After a Cyberattack, Assigning Blame Can Get Personal

In the aftermath of a cyberattack, analysts seek to identify its cause or source in a task known as attribution. With assistance from government agencies and other threat intelligence, many of today’s most damaging breaches are traced to “state actors” such as those with ties to North Korea or Russia.

It is attribution of a different sort – assignment of legal liability to corporate executives – that is worrying chief information security officers (CISOs), and perhaps by extension, others responsible for risk, compliance and control functions.

“They’re Coming After Us,” read an Information Week headline about a panel discussion at the recent RSA cybersecurity convention on “the modern perils of the CISO position and . . . an escalating threat landscape that threatens to blow back on senior security executives.”

The issue was triggered by a case involving one of the participating panelists, Joseph Sullivan. Investigated for his handling of cyberattacks while serving as chief security officer of Uber Technologies, Sullivan was convicted in September 2022 on federal charges stemming from an attempted cover-up of a 2016 incident. Customer information was compromised, and a $100,000 ransomware payment was made.

Although prosecutors sought a 15-month prison sentence, Sullivan’s penalties were three years’ probation, 200 hours of community service and a $50,000 fine.

Gadi Evron: “Not like the old days.”

In the public forum, Sullivan, now a consultant, noted that he was so far “the only one” who was actually indicted. The pressure on executives and managers is intensifying in parallel with cyberattacks and official concern about them. As Information Week reported, another RSA Conference panelist, CEO Gadi Evron of AI security startup Knostic, said, “It’s not like the old days, where there’s an incident and most people wouldn’t notice. When stuff happens today, the whole world knows.”

Should CISOs and potentially others expect to find themselves increasingly in legal crosshairs?

The Precedent

"While the Uber case on its face appears to open a new wave of personal liability, it is important to remember the unique facts that led to the verdict,” says Chirag Patel of the Clark Hill law firm in Chicago. Uber’s Sullivan “engaged in a scheme to cover up an internal breach during an ongoing investigation” by the Federal Trade Commission. The case centered on false statements regarding security and was “not based on the performance of his duties . . . In some sense, it is new territory for executives to face criminal liability for hiding information from investigators."

Natalia Gindler Corsini, founder and managing partner of Prae Venire, a corporate compliance and risk mitigation consulting firm, sees legal considerations adding to the pressures on CISOs and others who are responsible for “allocation of more resources to ensure compliance with regulations; increased investment in cybersecurity technology, like threat detection systems; plus adopting a comprehensive business risk management framework.

“Equally important are effective reporting and communication on cybersecurity risks and incidents to the designated committees, senior management and authorities,” she adds.

Top-Level Oversight

It follows that companies must inculcate a climate and culture of transparency about cybersecurity, defining management roles and being prepared to communicate effectively in the event of breaches.

“The Uber case serves to demonstrate the importance of candor” and the consequences of the opposite, particularly in the face of investigations, Patel says.

As Deloitte & Touche principal Daniel Soo underlines, cultural values and communications are multi-stakeholder efforts. Soo’s Cyber Risk Services Infrastructure practice advises security teams and other leaders on such tasks as documenting key decisions and how they arrived at them. Issues of accountability, however, make their way to the top of an organization as an intrinsic aspect of corporate governance.

Daniel Soo: Consult legal counsel.

The possibility of personal liability will naturally affect strategic planning and decision-making up to senior executive and board levels.

"CISOs will want to establish more structure in their organizational governance by more clearly defining roles, responsibilities, accountability related to cyber risk," Soo says. “Further, CISOs should seek legal guidance from in-house or outside counsel to better manage their own personal liability risks.”

Turning to Third Parties

“Any serious compliance failure – be it related to cybersecurity, bribery or corruption – can result in negative consequences, both for the organization and potentially for the individuals involved,” says Jack Holleran, managing director in BDO’s Forensics practice. Those can involve civil litigation, regulatory exposure, financial penalties and reputational damage – not to mention disciplinary action and even termination of employees.

Protection against personal cyber-liability risk was rarely if ever discussed before the Uber case. Reliance on third parties – along with proper attention to third-party due diligence and risk management – can be seen as a form of protection.

“Outsourcing to a vendor is a common method for risk reduction through transference,” says BDO’s Holleran. “While you can never truly transfer the risk, relying on a vendor to provide a service that may be difficult for an organization to perform, staff and execute is often the only way to maintain compliance.

Jack Holleran: Best-practice outsourcing.

“We see this quite often with small to mid-size businesses that require 24/7 cybersecurity coverage, as they may not have the resources to handle it internally, whereas large organizations typically possess the bandwidth to manage such demands effectively. Of course, any time an organization hires a vendor, it’s critical to qualify the vendor up front” and manage the relationship through the contract period.

It is key to ask, for example, “How are compliance requirements and expectations described in the contract?” and to ensure that the vendor’s performance is aligned with its client’s business.

"Such vendor use,” Soo says, “requires strong third-party oversight by financial institutions to ensure that vendors’ solutions are implemented correctly, monitored regularly and used in compliance with applicable laws and regulations.”

Technology and Data Accuracy

Corsini of Prae Venire agrees that third-party providers may help with compliance and risk reduction, but it’s not automatic. “These services may not be using accurate data,” she warns. “Lenders, to ensure accuracy and fairness, should also be sure their data is analyzed, and not solely trust what a third-party AI solution provides.”

David Oliwenstein: Conduct will be probed.

With greater understanding of the complexities of cyberattack attribution and the teams that are mobilized in response, more accountability may be borne by the IT infrastructure and those responsible for its safety. Punishment could be more widely distributed when blame can be pinpointed for a breach or, perhaps worse, for deliberately trying to cover it up.

“Enforcement and regulatory authorities seem to view cyber failures as a near-existential threat, and they may be correct to do so,” says David Oliwenstein, partner, Pillsbury Winthrop Shaw Pittman. “It is clear that cybersecurity is one area where companies and their executives will not be able to avoid government enforcement by virtue of the fact that they are very likely victims, rather than perpetrators, of cyber breaches.

“For that reason, in the event of a breach, companies, security officials and other individuals who deal with security must not only deal with the breach itself, but must also be mindful that the government is likely to probe their own conduct in responding to the breach and addressing cyber risks.”