Chief information Security Officers and cyber whistleblowing: considerations for boards and breach response teams

First, there is the obvious risk - executives and CISOs may be personally held accountable for cyber failings, negligence, breaches, and inadequate disclosure around cyber vulnerabilities and incidents.  Second, is the less obvious risk, the plight of the executive or CISO who may be left with a choice: face prosecution or blow the whistle.  Under new SEC rules and enforcement actions, CISO’s "to be or not to be" conundrum may be an essential calculation for boards and breach response teams.

Personal liability for data breaches: Chief Information Security Officers and other executives

The looming specter of personal liability starts with two cases.  The first, was Uber, where its CISO was charged and eventually convicted for his actions in connection with a 2016 data breach and consent decree.  There, a jury found the CISO guilty of obstructing an FTC investigation and concealing a felony.  Later, the FTC held the former CEO of Drizly personally responsible for the company’s security failures.  In that matter, the Company and CEO were both fined and are subject to the FTC order, which requires a data disposition program, minimizing data collection, and implementing a data security program.  Interestingly, the Drizly penalty follows the CEO; per the FTC press release, the CEO “will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities."  Taken together, the cases show an appetite for enforcement aimed at individuals responsible for privacy and cybersecurity.

Notwithstanding, Solarwinds still manages to roil executives and CISOs.  In Solarwinds, issues were generally reported in a manner that accorded with industry norms: Solarwinds made routine statements about cyber risks and its adherence to widely accepted cybersecurity standards like NIST.  Moreover, the root cause of their 2020 incident was a sophisticated attack carried out by a state-sponsored actor.  While professionals can disagree about whether better security controls could have prevented this specific attack -- it is uncontroversial and accepted that state sponsored threat actors are extremely difficult to defend against, even with a best-in-class cyber program.  Accordingly, it was a bit of a shock when the SEC unveiled charges against the Solarwinds CISO personally.  Many CISOs, who are committed to protecting companies, believed there was nothing to indicate the Solarwinds CISO had acted in bad faith.  On the contrary, many observers believe there were earnest attempts to shed light on the company's vulnerabilities and needs before the incident occurred. 

Given those facts, CISOs are left with questions - will their professional choices withstand SEC scrutiny? If a breach occurs will they be left holding the bag? And where do they turn if their warnings aren't heeded?  In some of these instances CISOs or executives with access to this type of information might be inclined to cooperate with investigators or proactively blow the whistle on what they perceive as subpar cyberpractices. 

Data breach whistleblowing on the rise

Even though few cases are public, privately, companies are dealing with cyber whistleblowers more often.  Many whistleblowers fall into tried-and-true categories -- disgruntled employees, anonymous tips, and individuals with genuine information on corporate wrongdoing.  These investigations conform with the norms of internal investigations -- allegations are investigated and vetted, conclusions are drawn, and actions are taken.  But alongside this sort of case is the CISO or employee caught in the fog of a breach.  In these circumstances, CISOs are left to wonder how their actions before, during, and after a breach will be viewed in the light of day; after the breach andinvestigations, public reporting, and the litigation has settled.

What we are seeing in the latter are two trends.  First, the risk of leaks or whistleblowing during a high profile cyber incident are acute.  Rather than wait for the incident to resolve, individuals with inside information are coming forward to preempt accusations that they were negligent with respect to the causes of the breach – even before the causes of that breach have been confirmed.  This often means inside, confidential information about an ongoing incident is leaked to the press or investigators.  While this is not necessarily done in bad faith, it often results in notice to regulators and third parties without the full scope, or even accurate scope, of the facts. For example, we have seen numerous examples where individuals with incomplete information misidentify the threat actors who perpetrated an event.  In some cases, leaks link attacks to state-actors when there is no evidence to support that claim.  Nonetheless, even incorrect information can compromise decision-making processes or compel companies to make incomplete or unnecessary disclosures.  This is especially true in breach cases where crucial decisions that affect companies and investors are being made on compressed timelines or where sensitive negotiations with threat actors may be ongoing. 

Second, we are seeing CISOs reevaluate their personal risk after a breach.  Because personal liability is a real possibility, the tenor of conversations with executives and board members may change.  By extension, there is a definite chill in the CISO community -- a general feeling that a hard job just got a lot harder.  In more extreme cases, we may see some cyber professionals take matters into their own hands to avoid allegations of wrongdoing down the line.  The result is a choice to provide information to investigators especially where they feel there is a risk of personal liability.  

How to handle these risks now

Companies don't need to wait to be in this situation.  And executives know that breaches are joining the list of things you can be certain of - death, taxes, and data breaches.  There are key steps companies, boards, and executives can take now:

• Have ways for employees to report and escalate. Foremost, companies should have hotlines and protocols for individuals who want to make good faith complaints. Those protocols should evaluate and address those concerns quickly.  Companies that can demonstrate they have a track record of responding to these complaints will be in a better position.
• Plan. Breach plans should address the potential for leaks and whistleblowing. This should include setting up clear controls around how information is shared and disseminated -- these can mostly be in place before a breach occurs.  Companies should also consider who will speak on behalf of the company and how they will respond. 
• Compliance. Cyber programs should be able to demonstrate mature and systematic approaches to risk.  Specific disclosures about how risks are managed should be communicated with specificity to the board.
• D&O Coverage. Both boards, directors, and CISOs should understand whether they are covered for investigations and cases related to cyber whistleblowing.  We have seen disputes about whether CISO's and other employees are covered.  Indeed, if considering a job in this space, ask how and whether these policies offer coverage.
• Communication Protocols. Establish clear lines of communication during incidents -- this includes protocols to maintain privilege over certain communications and work product.  Information should also be controlled and limited to people actually working on the incident.  In a surprising number of cases, leaks come from individuals who should not or do not have access to the information in the first place.  Under those circumstances, we see disclosures of incorrect or incomplete information. 
• Reporting. Be decisive and clear about how cyber risks are reported to the board and executives.  Consider who is tasked with reporting these issues and whether your CISO should have direct access to the board.  Make sure the person reporting understands the issues and clearly communicates the risk to a non-technical audience.

Conclusion

Undoubtedly, these charges are an inflection point.  They will change the way boards, executives, and CISOs approach and communicate about risk to the public, their regulators, and each other.  Yet, these developments are also an opportunity to recognize and fix issues before a breach occurs.  (There is no reason to find out what your insurance policies say after an incident…) Indeed, clarity around these issues can empower more open communication and greater investment in cybersecurity and technology. 

Also, we should view the trajectory of these cases in conjunction with the SECs new rules around disclosures following cyber incidents.  For nearly a decade, we have watched companies sidestep reporting breaches and cybersecurity issues.  We have also witnessed a failure to pass a meaningful federal privacy law and a relatively quiet enforcement environment.  Or, at least one that has been very focused on a handful of companies.  A combination of actions from the SEC and FTC demonstrate that the environment is heating up, even in the absence of a federal law. 

Collectively, there is increased pressure on companies from the outside (enforcement, new regulations) and the inside (whistleblowers, penalties for underinvestment in cybersecurity).  Companies will need to chart a course through these colliding forces.