SEC cyber disclosure rules put CISO liability under the spotlight
The long anticipated Securities and Exchange Commission rule on cyber incident reporting took effect in September, creating significant changes at the C-suite and board level.
The rules will reframe the role and responsibility of the CISO, who will likely face the task of not only responding to a material incident, but also reporting that incident up the command chain and making an official regulatory disclosure.
The personal and professional stakes for CISOs have never been greater. Over the past year, the former CSO at Uber was convicted in federal court for helping to cover up a ransomware attack amid a previously launched data security probe by the Federal Trade Commission. In June the CFO and CISO at SolarWinds were notified by the SEC that they were under civil investigation for their role in the Sunburst malware attack.
“The CISO role has never been easy, and it looks a lot less appealing when you add liability and criminal responsibility to the pressure, the on-call hours and the stress,” Ryan Witt, VP of industry solutions at Proofpoint, said via email.
Proofpoint released its annual Voice of the CISO report in May, which indicated 62% of CISOs were already concerned about potential liability in connection with incident response and corporate governance issues.
Given the responsibilities they will face under the new SEC rules, the level of anxiety among CISOs is on the rise.
"The SEC ruling and its disclosure requirements continue to place a lot of pressure and responsibility on the CISO,” Jon France, CISO at (ISC)2, said via email. “CISOs are navigating this challenge individually, with their accountability and job difficulty increasing simultaneously.”
The new regulations require publicly traded companies in the U.S., and foreign companies that trade in the U.S., to disclose cybersecurity incidents within four business days of determining the incident is considered material to the company’s financial performance.
Therefore a CISO might be expected to work with various stakeholders, including finance, legal, human resources and bring in a cyber forensics expert and legal counsel, to determine the scope of an attack and make a collective determination as to the cost and scope of the event.
Jeff DiMuro, deputy CISO at IT firm ServiceNow, said he doesn’t expect the new SEC rule to force any major changes in how the company manages cyber risk.
“The SEC rule we think just memorialized a demarcation of the four-day reporting rule, but these are things we have to do anyway as CISOs for a publicly traded company,” DiMuro said in an interview.
The company has an ethical steering committee that includes multiple executives, including the general counsel, CFO, CTO, his direct supervisor the CISO, and other key executives.
The committee meets bi-weekly and on an ad hoc basis, in the case of a cyber incident, to discuss how they will manage the response. The company also offers a bug bounty public responsible disclosure program using the HackerOne platform.
Corporate officers can be held personally liable by various regulatory agencies for how they respond to data security issues, including lawsuits from investors and class-action litigation from consumers.
In 2022, following the leak of 2.5 million consumer records, the FTC ordered Drizly CEO James Cory Rellasto implement a data security program at the online liquor marketplace and any new business he joins in the future.
One effect of the new ruling has been a push by CISOs and other risk executives to obtain additional liability protection as part of their jobs. C-suite executives and board members are typically covered from liability by directors and officers insurance.
Executives at professional services firm Aon say they are getting additional requests about whether CISOs are included in coverage or can be added to existing policies.
“The rails around that are typically the bylaws of the company, whether somebody is an officer of the company, and I think for the most part CISOs do qualify in that regard,” said Uri Dallal, managing director and U.S. regional leader at Aon.
“That said, when you get to situations like this where the role is attracting litigation in the way that it’s typically reserved for the CFO and CEO, it’s not uncommon for people to question whether they are covered under the policies, and seek affirmative coverage,” Dallal said.
Lexmark CISO Bryan Willett said even though the SEC rule applies to publicly traded companies, the rule also will impact closely-held businesses. For example, if a company has a third-party relationship with a publicly traded company, any type of data breach or attack may require changes in the ability to respond.
“A public company’s third party risk management program may require contractually very short notification,” Williett said via email. “Regardless of whether the partner company is private, they still need to meet the requirement indirectly.