C-Suite Liability & Cybersecurity: Navigating a New Era of Enforcement

On October 30, 2023, the SEC charged both SolarWinds and their CISO Tim Brown with defrauding investors, by failing to make disclosures about cybersecurity issues and vulnerabilities related to the massive nearly two-year long “SUNBURST” hack of the company. 

This action by the SEC highlights two recent enforcement trends – (1) increasing scrutiny on corporate cybersecurity practices and (2) personal liability for C-Suite officers for gaps in those practices. 

Given these heightened legal risks, companies and corporate officers must be more vigilant than ever – by using better assessment tools to encourage healthier cybersecurity practices. 

Turning up the heat on the C-Suite

It’s well established that corporate directors have fiduciary “duties of care” to protect their companies against major risks and compliance failures. Only recently have courts clarified that these duties now extend to the C-Suite — CEOs, CISOs, GCs and other key executives now face personal liability for failing to safeguard their companies.  

SolarWinds and other recent regulatory actions, including the SEC’s proposed cybersecurity rules, all point to the same conclusion — regulators are turning up the heat on cybersecurity programs and the boardrooms and officers who oversee them. 

CISOs in the cross-hairs

Being a CISO was already a stressful job, with significant retention issues and burnout risk. The SolarWinds case will only make it harder to recruit and retain top cybersecurity talent. 

Increased D&O coverage (e.g., more coverage for securities liability) and employer indemnification can help mitigate some of the legal and financial risks to CISOs and other corporate officers, but the cost of this “risk shifting” is only going up for companies and insurers – with increasing cyberattacks and more aggressive enforcement actions.

A better way to measure cyber risk and compliance

What are boardrooms, key executives and companies supposed to do in the face of multiplying threat actors and more aggressive cybersecurity enforcement? 

It’s clear that the need for greater transparency, frameworks, and objective assessment tools such as cybersecurity ratings for continuous monitoring of cybersecurity programs – both for risk management and compliance purposes – has never been more critical. 

What we can’t measure, we can’t improve. Better objective assessment tools and compliance standards will promote better cybersecurity practices, and help boardrooms and executives meet their fiduciary and legal obligations in the process.