Cyber Governance and Risk Management
Our attorneys develop and implement comprehensive cybersecurity governance frameworks for clients of all sizes, across industries, and around the world. We work with boards of directors, audit committees, general counsel, and compliance leaders to ensure that cybersecurity is hard coded into enterprise risk management. Our services include advising on board oversight obligations, legal risk exposure, and internal control design.
We regularly support privileged cybersecurity risk assessments, helping clients understand their current posture and implement practical improvements. Tailored to each client's risk profile, regulatory environment, and operational scale, our reviews provide legally actionable insight into gaps and potential remediation options.
Regulatory Compliance
Cybersecurity laws are rapidly evolving at the federal and state levels, and compliance is not one-size-fits-all. Our team helps businesses meet the demands of industry-specific regulations such as:
- The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule for financial institutions
- The Health Insurance Portability and Accountability Act (HIPAA) Security Rule for health care providers and business associates
- The U.S. Securities and Exchange Commission's (SEC's) cybersecurity risk disclosure and incident reporting requirements
- Critical infrastructure obligations from agencies such as the Transportation Security Administration (TSA), Federal Energy Regulatory Commission (FERC), and North American Electric Reliability Corporation (NERC)
- State-specific cybersecurity statutes and sectoral frameworks, including New York's Department of Financial Services (DFS) Cybersecurity Regulation and other attorney general mandates
Third-Party and Supply Chain Risk
The dramatic increase in supply chain attacks in recent years has uncovered one of cybersecurity's best-kept secrets: your biggest vulnerabilities frequently originate with third parties. Our Cybersecurity team helps develop and implement third-party risk management programs that address cybersecurity in the vendor lifecycle, from procurement through performance. Our legal team evaluates vendor cybersecurity controls, supports negotiations of data security clauses, and helps establish contractual protections related to software integrity, remote access, and subcontractor management.
We also advise on governance strategies for managing cyber risk in cloud services, IT outsourcing, managed security services, and critical supply chains. Our team will identify cybersecurity concerns in service provider contracts or master service agreements to minimize your risk and ensure clear delegation of obligations.
Internal Investigations and Cyber Readiness
When cybersecurity concerns arise internally, whether through whistleblower complaints, policy violations, or compliance audits, we help clients make the most of having identified the issue before it became a public incident. We assist in conducting internal investigations, protected by attorney-client privilege, working closely with legal, compliance, and IT stakeholders to document findings, recommend corrective actions, and ensure that legal obligations are met.
We also advise clients on improving operational readiness through tabletop exercises, policy reviews, and simulation-based testing of incident response plans (IRPs). These exercises help ensure that cross-functional teams are prepared to respond effectively and compliantly to real-world incidents.
Cybersecurity Litigation and Regulatory Defense
When a company's cybersecurity practices come under scrutiny—whether through regulatory enforcement or civil litigation—our attorneys provide experienced, strategic defense. We represent clients in regulatory inquiries, enforcement actions, and contested proceedings in state and federal court and in numerous alternative dispute resolution forums.
We understand the nuances of defending against claims arising under cybersecurity-specific statutes, public company disclosure obligations, and board fiduciary duties. Our team works closely with public relations and technical experts to manage litigation risk while protecting reputation and preserving business continuity.
Employee Training and Board-Level Counseling
Effective cybersecurity training turns your proverbial "weakest link" into your strongest, most valuable cybersecurity asset. Our Cybersecurity Group provides robust, engaging, and impactful employee training for cybersecurity programs of all types, across numerous industries, and for organizations of any size.
Senior leadership is increasingly held accountable for cybersecurity governance. We provide tailored briefings and ongoing advisory services to boards of directors, C-suites, and risk committees. Our services include:
- Training on fiduciary duties related to cybersecurity oversight
- Strategic guidance on integrating cybersecurity into Environmental, Social, and Governance (ESG) and Enterprise Risk Management (ERM) programs
- Updates on emerging regulatory developments and industry-specific expectations