As the public grows more aware of the devastating impact of cyber incidents, regulatory agencies across the globe are tightening reporting requirements and strengthening penalties. In an effort to counterbalance the immense material risk posed by data breaches and cyber attacks, regulators have set a new precedent for cybersecurity enforcement – personal liability.
In late 2023, the US Securities and Exchange Commission (SEC) alleged that software company SolarWinds had failed to establish adequate security controls, practices and processes.
Crucially, the regulator said SolarWinds – the victim of a huge supply chain attack from a Russian cybercrime group, which led to breaches of US government agencies as well as private sector organisations – had misled investors about its cybersecurity posture.
The SEC has taken businesses to task before for poor cybersecurity and data mismanagement, but this case was different. For the very first time, the regulator brought charges against not only a company, but also an individual security executive – SolarWinds’ CISO, Timothy Brown.
Many of the charges were dismissed in an 18 July ruling by US federal district judge Paul Engelmayer, but charges of securities fraud, relating to statements made about SolarWinds’ Orion product, were upheld.
The SEC’s actions in this case marked a notably more aggressive approach from the regulator. According to Ilkka Turunen, field CTO at cybersecurity firm Sonatype, this is a result of the US National Cybersecurity Strategy, introduced in 2023, which requires businesses to maintain a minimum standard of software development with accompanying security protocols.
“No matter where you look, this move towards personal liability is happening,” Turunen says. In Europe, for instance, an addendum to the upcoming Cyber Resilience Act – the Product Liability Directive – introduces no-fault liability, meaning that even if software is misused by the end user, the onus will be on businesses to prove minimum security standards were met in the first place.
“The assertion that the CISO’s job is going to get much more dangerous is absolutely true,” Turunen warns.
Why CISOs are burned out
Despite their title, many CISOs do not hold a position in the C-suite. Therefore, although they have an enormous responsibility, they often enjoy fewer benefits and safeguards than the typical C-level leader. Specifically, CISOs are not always guaranteed protection under directors’ and officers’ (D&O) liability insurance – the corporate coverage that guards executives from personal liability charges.
This lack of protection is top of mind for many security leaders, according to the 2024 Voice of the CISO report by cybersecurity firm Proofpoint. For the second year in a row, the survey found that personal liability is an enormous concern for CISOs, who are grappling with more responsibilities and higher expectations.
The report found that 61% of information security chiefs in the UK are worried about personal liability – although this is down from 79% in 2023, when the SEC first filed charges against SolarWinds and its CISO. Moreover, 67% said they would not join an organisation that didn’t offer D&O protection for their role.
Concern over personal liability is exacerbating burnout among CISOs. Matt Cooke, strategist at Proofpoint, notes: “Most UK CISOs already agree that expectations on security chiefs are unrealistic and more than half have experienced or witnessed burnout in the past 12 months.”
And, he adds, the pressure is mounting. Security leaders are increasingly expected to have expertise across many competencies. They are often tasked with staying up to date on complex and rapidly evolving compliance and reporting requirements, as well as developments in data protection policy and case law. They must also possess the soft skills to communicate security needs effectively to other leaders and employees.
“Solving this problem must be a top priority if we want to ensure CISOs are equipped for their role now and in the future,” Cooke says.
Don’t panic
The emphasis on cybersecurity within organisations is growing, as is the interest in reducing harms to individuals and society. So says Rohan Massey, managing partner at global law firm Ropes & Gray London. “Because of this,” he continues, “we are seeing a greater focus on corporate accountability and personal liability. It’s a global trend.”
Although the SolarWinds case has understandably rattled some security professionals, actual charges against executives in the industry remain few and far between.
Most regulators take proportionality into account, and executives will likely avoid legal punishment so long as they can demonstrate that they made reasonable preparations for a cyber attack, were honest about those actions and can explain the steps taken to report and resolve an incident.
Regulatory enforcement can sometimes seem “a little bit draconian,” says Massey, who speculates that the intention behind harsher charges may be to establish industry norms that keep other businesses in line.
But he admits that the regulators’ mission – to reduce material risk and other harms – is reasonable and that these overseers have helped businesses to develop a better understanding of cyber risk.
More accountability is better for security
To get ahead of these pressures, it is important for security leaders to ensure they have enough gravitas in their organisation, explains Massey. This way, they can ensure that decisions about security are given appropriate weight at all levels of the organisation.
At the same time, leaders must establish robust governance protocols and perform regular audits of their IT estate to understand what data the business is responsible for, what it owns and the resources available to keep it secure. Audits will help leaders to determine what is secured and where the vulnerabilities lie. The findings should be documented, not only because doing so is good practice, but also as a record to show regulators if necessary.
“Where you have vulnerabilities, make sure you can get the right engagement across the organisation to address them in a reasonable timeframe,” adds Massey. This may require escalating or reiterating the issues to other senior leaders.
Leaders should also work to maintain consistent messaging. After all, a core part of the SolarWinds case was the alleged mismatch between external quarterly reporting statements and internal communications.
Ultimately, more accountability may be beneficial for the security of everyone. Although some senior leaders are understandably nervous about regulators becoming more aggressive, Marshall Erwin, CISO of cloud computing provider Fastly, believes that better accountability for executives “can be a healthy change if done right”.
He continues: “The standard for when there should be liability is still unclear. The concern is that CISOs are going to be held broadly responsible for the existence of security gaps. A reasonable set of security standards to determine what CISOs should and shouldn’t be held liable for hasn’t been defined yet.”
One way to address this is for regulators to develop their own internal cybersecurity expertise. Erwin suggests that regulators could help the security community be more effective by defining clear, reasonable standards that security professionals can actually live up to.