As cyber threats targeting critical infrastructure escalate in scale and sophistication, organizations face pressure to strengthen defenses, comply with regulatory mandates, and manage third-party risk. Morgan Lewis has more than a decade of experience advising critical infrastructure owners and operators on these issues. Our team has extensive knowledge and regulatory insight to help clients proactively manage the unique cybersecurity risks facing critical infrastructure sectors.
We advise critical infrastructure owners and operators on cybersecurity compliance, supply chain risk management, architecture design and vulnerability assessment reviews, incident response plans, and cybersecurity rulemaking and regulatory proceedings. We help clients through the full lifecycle of cyber issues, from regulatory preparedness and compliance to enforcement defense and incident response affecting critical infrastructure. Our lawyers combine legal and technical knowledge, addressing operational technology cybersecurity, power system engineering, transmission planning, and related technical matters.
Regulatory Policy, Advocacy, Compliance, and Enforcement
Building on our experience shaping the NERC CIP Reliability Standards, our lawyers advise critical infrastructure owners and operators on cybersecurity regulatory compliance, policy, and enforcement matters before key agencies, providing services as follows:
- Represent and advocate before FERC, NERC, DHS, DOE, CISA, TSA, FAA, DOT, USCG, DOD, NRC, EPA, NYDFS, and state commissions
- Help shape cybersecurity regulations issued by agencies
- Guide critical infrastructure owners on compliance with cybersecurity regulatory regimes, including NERC CIP standards
- Defend compliance programs in enforcement inquiries
- Advise boards and executives on cybersecurity governance and SEC reporting
Cybersecurity Diligence for Financing, Mergers, and Acquisitions
Our lawyers advise entities that are acquiring equity interests in, or lending to, companies in the critical infrastructure sector, so that they understand the cyber risks those businesses face and the extent to which the targets or borrowers have cyber controls in place to manage those risks.
Cybersecurity Programs and Privileged Assessments
Knowing which controls and processes are in place to manage cyber risk and protect critical infrastructure is essential to management’s understanding of whether its protections are working as intended. We evaluate cybersecurity programs in a privileged manner, often in conjunction with technical consultants, to provide a complete assessment and recommendations on these legal risks.
Cybersecurity in Commercial Contracts and Supply Chain
Our firm advises on negotiating cybersecurity terms in commercial contracts, including supply chain, cloud services, and offtake agreements such as power purchase agreements. We help allocate risk, define security obligations, ensure regulatory alignment, and address incident response, data protection, and liability provisions to safeguard data and operations, and to support resilient, compliant business relationships.
Crisis Management Implementation and Preparedness
We support crisis management implementation and preparedness, including for cybersecurity events. During a crisis, we draw on our decades of combined knowledge in crisis response to manage ongoing workstreams, helping companies navigate the crisis, respond effectively, and mitigate legal, financial, and reputational risks. We provide the following services:
- Crisis response planning and tabletop exercises
- Coordination with key partners, insurers, regulators, and law enforcement
- Advice on legal requirements and preservation of privilege
- Direction of the forensic and/or internal investigation
- Guidance on communications, claims management, and overseeing notification
- Facilitation of business continuity and disaster recovery