The New Liability Reality for CISOs
This is the third in a series of articles covering rapid changes in security governance
John Morello | January 16, 2024
The conviction of former Uber CISO Joseph Sullivan by a jury in a Federal Court was the first time someone in this role was convicted of a felony resulting from their actions in responding to a cyberattack. At its core, the case hinged more on Sullivan’s failure to disclose a new breach to Federal investigators shortly after they had interviewed him for an ongoing investigation at Uber.
A second pending case against Timothy Brown, the CISO of SolarWinds, indicates that CISOs can expect greater personal liability for their actions in reporting and mitigating security breaches.
This is new territory. CISOs have not traditionally been thought of as personally liable for security incidents or the responses to them. Corporations often did not purchase Directors & Operators liability insurance for CISOs, reserving that for other C-Suite occupants. While CISOs worked closely with legal teams to determine the right policies for complying with the law, the Uber case involved company attorneys accepting immunity in exchange for testimony against Sullivan.
With the SEC case against Brown, the charges allege that public statements made by SolarWinds about incident impacts contradicted internal statements. These cases are forcing a reckoning in the CISO community and a new approach to security governance to minimize personal liability.
Ways CISOs Should Change Security Governance to Reduce Liability
There five some common sense changes to security governance CISOs can pursue to reduce their legal exposure:
- Increased Focus on Documentation and Records: To minimize liability, CISOs must improve documentation of security processes and keep detailed records of actions taken and team communications during incident responses and other critical security operational activities. CISOs should preserve presentations, emails, and other communications for extended periods to better enable due diligence and create a clear record of their actions and intent. For their own well-being, CISOs should insist on robust enterprise knowledge management and document and communications indexing to ensure that internal communications are easy to search and navigate.
- Default, Automated Reporting: CISOs should implement detailed, automated reporting using security governance and operations aggregation tools. Reports should be system-generated from ongoing metrics capture and security observations. This approach ensures that notification is transparent and automated and puts the onus on all recipients to remain informed. Recipient lists should be determined by the CISO, legal team, and C-Suite to match best practices for disclosure and security governance as determined by the legal team.
- Closer Scrutiny of External Communications and Disclosure for Potential Conflicts: In the case of SolarWinds, the SEC specifically cited internal presentations by the CISO voicing concerns about the security of systems against external attackers. Such concerns were not included in SolarWinds' public risk statements. The key problem is the disconnect between what the CISO states internally and what the organization states publicly. Often a CISO has no control over public statements. For that reason, a CISO should assume that any internal presentation could ultimately become discoverable for litigation or published online. To cover their liabilities, CISOs should make explicit statements in any internal documents indicating what information is material and should be disclosed to comply with the law.
- Shift Towards Earlier Disclosure and Overdisclosure: In most cases where CISOs are faulted, the point of contention is not how incident response is conducted but when an incident or data breach is disclosed and the degree of disclosure. The hesitancy to disclose for fear of reputational damage leading to lost customers and revenues is counterbalanced by stronger legal requirements to disclose and the resulting bad publicity of “disclosure sprawl.” An example of this is the Okta incident in the fall of 2023 when the company slowly widened its admissions from a few customers to all customers subject to information leakage from a breach. A better approach is to detail the known scope of exposure and concede that the final scope is unknown and may be revised upwards.
- Implement Programmatic Monitoring of Security Governance Processes: To ensure that they have good information on what is really happening in security governance, CISOs must monitor processes programmatically to verify that incident response playbooks are followed. This includes monitoring engagement with legal teams to document when they are informed and how their inputs inform incident response efforts. Newer forms of artificial intelligence make analysis of conversational data more accessible and applicable. This type of monitoring also simplifies post-incident audits required by law enforcement.
Programmatic monitoring also facilitates third-party investigations, something that Uber was criticized for failing to accommodate as it worked through root cause and response analysis of its data breaches.
CISOs Can Address Liability Through Common Sense Changes
Security is a messy business. Incident responses are chaotic. Communications and information sharing between humans are inexact and may create false impressions of malicious intent. Projecting increased personal liability in this already unsettled environment raises the stakes for CISOs. Shifting security governance to emphasize early and complete disclosure, monitoring and capture of processes, eliminating discrepancies in reporting, and automating the reporting process help contain CISOs’ personal liability.
Staying ahead of this new security governance landscape requires a proactive approach. For CISOs, CEOs, BODs, and security teams, the focus must be on compliance, transparency, and strategic risk management.
Download our ebook "Process Mining: The Security Angle" for insights into other governance strategies organizations should incorporate to stay ahead of evolving cyber threats.