Matthew B. Welling

Partner

Overview

Matthew B. Welling is a partner in Crowell & Moring's Washington, D.C. office, where he practices in the firm's Privacy and Cybersecurity and Energy groups. Matthew has a deep technical background that he leverages to represent clients in a wide range of counseling and regulatory matters. His experience includes cybersecurity and privacy incident response, compliance reviews, risk assessments, and the development of corporate policies and procedures, such as incident response plans. Matthew has a diverse background in M&A and other corporate transactional issues, with specific recent experience with technology transactions, cybersecurity issues, and critical infrastructure project development.

Matthew is a leader in Crowell & Moring’s Blockchain / Distributed Ledger Technology (DLT) practice and speaks frequently on blockchain and DLT issues. He is currently a vice chair of the ABA’s Privacy and Computer Crime Committee of its Science & Technology Law section.

Prior to practicing law, Matthew was a software developer and management consultant with PricewaterhouseCoopers, IBM, and Accenture.

Cybersecurity and Privacy Counseling & Incident Response

Utilizing his technical background, Matthew advises clients on a wide range of cybersecurity and privacy issues. Matthew regularly counsels clients through responding to and managing cyber incidents and data breaches, and he has experience covering the full incident response lifecycle. Matthew has helped numerous clients develop or modernize their incident response programs and other cyber-related corporate policies and procedures, across industries that include energy & critical infrastructure, finance & banking, government contractors, media, hospitality, and IT service providers. He has also led privileged investigations, conducted tabletop simulations and other training exercises, interacted with regulators and law enforcement, and counseled clients through a diverse range of cybersecurity-related disputes.

M&A and Corporate Transactions

Matthew frequently represents companies in technology-focused M&A activities and has significant experience with cybersecurity and privacy-related transactional due diligence and post-merger integration matters for both buyers and sellers across a broad range of industries. Matthew’s experience also includes helping clients develop novel information technology due diligence programs and counseling clients through incident response and forensic investigations arising in the course of M&A activities. Matthew additionally advises clients on a wide range of commercial transactions involving cybersecurity and other technology-related issues.

Blockchain & Distributed Ledger Technology (DLT)

Matthew is an active leader in the firm’s Blockchain and DLT practice, where he is a Business Lead in Crowell’s Digital Transformation initiative. He advises clients on security and regulatory issues related to blockchain applications, helps clients navigate service provider relationships, and is currently engaged with clients developing novel blockchain and DLT projects in multiple industries. Matthew frequently speaks and conducts trainings on blockchain-related issues, both publicly and for clients.

Energy, Project Development & Appliance Conservation Standards

Matthew also has considerable experience in the energy sector, representing clients in a range of regulatory, transactional, policy, and litigation-related issues at the state and federal levels, including matters before the Federal Energy Regulatory Commission (FERC) and state regulatory commissions. Matthew has significant experience in energy project development, and the projects he has worked on include renewable energy (wind, solar and biomass), energy storage, natural gas, and coal-fired generation facilities. His clients include wind and solar developers, merchant generators, integrated utilities, rural electric cooperatives, municipal utilities, manufacturers of equipment, and industrial wholesale customers. Matthew also counsels clients on NERC reliability standards.

Additionally, Matthew has advised numerous clients on appliance energy conservation standards before the U.S. Department of Energy (DOE), including multiple appeals to FERC under the Energy Policy and Conservation Act (EPCA), and before the California Energy Commission (CEC).

Matthew graduated with honors from Indiana University's Kelley School of Business in 2002 with a B.S. in business administration and a concentration in computer information systems. He also has a minor in Spanish.

Matthew received his law degree from the Georgetown University Law Center in 2010, where he served as the managing editor of the Georgetown Journal of Law and Public Policy. During law school, Matthew twice clerked for Sen. John Cornyn on the United States Senate Committee on the Judiciary.

Career & Education

|
    • Georgetown University Law Center, J.D., 2010
    • Indiana University, B.S., with honors, 2002
    • Georgetown University Law Center, J.D., 2010
    • Indiana University, B.S., with honors, 2002
    • District of Columbia
    • Virginia
    • District of Columbia
    • Virginia

Matthew's Insights

Client Alert | 14 min read | 07.24.24

U.S. Federal District Court Judge Dismisses Much of SEC’s Claims Against SolarWinds and its CISO Relating to SUNBURST Cybersecurity Attack

On Thursday, July 18, 2024, Judge Paul Engelmayer, U.S. District Judge for the Southern District of New York, dismissed the bulk of the Securities and Exchange Commission’s (SEC’s) landmark civil securities law claims against SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown.  The Court dismissed all allegations based on SolarWinds’ public disclosures made after SolarWinds became a victim of the well-publicized SUNBURST cybersecurity attack, and also dismissed the SEC’s claims relating to SolarWinds’ internal accounting controls and disclosure controls and procedures.  However, the Court declined to dismiss claims of securities fraud against SolarWinds and its CISO based on SolarWinds’ pre-SUNBURST disclosures, finding that the SEC had properly pleaded that the company’s publicly-posted “Security Statement” was materially false and misleading. ...

|

Matthew's Insights

Client Alert | 14 min read | 07.24.24

U.S. Federal District Court Judge Dismisses Much of SEC’s Claims Against SolarWinds and its CISO Relating to SUNBURST Cybersecurity Attack

On Thursday, July 18, 2024, Judge Paul Engelmayer, U.S. District Judge for the Southern District of New York, dismissed the bulk of the Securities and Exchange Commission’s (SEC’s) landmark civil securities law claims against SolarWinds and its Chief Information Security Officer (CISO) Timothy Brown.  The Court dismissed all allegations based on SolarWinds’ public disclosures made after SolarWinds became a victim of the well-publicized SUNBURST cybersecurity attack, and also dismissed the SEC’s claims relating to SolarWinds’ internal accounting controls and disclosure controls and procedures.  However, the Court declined to dismiss claims of securities fraud against SolarWinds and its CISO based on SolarWinds’ pre-SUNBURST disclosures, finding that the SEC had properly pleaded that the company’s publicly-posted “Security Statement” was materially false and misleading. ...