Navigating the New Security Governance Reality: A Guide for CISOs, CEOs, BODs and Security Teams
This is the first in a series of articles covering rapid changes in security governance
John Morello | January 2, 2024
First, the law came for Joe Sullivan. The former Uber CISO was convicted in 2022 of federal charges of obstruction of justice and misprision of a felony for covering up a 2016 breach in which the personal information of Uber drivers and riders was stolen.
Next on the docket is Tim Brown, the CISO of SolarWinds, the network management vendor whose Orion product was trojanized in a supply chain attack that pushed a malicious update to roughly 18,000 customers, including U.S. federal agencies. An SEC complaint filed in October 2023 charges SolarWinds and Brown with fraud and internal control failures, alleging that the company misrepresented its security practices and downplayed the severity of the attack, and that Brown, as CISO, bore personal responsibility for the company's cybersecurity posture.
On the heels of these cases came a new SEC rule requiring public companies to disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is material. The clock starts at the materiality determination, not at discovery, but the rule still puts a much heavier onus on the CISO and their team to detect, triage, and assess incidents at a much faster pace. The cost of a mistake, or even of hesitating, has gone up, and with it the pressure on CISOs, the CEOs they report to, and their boards.
Disclosure Laws, Privacy Regulations Alter the Landscape
These cases are just a few of many developments in an accelerating trend toward more complexity and more potential liability in security governance. Stricter expectations of how companies respond to incidents, and laws governing security practice, are starting to bite.
In the European Union, a series of new laws, including the forthcoming Cyber Resilience Act, is putting a heavier burden of security liability on companies that build and sell technology products. The existing EU data protection law, the General Data Protection Regulation (GDPR), is being applied ever more widely to fine companies that fail to notify their supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), fail to promptly inform affected individuals when the breach poses a high risk to them (Article 34), or fail to maintain security measures appropriate to the risk, such as fixing the root cause that let an attacker in (Article 32).
In 2023 alone, EU regulators levied roughly €2 billion in GDPR fines, including a record €1.2 billion (about $1.3 billion) fine against Meta over transfers of EU users' data to the United States and a €345 million fine against TikTok over its handling of children's data.
In the U.S., the Department of Health and Human Services' Office for Civil Rights (OCR), which enforces HIPAA, reached a six-figure settlement with a mid-sized healthcare organization over HIPAA Security Rule failures exposed by a phishing attack. It was the first HIPAA enforcement action stemming from a phishing incident and a wake-up call for healthcare CISOs and CEOs.
More and more states are adding their own privacy and breach notification laws, adding security governance complexity and making the life of a CISO ever more challenging. These states include:
These laws differ considerably in how they define covered data and in the disclosure periods they allow.
Some states cover medical and biometric information and even usernames and passwords. Others stick to more basic identifiers such as Social Security numbers and driver's license numbers. California's law also covers biometric data, email addresses in combination with passwords, and health insurance information. Many state laws require companies to notify potential victims as soon as practicable, and no later than 30, 45, or 60 days after discovering the breach and data loss, depending on the state.
The Uber CISO Case: A Wake-Up Call
The jury verdict holding Uber's former Chief Information Security Officer (CISO) personally and criminally liable is a stark reminder of the personal stakes involved in cybersecurity governance. This precedent-setting case highlights the legal exposure of CISOs whose organizations fail to disclose information about breaches and attacks. In this instance, the CEO drove the decision not to disclose, but the CISO paid the price.
Cases like these might also drive CISOs toward overly conservative behavior. An unintended consequence may be that the verdict makes it harder to recruit good CISOs for roles now perceived as riskier. Many CISOs also questioned the case as conflating hesitancy and a cautious approach to disclosure with dishonesty and rule-breaking.
The reality is that no breach or loss disclosure happens in a business vacuum, and many actors may seek to influence the course of a cyber response. In this case, however, the absence of a rigorous disclosure process, and of compliance mechanisms to verify that the process was actually followed, came back to haunt Uber and, in turn, the CISO profession.
Whistleblower Complaints: A New Threat Vector
The U.S. Securities and Exchange Commission's (SEC) new cybersecurity incident disclosure rules have introduced risks of their own. In November 2023, the AlphV (BlackCat) ransomware group reportedly breached the information systems of MeridianLink, a software company providing digital lending solutions. After exfiltrating data, the group not only demanded a ransom but also took the unprecedented step of filing a whistleblower tip with the SEC against MeridianLink, alleging that the company had failed to disclose the incident publicly within the four business days required by the SEC's new rule. (The rule's compliance date for most registrants was December 18, 2023, so the obligation had not yet taken effect when the tip was filed, and MeridianLink said it had found no evidence that production systems were accessed.)
The SEC's final rules require registered companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material. AlphV's move to file a whistleblower complaint represents an escalation in ransomware tactics. By leveraging the SEC's regulations, the group aimed to raise the pressure and potential costs for MeridianLink by increasing the likelihood of a regulatory investigation, which could be costly and damaging to the company's reputation and business operations.
This approach illustrates how threat actors are becoming increasingly sophisticated, not only in their technical capabilities but also in their understanding of regulatory and corporate pressures.
The SEC has not publicly commented on how it will handle whistleblower complaints initiated by threat actors, and the likelihood that AlphV would ever directly profit from the filing is slim. (Under the SEC whistleblower program, an eligible tipster can receive 10% to 30% of the monetary sanctions collected when the tip leads to a successful enforcement action with sanctions over $1 million.) However, the law of unintended consequences suggests this is only one of many unforeseen complications that will flow from the new rules and the environment they create.
The Cost of Breaches Soars: Boards and Investors Are On Alert
High-profile breaches and disclosure failures at companies like MGM, Clorox, Boeing, and particularly Okta, which lost roughly $2 billion in market capitalization in the days after announcing its breach, illustrate the substantial financial and reputational risks involved. In particular, the growing wave of ransomware attacks is causing material harm.
Okta's breach was primarily reputational. The attacker used a compromised service account to reach Okta's customer support case management system and downloaded HAR (HTTP Archive) files that customers had uploaded while troubleshooting. Those browser captures still contained live session cookies and tokens, which the attacker replayed against a small number of Okta customers. Okta later acknowledged that the attacker had also downloaded a report listing names and email addresses of all users of the customer support system, so the incident touched essentially every Okta customer.
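Okta's own post-incident guidance was to sanitize HAR files before sharing them with support. The block below is an added example, written for this article and not code from Okta or the original page, of what such a scrub looks like: it redacts credential-bearing headers, every cookie value, token-like query parameters (in both the parsed query and the raw URL), known secret keys in JSON bodies, and anything shaped like a JWT, then audits the result. The header and field names it treats as sensitive are an assumed default list, and the sample capture is constructed, not a real HAR.

```python
"""Redact credentials and session tokens from a HAR (HTTP Archive) before it leaves your hands.

Added example; not Okta's tooling. A HAR is JSON with log.entries[], each holding a request
and response with headers[], cookies[], queryString[] and optional bodies. The names below
are an assumed default set, not an exhaustive list for any particular product.
"""
import json
import re
from copy import deepcopy

REDACTED = "[REDACTED]"

# Header names that carry credentials or session identifiers (matched case-insensitively).
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token", "x-xsrf-token",
}
# Body / query parameter names that commonly carry secrets (assumed defaults).
SENSITIVE_KEYS = {
    "access_token", "id_token", "refresh_token", "session_token", "sessionToken",
    "password", "client_secret", "token",
}
# Anything shaped like a compact JWT: three base64url segments, header segment starting "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")


def _redact_named(pairs, names):
    """Blank the value of every {name, value} pair whose lower-cased name is in `names`."""
    for p in pairs:
        if p.get("name", "").lower() in names:
            p["value"] = REDACTED


def _redact_text(text):
    """Redact JWT-looking strings, then, if the body parses as JSON, known secret keys structurally."""
    if not isinstance(text, str):
        return text
    text = JWT_RE.sub(REDACTED, text)
    try:
        obj = json.loads(text)
    except ValueError:
        return text  # not JSON: the regex pass is all we can do

    def walk(o):
        if isinstance(o, dict):
            return {k: (REDACTED if k in SENSITIVE_KEYS else walk(v)) for k, v in o.items()}
        if isinstance(o, list):
            return [walk(v) for v in o]
        return o

    return json.dumps(walk(obj))


def sanitize_har(har):
    """Return a deep copy of `har` with secrets redacted; the input object is left untouched."""
    har = deepcopy(har)
    lower_keys = {k.lower() for k in SENSITIVE_KEYS}
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            _redact_named(msg.get("headers", []), SENSITIVE_HEADERS)
            for c in msg.get("cookies", []):  # every cookie value is a potential session id
                c["value"] = REDACTED
        # Tokens in the URL: fix both the parsed queryString and the raw url field.
        _redact_named(req.get("queryString", []), lower_keys)
        if "url" in req:
            for name in lower_keys:
                req["url"] = re.sub(rf"(?i)({re.escape(name)}=)[^&#]*", r"\g<1>" + REDACTED, req["url"])
        if "text" in req.get("postData", {}):
            req["postData"]["text"] = _redact_text(req["postData"]["text"])
        content = resp.get("content", {})
        if content.get("encoding") == "base64":
            content["text"] = REDACTED  # cannot inspect safely, so drop the body outright
            del content["encoding"]
        elif "text" in content:
            content["text"] = _redact_text(content["text"])
    return har


def count_leaks(har):
    """Audit helper: sensitive header/cookie/query values not redacted plus JWT-looking strings (0 = clean)."""
    lower_keys = {k.lower() for k in SENSITIVE_KEYS}
    leaks = len(JWT_RE.findall(json.dumps(har)))
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            leaks += sum(1 for h in msg.get("headers", [])
                         if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED)
            leaks += sum(1 for c in msg.get("cookies", []) if c.get("value") != REDACTED)
            leaks += sum(1 for q in msg.get("queryString", [])
                         if q.get("name", "").lower() in lower_keys and q.get("value") != REDACTED)
    return leaks


JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlLXN0dWJiZWQ"  # constructed, not a real token

# Constructed sample capture (not a real HAR): a login POST followed by an authenticated GET.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "POST", "url": "https://example.test/api/login",
                 "headers": [{"name": "Content-Type", "value": "application/json"},
                             {"name": "Cookie", "value": "sid=abc123"}],
                 "cookies": [{"name": "sid", "value": "abc123"}], "queryString": [],
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"user": "alice", "password": "hunter2"})}},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly; Secure"}],
                  "cookies": [{"name": "sid", "value": "def456"}],
                  "content": {"mimeType": "application/json",
                              "text": json.dumps({"access_token": JWT, "expires_in": 3600})}}},
    {"request": {"method": "GET", "url": "https://example.test/api/me?access_token=tok123&fmt=json",
                 "headers": [{"name": "Authorization", "value": "Bearer " + JWT}], "cookies": [],
                 "queryString": [{"name": "access_token", "value": "tok123"}, {"name": "fmt", "value": "json"}]},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "text/plain", "text": "ok"}}},
]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(f"leaks before: {count_leaks(SAMPLE_HAR)}, after: {count_leaks(clean)}")
    print(json.dumps(clean, indent=1))
```

Run the audit before and after, and refuse to upload anything for which `count_leaks` is non-zero. Dropping base64-encoded bodies outright rather than decoding them is a deliberate choice: a binary response is rarely needed for a support case, and a token hidden in one is exactly what this incident turned on.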
Clorox and MGM suffered ransomware attacks that caused massive business interruptions. MGM slot machines and IT systems were offline for extended periods, and Clorox was forced to warn of a $100 million potential revenue hit caused by delays in shipping products.
More recently, mortgage servicer Mr. Cooper warned shareholders of a roughly $25 million cleanup bill after what appeared to be a ransomware attack. These impacts, and the increasing sophistication of attacks, ratchet up the pressure on CISOs not only to ensure that security process improvements are actually followed, but also to put in place air-tight forensics and process capture so that any incident, and the response to it, is documented.
A New Landscape Means New Models
The new landscape demands a reevaluation of traditional security governance models. Organizations must now weigh the expanded personal and corporate liability, the realities imposed by new disclosure laws, and the processes and tooling required to meet them.
For CISOs, CEOs, BODs, and security teams, the new security governance landscape presents a markedly more complex array of challenges and responsibilities.
Staying ahead of these changes requires a proactive approach with a focus on compliance, transparency, and strategic risk management.
Download our ebook "Process Mining: The Security Angle" for insights into the new strategies organizations need to implement to stay ahead of the multifaceted threats they face.