Vol 46: Issue 1 | March 2023
Back in 2015, lawyers writing for Bloomberg Law described C-level security officers as the natural targets of post-breach lawsuits. They forecast that it would only be a matter of time before liability claims were routinely extended to senior in-house stakeholders, with the security executive (whether that role is titled CIO, CISO, CSO or CTO in a given organisation) in a starring role. More recently, Paul Bergman, a US-based cyber commentator, posted on LinkedIn:
“The courts are raising the bar on personal liability for executives and board members and there are a growing number of cases in which the CISO is the scapegoat after cybersecurity incidents”.
The predictions were correct. Scapegoat or otherwise, Uber’s former security officer Joe Sullivan is thought to be the first cybersecurity leader to face criminal charges in this context. Last year, in San Francisco federal court, he was found guilty of obstruction of justice and failure to report a crime (misprision of felony), following a 2016 hack that exposed the email addresses and phone numbers of 57 million drivers and passengers.
More cases have followed and, while there haven’t been any in APAC so far, this is highly likely to change. Law firms including Maurice Blackburn and Slater & Gordon are investigating potential class actions against Medibank and Optus following last year’s highly publicised breaches. If legal action goes ahead, their security officers might be named.
“Directors and officers in Australia and New Zealand are more likely to be held to account for their acts or omissions than those in other APAC countries,” says Patrick Boardman, a partner at Clyde & Co. in Sydney. “For example, ASIC recently brought proceedings against senior officers and the entire board of Star Casino for an alleged breach of duty in failing to protect the company from significant risks to its business.”
When are officers liable?
When a major cyberattack occurs, a forensic review takes place to ascertain how it occurred and whether the attack or its consequences could have been avoided.
“This will always put the spotlight on the activities of the CIO and whether they have fulfilled their duty,” says Boardman. “The potential for both a review and liability will increase with the size of the loss incurred, though liability will always be based on loss arising from their breach of duty rather than loss caused by the attack itself.”
There has been an ongoing debate as to whether D&O insurance should cover cyber risks.
“The prevailing view is that it should, as the basis of any claim is the breach of the officer’s duty,” says Boardman. “This is the exact risk that D&O insurance is meant for and intended to cover.”
However, cyber insurance can also provide some protection. “Cyber insurance generally covers a range of both first-party losses such as breach costs, forensic investigations and business income loss, and third-party losses including regulatory proceedings, fines and penalties against the company, its directors, officers or employees,” says Bill Hassos, head of financial lines, Zurich Australia & New Zealand.
Some D&O insurers work closely with their cyber underwriters when they’re evaluating a company’s cyber exposure.
“They’re relying in part on how well companies satisfy cyber insurance underwriters in their assessment of the D&O risk,” says Boardman.
Bergman urges CIOs to ensure they are named on both D&O and cyber policies.
“Don’t assume you’re covered,” he writes. “It’s often difficult to establish if a CISO/CIO/CTO is an officer or director of the company. You may be on the executive team and sit in on the board meetings but that doesn’t make you an officer. Get your name on the policy, or at least your title if you can clearly prove that is your position.”
Prevention is the best protection
As with any risk, prevention is the best protection.
“Companies should continuously conduct cyber risk assessments and training, and analyse core business processes for cyber exposures,” says Hassos. “This can be completed independently by cyber risk engineers. Companies should have a well-documented cybersecurity strategy; robust risk management, policies and procedures; management metrics for cybersecurity; and an experienced and well-resourced information security officer is also crucial for modern businesses.”
Boardman points out that a CIO must advise the board and make recommendations to it, so that it is fully informed when making budget decisions. The CIO may, however, be constrained by the budget that is ultimately allocated.
“A good paper trail of their considerations and advice could be invaluable in the defence of a claim,” he says.
Security leaders facing court
Uber’s former head of security
Joe Sullivan faces up to eight years in prison after being found guilty of hiding a data breach from the authorities. He paid the hacker US$100,000 to destroy all evidence that they had accessed the personal information of 57 million Uber users.
CIO of the US Office of Personnel Management
Donna Seymour is facing a class action lawsuit for her role in failing to protect the personal data of past and present employees. At least 21.5 million people had information including their addresses and their legal, health, mental and financial history exposed.
CISO of SolarWinds
After the SolarWinds attack became public in late 2020, the company’s share price fell from almost US$25 per share to less than US$15 per share in a week. Shareholders sued the company, with CISO Tim Brown named in the action.
Potential for liability
Patrick Boardman from Clyde & Co. outlines five ways that CIO liability could arise:
- Regulatory investigations, prosecutions and claims.
- Consequential losses by third parties, customers or persons affected by the cyber breach.
- Claims for the loss sustained by the company, including derivative actions or subrogated actions by a cyber insurer.
- Shareholder claims arising from any resultant fall in the share price following a cyberattack.
- Claims by directors for contribution or indemnity.