An organization’s board of directors assumes ultimate accountability for governing cybersecurity risk. Chief information security officers (CISOs) play an increasingly indispensable role in enabling board members and senior executives to engage in appropriate cyber risk management, communicate using cyber metrics with business objectives in mind, and facilitate proper oversight of the company’s cyber program. Among
David A. Simon
David Simon is a partner in Mayer Brown's Washington DC office and a leading member of the global Cybersecurity & Data Privacy practice. He is also a member of the firm's National Security and Government Contracts practices. A former special counsel at the US Department of Defense (DoD) and chief cyber counsel to the US Cyberspace Solarium Commission, David has deep experience advising victims of ransomware attacks and state-sponsored cyber activity. Named as a Cybersecurity Trailblazer by The National Law Journal, David has also been named to Cybersecurity Docket’s “Incident Response 40,” a collection of 40 of the “best and brightest” incident response attorneys in the country. David regularly supports clients as the lead investigator and crisis manager for cross-border cyber incidents, including data breaches involving personal data, nation-state threats targeting intellectual property, state-sponsored theft of sensitive U.S. government information, and destructive attacks. David has directed and advised on dozens of complex cyber incident and data breach investigations in the last few years alone. He has counseled companies on major cyber incidents and incident preparedness across virtually every sector of the economy. David represents financial institutions, automotive manufacturers and self-driving car companies, tech companies, telecommunications companies, healthcare companies, insurance companies, defense and aerospace companies, private equity firms and their portfolio companies.
Webinar: Cyber Spotlight: Ransomware 3.0 War Stories – Triple Extortion, Sanctions Risks, and Best Practices from the Trenches
Ransomware attacks continue to cause serious disruption to organizations and show no signs of slow-down. What starts as a security failure quickly becomes a serious business risk, requiring decision-making at the board level. Our speakers will touch on various legal and technical factors impacting a company’s response to a ransomware attack and provide practical advice…
President Biden Signs Executive Order on U.S. Intelligence Activities to Implement EU-U.S. Data Privacy Framework
On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities,1 which is intended to implement U.S. commitments under the Trans-Atlantic Data Privacy Framework (DPF) announced in March 2022. With the new executive order, the Biden administration aims to strengthen the legal foundation for trans-Atlantic…
NIS2 Directive New Cybersecurity Rules Expected in the EU
The European Council and European Parliament recently reached a provisional agreement on the text for the EU’s proposed Directive on minimum cybersecurity standards to be implemented across the EU (NIS2). The text is expected to be formally adopted in the coming months. NIS2 seeks to replace and strengthen the EU’s current Network and Information Society…
BIS Revises Export Controls on Cybersecurity Items Used for Malicious Cyber Activity
On May 26, 2022, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) published a final rule revising the restrictions on the export, reexport and transfer (in-country) of certain “cybersecurity items” used for malicious cyber activities (“final rule”). Effective immediately upon publication, the final rule amends the October 21, 2021, interim final rule…
OFAC Imposes First-Ever Sanctions Against Virtual Currency Mixer
On May 6, 2022, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) designated crypto mixer Blender.io as a Specially Designated National (“SDN”), marking the first time a virtual currency mixer has been sanctioned. The move is the latest in a series of sanctions designations and enforcement actions in the virtual currency…
Happy EOnniversary: One Year of Action Since President Biden’s Cybersecurity Executive Order
Strengthening the nation’s cybersecurity has been a top priority for the Biden administration, as reflected in its collaboration with industry, regulatory actions, and the legislation it has supported in Congress, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Executive action has been a key tool in the Biden administration’s cyber policymaking toolkit.…
US SEC Cyber Risk Management Proposed Rules: Analysis for Investment Advisers, Investment Companies, BDCs and Broader Implications for Private Sector
On February 9, 2022, the Securities Exchange Commission (“SEC” or “Commission”) voted 3-1 to propose rules, forms and amendments concerning cybersecurity risk management, as well as registered investment adviser and fund disclosures. As we have previously discussed, the proposal under the Investment Advisers Act of 1940 (Advisers Act) and the Investment Company Act of…
Filing Instructions Released for New US Bank Incident Reporting Requirement
On March 29, 2022, the US federal banking regulators released instructions on how financial institutions should comply with recently adopted computer-security incident notification requirements.1 These instructions will assist financial institutions in satisfying their obligations under the new requirements once compliance is required on May 1, 2022.
US and EU Announce New Trans-Atlantic Data Privacy Framework
On March 25, 2022, the United States and the European Union jointly announced an “agreement in principle” to a new trans-Atlantic data privacy framework to facilitate the cross-border transfer of personal data (the “Framework”).1 As part of the Framework, the US has made “unprecedented commitments” related to intelligence collection and surveillance practices.2 The…