Cyber risk is increasing . . . and this time it’s personal
For cyber leaders, cyber risks are becoming personal.
In 2023, new US rules around the disclosure of data breaches heaped more pressure on companies’ security staff — in particular, chief information security officers (CISOs) — just as agencies and courts were signalling that individuals could be held liable for incidents.
Last year, for example, Uber’s former chief security officer, Joe Sullivan, was sentenced by US authorities to three years’ probation and fined $50,000 for covering up a data breach from 2016. He had been notified by hackers of a security flaw that exposed the personal information of nearly 60mn drivers and passengers on the ride-hailing platform. It was the first criminal prosecution of a company executive over the handling of a data breach.
Then, just a few months later, the US Securities and Exchange Commission charged SolarWinds’ CISO, Timothy Brown, for fraud and internal control failures, after the IT company was breached by Russian hackers as part of an espionage campaign. The regulator accused both the company and Brown of misleading investors by not disclosing “known risks” and not accurately representing its cyber security measures.
“If you talk within the CISO community, every CISO I know is concerned about this,” says Wagner Nascimento, vice-president and CISO at chip design toolmaker Synopsys.
As a result, some company employees are choosing not to serve as CISOs, or not to sit on their companies’ disclosure committees, in order to avoid taking on the responsibility and the risk themselves. It is a development that is exacerbating the problem of talent shortfalls in cyber security roles.
Nascimento, however, sees the regulatory changes as an opportunity that CISOs should embrace, as a way of carving out a more active and influential role in corporate governance.
“We have been fighting for this spot for a long time,” he argues. “Now, you have an opportunity to have a seat at the table, to talk to the CEO, and be part of the conversation.”
Cyber leaders have become increasingly important as businesses have undergone digital transformations and faced a wider range of hacking threats. More recently, a shift to remote working, and an increased threat of cyber warfare amid heightened geopolitical tensions — notably, around the Russia-Ukraine conflict — have elevated internal security roles further.
In tandem, the regulatory burden of cyber security professionals has grown. New SEC rules require public companies to disclose, in regulatory filings, any incident deemed “material” within a window of four business days after it has been established as being so. Any public company must also report, annually, on how it is governing and managing cyber security risks internally.
These rules provide transparency to investors, may help government agencies better support companies, and could even reveal patterns in cyber attacks and attack vectors. “This is a dramatic step towards greater transparency and accountability and will greatly improve our cyber security preparedness as a nation,” reckons Amit Yoran, chief executive of Tenable, a cyber security exposure management company.
Some cyber security experts note, however, that the information cyber leaders disclose is likely to be incomplete and may provide key details of their companies’ vulnerabilities to potential cyber attackers.
In some cases, the new regulations might even be used to increase the pressure on victims to pay a ransom.
For example, one ransomware gang, known as ALPHV/BlackCat, reported one of its own victims, MeridianLink, to the SEC for non-disclosure after the software company refused to pay up. ALPHV/BlackCat then threatened to publish the compromised data if the company did not pay up within 24 hours.
MeridianLink issued a statement saying it had identified no evidence of unauthorised access to its systems.
In several ways, then, the new regulations raise legal risks for public companies: exposing them to lawsuits over privacy violations, as well as raising the spectre of charges and financial penalties for their individual CISOs.
“There is a lot of concern inside of the cyber security community today that there . . . could be consequences for things that they feel are still outside of their control,” says Hugh Thompson, executive chair of the RSA cyber security conference and managing partner at venture capital group Crosspoint Capital Partners.
Responses to the new rules have varied, according to cyber security experts. Companies have adopted different thresholds for “material” cyber incidents, and many have not been overly detailed in their disclosures, or have caveated them heavily.
“A matter of real concern for CISOs is any delta [or variation] between prior statements about their security posture,” says Igor Volovich, vice-president of compliance strategy at cyber security compliance group Qmulos. He warns that, if companies have claimed to be cyber resilient to third parties when they have known security deficiencies, this could be deemed corporate malfeasance or shareholder fraud.
Experts advise cyber leaders to conduct regular security audits and map out clear incident response plans that align their legal, security, public relations and finance departments.
Thompson says action is being taken. He is “seeing more significant investment” by cyber leaders in “fleshing out risk management processes”.
Some are trying to determine in advance what would count as “material” if part of their business was hit by a cyber attack, and are carrying out “tabletop exercises” [discussion-based assessment sessions].
But Vivek Jetley, executive vice-president and head of analytics at data analysis company EXL, adds that CISOs “need to document decisions, even the most minuscule ones, and be prepared to defend them, not only internally but to regulators and inspectors”.
Nascimento urges companies to have protocols in place for when there is disagreement over what constitutes materiality. In some cases, “for the lawyer it might not be material, for the CISO it is”, he explains, “When [that] happens, what is the path?”