Cyber Insights 2024: A Dire Year for CISOs?
Thursday, March 7, 2024
The SEC has pitched a potential 2024 curveball at the CISO. Its new cyber incident disclosure rules will change the role, but we have yet to see how they play out in practice.
Every company has incidents, but not all of them should require public disclosure.
The liability threat
The threat to CISOs is real. “Sanctions may range from suspended and real prison sentences to hefty monetary fines and prohibitions on occupying managerial positions for a certain period of time,” explains Ilia Kolochenko, chief architect at ImmuniWeb. “Regrettably, cybersecurity insurance is unlikely to cover legal actions targeting employees of the insured organizations, leaving the former alone amid the mounting legal risks and with little support from employers.”
The iconic example of a security executive being prosecuted is that of Joe Sullivan, relating to his time as CSO at Uber. Strictly, that was a federal criminal case brought by the US Department of Justice rather than an SEC action, but it is the case every CISO now has in mind. The issue revolved around whether Sullivan concealed a breach from regulators (the FTC was investigating an earlier Uber breach at the time) and from the public. Sullivan’s position was that, since the company had a bug bounty program, and since his team negotiated with the ‘hackers’, effectively paid a bounty, and obtained their agreement not to disclose, this was not a ‘material’ incident that required disclosure. Ultimately, it was a clash between the CISO’s subjective interpretation of materiality and the legal interpretation applied by prosecutors. With the SEC’s disclosure rules now in force, that same judgment call about what is ‘material’ is exactly what CISOs will be held to.