Tag Archives: Sabastian V. Niles

NIST Releases an Updated Version of its Cybersecurity Framework

by Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs.  In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.”  As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors.

SEC Releases New Guidance on Cybersecurity Disclosures and Controls

by John F. Savarese, David A. Katz, Wayne M. Carlin, David B. Anders, Sabastian V. Niles, Marshall L. Miller, and Jonathan Siegel

Yesterday, in keeping with a heightened governmental focus on cybersecurity, as exemplified by the Justice Department’s formation of a new Cyber-Digital Task Force earlier this week, the Securities and Exchange Commission announced new guidance on cybersecurity disclosures by public companies (the “Guidance”).

Much of the Guidance tracks 2011 interpretive guidance from the SEC’s Division of Corporation Finance and retains a focus on “material” cyber risks and incidents.  However, the expanded details and heightened pressure to disclose indicated in the Guidance, along with its issuance by the Commission itself, signal that the SEC expects public companies to consider more detailed disclosure of cyber risks and incidents, and to maintain “comprehensive” policies and procedures in this area.  The SEC is also encouraging, though not requiring, forward-leaning approaches, such as with respect to disclosures about the company’s cyber risk management programs and the engagement of the board of directors with management on cybersecurity issues.  SEC Chairman Jay Clayton has also directed SEC staff to monitor corporate cyber disclosures.

Federal Reserve Takes Severe and Unprecedented Action Against Wells Fargo: Implications for Directors of All Public Companies

by Edward D. Herlihy, Richard K. Kim, and Sabastian V. Niles

In a stinging rebuke, the Federal Reserve on February 2nd issued an enforcement action barring Wells Fargo from increasing its total assets and mandating substantial corporate governance and risk management actions.  The Federal Reserve noted in its press release that Wells will replace three current board members by April and a fourth board member by the end of the year.  In addition, the Federal Reserve released three supervisory letters publicly censuring Wells’ board of directors, former Chairman and CEO John Stumpf and a past lead independent director.  These actions are a sharp departure from precedent, both in their severity and their public nature.  They come on the heels of significant actions already taken by Wells, including appointing a former Federal Reserve governor as independent Chair and replacing a number of independent directors as well as its General Counsel.

Insights for All Companies from the SEC’s Cybersecurity Examination of Regulated Financial Entities

by Sabastian V. Niles and Marshall L. Miller

In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities.  The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation.  While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC.