
Shifting Conversations on Cyber Risk and Resilience

Every board member and C-level executive needs to read the article quoted below.

Preserving evidence that cybersecurity controls are in place and effective could one day save you from financial losses and possible jail time. Demand that your organization preserve evidence showing that cybersecurity controls are being properly implemented, and this is especially true for software products. The ability to show PROACTIVE software risk assessment results, with the evidence to back them up, before procuring and installing software will become an imperative that the defense can use at trial. Here are a few noteworthy quotes from the article:

"When Joe Sullivan, former CSO of Uber, was found guilty of obstruction of justice and concealment of a felony, there was a new precedent set for security leaders. Suddenly, CISOs face the added consequence that they could be held personally responsible for breaches."

"there are lots of laws coming out that aim to add extra layers of governance and oversight of cyber risk. The one that blew my mind was one that the SEC proposed last year that would require public companies to disclose a breach within four days."

"These shifts are changing the way leaders think and speak about security. Executives are now saying, hang on a second – if I don’t disclose properly, my people could have criminal liability, whether they intended to or not."

"All of this is making large companies rethink the concept of risk"

"The context behind all of those technical pieces is increasing in value, with more and more CEOs and boards pushing their security leaders to explain the overall risk to the business. I truly believe we’re going to see enterprises double down on cyber risk management and look at their security posture with a more holistic perspective in the upcoming year."

The risk of personal liability is real. Just ask Joe Sullivan, who is facing a statutory maximum sentence of five years in prison on the obstruction count and three years in prison on the misprision of a felony count. The federal sentencing guideline range, which is not binding on the court, will likely be 24 to 57 months, depending on whether certain enhancements are applied.

"shareholders have taken notice of increased cybersecurity risks and are increasingly seeking to hold directors and officers personally liable through derivative litigation. Cases recently decided by the Delaware Chancery Court under the landmark Caremark case have paved a path for shareholder-plaintiffs to hold directors and officers liable for breaching their fiduciary duties in the wake of a cybersecurity failure, and have increased the importance of board oversight of cybersecurity."

"Delaware courts have allowed a number of Caremark claims to survive a motion to dismiss. Nevertheless, two recent decisions from this past year — SolarWinds and NiSource — dismissed Caremark claims regarding alleged “mission critical” risks because the board had implemented reporting systems and monitored risks in good faith, even though the monitoring of those systems was considered less than ideal based on the facts alleged. One of those decisions also suggested that a failure to monitor mission critical “business risks” (in contrast to risks arising from violations of positive law), could, in an “extreme” case, give rise to a Caremark claim. The court’s analysis in both cases underscores the important need for boards to implement and monitor effective systems for “mission critical” risks."

C-suite executives and board members should demand to see proof that cybersecurity controls are being applied and that evidence of their application is being preserved, starting with evidence that software supply chain risk assessments are performed before procurement and before installation of software. You may need this evidence for your own defense in any lawsuit brought by shareholders, or by others harmed by a cyber breach, that occurred on your watch.