S&C has a deep understanding of the cybersecurity risks companies face in today's global environment. We use this insight to advise institutions on best practices in cyber preparedness. This includes advising boards of directors on cybersecurity governance; coordinating cyber crisis planning exercises for management and boards of directors; working with clients to review and implement suitable and actionable cyber policies, procedures and incident response plans; assessing cyber insurance coverage; and ensuring that clients have appropriate vendor relationships so that the best resources are in place in the event of a cybersecurity incident.
Incident Response Experience
S&C draws on its unparalleled experience in corporate crisis management to provide clients with comprehensive advice to manage and resolve cyber incidents. S&C's Cybersecurity Group advises clients on all aspects of cyber incident response, including containing and investigating a breach; coordinating among different internal and external stakeholders; communicating with clients and customers, regulators, law enforcement, insurers and other external parties; notifying affected individuals or entities; and remediation planning.
Post-Breach Investigation and Litigation Expertise
S&C's Cybersecurity Group regularly advises clients on post-breach investigations, coordinating with external cyber forensics experts to ensure a thorough investigation. S&C also provides clients with an effectively orchestrated, multidisciplinary response to complex litigation, offering creative strategies and problem solving for our clients' most significant challenges.
S&C also has deep experience in transactions involving businesses that depend fundamentally on the integrity and security of their systems and data. S&C regularly advises companies in assessing and mitigating information security risks in the context of strategic transactions such as mergers and acquisitions, joint ventures, restructurings and financings.
SELECTED REPRESENTATIONS
Recent Sullivan & Cromwell cybersecurity experience includes:
- Advice to public and private company boards of directors on their responsibilities for cybersecurity governance.
- Coordination and implementation of cybersecurity “tabletop exercises” for public and private company boards of directors and senior management.
- Advice and assistance to public and private companies and hedge funds in drafting and assessing cyber incident response plans.
- Advice to public and private companies on planning for communications with law enforcement and regulators about a cyber incident.
- Advice to companies on cyber insurance coverage.
- Advice to companies on use of customer information for data analytics purposes, including whether certain uses would comply with federal and state privacy and other laws.
- Advice and assistance to a financial institution in responding to a brute force attack on its network, including coordinating and communicating with regulators.
- Advice and assistance to Scottrade with respect to the exposure of unencrypted files containing customers’ personal data, including on state privacy law issues and nationwide customer notification.
- Advice and assistance to a public company regarding a potential state-sponsored cybersecurity breach of its systems, including coordinating with federal law enforcement and intelligence agencies.
- Advice and assistance to a public company retailer regarding a potential cybercriminal compromise of its payment processing platform resulting in unauthorized charges on customers’ credit cards.
- Advice and assistance to owners of a privately held company in responding to a cyber-fraud, as a result of which the client successfully recovered nearly $20 million transferred to Hong Kong without authorization.
- Advice and assistance to numerous other companies and individuals targeted in cyber-fraud schemes, including coordination with federal and international law enforcement, and coordination of overseas litigation resulting in substantial recoveries for our clients.
- Advice and assistance to a financial institution that transferred millions of dollars in client funds in response to unauthorized, “spoofed” wire transfer requests that falsely appeared to be from its customer.