Cyber risk is keeping the Australian enterprise on its toes


In the second half of 2023, an event in the North American cybersecurity sector put leaders on notice.

The US Securities and Exchange Commission (SEC) formally charged a company and its CISO with fraud and internal control failures related to a 2019 cyberattack. 

The indictment sent a stern warning to security leaders, suggesting that they could be held criminally or civilly liable for cyberattacks that take place on their watch. It also highlighted a fundamental challenge for the CISO role: that while CISOs are responsible for raising risks to their senior leadership teams and board of directors, they rarely have the final say in how those risks should be managed. Additionally, the indictment raised broader questions about CISOs’ confidence levels in their organisations’ cyber risk management and governance practices.

The case would have had lessons for Australian leaders – if they hadn’t already been put on notice much earlier.

In May 2022, a similar set of circumstances emerged, where the Federal Court ruled that an Australian financial services licensee had breached its licence obligations “when it failed to have adequate risk management systems to manage its…
