Regulatory Security Explanation (Firefighters’ Pension Fund v. Sorenson — derivative oversight)
Use this to explain security and board-level cyber oversight in Delaware derivative or books-and-records contexts.
Purpose
This explanation frames the organization’s security posture for regulator, examiner, or counsel review in light of Firefighters’ Pension Fund of the City of Kansas City Trust Fund v. Sorenson, C.A. No. 2019-0963 (Del. Ch.). It connects governance, technical controls, and evidence practices to the relevant legal or enforcement context so external stakeholders can assess control reasonableness and implementation maturity.
Hallucinated writing examples
Scenario: During an illustrative period of Delaware Chancery derivative litigation over Marriott–Starwood cyber oversight (time), the Chief Information Security Officer of Marriott International, Inc. (role) prepares a regulatory security explanation (type) for the special litigation committee’s technical advisors (audience).
REGULATORY SECURITY EXPLANATION
Introduction: This submission describes the company’s information security program and the governance and evidence trail supporting board and committee oversight of cybersecurity risk in connection with the 2018 Starwood reservation database incident and subsequent public reporting. The Court of Chancery’s opinion (publicly available through the Delaware courts) addresses demand futility and oversight claims in the derivative context—issues that turn on the quality of board processes and the reliability of information presented to directors. The scope of this letter includes governance cadence, risk reporting, control domains material to guest and loyalty data, and evidence of operation suitable for oversight review. The submission is illustrative; each statement in it is supportable by the attached evidence index.
Governance: The board (and relevant committees) receives periodic cybersecurity briefings including material incidents, control testing, regulatory inquiries, and remediation status. Minutes, charters, and escalation protocols document how cybersecurity risk is elevated and considered at the board level.
Risk Management: Material themes include legacy system integration after acquisitions, privileged access to reservation and loyalty systems, third-party and franchise connectivity, and incident detection and disclosure coordination. Risks are prioritized with owners, milestones, and measurable outcomes.
Control Environment and Evidence of Operation: Key controls by domain, with evidence of operation:
(1) Enterprise identity and access: MFA expansion, PAM for privileged access, periodic access reviews. Evidence: IAM reports, PAM samples, review attestations.
(2) Logging and monitoring: centralized security logging for critical guest and payment flows; SOC procedures. Evidence: architecture documents, alert samples, IR tickets.
(3) Vulnerability and patch management: enterprise scanning, with prioritization for internet-facing assets. Evidence: scan results, remediation metrics.
(4) Third-party and franchise connectivity: security requirements and monitoring for connected properties and vendors. Evidence: contracts, assessments, connection reviews.
(5) Assurance and testing: independent assessments and penetration tests tracked to closure. Evidence: reports, remediation evidence.
Incidents and Remediation: The 2018 Starwood incident involved unauthorized access to a guest reservation database; remediation and regulatory engagement proceeded on parallel tracks. This response summarizes control and governance evidence relevant to oversight narratives in derivative litigation and is supported by the attached evidence index.