Resisting Hindsight Bias: A Proposed Framework for CISO Liability

11 December 2023
Key Takeaways:
  • A version of this article also appeared in Infosecurity Magazine on February 7, 2024.
  • On October 30, 2023, the U.S. Securities and Exchange Commission (the “SEC”) for the first time charged a chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations and alleged undisclosed weaknesses in the company’s cybersecurity program.
  • The charges raise industry concerns that the SEC will, with the benefit of hindsight, second-guess a CISO’s good faith judgments in the aftermath of a cybersecurity incident and attempt to hold the CISO liable for any perceived weaknesses in a company’s broader cybersecurity program and related disclosures.
  • We believe consideration of potential CISO liability should instead recognize the critical and evolving nature of the CISO role by focusing on whether the CISO made good faith efforts to perform his or her role.
  • Consistent with that view, this Debevoise In Depth proposes a CISO liability framework for the SEC to consider when evaluating whether to charge a CISO (or other executives responsible for a company’s cybersecurity program) for conduct arising out of his or her CISO duties.

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) charged SolarWinds Corporation’s (“SolarWinds” or the “Company”) chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations related both to the Russian cyberattack on the Company discovered in December 2020 and to alleged undisclosed weaknesses in the Company’s cybersecurity program dating back to 2018. This is the first time the SEC has charged a CISO in connection with alleged violations of the federal securities laws occurring within the scope of his or her cybersecurity functions. In doing so, the SEC has raised industry concerns that it intends to—with the benefit of 20/20 hindsight, but without the benefit of core cybersecurity expertise—dissect a CISO’s good-faith judgments in the aftermath of a cybersecurity incident, wield incidents to second-guess the design and effectiveness of a company’s entire cybersecurity program (including as it intersects with internal accounting controls designed to identify and prevent errors or inaccuracies in financial reporting) and related disclosures, and attempt to hold the CISO liable for any perceived failures.

The Commission’s approach threatens CISOs with personal liability for their good-faith efforts to fulfill their responsibilities and seemingly imposes broad accountability on CISOs for aspects of a company’s security posture and disclosures far beyond a CISO’s control. The SEC’s decision to target CISOs sets up an untenable internal tension between CISOs and their companies, including potentially forcing CISOs to demand cybersecurity structures, processes and headcount without concern for the appropriate balance of risk, security and business functions. The SEC’s approach also threatens to jeopardize national security; undermines the public-private partnerships and information sharing encouraged pre- and post-incident by agencies like the Cybersecurity and Infrastructure Security Agency (“CISA”), the Department of Homeland Security (“DHS”), the Department of Defense (“DoD”), the Department of Justice (“DOJ”) and the Federal Bureau of Investigation (“FBI”), as well as by the White House; heightens a victim company’s recovery challenges during a live incident; and, most relevant here, may reasonably cause the CISO community to consider whether serving in this essential function is worth running the risk of professional jeopardy even when they make good-faith efforts to devise cybersecurity programs, to accurately disclose material elements of those programs and to respond to incidents.

Rather than pursue this fraught path, and to provide the CISO community with clarity and reassurance that their good-faith decisions will not expose them to liability, we believe an urgent need has emerged for a regulatory framework of factors for the SEC to consider when evaluating whether to charge a CISO (or other executive responsible for running a company’s cybersecurity program) with violations of the federal securities laws for conduct arising out of his or her CISO duties. 

To that end, the CISO Framework described herein proposes that the Commission recognize the critical and evolving nature of the CISO role by focusing the question of CISO liability squarely on whether the CISO made good-faith efforts to perform his or her role. If the answer to that question is yes, CISO liability should never be appropriate, regardless of the Commission’s post-mortem view of the merits of the CISO’s performance.

The Outsized and Growing Expectations for CISOs

In the face of increasingly sophisticated cybersecurity threats, including national security concerns and new regulatory requirements, it is no longer sufficient for many companies’ information technology (“IT”) departments to be expected to handle all cybersecurity issues. Regulators now expect larger organizations to have a dedicated CISO to lead a separate information security function and to oversee, implement and enforce the information security program—both for company security and with respect to the security of its supply chain. CISOs are at the forefront of protecting their companies from emergent cybersecurity threats by implementing and enforcing policies and procedures designed to address the ever-evolving threat landscape, collaborating closely with law enforcement and other governmental authorities to protect national security interests and, at the same time, collating, evaluating and translating information that may need to be reported by others at the company in rapidly evolving situations to investors and the SEC.

CISOs must do all of these things while grappling with significant structural and logistical constraints. The CISO role traverses the broader technology and data worlds and must consider systems, technology and software. Companies’ senior management and board members may lack cybersecurity expertise (and may disagree on security priorities and disclosures) and non-security colleagues seeking more efficient ways to complete their work may resist cybersecurity policies and procedures. And even where business and technology are fully aligned, some cybersecurity elements can only be implemented in serial fashion and may require months, if not years, to complete. The SEC’s action against SolarWinds’ CISO seems to suggest that CISOs will also be held personally responsible for ensuring that all security-related controls required by Section 404(a) of the Sarbanes-Oxley Act of 2002 (“SOX”) regarding internal accounting controls are effectively designed and maintained. Effective cyber risk management thus requires a meaningful resource commitment and a cross-functional response that draws resources from the business, compliance, legal, privacy and other functions—but the SEC’s enforcement approach nonetheless appears to foist this responsibility first and foremost upon CISOs.

The rapidly increasing regulatory expectations compound a CISO’s expanding responsibilities. The DOJ, for example, “is working more closely with victim companies than ever before” and has emphasized that it is “mission critical” that government and industry work together to identify and share information about new risk streams and threat actors.

At the same time, the SEC is increasingly focused on cybersecurity from its own regulatory perspective, as demonstrated by its recently adopted rules on cybersecurity risk management, strategy, governance and incident reporting (“SEC cybersecurity rules”) that together impose an unprecedented mandatory cybersecurity disclosure regime including significantly expedited risk and incident disclosure. These disclosure obligations, which were not in place at the time of the Russian cyberattack against SolarWinds, may require crucial CISO involvement and leverage his or her judgment regarding the significance and scope of any risk or incident. Among other things, the new rules will require public companies to:

  • Make several disclosures related to cybersecurity risk-management programs in their public filings, including whether and how they assess, identify and manage material risks; whether the company engages any auditors, consultants or other third parties in connection with such processes; and whether the company has processes to oversee and identify third-party risk. Companies will need to disclose whether any risks for cybersecurity threats, current or historical, have materially affected or are likely to materially affect business strategy, operations or financial conditions.
  • Disclose certain information about a material cybersecurity incident within four business days of determining (without unreasonable delay) that a cybersecurity incident is material. In the Form 8-K, companies will be required to disclose material aspects of the nature, scope, timing and reasonably likely material impact of the incident on the company (including its financial condition and results of operations) to the extent the information is known at the time.

The new rules’ requirements for disclosures related to senior management’s and the board’s roles in managing and overseeing cybersecurity also increase expectations for CISOs. To the extent applicable, companies are expected to consider including in their disclosures details about which positions are responsible for managing cybersecurity risks, including the relevant expertise of such persons, the board members responsible for cybersecurity oversight and the process by which the board is informed of cybersecurity risks and management. CISOs will be essential to a company’s effective integration of these new SEC cybersecurity governance, risk management, and materiality and disclosure processes and requirements into existing policies and controls.

CISO Liability

Unsurprisingly, both the victim-focused national security workstreams and the more enforcement-focused obligations related to public disclosures and effective internal accounting and disclosure controls can require significant input from CISOs and, as demonstrated by the recent charges against SolarWinds’ CISO, expose CISOs to significant potential personal liability.

Even prior to promulgating the new rules, the Commission used its existing tools to bring enforcement actions against companies for allegedly deficient disclosures following cyberattacks. This precedent demonstrated that the Commission will probe pre-breach cybersecurity programs and post-breach response, driven by the theory that “cyberattacks often lead to securities law violations.” But the SEC’s choice to single out CISOs for potential personal liability is a particularly controversial step given that effective cyber risk management requires a cross-functional response and broad ownership that includes the board, management and the legal, compliance, IT and communications departments. For example, CISOs often report to chief information or chief technology officers, reflecting the need to balance security recommendations with the technology needs of a company. The SEC’s decision to focus on individuals like CISOs for liability purposes even where they conferred and worked in good faith with other stakeholders in the company undermines the notion that cybersecurity requires a whole-of-company effort.

And, importantly, the ever-evolving nature of cybersecurity means that CISOs must always evaluate the risk posed by any given threat or vulnerability—and the necessity of any remediation or disclosure—based on the imperfect information of the moment, knowing that by the time a risk evaluation is made, the information on which a CISO is basing any decisions will almost certainly have become stale because the threat often has changed. Enforcement actions against CISOs for alleged misconduct related to reasonable decision-making regarding cybersecurity programs and incident response and related disclosures will therefore discourage individuals from candidly communicating about these issues or, even worse, from becoming or continuing to act as CISOs at a time when the position is critically important to safeguard company and customer data to preserve shareholder value—for both business purposes and national security.

The CISO Framework

The CISO Framework proposed herein reflects the principle that the SEC should assess any potential CISO liability through the lens of whether the CISO took actions using good-faith efforts to fulfill his or her CISO-related responsibilities. This should be the beginning and end of the SEC’s analysis: even if, in hindsight, a CISO was mistaken or misguided, if he or she acted in good faith in developing the information security program or in executing an incident response, the SEC should decline to pursue individual charges.

Informing this CISO Framework are the SEC’s adjacent enforcement actions holding compliance gatekeepers like chief compliance officers (“CCOs”) personally liable for alleged compliance failures. Given the parallels in responsibilities and function within a company between CISOs and CCOs, a CISO liability framework should track the Commission’s longstanding, bipartisan position on the factors determining the appropriateness of charges against CCOs and the factors set forth in the New York City Bar Association Compliance Committee’s 2021 CCO liability framework (“NYC Bar Association’s CCO Framework”).

On October 24, 2023, the SEC Director of Enforcement Gurbir Grewal reiterated the three “rare” instances in which the Commission typically brings enforcement actions against a CCO: where he or she (i) “affirmatively participated in misconduct unrelated to the compliance function;” (ii) “misled regulators;” or (iii) “where there was a wholesale failure [] to carry out their compliance responsibilities.”

Following that model, we propose that SEC charges against a CISO are only appropriate when the CISO (i) was affirmatively involved in alleged misconduct unrelated to the cybersecurity function; (ii) sought to mislead or obstruct an SEC investigation; or (iii) where there is a “wholesale failure” of the CISO “in carrying out responsibilities that were clearly assigned to” him or her. Because no legitimate debate exists about potential CISO liability in connection with the first two categories, we focus for purposes of this CISO Framework on the “wholesale failure” category.

“Wholesale Failure:” Affirmative Factors in Favor of Liability

What is a wholesale failure, and when can it justify CISO liability? We propose that the following factors should govern Commission consideration of potential charges against a CISO in connection with a “wholesale failure” to perform his or her job function: (i) whether the CISO made a good-faith effort to fulfill his or her responsibilities; (ii) whether the alleged failure related to a fundamental or central aspect of a well-run cybersecurity program at the company; (iii) whether the alleged failure persisted over time; (iv) whether the SEC issued clear rules or guidance related to the alleged failure in advance of the time at which the alleged failure occurred; and (v) whether charging the CISO will help fulfill the SEC’s regulatory goals. Only where there is a legitimate question of whether the CISO made a good-faith effort to fulfill his or her responsibilities—as demonstrated by the CISO’s pursuit of education, engagement and execution around the company’s cybersecurity program—should the other factors even be weighed.

Prior to charging a CISO for alleged “wholesale failures,” the SEC should find that each of these factors was present and be prepared to clearly articulate them in the charging document to provide clear guidance and reassurance to the CISO community that individual liability was justified and was not simply the result of second-guessing good-faith judgments.

Did the CISO make a good-faith effort to carry out his or her responsibilities?

As noted above, the SEC should decline to pursue charges where a CISO made a good-faith effort to develop an information security program or execute an incident response. In assessing whether a CISO acted in good faith to animate the core functions of an information security program, the SEC should look to the fundamentals of proactive compliance recently set out by Director of Enforcement Grewal: education, engagement and execution.

Education is particularly important for CISOs, who face not only changing regulatory obligations but also an ever-evolving threat landscape coming from both individuals and nation-state actors. CISOs can take steps to educate themselves and employees about these developments by, for example, attending cybersecurity conferences to engage with other industry and government professionals and subscribing to newsletters and security bulletins. If engagement by a CCO is an attempt to “really engage with personnel inside [their] company’s different business units and to learn about their activities” and risks, a CISO can “engage” by, for example, implementing a risk-assessment and reporting program designed to identify and escalate cybersecurity risks across the enterprise, but ultimately, CISO engagement should be driven by industry standards around CISO best practices, which are constantly evolving. Execution contemplates that a CISO will seek to implement well-designed policies to underpin a cybersecurity program—but execution must be considered in light of the fact that implementing a cybersecurity program is a cross-functional effort involving many stakeholders and the balance of risk against business need.

To be clear, whether a CISO made good-faith efforts to discharge his or her duties cannot be based on ex-post analysis of how well the CISO weighed risks and red flags against the functioning of the business. As the SEC has stated, threat actors have been successful in attacking the “most robust institutions” including the Commission itself. This is because even the most robust institutions can never arrive at a perfect cybersecurity program—no institution will ever be without risk, and how risks are mitigated, addressed or managed requires enterprise-wide judgments based on, among other things, an evaluation of business risk tailored to the organization’s “different threats, different vulnerabilities, different risk tolerances.”

Did the alleged failure relate to a fundamental or central aspect of a well-run cybersecurity program at the company?

Even where a CISO is alleged to have failed to act in good faith, such a failure still should not be considered a “wholesale failure” sufficient for the Commission to consider whether personal liability may be appropriate unless it relates to a fundamental or central aspect of a company’s cybersecurity program. For example, a CISO should generally stay abreast of significant changes in the threat landscape, and a failure to do so might, depending on the circumstances, indicate a wholesale failure because it relates to a central aspect of a cybersecurity program.

However, before any security concern triggers escalation within an incident response plan, IT and security personnel need to investigate the concern, which might have been reported from any number of sources—including internal penetration tests, “white-hat” hackers who probe companies’ controls and inform them of findings in hopes of a bounty, and customer complaints. These employees must investigate complex issues and address novel attacks; a thorough investigation into a security incident will not always result in identification of the root cause or a solution. In this context, while a failure to maintain any process to triage and investigate might indicate a wholesale failure, the failure to identify a root cause or solution to a security concern following a good-faith investigation, or to identify that the concern may be a larger red flag than the investigation uncovers, simply cannot be viewed as a per se wholesale failure.

Did the alleged failure persist over time, and did the CISO have multiple opportunities to cure the alleged failure(s)?

In situations where there is an alleged failure to act in good faith that relates to a fundamental aspect of a cybersecurity program, the SEC should consider the extent to which that failure persisted over time and whether the CISO had opportunities to remediate it.

For example, many companies rely on software vendors, which in turn must constantly issue bug fixes and security patches to address vulnerabilities in their own software. Those vendors issue updates and explanations of the updates, and the company must decide whether to install the update, considering whether, in light of the risk profile presented, doing so will be particularly resource-intensive or disruptive to operations. If a CISO is repeatedly warned of an unpatched and actively exploited vulnerability in vendor software and ignores opportunities to patch it where the risk profile presented indicates that a patch is needed and where it is fully feasible to implement without significant business disruption, that may—depending on the broader context—indicate a failure to address a lapse despite the opportunity to do so.

However, not all risks can or should be addressed, and good-faith decisions to accept a persistent risk should not be a basis for liability, even where that risk later manifests. Because cybersecurity resources are always finite, threats are constantly evolving, and cybersecurity is necessarily balanced against other legitimate interests and requires cross-functional coordination and alignment, the aim of a cybersecurity program is “continuous improvement,” not perfection. As a result, “insufficient” steps alone should never be the basis for individual liability—i.e., taking steps, even if judged with the benefit of hindsight to have been “insufficient,” is not a “wholesale failure.”

Did the SEC issue clear rules or guidance related to the alleged failure in advance of the time at which the alleged failure occurred?

Where guidance exists regarding the alleged wholesale failure of a fundamental aspect of a cybersecurity program, such as rules and regulations that clearly highlight regulatory expectations and what would constitute violative conduct, the presence of that guidance may weigh in favor of liability. But where CISOs and their corporate stakeholder partners work to interpret relevant laws or standards “about which reasonable minds can differ – or laws or rules for which there exists no or little relevant guidance from regulators,” individual liability should not be premised upon a view that the CISO’s interpretation was “incorrect with the benefit of hindsight.” Applying the NYC Bar Association’s CCO Framework to CISOs, we suggest that “individual liability should not be used in enforcement actions or settlements intended to introduce a new rule or clarify the interpretation of prior rules.”

Does charging the CISO help fulfill the SEC’s regulatory goals?

An SEC charge, particularly against an individual, must always serve the SEC’s regulatory mission to protect investors. Hindsight determinations of cybersecurity shortcomings that reevaluate decisions that were made by qualified cybersecurity personnel—particularly because the success of a cybersecurity program requires a whole-of-company approach and board-level ownership—threaten to punish good-faith efforts and potentially harm investors (and national security) in the longer term by driving qualified cybersecurity professionals away from CISO positions and chilling necessary internal communication between CISOs and their security teams as well as between CISOs and broader company governance functions.

Now that the SEC has brought its first case against a CISO, CISOs will naturally start to weigh their own potential liability under the federal securities laws in any decision that they make as part of their cybersecurity function. In a field that requires continuous improvement to guard against changing and increasing threats, CISOs may hesitate to have their teams document or report internal practices that can be improved—or to communicate candidly about weaknesses or areas for improvement—fearing that regulators will in hindsight argue that such identified issues demonstrate that the CISO was on notice of the deficiencies and/or that identified weaknesses enabled any subsequent cybersecurity attacks. CISOs may determine that the only safe position is to treat every risk, no matter how remote, as critical, pitting CISOs against other stakeholders in a constant and untenable battle for resources and unnecessarily escalating every risk.

Given these concerns, the SEC must consider the ultimate effects that investigating and charging CISOs may have on the interests of investors. For example, issuers are expected to disclose “whatever information is necessary, based on their facts and circumstances, for a reasonable investor to understand their cybersecurity processes.” Companies already face a challenging task when deciding what to disclose about the state of their cybersecurity programs: too much detail can provide a roadmap for attackers looking to capitalize on weaknesses in cybersecurity. The threat of personal liability may push CISOs to advocate for over-disclosure, regardless of the risk. Enforcement actions that have the perverse effect of making companies less safe through over-disclosure will undermine the Commission’s regulatory goals.

Taken together, the above-detailed factors would require the SEC to decline to pursue enforcement actions against a CISO where the CISO made good-faith efforts to fulfill his or her responsibilities. Where, however, a CISO is alleged not to have made good-faith efforts to fulfill his or her responsibilities, liability may be warranted if: (i) the alleged failure related to a fundamental or central aspect of a well-run cybersecurity program at the company; (ii) the alleged failure persisted over time; (iii) the SEC issued clear rules or guidance related to the alleged failure in advance of the time at which the alleged failure occurred; and (iv) charging the CISO will help fulfill the SEC’s regulatory goals.

Mitigating Factors

Even where sufficient affirmative factors are present to warrant the SEC considering whether to charge a CISO, the SEC should next consider mitigating factors.

Did the CISO timely and transparently escalate the issue to other stakeholders?

The Commission should consider whether the CISO timely and transparently escalated known issues to other stakeholders. Having determined that a risk manifested or a breach occurred, the fact that a CISO actively raised the issue to security stakeholders like senior management and/or the board should weigh against personal liability, even where the CISO had previously exhibited a “wholesale failure” to act, as outlined above. Post-breach collaboration and information sharing are critical for a company’s compliance with the federal securities laws as well as to collective cybersecurity defense for national security purposes and for raising awareness of other potential targets. Internal escalation of known issues is critical to the success of that collaboration and should be encouraged by considering it as a mitigating factor for a CISO’s personal liability.

Did structural or resource challenges hinder the CISO’s performance?

The SEC should also consider among potential mitigating factors whether the CISO was operating against structural or resource challenges that may have hindered his or her performance. As noted above, a sound information security program requires a whole-company approach. A CISO cannot be expected to evaluate, educate and execute a functioning program singlehandedly. CISOs require resources, cooperation from internal stakeholders and decision-making authority, and the SEC should consider whether and how a company’s organizational structure affects that coordination or a CISO’s empowerment.

Again, personal liability should never be appropriate where a CISO acted in good faith, but even where there is an alleged persistent failure to act in good faith in connection with a fundamental aspect of the cybersecurity program, the SEC should consider the extent to which a CISO had access to sufficient resources and budget to address security issues or was burdened by competing functions and obligations, whether due to insufficient budgeting, staffing, or poorly defined or designated responsibilities—or as a result of a deliberate management decision to embrace a relatively high-risk tolerance.

Similar to how DOJ evaluates the extent to which corporate compliance programs are adequately resourced and empowered to function effectively, the SEC should consider the CISO’s support structure and the company’s risk posture when contemplating charging a CISO for a wholesale failure.

Conclusion

Given the SEC’s recent charges against the SolarWinds CISO and the discordant public statements made by SEC staff that the Commission does “not second-guess good faith judgments of compliance personnel made after reasonable inquiry and analysis,” we propose the above-described CISO liability framework that turns on whether the CISO made good-faith efforts to execute his or her duties. Imposing such a framework would instill greater transparency, accountability and predictability in the way the SEC contemplates charging CISOs.