on diversity, director tenure and board size
  • 8. Explore new trends in reducing corporate health care costs
  • 9. Set appropriate executive compensation
  • 10. Ensure the company has a robust compliance program as the SEC steps up its enforcement efforts and whistleblowers earn huge bounties.

…continue reading: Top 10 Topics for Directors in 2015

The Importance of a Battle-Tested Cyber Incident Response Plan

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Friday December 19, 2014 at 9:00 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from Paul A. Ferrillo, counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation, and is based on a Weil Alert authored by Mr. Ferrillo.

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public…. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

— Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014. [1]

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

— Priya Ananda, “One Year After Target’s Breach: What Have We Learned?” November 1, 2014. [2]

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

— NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014. [3]

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that. [4] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach: basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems [5] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

In this post, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?

…continue reading: The Importance of a Battle-Tested Cyber Incident Response Plan

Some Thoughts for Boards of Directors in 2015

Editor’s Note: Martin Lipton is a founding partner of Wachtell, Lipton, Rosen & Katz, specializing in mergers and acquisitions and matters affecting corporate policy and strategy. This post is based on a Wachtell Lipton memorandum by Mr. Lipton, Stephen A. Rosenblum, and Karessa L. Cain.

The challenges that directors of public companies face in carrying out their duties continue to grow. The end goal remains the same, to oversee the successful, profitable and sustainable operations of their companies. But the pressures that confront directors, from activism and short-termism, to ongoing shifts in governance, to global risks and competition, are many. A few weeks ago we issued an updated list of key issues that boards will be expected to deal with in the coming year (accessible at this link: The Spotlight on Boards, and discussed on the Forum here). Highlighted below are a few of the more significant issues and trends that we believe directors should bear in mind as they consider their companies’ priorities and objectives and seek to meet their companies’ goals.

…continue reading: Some Thoughts for Boards of Directors in 2015

Protecting the Technological Infrastructure of Our Capital Markets

Posted by Luis A. Aguilar, Commissioner, U.S. Securities and Exchange Commission, on Tuesday November 25, 2014 at 9:19 am
  • Print
  • email
  • Twitter
Editor’s Note: Luis A. Aguilar is a Commissioner at the U.S. Securities and Exchange Commission. This post is based on Commissioner Aguilar’s remarks at a recent open meeting of the SEC; the full text, including footnotes, is available here. The views expressed in the post are those of Commissioner Aguilar and do not necessarily reflect those of the Securities and Exchange Commission, the other Commissioners, or the Staff.

Today [November 19, 2014], the Commission considers adopting Regulation Systems, Compliance, and Integrity (or Regulation SCI). These rules and amendments are intended to establish a foundational regulatory framework for the technological market infrastructure that has become increasingly intertwined with the functioning of our securities markets. The rules being considered for adoption today represent a clear improvement over the proposed version, which offered only a hollow promise that our markets would be safer, more resilient, and more stable.

…continue reading: Protecting the Technological Infrastructure of Our Capital Markets

Cyber Security, Cyber Governance, and Cyber Insurance

Posted by Paul Ferrillo, Weil, Gotshal & Manges LLP, on Thursday November 13, 2014 at 9:07 am
  • Print
  • email
  • Twitter
Editor’s Note: Paul A. Ferrillo is counsel at Weil, Gotshal & Manges LLP specializing in complex securities and business litigation. This post is based on an article authored by Mr. Ferrillo and Christine Marciano, President of Cyber Data Risk Managers.

JP Morgan Chase. Community Health Systems. The Home Depot. Kmart. There has been no shortage of data breaches in recent weeks—with new developments on an almost daily basis. The age of cyber hactivisim, cyber extortion, and cyber terrorism is here, and it is not going away any time soon.

Data security issues are no longer just an IT Department concern. Indeed, they have become a matter of corporate survival, and therefore companies should incorporate them into enterprise risk management and insurance risk transfer mechanisms, just as they regularly insure other hazards of doing business. As the number of data breaches has increased, the demand for cyber insurance has likewise dramatically increased more than that for any other insurance product in recent years. Every board of directors should be questioning its officers and management as to “whether or not its company should be purchasing cyber insurance to mitigate its cyber risk.” If management answers, “Oh, it costs too much,” or “Oh, it will never pay off,” second opinions should be obtained. Rapidly. Because neither answer is correct.

…continue reading: Cyber Security, Cyber Governance, and Cyber Insurance

The Risky Business of Cybersecurity

Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Wednesday November 5, 2014 at 9:02 am
  • Print
  • email
  • Twitter
Editor’s Note: David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing in the areas of mergers and acquisitions and complex securities transactions. The following post is based on an article by Mr. Katz and Laura A. McIntosh that first appeared in the New York Law Journal; the full article, including footnotes, is available here.

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to innovate and to gain and maintain customers.

—National Institute for Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0

In today’s technology driven environment, public companies must constantly confront the challenge of cybersecurity, in its complex, varied, and ever-adapting forms. Cybersecurity breaches regularly fill the headlines, the costs of cybercrime are skyrocketing, and the repercussions of corporate cyber-attacks are felt all the way from chief executives to retail customers. President Barack Obama has stated that “the private sector and the government can, and should, work together to meet this shared challenge,” while FBI Director Robert S. Mueller has described “the critical role the private sector must play in cyber security.” As companies become increasingly dependent on networked technology, and as an expanding number of people conduct transactions and other activities online, cybersecurity will continue to grow in importance for the business community, for the global economy, and for society at large.

…continue reading: The Risky Business of Cybersecurity

2014 Annual Corporate Directors Survey

Editor’s Note: Mary Ann Cloyd is leader of the Center for Board Governance at PricewaterhouseCoopers LLP. The following post is based on the executive summary of PwC’s Annual Corporate Directors Survey; the complete publication is available here.

Over the last several years, we’ve observed certain trends that are shaping corporate governance and which we believe will impact the board of the future. We structured our 2014 Annual Corporate Directors Survey to get directors’ views on these trends and other topics including:

…continue reading: 2014 Annual Corporate Directors Survey

Governance, Risk Management, and Risk-Taking in Banks

Posted by René Stulz, Ohio State University Fisher College of Business, on Wednesday October 8, 2014 at 9:00 am
  • Print
  • email
  • Twitter
Editor’s Note: René Stulz is Professor of Finance at Ohio State University.

One might be tempted to conclude that good risk management in banks reduces the exposure to danger. However, such a view of risk management ignores that banks cannot succeed without taking risks that are ex ante profitable. Consequently, taking actions that reduce risk can be costly for shareholders when lower risk means avoiding valuable investments and activities that have higher risk. Therefore, from the perspective of shareholders, better risk management cannot mean risk management that is more effective at reducing risk in general since reducing risk in general would mean not taking valuable projects. If good risk management does not mean low risk, then what does it mean? How is it implemented? What are its limitations? What can be done to make it more effective? In my article, Governance, Risk Management, and Risk-Taking in Banks, which was recently made publicly available on SSRN, I provide a framework to understand the role, the organization, and the limitations of risk management in banks when it is designed from the perspective of increasing the value of the bank for its shareholders and review the existing literature.

…continue reading: Governance, Risk Management, and Risk-Taking in Banks

Risk Governance: Banks Back to School

Posted by Kobi Kastiel, Co-editor, HLS Forum on Corporate Governance and Financial Regulation, on Sunday September 14, 2014 at 9:00 am
  • Print
  • email
  • Twitter
Editor’s Note: The following post comes to us from Dan Ryan, Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP, and is based on a PwC publication.

On September 2, 2014, the Office of the Comptroller of the Currency (“OCC”) finalized its risk governance framework for large banks and thrifts (“Guidelines”) that was proposed in January 2014. [1] The Guidelines formalize the heightened risk management standards that the OCC has been communicating through the supervisory process for several years, but do so somewhat more flexibly than the January proposal (“proposal”) did. Although many firms have been working to enhance their risk management programs to meet the proposal and supervisory communications, most still have work to do in order to meet the Guidelines’ requirements.

The Guidelines maintain the proposal’s emphasis on risk governance at the bank level to ensure safety and soundness, and affords the OCC greater flexibility (prescribed under regulations) to take enforcement actions in response to a bank’s compliance failure. The responsibility to oversee risk management remains with the Board of Directors which retains its ultimate risk governance oversight role; however, the Guidelines clarify that the Board need not take on responsibility for day-to-day managerial duties as the proposal had suggested.

…continue reading: Risk Governance: Banks Back to School

Next Page »
 
  •  » A "Web Winner" by The Philadelphia Inquirer
  •  » A "Top Blog" by LexisNexis
  •  » A "10 out of 10" by the American Association of Law Librarians Blog
  •  » A source for "insight into the latest developments" by Directorship Magazine