In July, SolarWinds CISO Tim Brown and CFO Bart Kalsu received Securities and Exchange Commission notices of potential enforcement action over alleged violation of securities laws. The issue stems from their response to the Russian hack of the Orion network monitoring software in 2020 — a product used by more than 30,000 organisations.
This isn’t the first high-profile instance of a chief information security officer facing individual scrutiny for decisions affecting their organization.
Everyone makes mistakes. But what if your mistakes cost you tens of thousands of dollars in fines, see you facing jail time, or risk the security of millions of other people? Companies now access and handle more personal data than ever before. And regulators are reexamining the significant responsibility that brings.
Here are two other cases from recent years, involving Uber and TSB, that range from negligence to deliberate cover-up.
Protecting the Public
In May 2023, former Uber chief security officer Joe Sullivan was sentenced to three years’ probation and given a $50,000 fine for covering up a massive 2016 data breach at the ride-sharing giant.
Sullivan started as Uber’s chief security officer in 2015. At the time, the company had recently disclosed a 2014 data breach that compromised about 50,000 consumers’ personal information, leading to an FTC investigation. Shortly after, Uber was hacked once again. This time the hackers contacted Sullivan directly. About 57 million users had their data stolen.
According to the US Department of Justice (DOJ) release covering the charges, “Sullivan executed a scheme to prevent any knowledge of the breach from reaching the FTC.” He paid the hackers $100,000 in exchange for them agreeing not to disclose the hack.
Following Sullivan’s trial in 2022, information security professionals reportedly were worried about liability in similar situations, according to The Wall Street Journal. Edward Amoroso, former chief security officer at AT&T Inc., told the Journal that many top security officers believe Sullivan did nothing wrong.
Prosecutors originally wanted a 15-month prison sentence. One reason Sullivan isn’t facing jail time is the volume of letters of support sent by industry peers and his friends and family — and the fact that it was the first case of its kind.
In the DOJ’s press release, US attorney Stephanie M. Hinds said, “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.”
“Prescribed Responsibilities”
In April this year, Carlos Abarca, the former chief information officer of TSB Bank, was fined £81,620 (US$103,900) for operational resilience failings. The Prudential Regulation Authority’s (PRA) investigation found that Abarca breached its Senior Manager Conduct Rule 2 in failing to take “reasonable steps to ensure that TSB complied with PRA Outsourcing Rules.”
In short, Abarca didn’t make absolutely sure that a third-party service provider contracted by TSB was up to its task.
In 2018, TSB migrated data for its corporate and customer services to a new IT platform. The data migration itself was successful. However, the platform immediately experienced technical failures.
The result was major disruption to the continuity of TSB’s banking services. The initial issue affected a “significant” portion of the bank’s 5.2 million customers. Many were still dealing with the effects by December 2018.
Sam Woods, deputy governor for prudential regulation and chief executive officer of the PRA, said, “Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively.”
The Bank of England Senior Managers Regime (SMR) was introduced in 2016 “for banking institutions to embed greater individual accountability by ensuring authorised firms allocate clear responsibilities to key decision-makers.”
Under these regulations, firms must allocate “prescribed responsibilities” — specified in the PRA Rulebook — to senior managers: “At the core of the SMR is the belief that companies should be led by skilled, principled colleagues, that there is absolute clarity about the responsibilities of the senior leadership team and that leaders of a business are held to account for its failures as well as its successes.”
In IT, Failures Are Inevitable
In these cases, it isn’t a matter of fining IT admins for minor failures. It’s about holding senior executives responsible for failings that affect their customers, shareholders, and the wider market.
Will this give CISO applicants grounds to demand higher salaries to compensate for greater responsibility? And would that open them up to greater scrutiny — or show that they’re taking their responsibilities seriously?
At this year’s RSA Conference in San Francisco, Gadi Evron, CISO at venture capital firm Team8, said that following Sullivan’s trial, many CISOs thought, “Should I leave this occupation?” and “Why is the CISO the only one standing trial?”
TechTarget, which covered the conference and the panel featuring Evron, suggests — among other things — holding crisis communication drills to mitigate your risk of liability. It also stresses the importance of defining and knowing your role responsibilities as CISO, using the correct terminology, and not panicking.
Preparation through practice is the backbone of any solid business continuity and incident response plan.