As hacks worsen, SEC turns up the heat on CISOs
Over the past year we’ve seen Uber’s former chief security officer convicted in federal court for mishandling a data breach, a federal regulator charge SolarWinds’ security chief with allegedly misleading investors prior to its own cyberattack and new regulations that compel companies to publicly reveal materially impactful data breaches within four business days.
It might seem like it’s never been a riskier time to work in cybersecurity.
But a takeaway from one panel at the ShmooCon hacker conference in Washington, DC on Sunday is for those in cybersecurity not to walk away from the challenges.
Now in its penultimate year, ShmooCon brings together hackers, researchers, government officials and cybersecurity executives to discuss some of the most pressing issues facing the security community. A common theme heard among attendees this year is the increasingly risky nature of working in the cybersecurity industry itself. The infosec community is no stranger to legal risks — perhaps an inherent byproduct of working in the field — but is becoming more aware of the mounting legal oversight and consequences that go with the work.
Leading the discussion, startup lawyer Elizabeth Wharton, former SEC prosecutor Danette Edwards and tech investor Cyndi Gula shared their perspectives and predictions in a panel that explored how the cyber-liability stakes are changing from the junior entry-level positions all the way to the executive suite.
Let the glow from past breach dumpster fires light the way to better data care & security practices. Thanks @cyndi_gula & Danette for joining me at #shmoocon discussing how to minimize risks of “Chief Information Sacked Officer” and team pic.twitter.com/pN8G24TQAh
— Elizabeth Wharton (@LawyerLiz) January 15, 2024
Last year saw the introduction of the SEC’s new cyber reporting rules that now require companies to disclose “material” security incidents in public 8-K filings within four working days. The rules took effect in December and have already resulted in a flurry of companies filing new data breach disclosures with the SEC in its wake as companies figure out what “material” impact means. It also saw the first case of a ransomware gang using the rules to call out the very company it hacked for not filing with regulators.
“We’re going to see a lot of initial 8-K reports, and then probably multiple reports reporting on the same cyber hacks,” said Edwards, now a defense attorney and partner at law firm Katten, speaking at ShmooCon.
Wharton, founder of Silver Key Strategies and who previously served on Atlanta’s ransomware incident response team, said cyber incidents can change by the hour and can require subsequent disclosures.
“When you’re dealing with an incident and you’re still knee-deep in the response four days in, you’ve identified, ‘oh, shoot, our dumpster is on fire!’ but you haven’t even figured out what materials necessarily are in the dumpster as it’s burning — and you’ve got to start reporting,” said Wharton. “Knowing that as stuff ebbs and flows, public companies are going to have to update [those disclosures].”
The flip side to transparency coupled with remote work is that more things than ever are written down, recorded or otherwise saved and documented. That can be a boon for investigators and a headache for companies.
“I assume every email is going to be read either by your mother or in a deposition, or… in an SEC complaint, and it’s shifting that watercooler talk,” said Wharton. “Since we’re not necessarily in offices, it’s making sure that you’re not necessarily putting it in writing and context gets lost in the meme that you send your colleagues because you thought it was hilarious.”
“And the regulator’s don’t always have a great sense of humor,” said Edwards.
“Culture is integral to an organization — specifically in what we do — because we have a lot of trust,” said Gula, managing partner at Gula Tech Adventures. “Companies are going to be struggling with bringing that culture with the eye that everything that they do is going to be under scrutiny.”
Not only are new cybersecurity reporting rules putting companies and their data incidents under the public spotlight, recent federal enforcement action shows cybersecurity executives are also shouldering some of the responsibility.
In October, the SEC brought charges against SolarWinds CISO Timothy Brown for allegedly misleading investors about the company’s security prior to a cyberattack launched on the company by Russian spies in 2019. Much of the SEC’s accusations stem from comments Brown allegedly shared internally.
“We have also been hearing lots of people don’t want [to be CISO] because of this oversight and because of all of these traps that you don’t even know are ahead of time,” said Gula, who serves as board member of multiple startups. “Please don’t walk away from that position. Please step up and do that.”
On that advice, Gula said documentation can also help. When executives have to effect change, patch flaws or improve cybersecurity training but get plans or budget denied, ask: “Can I get that in writing?” Adding: “Whatever you can do to take that Eye of Sauron off you, so you can continue to throw the ring in the fire to put out whatever you need to do — that’s important.”
Zack Whittaker reporting from ShmooCon in Washington, DC.