S&C has a deep understanding of the cybersecurity risks companies face in today's global environment. We use this insight to advise institutions on best practices in cyber preparedness. This includes advising boards of directors on cybersecurity governance; coordinating cyber crisis planning exercises for management and boards of directors; working with clients to review and implement suitable and actionable cyber policies, procedures and incident response plans; assessing cyber insurance coverage; and ensuring that clients have appropriate vendor relationships so that the best resources are in place in the event of a cybersecurity incident.
Incident Response Experience
S&C draws on its unparalleled experience in corporate crisis management to provide clients with comprehensive advice to manage and resolve cyber incidents. S&C's Cybersecurity Group advises clients on all aspects of cyber incident response, including containing and investigating a breach; coordinating among different internal and external stakeholders; communicating with clients and customers, regulators, law enforcement, insurers and other external parties; notifying affected individuals or entities; and remediation planning.
Post-Breach Investigation and Litigation Expertise
S&C's Cybersecurity Group regularly advises clients on post-breach investigations, coordinating with external cyber forensics experts to ensure a thorough investigation. S&C also provides clients with an effectively orchestrated, multidisciplinary response to complex litigation, offering creative strategies and problem solving for our clients' most significant challenges.
S&C also has deep experience in transactions involving businesses that depend fundamentally on the integrity and security of their systems and data. S&C regularly advises companies in assessing and mitigating information security risks in the context of strategic transactions such as mergers and acquisitions, joint ventures, restructurings and financings.
SELECTED REPRESENTATIONS
Recent Sullivan & Cromwell cybersecurity experience includes advising:
- Public and private company boards of directors on their responsibilities for cybersecurity governance.
- Public and private company boards of directors and senior management on the coordination and implementation of cybersecurity “tabletop exercises”.
- Public and private companies and hedge funds in drafting and assessing cyber incident response plans.
- Public and private companies on planning for communications with law enforcement and regulators about a cyber incident.
- Companies on cyber insurance coverage.
- Companies on use of customer information for data analytics purposes, including whether certain uses would comply with federal and state privacy and other laws.
- Airbnb in obtaining a preliminary injunction preventing the City of New York from implementing a new ordinance intended to collect personal data about the users of short-term rental platforms, which Airbnb argues is invalid under the Fourth Amendment of the U.S. Constitution. This case has significant implications, not just for Airbnb, but potentially for any business concerned about protecting the privacy of its users.
- A retailer in connection with a cybersecurity breach at its third-party e-commerce platform.
- A retailer regarding an ongoing breach of customer credit card information.
- A financial institution in responding to a brute force attack on its network, including coordinating and communicating with regulators.
- Scottrade with respect to the exposure of unencrypted files containing customers’ personal data, including on state privacy law issues and nationwide customer notification.
- A public company regarding a potential state-sponsored cybersecurity breach of its systems, including coordinating with federal law enforcement and intelligence agencies.
- A public company retailer regarding a potential cybercriminal compromise of its payment processing platform resulting in unauthorized charges on customers’ credit cards.
- Owners of a privately held company in responding to a cyber-fraud, as a result of which the client successfully recovered nearly $20 million transferred to Hong Kong without authorization.
- Numerous other companies and individuals targeted in cyber-fraud schemes, including coordination with federal and international law enforcement, and coordination of overseas litigation resulting in substantial recoveries for our clients.
- A financial institution that transferred millions of dollars in client funds in response to unauthorized, “spoofed” wire transfer requests that falsely appeared to be from its customer.
- Multiple acquirors in connection with material cybersecurity breaches, attacks and vulnerabilities discovered at targets during M&A diligence or negotiations.