Resisting Hindsight Bias: A Proposed Framework for CISO Liability

In SEC vs. SolarWinds, the U.S. Securities and Exchange Commission (SEC) for the first time charged a CISO in connection with alleged violations of the federal securities laws arising within the scope of the CISO's cybersecurity functions.

That lawsuit has raised concerns that the SEC, despite lacking deep cybersecurity expertise, intends to dissect a CISO's good-faith judgments, second-guess the design and effectiveness of a company's entire cybersecurity program and related disclosures, and hold the CISO personally liable for any perceived failure.

CISOs are understandably worried that they may now face personal liability for good-faith efforts to fulfil their responsibilities, and that they may be held accountable for aspects of a company's security posture and disclosures that are outside their control. The SEC's decision to target CISOs sets up an untenable tension between CISOs and their companies: a CISO who fears personal liability may feel forced to demand cybersecurity structures, processes, and headcount without regard for the appropriate balance of risk, security, and business function.

Many in the CISO community are wondering whether serving in this essential function is worth running the risk that their good-faith efforts will expose them to professional jeopardy.

To address these concerns, we propose a regulatory framework of factors for the SEC to consider when evaluating whether to charge a CISO (or other executive responsible for running a company’s cybersecurity program) with violations of the federal securities laws for conduct arising out of their duties.

Summarized below, our proposed CISO Framework recognizes the critical and evolving nature of the CISO role by focusing the question of CISO liability squarely on whether the CISO made good-faith efforts to perform their role. If the answer to that question is yes, CISO liability should never be appropriate, regardless of the SEC’s post-mortem view of the merits of the CISO’s performance.

In particular, and consistent with the standard applied to chief compliance officers (CCOs) for alleged compliance failures, we propose that SEC charges against a CISO are appropriate only when the CISO: (i) was affirmatively involved in alleged misconduct unrelated to the cybersecurity function; (ii) sought to mislead or obstruct an SEC investigation; or (iii) committed a "wholesale failure" "in carrying out responsibilities that were clearly assigned to" them.

“Wholesale Failure:” Affirmative Factors in Favor of Liability

What is a "wholesale failure," and when does it give rise to potential liability? Before charging a CISO for an alleged "wholesale failure," the SEC should consider each of the following questions, find that every one of them points toward liability, and clearly articulate its reasoning so as to provide guidance and reassurance to the CISO community:

  • Did the CISO make a good-faith effort to carry out their responsibilities? The SEC should decline to pursue charges where a CISO made a good-faith effort to develop an information security program or execute an incident response. In assessing whether a CISO acted in good faith, the SEC should look to the fundamentals of proactive compliance recently set out by Director of Enforcement Grewal: education, engagement, and execution. But the SEC’s analysis cannot be based on ex-post analysis of how well the CISO weighed risks and red flags against the functioning of the business; no institution will ever be without risk, and how risks are mitigated, addressed, or managed requires enterprise-wide judgments based on, among other things, an evaluation of business risk tailored to the organization’s different threats, vulnerabilities, and risk tolerances.
  • Did the alleged failure relate to a fundamental or central aspect of a well-run cybersecurity program at the company? Even where a CISO is alleged to have failed to act in good faith, that should not be considered a "wholesale failure" unless it relates to a fundamental or central aspect of the company's cybersecurity program. For example, a CISO's failure to stay informed about significant changes in the threat landscape might, depending on the circumstances, indicate a wholesale failure because it relates to a central aspect of any cybersecurity program.
  • Did the alleged failure persist over time, and did the CISO have multiple opportunities to cure the alleged failure? Even where there is an alleged failure to act in good faith that relates to a fundamental aspect of a cybersecurity program, the SEC should consider the extent to which that failure persisted over time and whether the CISO had opportunities to remediate it.
  • Did the SEC issue clear rules or guidance related to the alleged failure in advance of the time at which the alleged failure occurred? Individual CISO liability is inappropriate where reasonable minds could differ on the proper interpretation of regulatory expectations and what would constitute violative conduct.
  • Does charging the CISO help fulfill the SEC’s regulatory goals? An SEC charge, particularly against an individual, must always serve the SEC’s regulatory mission to protect investors.

Mitigating Factors

If the affirmative factors above suggest that charges against a CISO may be appropriate, the SEC should next consider mitigating factors weighing against liability.

  • Did the CISO timely and transparently escalate the issue to other stakeholders? The fact that the CISO, having determined that a risk manifested or a breach occurred, actively raised the issue to security stakeholders such as senior management and/or the board should weigh against personal liability.
  • Did structural or resource challenges hinder the CISO's performance? A CISO cannot be expected to educate, engage, and execute a functioning program single-handedly. CISOs require resources, cooperation from internal stakeholders, and decision-making authority, and the SEC should consider whether and how a company's organizational structure affected that coordination or the CISO's empowerment.

Conclusion

This CISO Framework would require the SEC to decline to pursue enforcement actions against a CISO where the CISO made good-faith efforts to fulfil their responsibilities. In light of the SEC's recent charges in SEC vs. SolarWinds, we think this CISO Framework would instil greater transparency, accountability, and predictability in the way the SEC contemplates charging CISOs, something the CISO community needs and deserves.
