A couple of recent cybersecurity-related court cases brought back autumnal memories of growing up in the mountains of Utah. Those memories unavoidably included the sights and sounds of the annual deer hunt. Everyone in town knew when it was “open season.” In a somewhat disquieting manner, I’m sensing what strikes me as parallels between that world and that in which we as chief information security officers (CISOs) now live. Open season has been declared on CISOs.
The cases that triggered that impression include that of Joe Sullivan, former Chief Security Officer (CSO) of Uber, who is being criminally prosecuted for covering up a data breach, and that of Tim Brown, CISO of SolarWinds, who was sued in civil court.
As security executives are increasingly made the subjects of cyberattack litigation, there are a number of precautions CISOs should keep in mind.
Suing the CISO
Last year, a district judge allowed most of an investor lawsuit against SolarWinds to proceed. This specific case — fallout from the SUNBURST attack against the company — named the SolarWinds CISO (among others) and alleged that he displayed “severe recklessness” when he enthusiastically touted the security measures implemented at SolarWinds.
“Plaintiffs assert Brown’s title was Vice President of Security Architecture, he often appeared in interviews endorsing SolarWinds’ cybersecurity efforts, he was the face (literally) of the Security Statement page on the company’s website, and he addressed cybersecurity issues when they arose.”
SolarWinds countered that the case was without merit and should be dismissed:
"The Complaint does not contain a single factual allegation supporting any inference, much less a cogent and compelling inference, that the SolarWinds defendants intended to deceive investors into believing that SolarWinds was immune to cyberattacks or otherwise spoke with severe recklessness such that investors would draw that conclusion."
The court largely rejected their argument and toward the end of 2022 the company announced its intention to settle this lawsuit for $26 million. Since joining the CISO proved profitable in this case, there’s every reason to anticipate that future data breaches and cyberattacks may spawn additional class-action suits naming security leaders. Many plaintiff’s attorneys and their associated law firms avariciously watch case law precedent and pivot based on what works.
Prosecuting the CISO
Undoubtedly by now, you’ve also heard about former Uber CSO Joe Sullivan. He’s looking at up to 8 years in jail, following his conviction on charges related to the company’s 2016 data breach. Reportedly, this was the first time an executive faced federal criminal prosecution over response to a data security incident.
As I wrote in a recent column, a season of “attestations” is coming up later this year as the deadline for cybersecurity Executive Order 14028 approaches. This is an important, long-needed step in improving software supply chain security. Understandably, the pressure on cybersecurity leaders is likely to increase, as corporations turn to them as their attesters. If in the wake of such attestations a breach should occur, it’s disconcerting to think that one’s fate could lie in the prosecutorial discretion of an assistant United States attorney whose career aspirations could incline them toward prosecution.
Protecting the CISO
Time will only tell where all of this will take us. For now, however, these cases raise a red flag that CISOs ignore at their peril — a clarion indication of the very real possibility that they could be singled out and judged, based on their actions, e.g. attestations, or inactions, and held personally exposed in the litigation following a cyber incident. As a result, a re-examination of indemnification and how it’s applied in corporations seems appropriate. During my career, this has never been a significant point of conversation. Apparently, given the current environment, that now needs to change.
Can one be considered an “insured person” under an organization’s Director and Officers (D&O) coverage? How are “director” and “officer” defined? Many, if not most, public corporations define them narrowly, excluding a CISO from those called out in SEC Section 16 as officers, alleging that there are instead various statutory and common law indemnification provisions covering them and other employees of the corporation. These things are typically specified within one’s corporate policy. Cybersecurity leaders are, then, often overlooked when it comes to this type of D&O coverage, even though they rank as VPs or higher and are responsible for managing data breaches, the average of which costs millions and can disrupt one’s entire organization.
This clearly begs the question of whether one has discussed this situation with legal counsel. Is your organization protecting you or are they willing to? How is that documented?
Now, more important than ever, is the consideration of the following ideas:
- The inclusion of cyber incident disclosure guidelines in your incident response plan because what you say or do not say (and when) will be scrutinized after an incident.
- If you report to the board, the inclusion in board minutes the organization’s ongoing efforts to mitigate cyber risk.
The disparity in the application of indemnification provisions makes one wonder: Are we all truly “in the boat together” — rowing collaboratively — if only some in the boat are indemnified?
Open season on CISOs is apparently just emerging. That makes this the right time to have these conversations, exploring one’s options. Our plates as cybersecurity leaders are already full with a plethora of matters about which we might lose sleep. Additional matters are not needed. In an environment where diminishing talent is already a factor with which the world is struggling, we do not need this possibility looming as that which discourages talented individuals from considering and eventually entering the profession or encourages seasoned professionals to leave.