Risks to the integrity and security of vital systems and information are complex and evolving, and managing them has become a key component of effective enterprise risk management. Identifying and mitigating these risks—whether arising from hacking, malware, cyberespionage, denials-of-service, human error, data theft or other unauthorized access to systems or information—are now a top priority for boards of directors, management, regulators and law enforcement.

Interdisciplinary Cybersecurity Team
Sullivan & Cromwell is ideally positioned to assist clients who are preparing for cybersecurity risks or responding to systems or data breaches once they occur. Effective preparation and response require companies to integrate a diverse array of governance, regulatory, technology, investigations, risk management and communications considerations into a cohesive and evolving strategy and action plan. The S&C Cybersecurity Group mirrors the interdisciplinary nature of this challenge and includes leading practitioners with deep expertise in each of these key areas. In addition, the Group includes former senior government officials from the Justice Department, including the Chief of the Complex Frauds and Cybercrime Unit of the Office of the U.S. Attorney for the Southern District of New York, and the Board of Governors of the Federal Reserve System, including those who regularly worked on cybersecurity, cybercrime and regulatory enforcement issues in those roles. Together, the S&C Cybersecurity Group has experience advising companies on how to address data and system security risks, including counseling boards of directors in the context of data systems failures and breaches, as well as related privacy and consumer issues.

Preparedness and Response Planning 
The S&C Cybersecurity Group assists clients in developing action plans for mitigating and responding to cybersecurity risks, including:

  • advising on corporate governance, board duties and best practices relating to preparedness;
  • preparing data breach response plans;
  • reviewing and analyzing customer and vendor agreements;
  • evaluating communications readiness, engagement and management;
  • coordinating technical, public relations and government specialists, both internal and external;
  • managing regulatory cybersecurity compliance audits (such as the SEC's Office of Compliance Inspections and Examinations);
  • overseeing securities law disclosure regarding information security management and risk;
  • assessing information security frameworks and data-handling policies under applicable regulatory requirements and guidelines set forth by the SEC and other agencies; and
  • responding to legislative and regulatory trends and developments.

  • advising on corporate governance, board duties and best practices relating to data breaches;
  • providing risk and crisis management related to data breaches, including coordinating public responses, considering related consumer and client issues, and interacting with regulators;
  • managing compliance with regulatory requirements, including federal and state privacy and other laws and regulations governing notice to affected parties;
  • managing communications with appropriate regulatory authorities;
  • conducting internal investigations relating to data breaches and incidents, including coordinating with technical experts;
  • liaising and coordinating with civil and criminal enforcement officials from multiple agencies;
  • advising on enforcement considerations, including government investigations arising from data breaches;
  • responding to government requests for information, including from federal regulators and state attorneys general; and
  • managing and defending litigation stemming from data breaches, including class actions, shareholder derivative actions and securities fraud cases.

Regulatory, Enforcement and Litigation Expertise
Cybersecurity threats raise particularly serious concerns among businesses that collect and process personal information, including financial information. S&C is widely recognized as a leader in advising on regulatory, enforcement and consumer matters affecting financial institutions and their systems and data, as well as the governance considerations in structuring and implementing complex and mission-critical compliance programs. S&C's Litigation Group has extensive experience guiding companies through multifaceted, enterprise-level crises that demand a combination of rapid reaction and strategic thinking.

Transactional Expertise
S&C also has deep experience in transactions involving businesses that depend fundamentally on the integrity and security of their systems and data, including in the fields of consumer Internet, payment processing and security technology. S&C regularly advises companies in these fields and others in assessing and mitigating information security risks in the context of strategic transactions such as mergers and acquisitions, joint ventures, restructurings and financings.


Recent Sullivan & Cromwell cybersecurity experience includes providing:
  • advice on responses to unauthorized access to investment account information.
  • advice in connection with catastrophic software failure that threatens the ability to conduct fundamental business operations.
  • advice regarding systems errors and the collateral consequences for customers and other constituencies.
  • advice regarding governance and compliance in designing and implementing fundamental changes to systems and processes for handling personal financial data, including with respect to cross-border transfers.
  • advice on the permissible handling of customer data in connection with mobile phone applications, including the sharing of customer data with third-party service providers.
  • representations in disputes relating to U.S. federal legal regimes governing the privacy of privately held personal and financial data, state-law analogues, and federal and state data-protection regimes.
  • representations in responding to government and regulatory requests for confidential customer and employee information.
  • advice in managing conflicting national information-security requirements, including in response to unilateral government demands for out-of-jurisdiction information.