The many impacts of cyber breaches are well-documented, including financial and reputational damage. But recent developments indicate that another serious consequence is top of mind for business leaders: legal action against both the management and board members of the cyber-compromised organization.
According to cybersecurity expert Joseph Steinberg, the SEC's recent charges against SolarWinds' chief information security officer (CISO), combined with its new cybersecurity disclosure rules, suggest that the government will force companies to get their house in order.
“In the worst-case scenario, a cyber breach could lead to criminal charges against people,” Steinberg said. “We are not only talking about monetary fines, but also possible prison terms in some circumstances.”
Shift responsibility to company leaders
The SEC's allegations against the SolarWinds CISO are not the first time criminal charges have been filed against a cybersecurity expert in the United States. Steinberg cites former Uber chief security officer (CSO) Joseph Sullivan, who could have faced prison time pending sentencing for his role in the attempted cover-up of a 2016 data breach that compromised the personal information of more than 50 million customers of the ride-hailing platform. The former Uber CSO was ultimately sentenced to probation, fines, and community service “in connection with the cover-up of Uber violations in 2016,” according to an article in SC Media.
But the SEC's new disclosure rules and charges against the SolarWinds CISO could change the equation for companies when it comes to cyber breaches, Steinberg explains. The federal government takes cyber breaches seriously, and business leaders should heed recent news as a warning.
“Essentially, the responsibilities of who is responsible have changed,” Steinberg said. “Rather than viewing a cyber incident as something that happens to a company that doesn’t necessarily need to be clearly explained in filings or disclosed to the public, the new rules essentially require that when an incident occurs, management and the board have a responsibility to properly explain to the world what happened.”
Steinberg emphasizes that being upfront with investors about material cyber risks is paramount. In other words, investors need to know what a company is doing to address cyber threats, how it has responded to past cyber incidents, what damage those incidents have caused, and what damage the company is at risk of from a potential future cyber incident.
“Someone's decision to invest in a company can be heavily influenced by information about cyber risks,” Steinberg said, adding that a company that is not upfront about cyber risks and incidents could potentially be misleading the public in its financial statements.
It’s important for companies to get the right cyber expertise
Although the SEC's new rules “do not explicitly require it,” “companies are expected to provide details about the cybersecurity proficiency of their boards,” according to a Thomson Reuters analysis. The SEC's directive makes clear that publicly traded companies must “describe the board's oversight of risks posed by cybersecurity threats and management's role and expertise in assessing and managing significant risks posed by cybersecurity threats.”
To comply with the SEC's new rules on cybersecurity, companies need board members with the right types of cybersecurity experience and skills, Steinberg says.
“Companies need people on their boards who are not only technically savvy but also understand how to make sure a company is managing cyber risk well,” he says. “Boards must oversee the management of cyber risk, rather than performing or actively managing the CISO's job.”
Unfortunately, many companies do not have board members with adequate and relevant cyber expertise. A 2023 study conducted by WSJ Pro found that “the number of S&P 500 company directors with cybersecurity experience has increased sharply since 2022.” However, “the amount of cybersecurity expertise on boards remains relatively low at a time when boards are under increased scrutiny for security deficiencies.” Specifically, the survey found that as of August 31, 2023, “107 directors from 113 companies had specialized experience in cybersecurity.”
But Steinberg cautioned boards against rushing the process of signing on someone with cybersecurity expertise.
“One of the challenges that many boards face is bringing in people who aren't necessarily skilled at overseeing cybersecurity,” Steinberg says. “Just because someone is a great baseball player doesn’t mean they can be the manager of a great team, and just because they’re a great manager doesn’t mean they can be the CEO of a great team. The same thing applies to management. And to oversee cyber risk, boards need the right mix of experience, skills and talent, rather than just thinking they're good at it.”
Striking the right balance between cybersecurity management and oversight
To that end, Steinberg emphasizes that it's important for companies to ensure the right people are in the right roles when it comes to cybersecurity. Specifically, CISOs, CSOs, and other cyber professionals should manage cybersecurity: handle day-to-day operations and enable the necessary stakeholders to do what they need to do to develop and implement a broader strategy. Board members should oversee the parties managing cybersecurity and ensure that the cybersecurity program provides the company with adequate protection (as agreed by the board) against cyber risks.
“One of the issues I regularly see is board members being overly involved in what they think is cyber risk oversight, when in reality they are overly involved in cyber risk management and performance,” Steinberg said. “As a result, you end up wasting time and energy debating things that should be left to the CISO.”
He believes that when board members try to put cybersecurity completely under their control, it takes focus away from other elements of the business and makes it difficult to ensure that cyber risk management is properly overseen by the right professionals. He points out that companies may end up at greater risk as a result.
“Board members who don't understand their proper role in addressing cybersecurity and cyber risks can hinder a CISO or CSO's ability to do their job,” Steinberg says. “Furthermore, if board members don’t understand where they fit into a company’s cybersecurity and cyber risk management efforts, the entire board becomes distracted and, as a result, may not be able to address pressing issues across the business.”
Ultimately, he says, organizations that don't already have cybersecurity expertise on their boards need to take action now.
“Just as you shouldn't have a board without accounting or legal expertise, you shouldn't have a board without cybersecurity expertise,” Steinberg said. “For many companies, cyber incidents are likely to pose a greater risk than accounting or legal issues.”
Ideally, he says, companies should appoint people who are “well-versed in information security and cybersecurity management.”
“Not having that level of expertise is like presenting financial statements to a board member with little or no accounting knowledge,” Steinberg says.
Newsweek is committed to challenging conventional wisdom, finding common ground and finding connections.