An Approach to Cybersecurity Risk Oversight for Corporate Directors

Apr 23 2018
and

*This article first appeared in In-House Defense Quarterly on April 3, 2018

The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers.

Read More

EmailPrintShare
, , , , ,

NIST Updates Cybersecurity Framework

Apr 18 2018

*This article first appeared on Law360 on April 17, 2018

On April 17, the National Institute for Standards and Technology (NIST) released an updated version of its standard-setting Cybersecurity Framework.  Commerce Secretary Wilbur Ross announced the new release with a statement saying the “Cybersecurity Framework should be every company’s first line of defense” and “adopting version 1.1 is a must do for all CEO’s.”  Version 1.1 is dated April 16, 2018, and is available at: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Read More

EmailPrintShare
,

Hong Kong Issues EU Data Privacy Law Guidance on the upcoming GDPR

Apr 16 2018
, and

The Hong Kong Office of the Privacy Commissioner for Personal Data (the “Hong Kong Data Privacy Commissioner”) has recently published compliance guidance on the upcoming GDPR to raise awareness in Hong Kong companies about the potential effects and reforms needed in order to comply with the new GDPR requirements.

Read More

EmailPrintShare
, , , , ,

The British Private Equity & Venture Capital Association issues “Guide to GDPR for the Funds Industry”

Apr 12 2018

The British Private Equity & Venture Capital Association has issued a Guide to GDPR for the Funds Industry focusing on practical guidance, including explanations of what the GDPR is and why it is relevant for the funds industry.  Authors included Sidley lawyers William RM Long, Geraldine Scali, Vishnu Shankar, Francesca Blythe, Denise Kara and Eleanor Dodding.

The GDPR, or the General Data Protection Regulation, is a new EU data privacy law that comes into force on 25 May 2018. The GDPR is intended to provide a single harmonised data privacy law that applies across the EU and is appropriate for the use of Personal Data in the 21st century. The GDPR imposes many new data protection requirements on the collection, use and disclosure of Personal Data which will be relevant to firms and imposes significant fines of up to 4% of annual worldwide turnover.

The Guide describes how key parts of the GDPR will apply to firms and key obligations and issues for firms to consider in dealing with the GDPR.  Read more.

EmailPrintShare
, , ,

Financial Crimes Enforcement Network Issues New Frequently Asked Questions on Customer Due Diligence Requirement

Apr 10 2018
, , and

On April 3, 2018, the Financial Crimes Enforcement Network (FinCEN) issued new frequently asked questions (FAQs) regarding its customer due diligence rule (CDD Rule).

The CDD Rule applies to banks, broker-dealers in securities, mutual funds, futures commission merchants and introducing brokers in commodities (collectively, covered financial institutions or CFIs).

The CDD Rule includes four core elements of customer due diligence, each of which should be included in the anti-money-laundering (AML) program of a CFI: (1) customer identification and verification, (2) beneficial ownership identification and verification, (3) understanding the nature and purpose of customer relationships to develop a customer risk profile and (4) ongoing monitoring for reporting of suspicious transactions and, on a risk basis, maintaining and updating customer information. The second element — the beneficial ownership requirement — is new. FinCEN has described the other elements as preexisting AML program requirements for CFIs, although the third and fourth prongs were, at most, implicit requirements.

FinCEN issued new FAQs on the CDD Rule on July 19, 2016. These FAQs are timely because the May 11, 2018 compliance date for the CDD rule is fast approaching.

Here, we summarize several key takeaways regarding the beneficial owner requirement from the new FAQs.

Read More

EmailPrintShare
,

Belgian Privacy Commission Issues Guidance on Data Protection Impact Assessments Under the GDPR

Apr 05 2018
and

On 28 February 2018, the Belgian Commission for the Protection of Privacy (the “Privacy Commission”) published a recommendation setting out its approach to Data Protection Impact Assessments (“DPIAs”), and in doing so published a “White List” and a “Black List” of processing operations, pursuant to the General Data Protection Regulation (“GDPR”).  Organisations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. However under the GDPR, member state data protection authorities:

  • are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and
  • are permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.

Read More

EmailPrintShare
, , ,

Sidley’s Fourth Annual Privacy and Cybersecurity Roundtable

Apr 04 2018

Sidley hosted the firm’s fourth annual Privacy and Cybersecurity Roundtable in the DC office on Monday, March 26, 2018.

Following an introduction by Sidley partner Alan Raul,  Giovanni Buttarelli, European Data Protection Supervisor, and Helen Dixon, Data Protection Commissioner for Ireland, discussed the EU General Data Protection Regulation which will go into effect on May 25, 2018. Both Helen Dixon and Giovanni Buttarelli shared their insights on preparation for, and life after May 25. Following their remarks, Sidley Partner and Privacy practice Co-Leader, Ed McNicholas (D.C.) moderated a lively discussion that included Cam Kerry, Senior Counsel (D.C./Boston) and new Sidley Partner, Wim Nauwelaerts (Brussels).

Read More

EmailPrintShare
, , , , , , , , ,
1 2 3 52
EmailPrintShare

Categories

Archives

Contacts


Colleen Theresa Brown
Washington, D.C.
ctbrown@sidley.com


John M. Casanova
Singapore, London
jcasanova@sidley.com


Cameron F. Kerry
Boston, Washington, D.C.
ckerry@sidley.com


William RM Long
London
wlong@sidley.com


Edward R. McNicholas
Washington, D.C.
emcnicholas@sidley.com


Wim Nauwelaerts
Brussels
wnauwelaerts@sidley.com


Alan Charles Raul
Washington, D.C.
araul@sidley.com


Yuet Ming Tham
Hong Kong
Singapore
yuetming.tham@sidley.com


John K. Van De Weert
Washington, D.C.
jvandeweert@sidley.com

Click here to view all of Sidley's Privacy and Cybersecurity professionals.

To receive email alerts when we post a blog entry, please provide your name and email address.

XSLT Plugin by BMI Calculator