This week: What the world of cyber security can tell us about the Individual Accountability Framework (IAF), and why CISO may stand for ‘Career is Sadly Over’.
Earlier this week, I mentioned that I attended the Compliance Institute’s annual conference and my surprise that DORA (the Digital Operational Resilience Act) was not the main topic of the day. In its place was the Individual Accountability Framework, aka the IAF. (You can go here to read my previous article about the IAF.)
At the conference, many people expressed concern about the personal risk that arises when they are regarded as accountable for a particular area of business. Given many of the people who are held accountable for cyber security are COOs / CFOs / CIOs who do not have cyber security expertise, the risks are even greater.
That’s why this week’s edition of Cyber 3-2-1 focuses on the consequences when someone accountable for cyber security is regarded by the regulators as having failed to fulfil their duties, and what you can do to avoid such allegations in the future.
PS Where you see ‘CISO’ or ‘CSO’ mentioned below, you could interpret this as ‘the person accountable for cyber security’.
3 – Why Uber’s CISO ended up in court
In 2022, the former Chief Information Security Officer (CISO) of Uber Technologies was convicted of federal charges related to his actions during a 2016 data breach at Uber. This breach involved the theft of personal information of 57 million Uber users. A United States federal jury found [the individual] guilty of obstructing the proceedings of the Federal Trade Commission (FTC). This conviction was specifically in connection with his attempted cover-up of the data breach.
This is according to an article on Cyber Management Alliance. “Apparently, [the individual], then in charge of security operations and cyber security at the company, spearheaded the scheme in which Uber paid hackers $100,000 [..] to not release the data and stay silent on the attack.” The incident was only disclosed to the regulator a year later, when a new CEO took over.
The former CISO appealed the sentence, arguing:
- The main reason for the case was not the data breach, but the accusations of a cover-up by the CISO.
- However, his actions were taken with the full knowledge and blessing of Uber’s CEO at the time and other members of the ride-sharing giant’s legal team, and none of them suggested the need to inform the regulator.
- He also says he never lied to the FTC or destroyed evidence. Apparently, “thirty others at Uber knew of the incident and [he] never told any of them to conceal anything.”
- “Despite the fact that [the former CISO] was not responsible at Uber for the FTC’s investigation, including the drafting or signing any of the submissions to the FTC, the government singled him out among over 30 of his co-employees who all had information that [only he] is alleged to have hidden from the FTC.”
- No other individuals in Uber, including the former CEO, were charged with any offence. More information on the appeal is available here and here.
So what? It is not a shock to people working in cyber security that the person accountable for cyber security has been made the scapegoat for a security incident. But this usually means being publicly blamed or fired for such incidents. This case is believed to be the first time that a CISO of a major U.S. company has been convicted over a data breach and its ensuing cover-up. It caused many people in the cyber security industry to question the risks and rewards of taking on the CISO role, which could mean ‘Career Is Sadly Over’.
2 – Why SolarWinds’ CISO is facing a day in court
The SEC has accused SolarWinds Corporation and its Chief Information Security Officer (“CISO”) of fraud, arising from internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. “The SEC’s complaint alleges that, from SolarWinds’ October 2018 initial public offering through its December 2020 8-K filing, the company was the target of a massive, nearly two-year long cyberattack, known as SUNBURST, and defrauded investors by overstating its cybersecurity practices and understating or failing to disclose known risks.”
This is according to an article this week on The National Law Review. Apparently, “the SEC has alleged that [the CISO] was aware of SolarWinds’ cybersecurity risks and vulnerabilities but did not resolve the issues or sufficiently raise them further within the company.”
As one law firm puts it, “The SEC’s complaint [..] serves as a stark reminder to CISOs about the consequences of public and internal statements regarding cybersecurity practices and risks. The complaint highlights the expectation for CISOs to provide accurate representations of their company’s cybersecurity posture both internally and in public disclosures” and “CISOs should consider keeping detailed records of key discussions and decisions related to cybersecurity risks.”
So what? If you are accountable for cyber security, but someone else ultimately makes the decisions on where money / attention / resources are allocated, you need to get better at ensuring these decisions (and the inputs to these decisions) are documented. Otherwise, your job title of CISO really will mean “Career Is Sadly Over”.
1 – What are ‘reasonable steps’?
The IAF “introduces a duty of responsibility for individuals [..] to take reasonable steps to ensure that their areas of responsibility conform to legislative and regulatory requirements. [In the event of an investigation], in assessing the steps that an individual took, the Central Bank will consider what steps an individual, in that position, could reasonably have been expected to take at that point in time”.
These are the remarks of Gerry Cross, Director of Financial Regulation, Policy & Risk at the Central Bank of Ireland. If things go wrong, your defence will centre on whether you took reasonable steps.
So what constitutes reasonable steps in cyber security?
- I would argue the minimum is ensuring alignment to regulatory guidance (e.g. CBI’s 2016 guidance on cyber security, and subsequent guidance on outsourcing and operational resilience, as well as their Dear CEO letters).
- But “minimum” does not mean “reasonable” (or “appropriate”, to reflect the language of GDPR).
- “Reasonable” must mean alignment to a relevant industry benchmark and/or framework, as these reflect the lessons of industry veterans and those who have been on the wrong side of an attack.
- If you want to see the difference between regulator guidance and an industry benchmark, compare the 2016 Cyber Security Guidance to CISA’s SCuBA guidance on how to secure Microsoft 365. One is looking at the breadth of cyber security with a telescope; the other is looking at the depths of cyber security with a microscope. You need both.
And what constitutes an unreasonable step?
- Assuming the people who manage your IT on a day-to-day basis (e.g. an intra-group IT team, an external IT service provider, a SaaS provider) are also managing your cyber security.
- Because unless you’ve assessed them (or got someone like me to do it for you), you should assume they are not!
- How can I possibly make such an outrageous statement? Because I’ve been assessing IT service providers for over 10 years.