The rapid evolution of cybersecurity liability for security chiefs, management, and information security professionals
Cybersecurity liability is changing rapidly and has become a boardroom (and personal) matter in 2024, with increasing threats that pose significant challenges to organizations globally. In this environment, the role of Chief Information Security Officers (CISOs) and information security professionals has expanded far beyond technical security measures. Directors and upper management can now be personally held accountable for their customers’ data security. Individuals within an organization are now confronted with a rapidly evolving slew of liability regulations that can directly affect their professional and personal lives.
As if the duties of the modern CISO aren’t hard enough… personal cybersecurity liability was one of the topics on the lips of attendees at RSA this week and is a justified concern for those in the role of CISO with already high levels of responsibility and professional stress.
The New Scope of Cybersecurity Liability
Even a single instance of negligence can have catastrophic consequences, potentially driving a business into bankruptcy—and general liability insurance, unless it is a dedicated cybersecurity policy, invariably doesn’t cover professional negligence related to IT security incidents. For cybersecurity professionals, this further underscores the importance of compliance. If we’re not fulfilling our legal obligations, we’re exposing ourselves—and our organization—to claims of professional negligence.
With the increasing frequency and severity of cybercrime, CISOs and information security professionals are finding themselves individually named as defendants in legal proceedings, facing regulatory, shareholder, and even criminal actions. The stakes have never been higher, and understanding this evolving liability framework is crucial for security chiefs navigating these complex waters.
Key Factors Contributing to Increased Cybersecurity Liability
- Regulatory Actions: Regulatory bodies are tightening data protection and privacy standards, enforcing fines and penalties for non-compliance.
- Shareholder Actions: Shareholders are increasingly holding companies accountable for data breaches that impact the value of their investments.
- Criminal Prosecution: Authorities are pursuing criminal charges against individuals for willful neglect, fraud, or intentional mismanagement of cybersecurity protocols.
Legislative and Regulatory Landscape
Multiple laws and cybersecurity standards impose accountability on individuals responsible for cybersecurity best practices:
- General Data Protection Regulation (GDPR)
GDPR is a comprehensive data protection regulation that applies to organizations handling EU citizens’ data, regardless of the company’s location. Article 82 states that any person who has suffered material or non-material damage due to a GDPR infringement is entitled to compensation. Data controllers and processors can be held jointly liable, and fines can reach up to €20 million or 4% of global annual turnover, whichever is higher. In the event of gross negligence, CISOs and DPOs (Data Protection Officers) can be individually prosecuted.
- California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
The CCPA/CPRA grants California residents significant data privacy rights. Organizations and individuals that fail to protect consumer data can face lawsuits with fines of up to $7,500 per intentional violation, plus statutory damages of $100–$750 per consumer per incident.
- Securities and Exchange Commission (SEC) Cybersecurity Disclosure Requirements
Public companies must disclose cybersecurity risks and incidents that could materially affect their business. Companies and executives may face shareholder lawsuits for non-disclosure or misleading statements, and financial penalties vary based on case specifics.
- Sarbanes-Oxley Act (SOX)
SOX sets strict requirements for financial reporting. CISOs and executives are liable for ensuring adequate internal controls over data accuracy and security, with fines of up to $5 million and imprisonment for up to 20 years for willful violations.
- Health Insurance Portability and Accountability Act (HIPAA)
HIPAA governs the protection of health information in the U.S. Healthcare organizations and their executives can face civil and criminal charges for breaches, including civil fines of up to $1.5 million and criminal penalties with imprisonment for up to 10 years.
- New York Department of Financial Services (NYDFS) Cybersecurity Regulation
NYDFS requires financial services companies to implement cybersecurity programs. CISOs and executives are liable for ensuring program compliance, with fines reaching $250,000 per violation.
- Federal Trade Commission (FTC)
The FTC enforces consumer protection laws, including data privacy, and can bring cases against companies and individuals for unfair or deceptive practices. Fines vary based on case specifics, and criminal charges are possible.
Examples of CISO Liability
Prosecution is not without precedent; several notable cases have made front-page news.
Uber’s former CISO, Joe Sullivan, was charged with obstruction of justice and misprision of a felony for allegedly covering up a data breach affecting 57 million users. Sullivan was convicted, marking a historic case where a CISO was held criminally liable.
Following the Equifax data breach affecting 147 million Americans, the company’s former CIO, Jun Ying, was charged with insider trading for selling shares before the breach was disclosed. Ying was sentenced to four months in prison and fined $55,000.
Preventative Measures to Mitigate Cybersecurity Liability
To prevent liability and meet industry standards, organizations must implement comprehensive cybersecurity strategies:
- Asset Discovery and Management: Use a platform that provides automated discovery of all devices, applications, and services within the network. This offers a clear and complete inventory, ensuring all assets are accounted for and protected.
- Behavioral Analytics and Baselines: Leverage behavioral analytics to establish baselines for normal activity across devices, users, and applications. Detecting deviations and potential threats early allows for rapid response.
- Microsegmentation and Network Segmentation: Implement microsegmentation tools and policies to isolate and protect critical systems from unauthorized access. By detecting and blocking lateral movement, this limits the scope of attacks and reduces the potential impact of breaches.
- Zero Trust Security Model: By adopting zero trust principles, such as least-privilege access and continuous verification, organizations actively counter insider threats and reduce their exposure to external attacks.
- Continuous Compliance Monitoring: Deploy a platform that monitors compliance with security standards in real time. This ensures adherence to regulations like GDPR, HIPAA, and SOX, preventing penalties and reducing liability.
- Automated Policy Enforcement: Automate policy enforcement across devices, applications, and users to reduce the chance of human error and ensure consistent application of security measures.
- Incident Response Automation: Implement automated incident response workflows to contain and remediate threats quickly. This shortens response times, reduces the impact of breaches, and demonstrates proactive risk management.
- Privileged Account Management: Monitor and control privileged account access to sensitive data and systems. This prevents unauthorized use and potential abuse of high-level credentials.
- Comprehensive Reporting and Documentation: Generate detailed reports on security activities, incidents, and compliance status. By providing evidence of due diligence and proactive risk management, such documentation greatly smooths audits and legal proceedings.
- Regular Security Audits and Testing: Conduct regular internal and external audits, including penetration testing and vulnerability assessments, to identify gaps in security controls and validate the effectiveness of existing measures.
Get it in Writing and Reinforce the Risk
Let’s be honest here. In some cases of a breach, it’s possible that someone higher up the decision-making chain within an organization has ignored the warnings raised—probably by an individual on our security team. It might have been due to budget constraints or the inconvenience of operational impact, but ultimately, that decision rests with them (the higher-up). For this reason, as security professionals, we must be sure to have it in writing. They’re choosing to accept the risk, and it’s our job to ensure that the decision is an informed one.
Document everything to prove the information was communicated and that the choice not to act wasn’t ours. CIOs, CISOs, and even CEOs have been fired for failing to communicate certain risks to their boards. When conveying such information, it’s crucial to clearly outline, in business terms, the nature of the risk and the potential impact if the threat materializes. We need to reinforce the importance of our recommendations, the cybersecurity risk, and the gamble with business continuity that inaction would entail. This applies regardless of our position on the organizational chart.
Final Words
As the role of security chiefs and information security professionals becomes more complex and cybersecurity liability increases, it’s crucial for organizations to adopt comprehensive cybersecurity measures that align with industry standards and regulations. By leveraging advanced security platforms that offer asset discovery, behavioral analytics, microsegmentation, and automated policy enforcement, CISOs can significantly reduce their personal and organizational risk.
Ultimately, the rapid evolution of liability means that security chiefs must not only defend their networks but also protect themselves through robust compliance and proactive cybersecurity strategies.