CyberSecurity SEE

CISOs Face Concerns as Cyber Disclosure Rules Remain Ambiguous and Criminalization Looms

Chief information security officers (CISOs) are facing increasing pressure to get cybersecurity incident disclosures right, with the recent sentencing of former Uber CISO Joseph Sullivan for his role in covering up a 2016 data breach underscoring the potential legal consequences of mishandling such incidents. SolarWinds CISO Tim Brown has called for greater clarity on the rules around disclosures, which currently form a complex web of regulations, executive orders, and case law that must be navigated before any impact on the business is even considered.

According to Brown, in the same way Sarbanes-Oxley prescribes steps for CFOs to prevent financial fraud, CISOs need regulations that outline cybersecurity requirements to prevent and respond to cybercrime on their watch. The stakes are high: while Sullivan was sentenced to three years’ probation for his role in attempting to bury Uber’s data breach, Judge William Orrick warned that future CISOs could face prison time for committing similar offenses.

The current rules are a maze, making it difficult for CISOs and cybersecurity teams to comply with disclosure requirements, leading to a rising need for in-house counsel and outside legal advisers to help navigate the process. Melissa Bischoping, director of endpoint security research at Tanium, urged enterprise security teams to coordinate with legal and communications stakeholders to ensure they comply with regulatory and legal requirements while providing the required information at the right time. For now, the rules remain excessively complicated, providing ample opportunity for enterprise cybersecurity teams to get it wrong.

US state attorneys general are pushing for tougher regulations around cybersecurity incident disclosures, leading to each state having its unique disclosure landscape riddled with broad, ill-defined requirements like taking “reasonable” actions to protect data. CISOs note this has created significant confusion, necessitating greater clarity on how to meet Colorado’s “Duty of Care” rules under the Colorado Privacy Act, which require reasonable action to be taken in protecting personal data. The slow churning of courts, regulatory bodies, and legislatures means it will take time for all parties to come to a consensus, but Brown foresees standardized rules for CISOs and their organizations likely emerging over the next few years.
