A new era of litigation is posing significant threats to the cybersecurity community, with several high-profile cases shedding light on the legal vulnerabilities faced by companies and their security officers. In the past 18 months, we have seen an increase in lawsuits and enforcement actions against individuals and organizations involved in cybersecurity breaches and data incidents.
Tesla’s legal actions against former employees for cybersecurity breaches, the FTC’s charges against Uber’s former chief information security officer (CISO) for concealing a data breach, and the SEC’s fraud charges against SolarWinds and its CISO for misrepresenting cyber-risk information are just a few examples of the growing legal scrutiny around cybersecurity.
Furthermore, the rise in class-action lawsuits for data breaches and the enforcement actions by regulatory bodies like the SEC and state Attorney General Offices are adding layers of complexity and accountability for companies, both publicly traded and private. This raises concerns about the future of the cybersecurity profession and the role of security officers in mitigating legal risks.
Many cybersecurity leaders are now hesitant to take on CISO roles due to the perceived legal exposures and liabilities associated with the position. Some companies are opting for a distributed responsibility model, while others are frequently changing CISOs to reduce their legal risks. This raises questions about the long-term viability of the CISO role and the overall direction of cybersecurity leadership in organizations.
As companies and CISOs navigate this challenging landscape, there are several areas where the cybersecurity community can collectively improve to address legal vulnerabilities and enhance cybersecurity practices.
One critical aspect is ensuring sufficient security budgets to effectively carry out cybersecurity initiatives. CEOs, CFOs, and boards of directors should prioritize cybersecurity funding on par with other essential back-office functions to mitigate internal control deficiencies and enhance security measures.
Another area of improvement is recognizing that third-party attestation may not address all cybersecurity risks. Companies should engage in risk-based audits to identify and address security risks beyond compliance requirements, establishing a governance structure for independent cyber-risk reporting.
Additionally, distinguishing between security researchers and cybercriminals is becoming increasingly challenging in the age of bug bounty programs. Security officers must navigate this fine line and ensure that bug bounty programs do not inadvertently engage with malicious actors.
Moreover, the current governance structure for CISOs poses a dilemma: reporting an incident may lead to termination, while failing to report one could result in personal accountability. It is essential to establish clear rules of engagement and accountability for security officers that protect individuals from undue legal exposure while ensuring accountability at the organizational level.
In conclusion, the cybersecurity community faces a new era of legal challenges and enforcement actions that require a careful balance of legal compliance, risk management, and organizational accountability. By addressing these challenges collectively and proactively, the cybersecurity profession can navigate this evolving legal landscape and enhance cybersecurity practices for the future.
