Cybersecurity Regulations Tighten, Stress Individual Accountability
January 22, 2024
![Cybersecurity Regs Tighten, Stress Individual Accountability](https://todaysgeneralcounsel.com/wp-content/uploads/2024/01/digital-technology-concept-cyber-security-data-protection-internet-network-connection-man-768x576.jpg)
A major shake-up in the regulatory framework governing cybersecurity for publicly traded companies is underway, according to a client alert by the Bradley firm. The new paradigm will feature a greater role for the chief information security officer and heightened duties for boards.
General counsel should advise their boards to reassess cybersecurity strategy and prepare for regulatory scrutiny of any decisions they make.
The recent, highly publicized SEC announcement of fraud charges against SolarWinds is likely to set a precedent for holding CISOs individually accountable for the cybersecurity failings of their companies.
The SEC’s rationale for fraud charges in the SolarWinds complaint was that the company’s public statements regarding its cybersecurity risks were contradicted by its internal assessments. Therefore, it misled investors.
The New York Department of Financial Services has amended its cybersecurity regulations for financial institutions in a way that appears to have aims similar to the SEC's. One provision requires the CISO and an organization’s highest-ranking executive to personally certify compliance with the state’s cybersecurity regulations annually.
The amendments require CISOs to articulate a clear, actionable narrative of cybersecurity postures to their boards. That narrative must cover all aspects of risk and the details of tactical response. Along with the greater risks this poses, it acts to professionalize the CISO role.
The new regulatory framework is creating an environment where cyber governance is not just an IT concern but a central tenet of corporate governance. However, it poses its own new risks. For example, publicly disclosed information concerning cybersecurity vulnerabilities can be exploited by hackers.
Nevertheless, regulatory expectations are heightening and corporate leadership is facing increased accountability. Boards have a strong incentive to adapt and evolve.