What Companies & CISOs Should Know About Rising Legal Threats

Litigation and regulatory enforcement are increasing risks for companies and cybersecurity leaders. Something must be done to protect the profession.

Lily Yeoh, CEO, C1Risk

February 27, 2024

[Image: statue of blindfolded woman holding scale, representing justice. Source: Piotr Adamowicz via Alamy Stock Photo]

COMMENTARY

A new era of litigation is threatening the cybersecurity community. In just the last 18 months, Tesla sued two ex-employees for cybersecurity breaches, the Federal Trade Commission (FTC) successfully charged Uber's former chief information security officer (CISO) for concealing a data breach, and the Securities and Exchange Commission (SEC) charged SolarWinds and its CISO with fraud due to nondisclosures and misstatements about the company's cyber-risk. In addition to corporate and government enforcement, companies are being served with class-action lawsuits for data breaches. 

For publicly traded companies, failures to report or disclose internal control deficiencies and incidents are investigated by the SEC and the relevant jurisdictions. Private companies are not immune to these liabilities, as federal, state, and local jurisdictions mandate cybersecurity accountability. For instance, the New York Attorney General's Office is leveraging the regulatory authority of the state's Department of Financial Services (DFS) concerning digital assets. In another example, the FTC took action against the online alcohol marketplace Drizly, a privately held company, over allegations of security failures that led to a data breach.

Some say the SEC regulates only publicly traded companies, but the agency also has jurisdiction over many private companies. Under federal securities laws, every security that is bought or sold, whether shares or other investments, must be registered with the SEC. This applies to companies of all sizes, private and public.

Security Officers Are Taking the Hits 

In this environment, many cybersecurity leaders are shunning CISO roles for a less risky path, while others are concerned about the future of their entire profession. In an effort to reduce their statistical exposure to legal ramifications, some companies are frequently changing CISOs and some CISOs are switching companies every couple of years. Uber dissolved its CISO role entirely to adopt a distributed responsibility model. It seems like many are taking steps backward and moving in different directions. Is this progress? Will there be any CISOs in the future? 

As cybersecurity threats and government enforcements increase, companies and CISOs are more vulnerable than ever. While a balanced "carrot and stick" approach is essential, we also need programs to help address deficiencies. Here are some areas where we can collectively improve as a community. 

Sufficient Security Budgets to Get Things Done

Companies should be held accountable for the cybersecurity budget. Cybersecurity initiatives begin with the tone set from the top. CEOs, CFOs, and boards of directors should take responsibility for establishing cybersecurity budgets equal to or higher than those of other essential back-office functions, such as human resources, finance, and IT. Cybersecurity requires tools and resources to effectively fulfill its role and mitigate internal control deficiencies.

Recognition That Third-Party Attestation May Not Address All Risks

I often find myself in discussions about audits for compliance or security risk. Companies should engage in risk-based audits to address security risks beyond the compliance scope. This proactive approach can establish a governance structure for independent cyber-risk reporting that is communicated both from the top down and the bottom up. 

It May Be Hard to Discern Between Security Researchers and Criminals

Penetration tests used to carry more weight because they focused on finding meaningful, exploitable attack paths. But in the past 10 years, penetration testing has turned into a costly, compliance-driven duty. Although pen-test findings are significant, many of them are easily detectable with routine vulnerability scans. Instead, some CISOs turn to bug bounty programs to reward individuals with recognition and compensation for reporting software bugs. However, bug bounty programs must discern the fine line between security researchers and bad actors. Bug bounty programs may create an additional layer of complexity: When does a bug bounty turn into an incident? Who are you engaging with, and are they a security researcher, a criminal, or someone walking a fine line in between? We need a better approach to elevate the business impact of penetration-testing strategies. Perhaps we also need to invest in ways to help people turn their bug-finding hobby into a fruitful profession in cybersecurity.

Government Enforcement on Non-Officers Is Not Fair

The existing governance structure for CISOs creates significant challenges. Reporting may result in termination, while failure to report could lead to personal accountability by the government. This polarizing conflict is unhealthy for the entire cybersecurity community.

Security officers are employees contracted to protect businesses. Employees should not be personally prosecuted for simply doing their job. Corporate governance must originate from the top: the officers and board of directors. Therefore, we should be wary of holding individuals liable without having clearly defined rules of engagement in place. Just as clearly defined malpractice rules govern a doctor's rights to practice medicine, the government and the private sector must establish malpractice rules for security officers to level the playing field.

About the Author

Lily Yeoh

CEO, C1Risk

Lily Yeoh is the CEO of C1Risk and a senior GRC technology executive and strategy consultant with more than 25 years of experience in regulatory compliance, governance, and risk management for enterprise businesses in the airline, manufacturing, technology, healthcare, and public sectors. Lily was one of the first 10 members of Deloitte's cybersecurity practice; she was the first internal auditor for eBay, and has also worked with aviation industry companies, including Boeing, Aviall, Global Eagle, and Gables Engineering. She has built risk programs and led internal and external audit teams, both as a GRC practitioner for Fortune 500 companies and as a consultant for Big Four cybersecurity consulting practices.

She is a frequent conference speaker for Fortinet, ISACA, ISC, Women In Cybersecurity, Women Who Code and ILTA, among others, addressing the challenges of modern risk management and the ARCI Risk Methodology that she developed for C1Risk.
