• Cybersecurity incidents are more than availability problems
• Malicious actors are using the legal process to their advantage
• Personal liability for cybersecurity mishandling is becoming more common

Cybersecurity incidents, once dismissed as minor disruptions, have evolved into significant threats with far-reaching consequences. Initially seen as temporary setbacks, their impact on business operations was underestimated. Over time, the realization of their financial implications, such as ransom payments and regulatory fines, has grown. This shift in perception was further intensified when legal accountability for cybersecurity failures extended to criminal liabilities, significantly altering the landscape and raising the stakes for cybersecurity management.

Historical Context: A “Bad Day at the Office”

Historically, cybersecurity incidents were viewed as ‘bad days at the office,’ disrupting business but not leading to lasting damage. This perspective resulted in a disconnect between the digital realm of cyberspace and real-world consequences. Organizations focused on short-term recovery, often overlooking the need for long-term cybersecurity strategies. This approach resulted in repeated incidents, each treated as isolated occurrences rather than symptoms of systemic vulnerabilities.

Current State: From Operational Hazards to Criminal Liabilities

The shift to viewing cybersecurity failures as potential grounds for criminal charges is exemplified by the case of Vastaamo’s ex-CEO in Finland. Following a massive data breach that compromised sensitive patient data, the ex-CEO was charged and received a (suspended) prison sentence.

The breach exposed the personal details and therapy session notes of tens of thousands of patients, some of which were published on the dark web. The court found that the ex-CEO failed to adhere to GDPR requirements by not encrypting patient data, was aware of cybersecurity gaps for years, and attempted to conceal the breaches – leading to his criminal liability​​​​​​.

Emerging Tactics by Cybercriminals: Exploiting Legal Systems

Cybercriminals are becoming increasingly sophisticated, exploiting legal systems to augment their attacks. A ransomware gang, ALPHV/BlackCat, filed an SEC complaint against MeridianLink, their own victim, for failing to report a significant data breach – caused by ALPHV/BlackCat themselves. This innovative tactic of using legal requirements for mandatory cybersecurity incident disclosure against victims highlights a worrying trend where cybercriminals use legal loopholes to increase pressure on their targets, redefining the rules of digital extortion​​.

In a somewhat unexpected turn of events, all of these incidents can lead to reduced (mandatory) reporting, as CEOs/CIOs/CISOs weigh the potential legal liability against the potential risks of not reporting at all.

Case Study: SolarWinds and Heightened Legal Scrutiny

The SolarWinds case is a prime example of increased legal scrutiny in cybersecurity. The SEC charged SolarWinds and its CISO for concealing poor cybersecurity practices and risks, marking it the first time the SEC has brought cybersecurity enforcement claims against an individual.

The complaint alleged that from its 2018 IPO through at least December 2020, SolarWinds made misleading public statements about its cybersecurity practices, failed to disclose known vulnerabilities and breaches, and did not maintain adequate controls to protect its critical assets. This case emphasizes the expectation for accurate cybersecurity risk disclosure and the personal accountability of executives and security officers​​​​​​.

A New Era of Cybersecurity Accountability

The evolution of cybersecurity incidents from operational hazards to grounds for criminal liability marks a significant change in how businesses and their leaders must approach cybersecurity. It is a clear message to organizations and their executives to prioritize robust cybersecurity measures, adhere to regulatory requirements, and be transparent in their security practices. Failing to do so can lead to severe legal and financial repercussions, not just for the organization, but also personally for those at the helm. As the landscape of cybersecurity threats continues to evolve, so too must the strategies to combat them, emphasizing prevention, transparency, and accountability.

Maybe this is the push that finally moves cybersecurity concerns to the forefront across industries.

The post Another Look at Accountability in Cybersecurity appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Joao Correia. Read the original post at: https://tuxcare.com/blog/another-look-at-accountability-in-cybersecurity/