For cyber leaders, cyber risks are becoming personal.
In 2023, new US rules around the disclosure of data breaches heaped more pressure on companies’ security staff — in particular, chief information security officers (CISOs) — just as agencies and courts were signalling that individuals could be held liable for incidents.
Last year, for example, Uber’s former chief security officer, Joe Sullivan, was sentenced by US authorities to three years’ probation and fined $50,000 for covering up a data breach from 2016. He had been notified by hackers of a security flaw that exposed the personal information of nearly 60mn drivers and passengers on the ride-hailing platform. It was the first criminal prosecution of a company executive over the handling of a data breach.
Then, just a few months later, the US Securities and Exchange Commission charged SolarWinds’ CISO, Timothy Brown, for fraud and internal control failures, after the IT company was breached by Russian hackers as part of an espionage campaign. The regulator accused both the company and Brown of misleading investors by not disclosing “known risks” and not accurately representing its cyber security measures.
“If you talk…
