Breach reporting has changed drastically over the past year. The conviction of former Uber CSO Joe Sullivan for actively taking steps to hide a 2016 data breach — and subsequently holding back from fully disclosing details when questioned — certainly fed into a cascade of mandatory reporting rules and a spotlight on the CISO and CSO roles, prompting many top security chiefs to investigate their own breach disclosure processes and cyber risk strategies. Most recently, the Securities and Exchange Commission (SEC) required that any material cybersecurity incident be reported within four days of the company determining its impact.
Reporting a breach and its anticipated impact on a company invites considerable scrutiny from regulators, the public and potential litigation. In certain instances, an organization may even have to provide technical details relating to how certain vulnerabilities were compromised, as stated in the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Complying with regulatory disclosure requirements while balancing the need to protect the investigation and response efforts is not easy even on a good day. If an organization is impacted by multiple regulations across several countries or regions, a CISO is now maneuvering through a web of reporting, adding another layer of work to an already overstressed group of professionals. Gartner predicted earlier this year that almost half of cyber leaders will change jobs by 2025 and a full quarter will change career paths entirely due to the mental and emotional toll associated with their job.
The first-ever federal prosecution of a CSO or CISO for how they handled a breach can certainly add to that stress if they haven’t successfully built out a disclosure plan.
CISO accountability and the need for better collaboration
In the past, organizations sought to keep breaches quiet for a variety of reasons. Many times, this can be accomplished without breaking the law, but the shifting legal and regulatory landscape now requires that CISOs and CSOs consider their own personal liability and how best to reduce their exposure. However, it’s important to note that the case with Uber’s CSO was unique. It wasn’t his failure to disclose the breach of 57 million records and 600,000 driver’s license numbers, but his active effort to deceive regulators and the C-suite, including making factual assertions that were not true. Sullivan hid details from regulators, 10 days after he provided sworn testimony to the FTC. To maintain accountability with the Board and protect personal liability in the face of an incident, CISOs and CSOs need to set up a structure of delegation — an incident response plan that spans wider than their own teams.
It’s a well-known fact that a multi-departmental incident response plan should always be in the background, ready to go in case of a breach. CISOs should identity the key areas and contacts of the business that should be engaged, which include legal, IT/IT security and communications/PR, who are not bogged down with day-to-day security tasks and can help alleviate the pressure so that CISOs and their teams can focus on attending to the breach.
Being an effective security leader in today’s world is as much about people skills within the organization as it is the technical know-how. It is security leaders’ job to get all teams to buy in, as it is virtually impossible for one team to have eyes on every piece of the incident disclosure process. The legal team needs to be involved from the beginning, as do the communications and customer management teams, so that messaging can be effectively developed and disseminated after a breach occurs.
The broader impact of mandatory reporting laws
Ultimately, the actions being taken by the SEC, FTC, CISA and other agencies in putting forth breach disclosure mandates can be commended. The sharing of threat and incident intelligence takes the spotlight off any individual company and can bring us all together as an industry committed to a singular mission — protecting people. It’s important to understand that Sullivan was not charged for the breach occurring nor were the cybersecurity strategies in place during his leadership accused of being insufficient. He was found guilty of actively taking steps after the breach to hide the existence of the intrusion. Failure to report a breach, no matter how unequipped a security team claims they were, is bad, but actively hiding a breach is even worse.
This ruling has also been empowering security leaders. Although it may not have been true in the Sullivan case, some security leaders are pressured into sweeping things under the rug for the sake of public image. By placing real punitive measures in place to prevent that, the ruling helps spur security leaders to either walk away or blow the whistle in these instances. Rather than remaining on the defensive by refusing to share information for fear of industry backlash, organizations need to remember that the dissemination of incident intelligence helps the cybersecurity community better combat bad actors.
At the end of the day, while no security leader wants the threat of prosecution hanging over their head, a year out from the ruling, I think we are starting to see some positive culture shifts. The headline generating nature of this ruling brought more attention to what security leaders are held responsible for and it can be a rallying point for the whole industry to refocus on working together.