Articles Posted in Cybersecurity and Privacy


The increasing number of software supply chain compromises represents a significant weakness that should be top of mind for security professionals. Regardless of your firm’s core business, chances are they rely on and are connected to a range of software provider’s electronic distribution channels for acquiring initial licenses or software updates. Any such electronic access, even through authorized and vetted means, poses a risk to the organization. Put simply: your software provider’s vulnerabilities could easily become your next breach.

In “Software Distribution Compromise Tactics,” a blog post on FireEye, Pillsbury counsel Meighan O’Reardon discusses how to limit the risk of exposure to your organization.



A number of major carriers have suffered high-impact IT events in the past several months. Estimates of losses in these cases have exceeded £100m. This is on top of (no doubt significant) remedial costs, reductions in share price and reputational damage.

Such high-impact events are, in theory, unlikely to occur—the result of a series of unlikely events which when taken together have a catastrophic impact. Unfortunately for corporates, the probability of a high impact IT event is increasing. This is partly due to the increasingly interconnected and complex nature of IT infrastructures but also due to heightened cybersecurity risks. Failures tend not to be not localised to a particular geography or business but have global reach.

We advise airlines to consider and revisit their current business continuity and disaster recovery (BCDR) arrangements. In our experience, the reality of BCDR arrangements often falls below the stated requirements or capabilities of such solutions, whether provided by third-party IT providers or in-house.


According to PwC’s latest biennial Global Economic Crime Survey, cyber-crime is up 20 percent since 2014 and more than half of the firms surveyed expect to become the victim of a cyber-crime in the next two years, although a third reported that they have no plan to address a cyber-incident. While we are used to seeing the big cyber-attacks make the news, an attack of any size can have a disastrous effect on a business and within the supply chain and can also have wide-reaching implications: not only for the business targeted, but all those businesses linked to it. In “Protection Planning,” an article in Logistics Business Magazine, Pillsbury partner Tim Wright discusses the steps you should be taking to proof your business from such damaging shocks.


Effective March 1, 2017, first-in-kind regulations issued by the New York Department of Financial Services (New York DFS) will begin to affect a wide array of both depository and non-depository financial institutions. The new regulations will cascade certain requirements upon these financial institutions’ third-party service providers, requiring the financial institutions to take a close look at their vendor relationships.

Who Is Covered?

The new regulations will specifically apply to “Covered Entities,” meaning any financial services firm that operates (or is required to operate) under a “license, registration, charter, certificate, permit, accreditation or similar authorization” by the New York DFS. Just to name a few, this includes banks, credit unions, insurance companies, licensed lenders and loan servicers, money transmitters, and even those operating under New York’s new virtual currency license.


The UK’s financial services regulator, the Financial Conduct Authority (FCA), has recently published summaries of the responses it received to a Call for Inputs (CfI) on the use of big data in the retail general insurance (GI) sector as well as outlining its responses to the issues raised. Insurance companies, which are increasingly using big data (gleaned from social media, loyalty cards, aggregator sites and other such sources) to determine risk profiles and set premiums, can rest a little easier given that the FCA says that it has decided not to undertake a full market study or make a reference to the Competition and Markets Authority.

Continue reading


As stated by Wired, “It’s all the standard advice you’d give a tech novice,” aptly sums up the White House’s Cybersecurity National Action Plan (CNAP) that President Obama unveiled on February 9, 2016. Announced as part of the President’s overall budget proposal, CNAP is a plea within the federal government to implement a sturdier foundation for its cybersecurity strategy. The administration proposes a 35% increase in cybersecurity funding, much of which would go toward creating programs that are intended to leverage private sector expertise to improve the woefully outdated, if not completely nonexistent, federal government cybersecurity infrastructure.

Among other initiatives, CNAP includes an awareness campaign targeted at personal-level cybersecurity habits, a joint government-private sector commission for compiling cybersecurity best practices, and incentives to entice private sector talent to enlist in the government’s ranks. Although these programs anticipate private sector involvement, they are rooted in the government’s pressing concern about its own vulnerabilities to cyberattacks. The standard refrain is that CNAP seeks to raise the level of cybersecurity for the government and the private sector, but the rhetoric around the announcement belies an overwhelming focus on federal government advancement that will likely have little impact on private sector progress, if the program is implemented at all.

Citizens’ Awareness Campaign


Retirement plan sponsors face ever-evolving cyber-related threats to plan assets and participant personal information. To combat such threats, plan sponsors should proactively assess the third-party service providers’ ability to detect, prevent and respond to cyberattacks against the retirement plan. In order to minimize a retirement plan’s overall cyber risk profile, its sponsor(s) must implement a cyber risk management strategy, including focusing on evaluating its third-party service providers’ cybersecurity programs, performing periodic assessments of such programs, and ensuring that the retirement plan has mitigated risks from losses in the event of a cyberattack.

This advisory is the first in a series of advisories dedicated to understanding cybersecurity issues affecting retirement plans.

Read more…


This blog is the second part of a two-part series on key contracting issues with technology service providers, and the focus is specifically geared toward companies doing business in the real estate industry.

As noted in Part 1, technology has infused every sector of society, and the real estate business is no different. Firms running large, complex real estate projects typically do not have the core competency to design, develop, implement, host, and/or maintain the technology applications and systems to run these innovative ideas, which is why these firms typically partner with third party technology service providers to design, develop, and implement their technology needs.

Entering into these partnerships with third party technology providers can come with risk and requires a contracting strategy. In Part 1, I discussed the issues of pricing and service performance. In this Part 2 below, I discuss data protection, infringement, and insurance.


Managed security services are often a natural “add-on” when outsourcing IT services given that data protection is integral to application development, software as a service, and cloud storage, among other services. More recently, managed security services has become a “niche” sourcing alternative that many companies are considering as they seek to leverage supplier’s expertise in cyber threat assessment, detection and response. One critical consideration to keep in mind prior to outsourcing your cybersecurity is that you cannot outsource your regulatory responsibilities. In a sense, you may hire a supplier to protect your and your clients’ data and cyber infrastructure to the degree required of your organization under the law, but if those legal standards are not met by the supplier, your organization remains liable.

Under U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security Management Act (FISMA), executive orders and state-specific regulations, or the UK Data Protection Act, you may outsource day-to-day information management; you may not outsource your regulatory liability. If a breach occurs, your organization must notify your own clients, state Attorneys General and federal agencies, as applicable. Enforcement actions may be taken against your organization based on violation by a supplier, regardless of your organization’s knowledge, involvement, or lack thereof. For example, the Consumer Financial Protection Bureau (CFPB), a relatively new federal agency formed in 2011 under The Dodd-Frank Act, explicitly targets its enforcement powers at the conduct of both financial institutions and their service providers.

As of 2012, the CFPB announced that it expects “supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with federal consumer financial law” and avoids harm to consumers. And what is one of the biggest risks of harm facing consumers in 2015? Loss or improper disclosure of consumers’ personal and financial data, which may occur over the Internet, via smart-devices and related applications, at merchant points of sale when making card payments, or even at the hands of a rogue employee within your organization or that of your supplier. If the CFPB investigates your organization, as a matter of course they will likely investigate your service provider(s), if any, and focus on areas of consumer data security and risk of identity fraud.


Computer Weekly recently published the article NHS The security concerns by Mike Pierides and Sarah Atkinson, Global Sourcing attorneys in Pillsbury’s London office. In the article, Pierides and Atkinson consider how England’s National Health Service is implementing a controversial programme to share patient data with the private sector, how the programme is intended to work, its legislative background, and the data security concerns that surround it.

Click here to read the full article