Why CISOs Need Their Own Attorneys

  • Writer: Scott M. Giordano
  • Nov 11, 2024
  • 9 min read

Updated: Dec 7, 2024


By Scott M. Giordano, AIGP, FIP, CISSP, CCSP

Partner and Co-Founder, The CISO Law Firm LLP


The lack of a Sarbanes-Oxley regulatory regime for cybersecurity, a shifting legal landscape, and an often-tenuous position vis-à-vis the Board necessitate CISOs having their own attorneys to provide independent advice and counsel.


The saga of the 2016 data breach of ride-sharing application company Uber, including the payment of ransom by the company to those responsible, and concluding with the conviction and sentencing of then-CISO Joe Sullivan, is well known to CISOs in North America and potentially around the world.  In a November 28, 2023 article on Dark Reading, Sullivan said something quite remarkable about the breach and his subsequent October 2022 conviction on charges stemming from his response to it: "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made.  I hate to say it, but it's more CYA."  In this respect, Sullivan is correct; more CYA was needed.  In fact, what Sullivan really needed was his own independent counsel to advise him on the potential for his becoming the fall guy.  The fact that Sullivan was a former federal prosecutor and (evidently) didn’t realize the danger he was in underscores how easy it is to be overwhelmed by events during the response to a breach or other high-stress assault by threat actors.


The Sullivan Prosecution Was Not a One-Off

During the saga of the Uber data breach, another one began, this time at IT software publisher SolarWinds.  In September 2019, threat actors (likely the Russian Foreign Intelligence Service) gained unauthorized access to SolarWinds’ network.  In December 2020, some fifteen months later, cybersecurity firm FireEye disclosed that it and its customers were victims of the attack.  Approximately 18,000 customers were affected, notably the U.S. Departments of Homeland Security, State, Commerce, and Treasury.  In October 2022, the U.S. Securities and Exchange Commission (SEC) sent SolarWinds a so-called “Wells Notice,” indicating the substance of the charges that the SEC was intending to bring against SolarWinds for alleged cybersecurity failures related to the breach.  What was truly remarkable, however, was that in June 2023 the SEC sent a Wells Notice to SolarWinds’ CFO, J. Barton Kalsu, and CISO, Timothy Brown, as individuals, something likely unprecedented.  On October 30, 2023, the SEC filed a civil complaint against SolarWinds and Brown.  Not only was this remarkable, but even more so was the fact that among the charges the SEC brought was one of “scienter”-based fraud against Brown, meaning that he was conscious of what he was doing and not merely negligent.  A July 18, 2024, decision of the U.S. District Court for the Southern District of New York dismissed all but one of the charges; the remaining one was for fraud based on claims made on the SolarWinds website about the efficacy of the company’s cybersecurity posture.  While this dismissal was likely a cause for celebration for the defendants, the SEC’s aggressive approach should give pause to all CISOs.

There is No Sarbanes-Oxley for Cybersecurity

The Sarbanes-Oxley Act of 2002 was the U.S. Congress’ response to the financial frauds committed by publicly-traded firms such as Enron, WorldCom, and Tyco International in the early 2000s.  The law was designed to protect shareholders by imposing rigorous reporting standards not just for publicly-traded companies but for their auditors as well.  Moreover, it advanced the idea of offering ordinary employees access to the highest authority of a company (e.g., the audit committee) in the event that violations of the Act were suspected.  Arguably, the law has been a success, given that no Enron-scale frauds by publicly-traded firms have been perpetrated since the Act went into force.  A review of the financial industry literature seems to confirm this, and the goal of restoring investor confidence in U.S. securities markets seems to have been achieved.  All of this, then, raises a question about the integrity of those firms’ IT systems – isn’t it equally important as that of their financial systems?  The fact that the duty of securing a firm’s financial systems falls to the InfoSec team underscores this.


The fact of the matter is that we don’t have a Sarbanes-Oxley for cybersecurity, with its attendant standards for firms and their auditors, and with a prescribed path to an appropriate committee of the board in the event that the CISO finds trouble and can’t get anyone in management to listen.  Until CISOs legally receive the same dignity afforded to CFOs, we’ll continue to see the same constant drip-drip-drip of news of data breaches and ransomware attacks and seemingly little accountability by firms for the damage caused to the public.


Changes in Law and Jurisprudence Have Created Greater Exposure for CISOs

Over the past five or so years, there have been changes both in cybersecurity laws and in the jurisprudence of personal liability for corporate directors and officers, both of which create greater legal exposure for CISOs.  In July 2023 the SEC promulgated significantly updated rules for the reporting of cybersecurity incidents by publicly-traded companies; they went into effect in the latter half of December 2023.  Perhaps most noteworthy about the rules is the requirement that, upon a determination that an incident is material, affected companies must notify the SEC within four business days.  Moreover, those companies must also file an updated 8-K disclosure and include details about the disclosure in their 10-K.  The 186 pages that comprise the new rules are also noteworthy because a draft, 129-page version would have required covered companies to disclose whether any member of the board of directors had cybersecurity expertise; this was later changed to require companies to disclose instead whether any member of the management team had cybersecurity expertise.  The implication of this latter mandate is that the SEC wants companies to demonstrate to the market that someone is minding the (cybersecurity) store.


While the updated SEC rules translate into more work for CISOs, it’s the combination of these rules with changes to jurisprudence here in the U.S. that poses greater exposure for CISOs.  One change in particular is the threshold for personal liability for corporate directors via what is known as the “mission critical” standard.  Normally, when directors fail to implement appropriate management oversight mechanisms or fail to use them, they can be held personally liable, although the bar for that liability is relatively high.  This is sometimes referred to as the “Caremark” standard, after the court case that established it.  However, when oversight failures occur for a function that is core or “mission critical” to a company, that bar is lowered.  Examples include Boeing (related to the 737 MAX) and Blue Bell Creameries (related to an outbreak of listeria).  The doctrine of mission criticality has recently been expanded to include cybersecurity.  One journal serving the corporate director community went so far as to say that boards should hire third parties to independently review their company’s cybersecurity program, noting (perhaps ironically) that “The CISO may not tell you that everything is falling apart[.]”


Completing this legal trifecta is the extension of personal liability to corporate officers.  In a so-called shareholders’ “derivative” lawsuit against fast-food giant McDonald’s, a Delaware court extended the Caremark standard to corporate officers.  In this case, the company’s chief people officer was accused of enabling a corporate culture of sexual harassment by ignoring red flags about misconduct at the company; he later was terminated for his own sexual harassment and misconduct.  The judge presiding over the matter essentially took Caremark’s concept of the board’s duty of oversight and extended it to corporate officers with respect to areas within their purview.  Given that the purview of McDonald’s chief people officer included establishing a system to prevent sexual harassment, extending Caremark duties to him was not difficult in this case.  Moreover, it’s easy to see how this standard could be applied to CISOs in the case of derivative lawsuits stemming from a data breach, ransomware incident, or some other alleged cybersecurity failure.


The Very Tenuous Position of CISOs

CISOs exist in a very tenuous position vis-à-vis their corporate employers, especially compared to their C-Suite counterparts.  A 2024 report on the global CISO workforce saw CISOs citing personal, financial and legal liability as a particular concern; notably, 66% of those surveyed cited such liability, up from 62% in 2023.  Undoubtedly, the criminal and civil actions taken against CISOs described earlier and the attendant publicity have contributed to this concern.


CISOs’ relationships with their respective boards of directors or, more significantly, the lack thereof, are another contributor to this problem.  Unless a CISO is “duly appointed” by a board, he/she is not a true corporate officer and likely not covered by the organization’s D&O insurance.  A 2023 global CISO workforce report shed some light on this: 38% of CISOs surveyed are not covered by D&O insurance, and another 18% do not know whether they are covered; this latter statistic is particularly troubling, evincing that tenuous relationship.


When CISOs do brief boards on the state of a firm’s cybersecurity posture, they likely will get about 15 minutes to cover risks and ask for the needed resources, something that can be an uphill climb, even given how often ransomware and other attacks are featured in news reports and industry periodicals.  A 2024 report on security budgets showed that while the average growth of cybersecurity budgets has risen from 6% in 2023 to 8% in 2024, this is only about half of the growth rates in 2021 (16%) and 2022 (17%).  Moreover, obtaining the necessary personnel is a problem.  The report cited that staff growth decreased from 31% in 2022 to 12% in 2024.


Another 2023 report on the global CISO workforce cites a statistic that is likely familiar to CISOs but is perhaps surprising to others: the average tenure for a CISO is estimated at only 18 to 26 months, in contrast to an average tenure of 4.9 years for the C-Suite.  The report went on to cite an estimate by analyst firm Gartner that, by 2025, nearly half of cybersecurity leaders will change roles and 25 percent will transition to entirely different positions.  This turnover of the cybersecurity leaders charged with protecting their organizations is likely a contributing factor, perhaps significantly so, to the seeming inability of those organizations to keep threat actors out of their networks.


Why CISOs Need Their Own Attorneys

The time has come for CISOs to have their own legal representation.  Some examples where this is particularly applicable include:


  • Employment and contractor agreements.  Employment and independent contractor agreements are often lengthy and dense and contain all manner of traps for the unwary.  The surrender of IP rights can be especially difficult to navigate if the candidate CISO has already developed his/her own IP or is planning to.  Non-compete clauses are another aspect that requires close scrutiny.  If the candidate is joining a start-up, early stage, or growth stage company, the matter of stock options vs. warrants is another consideration that merits scrutiny.

  • Standing vs. the Board.  A CISO’s relationship with a company’s board of directors is arguably his/her most important one at a company.  Access to the board and the ability to brief the board on a regular basis (more than once a year) are key to every CISO’s success and to protecting the company.  As a CISO, being duly appointed (or not) by a company’s board of directors has very important implications.  Advice from outside counsel can help prevent dangerous assumptions on the part of the CISO.

  • Directors & Officers Insurance.  CISOs are not automatically covered by D&O insurance.  As mentioned earlier, D&O insurance is a complex topic but a critical one for CISOs to understand.  Moreover, there are many types of insurance and their coverage is often riddled with exceptions.  Understanding those nuances can prevent a business problem from turning into a personal disaster.

  • Trouble on the horizon.  There are times at an organization when it becomes apparent to the CISO that there is trouble on the horizon, and that if it does materialize, it will likely land on him or her.  Perhaps it’s the lack of funding for necessary staffing and/or technology, or a regulatory agency inquiry, or an incident that is bigger than management wants to acknowledge.  In any case, getting legal representation in place early can help positively shape the outcome.

  • Second opinions.  Sometimes, a CISO needs a second opinion.  It may be with respect to a relationship with a vendor, an interpretation of a regulatory mandate, or challenges internal to the InfoSec team.  While a company’s General Counsel may be able to offer some perspective, it always will be in the context of what’s best for the company.  The ability to pick up the phone and get an opinion as to what’s best for the CISO can be invaluable.


In summary, this need for legal representation owes much to the often-tenuous positions that CISOs find themselves in vis-à-vis their employers, a shifting regulatory and jurisprudential landscape, and a constantly-evolving cybersecurity threat matrix.  All of this creates an environment where the CISO is being set up to be the fall guy, and it’s not difficult to see why recruitment of CISOs is currently such a challenge.  Previously, as a practical matter, CISOs had no one to turn to.


Now, they do.
