CISOs face higher stakes as regulators crack down on security failures

Share post:

Regulators are holding chief information security officers (CISOs) liable for the cybersecurity challenges they or their companies face, as evidenced by the SEC charges against SolarWinds and its top security executive, Timothy Brown.

The SEC’s complaint alleges that SolarWinds misled investors about the state of the company’s cyber defenses in the years leading up to a massive 2020 Russian cyberattack. The charges come a few months after a jury found former Uber security executive Joe Sullivan guilty of obstructing an active Federal Trade Commission investigation into Uber’s security practices and concealing a 2016 data breach.

These cases signal a new willingness on the part of regulators to hold CISOs accountable for cybersecurity failures, which is raising concerns among security executives. Some worry that the new SEC cyber disclosure rules, which go into effect next month, could lead to more frequent charges against CISOs, as they will require publicly traded companies to disclose material cyber incidents within four business days and share details about their internal cybersecurity strategies each year.

CISOs are now worried that any statements they make early in their incident response, or even in the years before an attack, could lead to legal problems years later, as it has for SolarWinds.

In an op-ed, Sullivan argued that the SolarWinds’ charges will lead “the private sector to become afraid to work closely with the government” after an attack.

Prospective security leaders may also be discouraged from taking on top roles in the wake of the SolarWinds and Sullivan cases, said Michael Sikorski, CTO and VP of engineering for Palo Alto Networks’ threat intelligence team.

The sources for this piece include an article in Axios.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways