What Companies & CISOs Should Know About Rising Legal Threats

COMMENTARY

A new era of litigation is threatening the cybersecurity community. In just the last 18 months, Tesla sued two ex-employees for cybersecurity breaches, the Federal Trade Commission (FTC) successfully charged Uber's former chief information security officer (CISO) for concealing a data breach, and the Securities and Exchange Commission (SEC) charged SolarWinds and its CISO with fraud due to nondisclosures and misstatements about the company's cyber-risk. In addition to corporate and government enforcement, companies are being served with class-action lawsuits for data breaches. 

For publicly traded companies, failure to report or disclose internal control deficiencies and incidents are investigated by the SEC and relevant jurisdictions. Private companies are not immune to these liabilities, as federal, state, and local jurisdictions mandate cybersecurity accountability. For instance, the New York Attorney General's Office is leveraging the regulatory authority of the state's Department of Financial Services (DFS) concerning digital assets. In another example, the FTC took action against the online alcohol marketplace Drizly, a privately held company, for allegations of security failures that led to a data breach.

Some say the SEC regulates only publicly traded companies, but the agency also has jurisdiction over many private companies. Under federal securities laws, every security that buys or sells shares or investments must be registered with the SEC. This includes companies of all sizes, private and public.

Security Officers Are Taking the Hits 

In this environment, many cybersecurity leaders are shunning CISO roles for a less risky path, while others are concerned about the future of their entire profession. In an effort to reduce their statistical exposure to legal ramifications, some companies are frequently changing CISOs and some CISOs are switching companies every couple of years. Uber dissolved its CISO role entirely to adopt a distributed responsibility model. It seems like many are taking steps backward and moving in different directions. Is this progress? Will there be any CISOs in the future? 

As cybersecurity threats and government enforcements increase, companies and CISOs are more vulnerable than ever. While a balanced "carrot and stick" approach is essential, we also need programs to help address deficiencies. Here are some areas where we can collectively improve as a community. 

Sufficient Security Budgets to Get Things Done

Companies should be held accountable for the cybersecurity budget. Cybersecurity initiatives begin with the tone set from the top. CEOs, CFOs, and boards of directors should take responsibility for establishing cybersecurity budgets equal or higher to other essential back-office functions, such as human resources, finance, and IT. Cybersecurity requires tools and resources to effectively fulfill its role and mitigate internal control deficiencies. 

Recognition That Third-Party Attestation May Not Address All Risks

I often find myself in discussions about audits for compliance or security risk. Companies should engage in risk-based audits to address security risks beyond the compliance scope. This proactive approach can establish a governance structure for independent cyber-risk reporting that is communicated both from the top down and the bottom up. 

It May Be Hard to Discern Between Security Researchers and Criminals

Penetration tests used to carry more weight because they focused on finding meaningful exploitable attacks. But in the past 10 years, penetration testing turned into a costly compliance-driven duty. Although pen-test findings are significant, they are easily detectable with routine vulnerability scans. Instead, some CISOs turn to bug bounty programs to reward individuals with recognition and compensation for reporting software bugs. However, bug bounty programs must discern the fine line between security researchers and bad actors. Bug bounty programs may create an additional layer of complexity: When does a bug bounty turn into an incident? Who are you engaging with and are they a security researcher, a criminal, or someone walking a fine line in between? We need a better approach to elevate penetration strategies' business impact. Perhaps we also need to invest in ways to help people turn their bug-finding hobby into a fruitful profession in cybersecurity. 

Government Enforcement on Non-Officers Is Not Fair

The existing governance structure for CISOs creates significant challenges. Reporting may result in termination, while failure to report could lead to personal accountability by the government. This polarizing conflict is unhealthy for the entire cybersecurity community.

Security officers are employees contracted to protect businesses. Employees should not be personally prosecuted for simply doing their job. Corporate governance must originate from the top: the officers and board of directors. Therefore, we should be wary of holding individuals liable without having clearly defined rules of engagement in place. Just as clearly defined malpractice rules govern a doctor's rights to practice medicine, the government and the private sector must establish malpractice rules for security officers to level the playing field.