Managing these risks at a single company should be straightforward. Executives and CISOs may be personally held accountable for cyber failings, negligence, breaches, and inadequate disclosure around cyber vulnerabilities and incidents. Further, a CISO may be left with a choice: face prosecution or blow the whistle.
However, the risk calculation changes significantly if risk needs to be managed across a portfolio of companies. First, if cybersecurity risks are managed at the fund level, visibility of the portfolio business may be limited. Second, by nature, portfolio company networks are independent and the cyber protections in place are not, and cannot be, uniform. For example, a direct-to-consumer company has a very different cyber posture than a critical infrastructure supplier with B2B sales. Rarely is a one size fits all approach across a portfolio appropriate. Indeed, a failure to adjust based on a portfolio company’s cyber risk profile may itself be grounds for enforcement because such an approach can be deemed unreasonable.
Moreover, cyber personnel at the fund or private equity level and those at the portfolio company level may not see eye-to-eye on how to manage risk. Indeed, the question of which party is the ultimate decision-maker on how to manage risk can be cause for disagreement – especially in a breach scenario.
Personal liability for data breaches: Chief Information Security Officers and other executives
The specter of personal liability starts with two cases. The first was Uber, where its CISO was charged and eventually convicted for his actions in connection with a 2016 data breach and consent decree. There, a jury found the CISO guilty of obstructing an FTC investigation and concealing a felony. Later, the FTC held the former CEO of Drizly personally responsible for the company’s security failures. In that matter, the Company and CEO were both fined and are subject to the FTC order, which requires a data disposition program, minimizing data collection, and implementing a data security program.
Interestingly, the “Drizly penalty” follows the CEO; per the FTC press release, the CEO “will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO, or senior officer with information security responsibilities." Taken together, the cases show an appetite for enforcement aimed at individuals responsible for privacy and cybersecurity.
Notwithstanding, the Solarwinds case still manages to roil executives and CISOs. In Solarwinds, issues were generally reported in a manner that accorded with industry norms: Solarwinds made routine statements about cyber risks and its adherence to widely accepted cybersecurity standards like NIST. The root cause of their 2020 incident was a sophisticated attack carried out by a state-sponsored actor. While professionals can disagree about whether better security controls could have prevented this specific attack, it is uncontroversial and accepted that state sponsored threat actors are extremely difficult to defend against, even with a best-in-class cyber program. Accordingly, it was a bit of a shock when the SEC unveiled charges against the Solarwinds CISO personally. Many CISOs, who are committed to protecting companies, believed there was nothing to indicate the Solarwinds CISO had acted in bad faith. On the contrary, many observers believe there were earnest attempts to shed light on the company's vulnerabilities and needs before the incident occurred.
Given those facts, CISOs are left with questions - will their professional choices withstand SEC scrutiny? If a breach occurs will they be left carrying the can? And where do they turn if their warnings aren't heeded? In some of these instances CISOs or executives with access to this type of information might be inclined to cooperate with investigators or proactively blow the whistle on what they perceive as sub-par cyber practices.
In the private equity context, particularly when more than one CISO may be involved in cyber risk decisions, this issue takes on a new layer of complexity. What if risk has been disclosed at the company level but not to the fund? What if those CISOs disagree? What if regulators, or even investors, assert that the private equity firm underinvested in cybersecurity across the portfolio? Or made decisions to hasten an exit or make a portfolio more attractive on a balance sheet? It is very easy to see how the nature of the relationship can work against CISOs, especially in circumstances like data breaches where cooperation is critical.
Data breach whistleblowing on the rise
Even though few cases are public, privately, companies are dealing with cyber whistleblowers more often. Many whistleblowers fall into tried-and-true categories - disgruntled employees, anonymous tips, and individuals with genuine information on corporate wrongdoing. These investigations conform with the norms of internal investigations - allegations are investigated and vetted, conclusions are drawn, and actions are taken. But alongside this sort of case is the CISO or employee caught in the fog of a breach. In these circumstances, CISOs are left to wonder how their actions before, during, and after a breach will be viewed in the light of day; after the breach and investigations, public reporting, and the litigation has settled.
What we are seeing in the latter are two trends. First, the risk of leaks or whistleblowing during a high profile cyber incident are acute. Rather than wait for the incident to resolve, individuals with inside information are coming forward to preempt accusations that they were negligent with respect to the causes of the breach – even before the causes of that breach have been confirmed. This often means inside, confidential information about an ongoing incident is leaked to the press or investigators. While this is not necessarily done in bad faith, it often results in notice to regulators and third parties without the full scope, or even accurate scope, of the facts. We have seen numerous examples where individuals with incomplete information misidentify the threat actors who perpetrated an event. In some cases, leaks link attacks to state-actors when there is no evidence to support that claim. Nonetheless, even incorrect information can compromise decision-making processes or compel companies to make incomplete or unnecessary disclosures. This is especially true in breach cases where crucial decisions that affect companies and investors are being made on compressed timelines or where sensitive negotiations with threat actors may be ongoing.
Second, we are seeing CISOs reevaluate their personal risk after a breach. Because personal liability is a real possibility, the tenor of conversations with executives and investors may change. By extension, there is a definite chill in the CISO community -- a general feeling that a hard job just got a lot harder. In more extreme cases, we may see some cyber professionals take matters into their own hands to avoid allegations of wrongdoing down the line. The result is a choice to provide information to investigators especially where they feel there is a risk of personal liability.
How to handle these risks now
Don’t wait to be in this situation during a crisis. Executives know that breaches are joining the list of things you can be certain of - death, taxes, and data breaches. There are key steps to take now:
- Have ways for employees to report and escalate – at the company and to the fund. Think of what sort of risks should be handled by the portfolio company and which need to be escalated. Foremost, companies should have hotlines and protocols for individuals who want to make good faith complaints. Those protocols should evaluate and address those concerns quickly. Companies that can demonstrate they have a track record of responding to these complaints will be in a better position.
- Plan. Breach plans should address the potential for leaks and whistleblowing. Plans should also be clear about who makes key decisions during data breaches and who has the authority on cyber risk management. This should include setting up clear controls around how information is shared and disseminated – what, if any, information should be shared with the private equity group. Companies should also consider who will speak on behalf of the company and how they will respond.
- Compliance. Cyber programs should be able to demonstrate mature and systematic approaches to risk. Specific disclosures about how risks are managed should be communicated with specificity to the board. If compliance programs are managed centrally, make sure adjustments are made to account for a portfolio companies specific risk profile.
- D&O Coverage. CISOs, especially at portfolio companies, should understand whether they are covered for investigations and cases related to cyber whistleblowing. We have seen disputes about whether CISO's and other employees are covered. Indeed, if considering a job in this space, ask how and whether these policies offer coverage. Remember, insurance is not a cyber risk management strategy.
- Communication Protocols. Establish clear lines of communication during incidents. There should be clear expectations about what information stays with the portfolio company and what is shared with investors and the private equity company. Importantly, understand how to maintain privilege over communications and work product in this relationship as sharing too much could lead to waiver. Information should be controlled and limited to people working on the incident. In a surprising number of cases, leaks come from individuals who should not or do not have access to the information in the first place.
- Reporting. Be decisive and clear about how cyber risks are reported to investors and executives. Consider who is tasked with reporting these issues and make sure the person reporting understands the issues and clearly communicates the risk to a non-technical audience.
Undoubtedly, these charges are an inflection point. They will change the way boards, executives, investors, portfolio companies, and CISOs approach and communicate about cyber risk. Yet, these developments are an opportunity to recognize and fix issues before a breach occurs. (There is no reason to find out what your insurance policies say after an incident…). Indeed, clarity around these issues can empower more open communication and greater investment in cybersecurity and technology across an entire portfolio.
Also, we should view the trajectory of these cases in conjunction with the SECs new rules around disclosures following cyber incidents. For nearly a decade, we have watched companies sidestep reporting breaches and cybersecurity issues. We have also witnessed a failure to pass a meaningful federal privacy law and a relatively quiet enforcement environment. Or at least one that has been very focused on a handful of companies. A combination of actions from the SEC and FTC demonstrate that the environment is heating up, even in the absence of a federal law. And even in private capital markets.