Veracity Blog

Cyber risks are becoming personal for C-Suite

Rule changes surrounding cyber risks which have already seen Uber’s former CISO sentenced to three years’ probation should be of concern to all C-Suite executives. 

Joseph Sullivan, Uber’s former chief information security officer, was found guilty of paying hackers $100,000 (£79,000) after they gained access to 57 million records of Uber customers, including names and phone numbers. 

He was also fined $50,000 and ordered to serve 200 hours of community service, having been found guilty of obstructing an investigation by the Federal Trade Commission.

The data breach had actually taken place in November 2016. The attackers emailed Sullivan and told him they had stolen a large amount of data, which they would delete in return for a ransom, according to the US Department of Justice (DOJ). 

Instead of reporting the breach, Uber allegedly paid the hackers’ ransom and had them sign NDAs according to CBS. 

It was the first prosecution of its kind to hold a senior executive liable for the handling of a data breach. 

Those responsible for the hack, Brandon Glover, from Florida, and Vasile Mereacre, a Canadian national, pleaded guilty to the extortion conspiracy in a California court in 2019. 

SolarWinds sued by US SEC in October 2023 

The US Securities and Exchange Commission sued software company SolarWinds Corp (SWI.N) and its former Chief Information Security Officer (CISO), Timothy Brown, saying they defrauded investors by hiding cyber-security weaknesses during a massive hack targeting the US government. 

The 2020 SolarWinds hack was a major cyber-attack that affected thousands of organisations around the world. The hack was orchestrated by a group of Russian hackers who infiltrated SolarWinds’ systems and inserted malicious code into its Orion software (a popular IT management platform).  

This code allowed the hackers to gain unauthorised access to the networks of SolarWinds’ customers and steal sensitive data. Among the victims were the US Departments of Commerce, Energy, Homeland Security, Justice and State, the Treasury and the National Institutes of Health, as well as NASA, though it’s not believed the attackers breached their classified networks. 

The case is ongoing.

Court action could leave companies vulnerable 

That is the contention of several groups that filed friend-of-the-court briefs in February this year backing SolarWinds’ motion to dismiss the SEC’s complaint. 

According to Reuters, the SolarWinds backers – BSA|The Software Alliance, 21 former government officials, and a plethora of organisations for corporate cybersecurity chiefs – contend that instead of assuring that investors receive detailed warnings about cyber risk and robust disclosures after cyberattacks, the SEC’s lawsuit could end up discouraging companies from probing for potential security weaknesses and cooperating with government investigators after a breach. 

“A regime that incentivizes early detailed public disclosure of vulnerability information, along with information detailing a company’s security posture, can actually damage law enforcement investigations, provide a roadmap to aid threat actors and make companies less safe,” wrote Paul, Weiss, Rifkind, Wharton & Garrison for the government officials, including former high-ranking Justice Department and SEC lawyers specialising in cyber enforcement. 

And, in an additional amicus brief backing SolarWinds, the US Chamber of Commerce and the Business Roundtable said they shared concerns that the case would backfire, leaving US companies more vulnerable to hackers.  

The brief also argued that the SEC was improperly relying on its right to police internal financial and accounting controls to assert “a general grant of corporate police power.” 

In an article in the Financial Times, Wagner Nascimento, vice-president and CISO at chip design toolmaker Synopsys, said: “If you talk within the CISO community, every CISO I know is concerned about this.” 

However, he also believes the regulatory changes may provide an opportunity for CISOs to become more involved in their company’s governance and take a more active and influential role. 

Nascimento said it gave them a perfect opportunity to “have a seat at the table, to talk to the CEO, and be a part of the conversation.” 

But he also expressed concerns about what might happen if there were disagreements over what constituted “materiality” when it came to a cyber-attack. He said there needed to be protocols in place for cases where the CISO believed there had been a material breach and the company lawyer did not.

Speaking to BleepingComputer, Lesley Ritter, Senior Vice President at Moody’s Investors Service, said the rules will improve transparency but could cause some headaches for smaller businesses:

“The cybersecurity disclosure rules adopted by the U.S. Securities and Exchange Commission earlier today will provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability.” 

When did the regulations come into effect? 

Since September 2023, the SEC has required publicly traded companies in the US to disclose within four days all cyber-security breaches that could impact their bottom lines. 

The Commission also expects registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy in their annual reports. 

SEC Chair Gary Gensler said: “Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors.”  

He added: “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.  

“Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” 

There are exceptions to the rule, though. If the US Attorney General finds disclosing the data breach so quickly would undermine national security or public safety, the filing may be postponed. 

How will this affect UK businesses? 

According to the SEC, the rules also require comparable disclosures by foreign private issuers on Form 6-K for material cybersecurity incidents and on Form 20-F for cybersecurity risk management, strategy, and governance. 

A foreign private issuer is a non-governmental company that is incorporated outside of the US and does business in the US. 

Within the EU, the UK, Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it’s 24 hours. Organisations in India have to report the breach within six hours. 

Veracity Trust Network CTO, Stewart Boutcher, has this to say: 

“I speak with many CISOs and CTOs, both as customers and when speaking at events, and universally there is concern that cybersecurity is not given enough credence or enough budget at the board level. As AiSP President Tony Low noted, ‘The biggest issue in the Cybersecurity Industry is the ever-evolving nature of cyber threats…’, which means a continually evolving threat defence posture is required. Moves by Government regulators such as those outlined in this article can only be welcomed to encourage and in some cases force CEOs and CFOs to take seriously the risk from Cybersecurity, provided CISOs are adequately funded to do their job.”
