An organization’s board of directors assumes ultimate accountability for governing cybersecurity risk. Chief information security officers (CISOs) play an increasingly indispensable role in enabling board members and senior executives to engage in appropriate cyber risk management, communicate using cyber metrics with business objectives in mind, and facilitate proper oversight of the company’s cyber program. Among the keys to success for CISOs are regular access to the board, the requisite authority to implement cyber programs, and sufficient resources to fulfill their critical mission.

Please join us for a discussion with distinguished CISOs from leading global private equity firms to discuss:

  • The evolving role of cybersecurity Leaders
  • Cyber metrics for board communications
  • Insider threat risk management
  • Third-party vendor security
  • Addressing ransomware and other trends in incident preparation and response

Additional Speakers

Bethany De Lude
Carlyle Group

João Pedro Gonçalves
EQT Group AB

To request a link to a recording of this program, please contact us.

Ransomware attacks continue to cause serious disruption to organizations and show no signs of slow-down.  What starts as a security failure quickly becomes a serious business risk, requiring decision-making at the board level. Our speakers will touch on various legal and technical factors impacting a company’s response to a ransomware attack and provide practical advice on what companies should do before, during and after an attack occurs, including:

  • Conducting a privileged forensic investigation
  • Deciding whether to pay a ransom payment and conducting the necessary sanctions checks
  • Engaging with law enforcement and other state/federal regulators
  • Understanding common pitfalls
  • Staying up-to-date on current best practices

To request a link to a recording of this program, please contact us.

The California Privacy Rights Act (CPRA) will go into effect on January 1, 2023, even though the draft regulations remain unsettled, leaving companies questioning their ability to comply. In this talk with Jennifer Barrera of CalChamber, we’ll discuss some of the outstanding issues that will have impacts in the state, across the country, and, indeed, around the world.

Please join us for a discussion designed to help you understand:

  • What will be required by the CPRA draft regulations
  • Which issues the business community is trying to address during the comment period
  • What strategies businesses should consider for compliance

View the webinar.

To view the California Chamber of Commerce Comments to Draft California Privacy Rights Act Regulations, which are discussed in the webinar, please follow the link below:

View Comments.

As cybersecurity and privacy risks mount, financial services companies face new concerns about compliance and enforcement as well as the risk of business interruption and costly litigation. In this Cybersecurity Awareness Month program, our lawyers will discuss the recent regulatory developments from the New York Department of Financial Services (NYDFS) that are presenting real-world challenges and, in particular, what these developments mean for covered entities, their C-suites, and their boards.

Please join us for a discussion designed to help you:

  • Stay abreast of evolving regulatory expectations
  • Get a picture of the current enforcement environment
  • Understand new proposed board responsibilities

View the webinar.

On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities,1 which is intended to implement U.S. commitments under the Trans-Atlantic Data Privacy Framework (DPF) announced in March 2022. With the new executive order, the Biden administration aims to strengthen the legal foundation for trans-Atlantic data flows following the 2020 Schrems II decision in which the Court of Justice of the European Union (CJEU) struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield framework self-certification scheme. The executive order creates additional privacy and civil liberties safeguards for U.S. signals intelligence collection activities, as well as a new “Signals Intelligence Redress Mechanism,” which includes a new “Data Protection Review Court.” The European Commission is next expected to prepare a draft adequacy decision to adopt the DPF as a valid transfer mechanism for transfers of personal data from the European Union to the United States.

This Legal Update summarizes the key developments under the executive order, what will come next from the EU, and alternative bases for EU-U.S. data transfers while the EU evaluates the DPF as implemented through the executive order.

Continue reading.

The European Council and European Parliament recently reached a provisional agreement on the text for the EU’s proposed Directive on minimum cybersecurity standards to be implemented across the EU (NIS2). The text is expected to be formally adopted in the coming months. NIS2 seeks to replace and strengthen the EU’s current Network and Information Society Directive (NIS Directive) and applies to certain essential and important entities operating in a defined list of sectors, including commonly considered critical infrastructure entities.

Continue reading.

On September 14, 2022, the US Office of Management and Budget (OMB) published a memorandum, M-22-18, requiring federal agencies to comply with previously announced guidelines for ensuring the integrity of third-party software on an agency’s information systems or that otherwise affects government information. Applicable to firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software, this memorandum gives practical force to previously issued guidance for software producers1 to the federal government.

Continue reading.

Software security is a critical issue for multinational businesses. Highlighted as a top priority by the Biden administration and other governments worldwide, software security is a central pillar of effective cybersecurity—and managing associated legal risk. But developing and maintaining secure software is challenging, including to the extent that companies manage complex software development lifecycles, face the threat of sophisticated supply chain attacks, and rely on open source software. In this Cybersecurity Awareness Month program, our panel will explore legal risks associated with threats to software security and tools companies can use to mitigate these risks as they develop and maintain software. Topics will include:

  • New requirements for secure software development
  • Security threats to software development
  • Emerging best practices and market expectations
  • Internal governance of software security
  • Effective collaboration between the legal team and software developers


Sam Kaplan
Palo Alto Networks

Aaron Cooper

Maria Garzaro

View the webinar.

Companies that rely on standard contractual clauses for transferring personal data from the United Kingdom to jurisdictions not considered to offer an adequate level of data protection under the UK General Data Protection Regulation can no longer use the old EU standard contractual clauses in new contracts as of today, Wednesday 21 September 2022.

Instead, businesses must use the international data transfer agreement (the “IDTA”) or the international data transfer addendum to the European Commission’s standard contractual clauses (the “UK Addendum”) which were approved by the UK Information Commissioner’s Office for this purpose and entered into force on 21 March 2022. You can read more information about both documents in our client alert.

Practically, businesses need to update any template contracts (e.g. with customers or suppliers) which incorporate the old EU’s standard contractual clauses and replace them with the IDTA or the UK Addendum.

Businesses should also review their existing contracts which still use the old EU standard contractual clauses and identify those that will need be renegotiated by 27 December 2022 (to include the new European Commission’s standard contractual clauses for personal data transfers outside the European Economic Area) and 21 March 2024 (to include the IDTA or the UK Addendum for personal data transfers outside the United Kingdom).

On September 15, 2022, President Biden issued an executive order (the “Order”) to provide further detail and expand on the factors that the Committee on Foreign Investment in the United States (“CFIUS”) uses to evaluate whether a foreign investment provides a risk to US national security. The Order1 is the first executive order to provide direction to CFIUS on the risks to be considered when evaluating transactions and comes against a backdrop of numerous actions to sharpen and focus the applications of several regulatory regimes to emerging technologies and present-day threats.

Continue reading.