May 9, 2016

Excessive Incentive Pay: SEC’s 488-Page Proposing Release

On Friday, the SEC became the last of the six financial regulators to approve the 488-page joint agency proposal to prohibit incentive-based compensation that may encourage inappropriate risks by financial institutions under Section 956 of Dodd-Frank. The other agencies are the FDIC, Federal Housing Finance Agency, Federal Reserve Board of Governors, National Credit Union Administration and Office of the Comptroller of the Currency. Here’s the memos I have been posting about the proposal on in our “Financial Firms” Practice Area

Cybersecurity: Another Verizon Report & More

For the 9th year in a row, Verizon has put out a new “Data Breach Investigations Report.” Here’s an excerpt from this Cooley memo about it:

In 2015, more than 90% of incidents and data breaches fell into one of nine categories. Most commonly, security incidents were caused by miscellaneous errors, such as sending emails or paper documents to the wrong recipients (11,347 incidents); insider and privilege misuse, such as an employee using unapproved hardware like a USB drive to store sensitive information (10,490 incidents); and physical theft or loss of laptops and paper documents (9,701 incidents). The most serious incidents—those resulting in the most confirmed data breaches—however, were web app attacks, including hacking using stolen credentials and installing malware (908 confirmed breaches) and point of sale or “POS” attacks against environments where debit and credit card retail transactions are conducted (525 confirmed breaches).

2015 found attackers are getting faster at compromising their victims. For example, the time to compromise was almost always on the order of days or minutes. One particularly fast method of accessing sensitive data is phishing, which accounted for 9,576 security incidents and 916 confirmed data breaches in 2015. Phishing (a form of social engineering) involves sending an email message containing a malicious attachment or link to a victim with the intent of tricking him or her into opening the attachment or clicking on the link. In the majority of phishing cases, that click allows the attacker to install persistent malware on the victim’s computer.

The DBIR analyzes several million results of phishing tests conducted by various information security vendors. Their findings show that we may be getting worse, not better, at recognizing phishing messages; the number of targets who opened the test phishing message rose by 7%, from 23% in 2014 to 30% last year, and about 12% of those who opened the message went further and clicked on the malicious attachment. The median time between sending a phishing message and the first click on its attachment? Under four minutes. In fairness to those who clicked, however, the DBIR notes that the main perpetrators of phishing attacks are sophisticated, with significant time and resources to craft believable “bait”: in 2015, 89% of phishing attacks were perpetrated by organized crime syndicates and 9% were perpetrated by state-affiliated actors.

Insider and privilege misuse was also very common, with insiders most frequently motivated by financial gain, followed closely by espionage. The 2016 DBIR looked at how insiders’ motivations have changed since 2009, and while incidents motivated by espionage have risen, incidents motivated by the prospect of financial gain have fallen. Other inside actors are motivated by grudges, ideology, and even just plain fun. Even more concerning, actions by insiders are some of the hardest for organizations and law enforcement to detect. In fact, 70% of these incidents are taking months or even years to discover.

Also check out our checklists related to incident response planning, disclosure practices and risk management – as well as a chart of state laws related to security breaches. And see this blog about a Congressional bill that would amp up internal controls over cybersecurity…

May-June Issue: Deal Lawyers Print Newsletter

This May-June Issue of the Deal Lawyers print newsletter includes:

– Structuring Considerations for Minority Investments
– Insurance Due Diligence: Three Practical Tips
– Basics: Drafting & Negotiating Disclosure Schedules
– Talent Retention: A Toolkit for M&A
– Which Investors Like Which Risks?

Remember that – as a “thank you” to those that subscribe to both & our Deal Lawyers print newsletter – we are making all issues of the Deal Lawyers print newsletter available online for the first time. There is a big blue tab called “Back Issues” near the top of – 2nd from the end of the row of tabs. This tab leads to all of our issues, including the most recent one.

And a bonus is that even if only one person in your firm is a subscriber to the Deal Lawyers print newsletter, anyone who has access to will be able to gain access to the Deal Lawyers print newsletter. For example, if your firm has a firmwide license to – and only one person subscribes to the print newsletter – everybody in your firm will be able to access the online issues of the print newsletter. That is real value. Here are FAQs about the Deal Lawyers print newsletter including how to access the issues online.

Broc Romanek