The Securities and Exchange Commission's (SEC) new cybersecurity rules, which went into effect in December, have changed the game for chief information security officers (CISOs), not only around incident reporting and response, but also around their personal liability during incident investigations.
Prior to the rules going into effect, we had already seen the SEC bring charges against SolarWinds CISO Timothy Brown for allegedly failing to accurately disclose the company's cybersecurity risks and exaggerating its cybersecurity readiness, thus defrauding investors. SolarWinds suffered a massive breach in the fall of 2019 that was neither discovered nor reported until December 2020. That decision came on the heels of a guilty verdict against former Uber CISO Joe Sullivan for his role in covering up a 2016 hack that exposed the personal data of tens of millions of users and drivers.
Now, with additional clout, the SEC can enforce stricter regulations on CISOs of public companies, forcing them to consider their exposure during incidents and what they should be doing about it.
In this episode of the Nexus podcast, Hormel Foods CISO and Director of Security and Compliance Mike Rogers explains that CISOs should understand their level of coverage, for example under a corporate directors and officers (D&O) insurance policy, should they be named in a suit, and what supplemental protection they should be thinking about.
“I think it’s important to have that conversation and understand what your level of coverage is, out of an abundance of caution,” Rogers said, adding that he is pursuing a professional liability insurance policy with his agent.
“One of the things that I learned about professional liability coverage, whether it's an umbrella or professional liability—and let's just make up a number—you have $3 million dollars in liability coverage, your insurance company now has three million reasons to ensure that you don't get held liable for something.”
Rogers praised his management team for its support but cautions that not every company may be as upstanding.
“I think professional liability [coverage] is definitely worth looking at, I think, understanding your position and your relationship within the company, too, because this could be easy to misjudge,” he added. “Just making sure, what's your confidence level, that your leadership will go to bat for you if things get tough?”
This aspect of liability protection could be a negotiating chip in future contract renegotiations or for security leaders being considered for promotion to the CISO chair or seeking a new CISO role.
“Now is the time to have that conversation, not when you're under fire, not when you're in the middle of an incident, or you're worried about these things,” Rogers said. “You need to have these conversations now, and just be super proactive about it.”
Rogers also covers, at a strategic level, how the SEC rules affect day-to-day operations, when and how to determine that an incident is material and must be disclosed, how the rules have changed incident response, the role of cyber insurance in this context, and how all of this could shape future investment in and prioritization of security technology.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.