Companies and their CISOs could be facing anywhere from hundreds of thousands to millions of dollars in fines and other penalties from the US Securities and Exchange Commission (SEC), if they don't get their cybersecurity and data-breach disclosure processes in order to comply with the new rules that have now gone into effect.
For those who may find themselves at the wrong end of an investigation, it's important to know that there are a variety of tools at the SEC's disposal for enforcement. These run the gamut from a permanent injunction ordering the defendant to cease the conduct at the heart of the case, to paying back ill-gotten gains, to three tiers of escalating penalties that can result in astronomical fines.
In addition, the SEC could bar an individual from certain roles, such as a seat on the board of other companies, while such cases could also result in mounting legal fees, reputational damage to the business and executives, and monetary damages from shareholder lawsuits.
The SEC Breach Rules Have Teeth
No enforcement actions are yet underway, but in many ways, the requirement that companies disclose any "material" cybersecurity incidents fits into the SEC's existing framework of investigation and penalties. All in all, companies should be ready for the SEC to investigate.
That means empowering their CISOs with the ability to meet the rules, says Jena Valdetero, shareholder and co-chair of the US Data Privacy and Cybersecurity Practice at law firm Greenberg Traurig, LLP.
"The SEC has made it very clear that this is an enforcement priority, so there's really no fighting City Hall on this one," she says, adding, "I do think that CISOs are right to be very concerned, because the SEC has clearly said, 'we are going to make the buck stop with the CISO,' [because they are] the best person to know what cybersecurity compliance measures are in place and what risks they're facing."
That "buck" could be more like beaucoup bucks. The SEC traditionally has four main types of penalties, all of which can be brought to bear on the cyber-realm. The first is a permanent injunction, which prevents a company and individuals from continuing a specific type of activity. Second, the disgorgement of ill-gotten gains results in penalties equal to the amount of profit purportedly made through fraud or nondisclosure. Third, the SEC can seek an order that bars an individual from serving as an officer or director, according to Steve Malina, a shareholder with Greenberg Traurig and former senior attorney in the SEC's enforcement branch.
However, those three forms of relief are rather small compared to the potential monetary fines, he says. Penalties start at $5,000 per violation for any breach of SEC rules and quickly escalate to $100,000 per violation — or $50,000 and $500,000 for organizations — depending on whether fraud was involved and investors were harmed. The SEC can also "break down every single time they think you violated the law and call that an independent violation," he says.
"The permanent injunction — putting aside the reputational damage — doesn't have a ton of teeth; it's just an order that you're not going to violate the law again," Malina says. "But the disgorgement, the Civil Monetary Penalties, they have real teeth, and they can really harm someone's future in the business."
Those penalties do not include reputational damage, shareholder lawsuits, and the cost of defending against any investigation or lawsuit, he says.
Fear and Loathing in the C-Suite
Apart from traditional enforcement penalties, there are other costs ahead from SEC enforcement actions.
The SEC enforcement actions against SolarWinds and its CISO Timothy Brown caught executives off guard — perhaps more than the SEC regulations themselves. Whether the agency wins its case, or SolarWinds and Brown successfully defend themselves, the expense of the litigation and its effect on the company's reputation highlights the damage that any SEC enforcement action can have.
Perhaps most worrisome for CISOs is the personal liability they face for many areas of business operations for which they have historically not had responsibility. Only half of CISOs (54%) are confident in their ability to comply with the SEC's ruling, and two-thirds of CISOs (68%) feel overwhelmed in dealing with the new rules, according to a survey of 300 executives conducted by AuditBoard, a cloud-based risk and compliance platform.
"There's always been liability in the C-suite, but CISOs now have a level of personal liability that they have never had before," says Richard Marcus, vice president of information security with the company. "If you don't have a process nailed down to handle this, and you make the wrong decision, and you failed to disclose when you should have, you can be held personally liable — a lot of CISOs that we talk to are concerned about this."
All of that is leading to a broad rethinking of the role of the CISO, says Ken Fishkin, senior manager of information security — essentially the acting CISO — for law firm Lowenstein Sandler LLP.
"A lot of people are very nervous about being in a position like mine now because of this responsibility," he says. "It's a company issue, definitely not just a CISO issue. Everybody will be very leery about vetting statements — why should I say this? — without having legal give it their blessing ... because they are so worried about having charges against them for making a statement."
The worries will add up to additional costs for businesses. Because of the additional liability, companies will have to have more comprehensive Directors and Officers (D&O) liability insurance that not only covers the legal expenses for a CISO to defend themselves, but also for their expenses during an investigation.
Businesses that will not pay to support and protect their CISO may find themselves unable to hire for the position, while conversely, CISOs may have trouble finding supportive companies, says Josh Salmanson, senior vice president of technology solutions at Telos Corp., a cyber risk management firm.
"We're going to see less people wanting to be CISOs, or people demanding much higher salaries because they think it may be a very short-term role until they 'get busted' publicly," he says. "The number of people that will have a really ideal environment with support from the company and the funding that they need will likely remain small."
Established Policies, Good Faith, Keep Notes
Yet, there is a silver lining. The SEC's breach disclosure rule has put companies on notice that they must pay attention to security and have a process in place, including evidence from the discussions of whether a security incident is material to investors. That obligation will likely lead to more security-aware organizations, says Kathleen McGee, a partner with Lowenstein Sandler LLP.
"Make sure you have a policy in place before the incident occurs, that you know who the stakeholders are, who will be making those determinations, and that you are documenting the process, so that if the SEC comes calling and wants to understand what the thought process was, you have a good explanation at the ready," she says.
Those companies and CISOs that have a policy and follow that policy will likely not have to worry as much about enforcement actions, even if later evidence may show that the initial decision was wrong, she says.
"If [companies and their CISOs] make a determination, initially, that an incident is not material, and then [they] come across new information that leads me to believe it was material," they will have time — albeit four days — to correct the record, McGee says.