A Cyber Breach Could Lead to Criminal Charges Against You
The government is escalating its response to cyber attacks and is having a little bit of success, but as we have seen recently, that means it is also going after companies that do not have adequate security. In addition, we have seen that it is going after the people in those companies who should be managing that security.
“In a worst-case scenario, a cyber breach could lead to criminal charges against people,” Steinberg says. “We are talking about not only financial penalties, but, under some circumstances, potential prison time.”
https://www.newsweek.com/now-more-ever-its-crucial-companies-get-cybersecurity-right-1897117
Normally, we think about reputation damage and financial costs, but recently, a new concern has been added to the mix: legal action against both the management and members of the boards of directors of organizations that suffer cyber breaches.
Consider the recent conviction of Joe Sullivan, former head of security for Uber and also a former federal prosecutor, who only avoided prison time because this was the first case like that the judge had heard. The judge said that next time he would not be so lenient.
Follow that with the SEC filing a civil complaint against SolarWinds and its CISO (see the SEC press release) and the new disclosure rules from the SEC, and it seems pretty clear that the government is following in my footsteps (sure, right): it has stopped considering some of these companies victims and is instead considering them co-conspirators.
In the worst case, a cyber breach could result in criminal charges against companies and individual people.
“Essentially, the onus has shifted as to who is responsible,” Steinberg says. “Instead of viewing cyber incidents as something that happened to a company, as something that doesn’t necessarily need to be explicitly explained in filings or revealed to the public, the new rules basically say that if an incident occurs, the company’s management and board are responsible to ensure that they adequately explain to the world what happened.”
https://www.newsweek.com/now-more-ever-its-crucial-companies-get-cybersecurity-right-1897117
Newsweek said that being upfront with investors is paramount; someone’s decision to invest in a company can be dramatically impacted by information about cyber risks. Not fully disclosing could be considered ‘falsifying a financial statement’.
“Companies need people on their boards who can oversee the management of cyber risk, not people who are technically savvy but do not understand how to ensure that the business is properly managing cyber risk,” he says. “The board must oversee the management of cyber risk rather than seeking to perform or actively manage the job of the CISO.”
https://www.newsweek.com/now-more-ever-its-crucial-companies-get-cybersecurity-right-1897117
This is a very significant shift in the landscape. If you have questions, please contact us.
Credit: Newsweek