Click here to listen to this article via the BreachRx Blogcast
In the ever-evolving landscape of cybersecurity regulations driven by all too common data breaches and cyber incidents, the United States Securities and Exchange Commission (SEC) has introduced a new set of cybersecurity rules that have far-reaching implications. While the cybersecurity community is no stranger to compliance requirements, the SEC’s new cyber rules stand out due to their potential impact on Chief Information Security Officers (CISOs). Beyond the obvious, what’s being overlooked in coverage of the new directive is the potential for personal liability CISOs face and the increasing risk of whistleblower action undermining the status quo of minimal or delayed reporting.
Need help covering regulatory requirements during your incident response?
Leverage the BreachRx platform to automate incident reporting today!
The Significance of the New SEC Cyber Rules
At first glance, the SEC’s new cyber rules might appear to be just another addition to the complex web of data security laws worldwide. However, these rules are a game-changer, cementing a trend that has been growing in importance – attempting to hold CISOs and their companies accountable for the promptness and accuracy of their incident and breach notifications. These rules, scheduled to take effect this mid-December, elevate the responsibility of CISOs and other security leaders to an unprecedented level.
The recent issuance of Wells Letters to the CFO and CISO of Solarwinds, which signify a potential enforcement action, the FTC action on the Drizly CEO to improve its cybersecurity practices and those of any future companies, and the court ruling against the Uber CISO serve as powerful indicators that CISOs are squarely in the SEC’s crosshairs. These actions show that the US government is prepared to hold individuals accountable for data breach reporting. This enforcement approach is likely to become more commonplace, making it vital for CISOs to grasp the implications these rules could have on their roles and potential personal liability.
Overlooked: Personal Liability & Whistleblowers
What sets the SEC’s approach apart is the ability to pursue action against anyone found to be in violation of securities laws, which includes these new cyber directives. This sharp focus on personal liability stands in contrast to most data security laws to date, which rarely contemplate individual accountability for compliance failures. With the SEC looking to hold individuals accountable, a likely first target after an incident will be C-level titled individuals, like CISOs, who are in charge of cybersecurity incident response, governance, and risk management, and the person who should know if an incident or breach is material to the company.
In addition, the SEC’s whistleblower program, established through Dodd-Frank, offers a significant financial incentive for informants, especially employees of the company with detailed knowledge of events and actions (or lack thereof). Whistleblowers can receive 10% to 30% of any monetary penalty over one million dollars, a reward structure that has proven remarkably effective. This program has led to staggering results, with over $6.3 billion in monetary sanctions and $1.3 billion in combined payouts to whistleblowers. In fact, one award alone exceeded $279M to a single whistleblower.
The sharp increase in both the number and size of fines issued by the SEC underscores the seriousness of the situation. From 2021 to 2022 alone, the amount of monetary fines escalated by over 67%. The SEC office leading the whistleblower program is struggling to keep up with the increasing pace of tips, which exceeded 35,000 in 2022 and doubled from pre-pandemic numbers. The program is pushing to grow to 25 employees as soon as it can, a clear signal that the SEC, like other regulatory bodies, are tightening their grip on cybersecurity compliance.
The Dilemma of Documentation
Traditionally, some legal teams have advised companies to avoid putting anything in writing to protect themselves from potential liability. This strategy, while well-intentioned, has contributed to a lack of comprehensive reporting and detail, leading regulators to criticize companies for insufficiently informing investors and the public about cybersecurity risks. The dilemma lies in the balance between avoiding documentation that could potentially incriminate a company and providing enough information to satisfy regulatory expectations.
Let’s delve into a hypothetical scenario to illustrate the predicament: You, as a CISO, receive alerts about potential anomalies in event logs from a SOC analyst. The initial assessment in a standup meeting deems them insignificant, and a decision is made to monitor the situation. Over time, the anomalies evolve, and you verbally consult your General Counsel (GC) or Chief Legal Officer (CLO) to ensure a thorough evaluation, but collectively decide the anomalies are still immaterial. Subsequently, several months later, a significant cyber incident occurs, leading to extensive losses and regulatory scrutiny.
In this scenario, the SOC analyst who raised the initial concerns could be enticed by the allure of a substantial whistleblower reward because they know the issue was discovered months before the formal SEC notification. Without documented evidence of your decision-making process and materiality analyses, your position becomes vulnerable. The lack of an audit trail and comprehensive documentation could jeopardize your defense against potential accusations that you knowingly violated securities laws.
Will Typical Disclosure Language Cut It Moving Forward?
Given the increased regulatory scrutiny around the globe, it’s similarly unlikely that companies can continue to use standard response readiness disclosure without facing additional risk of post-incident action. This basic language has been tuned by legal teams to meet the absolute lowest bar of requirement. For example:
“Each year, the Company engages a third-party expert to oversee a cybersecurity incident response exercise to test pre-planned response actions from the Company’s Information Security Incident Response Plan and to facilitate group discussions regarding the effectiveness of the Company’s cybersecurity incident response strategies and tactics.”
This language says very little about readiness, inviting more questions than answers. CISOs need to consider how this generic language looks to customers, partners, and regulators post-breach. Instead, companies should consider something more specific, such as:
The Company strives to proactively prepare for cybersecurity incidents, investing in incident response planning technology that tailors specific response actions to the Company and to a range of types of incidents. This technology allows the Company to demonstrate its preparedness exceeds global cybersecurity compliance requirements for incident response and covers contractual, regulatory, and legal obligations as part of its processes. The business leadership participates in at minimum biannual readiness exercises based on real-world threats to the company, its industry, and its geographies, supported by third-party experts. The board and executive staff participate in regular discussions regarding the effectiveness of the Company’s cybersecurity incident response strategy and program.
This example demonstrates a significant focus on incident response planning, testing, and execution with only a minor increase in level of effort for cybersecurity teams. Especially given the potential for personal liability on top of regulatory action, CISOs would be wise to push their legal teams and leadership to commit to raising the bar and setting a higher standard than their peers and competitors.
CISOs: Safeguard Yourself from SEC Scrutiny
Given the impending enforcement of the SEC’s new cyber rules, CISOs need to proactively protect themselves and their organizations. Relying solely on a written incident response (IR) plan and manual processes using ticketing, chat, and ITSM response solutions is no longer sufficient. CISOs must establish a robust audit trail that meticulously records every stage of an incident investigation. This includes the development of facts, thorough analyses of materiality, and all decision-making processes related to the incident.
Imagine if, in the hypothetical scenario presented earlier, you had a comprehensive audit trail at every stage of your response. Such documentation could serve as a powerful defense against potential accusations and showcase your dedication to thorough analysis and compliance. By embracing transparency and comprehensive documentation, CISOs can elevate their credibility and mitigate personal liability risks.
The SEC’s approval of new cybersecurity requirements is a significant stride for corporate security practices. These regulations are intended to force public companies to improve their security posture and provide government increased awareness into evolving threats. Despite challenges, existing automation technologies like the BreachRx incident management platform and Cyber RegScout™ fulfill these requirements and ease compliance burdens. Such automation not only aids compliance but also streamlines incident response planning and testing, saving at least $1.5M during an incident and enabling faster alignment with global cybersecurity frameworks. Beyond regulatory benefits, it enhances team collaboration, minimizes incident impact, and accelerates overall response. Ultimately, automation empowers organizations to decisively prioritize and respond to security incidents, fortifying cyber resilience across the business.
Embracing the New Era of Accountability
The age of minimizing documentation to protect against potential liability is over. The stakes are too high, and the new focus on personal accountability and the risk of whistleblowers from within demand a shift in approach. CISOs must not only prioritize robust cybersecurity measures but also meticulously document their decision-making processes and materiality assessments. By embracing this new era of accountability, CISOs can navigate the complex landscape of cybersecurity regulations with confidence and safeguard their organizations, and themselves, from potentially devastating consequences.
As the cybersecurity landscape continues to evolve and more states, sector-specific regulators, and countries pass cybersecurity, privacy, and data breach notification laws around the world, CISOs will only continue to face a growing, heightened risk of personal liability. This intersection of whistleblowing incentives, escalating fines, and stringent regulations places CISOs under a magnifying glass. The days of minimizing and even evading documentation are behind us. CISOs must adapt to this new era, armed with comprehensive audit trails that showcase their commitment to diligent analysis and compliance. By embracing transparency and meticulous planning and record-keeping enabled by automation, CISOs can navigate these challenges with confidence, protecting both themselves and their organizations from the potentially severe repercussions of non-compliance.
Greenhill Strengthens Readiness with BreachRx
Find out how the leading investment bank is getting ahead of privacy & security incidents