Another Look at Accountability in Cybersecurity

Joao Correia

November 28, 2023 - Technical Evangelist

  • Cybersecurity incidents are more than availability problems
  • Malicious actors are using the legal process to their advantage
  • Personal liability for cybersecurity mishandling is becoming more common

Cybersecurity incidents, once dismissed as minor disruptions, have evolved into significant threats with far-reaching consequences. Initially seen as temporary setbacks, their impact on business operations was underestimated. Over time, the realization of their financial implications, such as ransom payments and regulatory fines, has grown. This shift in perception was further intensified when legal accountability for cybersecurity failures extended to criminal liabilities, significantly altering the landscape and raising the stakes for cybersecurity management.

Historical Context: A “Bad Day at the Office”

Historically, cybersecurity incidents were viewed as ‘bad days at the office,’ disrupting business but not leading to lasting damage. This perspective resulted in a disconnect between the digital realm of cyberspace and real-world consequences. Organizations focused on short-term recovery, often overlooking the need for long-term cybersecurity strategies. This approach resulted in repeated incidents, each treated as isolated occurrences rather than symptoms of systemic vulnerabilities.

Current State: From Operational Hazards to Criminal Liabilities

The shift to viewing cybersecurity failures as potential grounds for criminal charges is exemplified by the case of Vastaamo’s ex-CEO in Finland. Following a massive data breach that compromised sensitive patient data, the ex-CEO was charged and received a (suspended) prison sentence.

The breach exposed the personal details and therapy session notes of tens of thousands of patients, some of which were published on the dark web. The court found that the ex-CEO failed to adhere to GDPR requirements by not encrypting patient data, was aware of cybersecurity gaps for years, and attempted to conceal the breaches – leading to his criminal liability.

Emerging Tactics by Cybercriminals: Exploiting Legal Systems

Cybercriminals are becoming increasingly sophisticated, exploiting legal systems to augment their attacks. A ransomware gang, ALPHV/BlackCat, filed an SEC complaint against MeridianLink, their own victim, for failing to report a significant data breach – caused by ALPHV/BlackCat themselves. This innovative tactic of using legal requirements for mandatory cybersecurity incident disclosure against victims highlights a worrying trend where cybercriminals use legal loopholes to increase pressure on their targets, redefining the rules of digital extortion.

For reference, this is the same threat actor that was reportedly behind the Las Vegas casinos’ hack (the MGM and Caesars incidents in September). 

While the SEC did not act on the threat actor’s report, this was partly because a recent rule was not yet in effect (the SEC has approved a new reporting timeframe, but it only takes effect in mid-December). This raises concerns not only about the loophole the threat actor exploited, but also about the efficacy of the regulator – there seemed to be factual material behind the complaint that should have led to action by the regulator, in a situation best described by a memorable movie quote: “(…)dogs and cats living together(…)”.

In a somewhat unexpected turn of events, all of these incidents can lead to less (mandatory) reporting, as CEOs/CIOs/CISOs weigh the potential legal liability of reporting against the potential risks of not reporting at all.

These also tie neatly into a separate problem: the time a breach goes undetected after the initial access (estimates place this figure at upwards of 270 days, according to an IBM report in 2022). If this legal loophole is allowed to persist, that undetected window is more than enough time for a complaint to be filed about an unreported breach – and the complaint will be factually accurate.

Case Study: SolarWinds and Heightened Legal Scrutiny

The SolarWinds case is a prime example of increased legal scrutiny in cybersecurity. The SEC charged SolarWinds and its CISO with concealing poor cybersecurity practices and risks, marking the first time the SEC has brought cybersecurity enforcement claims against an individual.

The complaint alleged that from its 2018 IPO through at least December 2020, SolarWinds made misleading public statements about its cybersecurity practices, failed to disclose known vulnerabilities and breaches, and did not maintain adequate controls to protect its critical assets. This case emphasizes the expectation for accurate cybersecurity risk disclosure and the personal accountability of executives and security officers.

A New Era of Cybersecurity Accountability

The evolution of cybersecurity incidents from operational hazards to grounds for criminal liability marks a significant change in how businesses and their leaders must approach cybersecurity. It is a clear message to organizations and their executives to prioritize robust cybersecurity measures, adhere to regulatory requirements, and be transparent in their cybersecurity practices. Failing to do so can lead to severe legal and financial repercussions, not just for the organization, but also personally for those at the helm. As the landscape of cybersecurity threats continues to evolve, so too must the strategies to combat them, emphasizing prevention, transparency, and accountability.

Maybe this is the push that finally moves cybersecurity concerns to the forefront across industries.