Analysts predict CEOs will be personally liable for security incidents. Should they be?
As more of our world becomes interconnected and reliant on computer systems to function, the risks from cyberattacks have increased. From public utilities, power generation, manufacturing and smart cities, to telecommunications and health systems, so much of the global economy relies on industrial control systems (ICS) to function properly, safely and reliably.
However, this increasing reliance has not come without the notice of cybercriminals. According to an IBM X-Force report in February 2020, cybercriminals executed 2,000 percent more attempts to manipulate or degrade ICS, cyber-physical systems and operational (OT) assets between 2018 and 2020.
Research firm Gartner predicts that with these attacks, we could soon see these sorts of attacks begin to go beyond online disruptions to eventually include risk to human life and property damage. As seen with ransomware attacks on hospital systems, attacks on ICS and OT can quickly move from opportunities to extort money to be deadly attacks on individual safety.
It is for these reasons that Gartner predicts that by 2024, more senior corporate and organizational leaders will soon face personal liability for the results of cyberattacks to these ICS and cyber-physical systems, moving beyond that of risk to a corporate brand, fines and financial judgements. In fact, Gartner predicts that, in the next four years, three out of every four CEOs will have liability for a cyberattack directly linked to them.
Is this evolution of liability, as Gartner predicts, a good thing for the overall implementation of cybersecurity at the organizations these CEOs represent, or could this change lead to more negative side effects? Could more security incidents actually occur?
This article will attempt to explore these questions and some of the related potential side effects from both sides of the predictions, for both organizations and the larger systems these organizations enable and interact with.
What Gartner predicts for executive liability
Because of the interconnectivity and importance of cyber-physical systems (CPS), which are systems created to “orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans),” Gartner believes that regulators and governments will begin to assign liability to CEOs as a result of a failure to secure them. Additionally, as the potential for environmental disasters and physical danger to people and property increase and combine with “a lack of security focus and spending currently aligning to these assets,” governments will react by “drastically increasing rules and regulations governing [CPS systems},” according to Gartner research vice president Katell Thielemann. “Soon, CEOs won’t be able to plead ignorance or retreat behind [cyber] insurance policies.”
The Gartner study continues to project that the financial impact of cyber-physical system attacks will reach over $50 billion by 2023, including the costs of insurance, lawsuits, fines and damage to their brand. This is a staggering figure for companies to have to bear, without even taking the actual value of human life and environment destruction into account.
Because of this risk — and the large potential benefits of continued benefits of smart cities, connected and autonomous vehicles, and innovation in digital technology — Gartner goes on to argue that organizational technology leaders need to help “CEOs understand the risks that cyber-physical systems represent and the need to dedicate focus and budget to securing them.”
“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” Thielemann continues. “The more connected cyber-physical systems are, the higher the likelihood of an incident occurring.”
If what Gartner predicts is true, that new reality is just a few short years away.
Why CEOs facing personal liability could be good for overall organizational cybersecurity
Could this change in liability, however, be a blessing in disguise for overall corporate cybersecurity?
Some could argue that it could, by finally raising the importance and personal stakes for CEOs to understand and invest in adequate cybersecurity for their technology infrastructure, in general, and their cyber-physical systems specifically. Sadly, many senior executives are not fully aware of the types of systems already in place across their organization, either from a lack of interest, an inability of the organization to accurately document them because of a lack of IT centralization, or because of the sheer number of them put into place, many of which could constantly be evolving.
However, the assumption that Gartner’s research relies upon is the establishment and existence of regulations and civil and criminal penalties that could be enforced to assign that liability to CEOs. As evidenced by the fact that no one has been criminally charged in the wake of data breaches the size and scale of Equifax, Marriott or Target, there is still quite the distance that federal and state enforcement mechanisms need to go. In the Equifax hack alone, at least 143 million people were affected, but the consumer credit agency only faced Congressional hearings, lawsuits, and regulatory fines; no one went to jail for anything linked to the hack itself. In fact, more broadly, according to the Warwick Business School and their 2019 study, CEOs “were more likely to receive an increase in total and incentive pay several years after a security breach.”
If these legal and regulatory changes did take effect, in theory, these punishments could hold CEOs personally liable — including financial and criminal penalties — for knowingly underinvesting in cybersecurity for systems that could put people at risk. Today, victims’ only relief can only come in the form of suing a company, leaving them the only one’s likely to be personally left with long-term damage, while senior corporate leaders are themselves left financially intact.
Elevating the security priority is especially important given the critical role that many operational technology (OT) assets, ICS, and cyber-physical systems play in our economy. To quantify the threat in a different way, IBM identified over 200 new ICS-related vulnerabilities in 2019 alone. In other words, it is not a matter of “if,” but “when” a cyberattack with devastating environmental, human and public service impacts could occur.
Therefore, it is argued, in the wake of a major physical, environmental or systematic damage from a cyberattack, citizens and their representatives need to be able to say “enough is enough” and assign blame and liability toward those that deserve it. Because, as evidenced by the Warwick Business School study, it is clear that, to date, corporate boards are not going to hold their executives accountable.
A different approach
The foundation for Gartner’s assumption could come in the form of something similar to the U.S. Senator Ron Wyden’s Consumer Data Protection Act of 2018 (CDPA) or Senator Elizabeth Warren’s Corporate Executive Accountability Act (CEAA).
The CDPA is designed so an organization’s senior executives can face criminal charges for cybersecurity and other failures that result in consumer privacy failures. The CDPA establishes minimum privacy and security standards, among other safeguards, and organizations can face fines up to four percent of their annual revenue for a first offense and 10 to 20 years of criminal penalties for executives that did not adequately ensure security and privacy safeguards were in place.
Senator Warren’s CEAA seeks to assign “criminal liability for negligent executive officers” of companies if it was determined that company actions led to a data breach affecting “personal data of 1 percent of the US population or 1 percent of the population of any state.” Afterall, notes Senator Warren, “Corporations don’t make decisions, people do, but for far too long, CEOs of giant corporations that break the law have been able to walk away.”
While the CDPA and the CEAA have not garnered enough support to pass as of yet, it is another sign, when taken in combination with the European Union’s Global Data Protection Regulation, that consumers, governments, and businesses are slowly trying to make security a corner-office priority, even if it is only because of a recalculation of the financial costs of making — or avoiding — cybersecurity investments.
In fact, 68 percent of organizations studied admitted that they have invested more in cybersecurity because of the GDPR and “fear of significant penalties.” Companies could react at least as much when CEOs and other senior executives could face criminal penalties, too.
Why more liability for CEOs could negatively affect overall organizational cybersecurity
On the other hand, the downstream impacts of the GDPR could also be a case study for why personal liability for CEOs could still leave an organization’s cybersecurity posture lacking, if not worse over time. This could arguably occur for three reasons:
- Depending on the jurisdictional scope of the laws, a patchwork system can make it more difficult to enforce and implement.
- Organizations could tailor their cybersecurity programs toward the legal requirements and not an overall, higher cybersecurity mission.
- More and more responsibility could be shifted to managed services and contractor resources, shifting blame while also further segmenting technology resources.
A patchwork system
Regulations and laws can only be enforced according to the jurisdiction to which they apply. If states begin to design their own criminal penalties for CEOs resulting from damages linked to cyber-physical system attacks left unprotected and then federal rules are defined, businesses could be left having to navigate a patchwork of rules and regulations that can actually hinder the implementation of comprehensive cybersecurity. In other words, businesses would be incentivized to just fulfill the limits and boundaries of the laws applicable to them instead of pursuing a sound cyber defense for cybersecurity’s sake.
It is for this reason that US-based organizations, just as the National Retail Federation and the Network Advertising Initiative have, could lean more toward a federal regulation, as it would be nationally recognized and applicable. However, as with other federal programs, especially in a partisan environment, the resulting law could be more limited in scope or penalty than what an individual state could design. Add in global regulatory frameworks and it could be argued that companies could find themselves pulled in multiple directions, ultimately lessening the focus and overall effectiveness of cybersecurity investments.
One size doesn’t fit all
Similarly, but more narrowly, too much focus on defining requirements and standards could lead toward unintended consequences. On one hand, companies could just focus on satisfying the cybersecurity standards that would prevent or limit corporate liability instead on developing and implementing an over-arching cybersecurity program.
On the other hand, as seen with the GDPR, in the process of seeking political compromise and making regulations as applicable as possible across industries, laws that assign liability could not be specific enough to be meaningful, leaving gaps. As a result, companies could ultimately be left more vulnerable after being lulled into believing they are appropriately applying cyber defenses, when in actuality they are just “checking the box” and not applying the rules to their unique circumstances.
For example, with the GDPR, one study found that while 62 percent of businesses invested more in security, 49 percent of those actually do not believe that their investment has made their businesses safer.
A third possible side effect of increasing the personal liability of corporate executives is more of a reliance on outsourcing, contracting and managed services, effectively shifting more responsibility toward third parties. While it is difficult to predict how regulations would include the use of third-party providers, managed services and contractor support when it comes to defining and implementing cybersecurity and infrastructure management, it is very plausible that many executives would just increase the involvement of outside organizations to help contractually and organizationally shift more of the responsibilities to outside of their hands.
While there are many professional technology managed services and cybersecurity firms in the market, moving more of the responsibility — and, in turn, more of the day-to-day knowledge and control — of network infrastructure and cyber-physical systems out of the hands of corporations could ultimately increase the attack surface, segment systems and increase overall risk. This would also coincide with less fidelity of what exactly makes up the IT backbone of an organization and its true nature and risk, further exacerbating the original problem.
What the future could bring
Today, consumers cannot go a day without encountering a website privacy disclaimer or hearing of another costly cyberattack occurring somewhere in the world.
However, for decades, the private sector — especially in the technology sector — has sought to be excused from liability and privacy laws, backed by lawmakers agreeing that such rules not only stifled innovation, but were misplacing blame. As a result, companies and consumers work within and are protected by a limited and incomplete regulatory framework that allows executives and their companies to define, to a large degree, the rules that they play by.
The CEAA and the CDPA, however, are in the early stages of trying to find the right balance between executive liability, enforcement, and defining privacy and security standards. At the same time, the US Government Accountability Office has recently recommended that the Federal Trade Commission and Consumer Financial Protection Bureau be given the ability to punish corporations when they violate the public trust.
While these attempts are still in their early stages, they are promising signs that the United States is beginning to think more seriously about ensuring that cybersecurity is given the priority it deserves in the corner office, especially when it comes to cyber-physical system security. Obviously more research and analysis is required to find the right level of reporting requirements, security standards, industry-specific components, criteria for liability, and enforcement mechanisms, but consumers, as a whole, will likely welcome more corporate responsibility and accountability from those that call the shots — or fail to.
Views and opinions published in this article are intended to foster productive thought and discussion around challenges in the cybersecurity industry. Views expressed in this article do not necessarily represent the views of Infosec.
What the Explosive Growth in ICS-Infrastructure Targeting Means for Security Leaders, Security Intelligence
A BILL To amend the Federal Trade Commission Act to establish requirements and responsibilities for entities that use, store, or share personal information, to protect personal information, and for other purposes, wyden.senate.gov