By Charles Shugg, Brig Gen, USAF (Retired)
Partner | Chief Operating Officer
Sylint Group, Incorporated
Session P6: Cyber Security Due Diligence: Will You Be the One to Save Your Company & CEO From Disaster
September 15, 2019, 8:45-10:15 AM
Could you ever imagine that one of your duties as a Corporate Ethics and Compliance Officer was to ensure your CEO is not fired because of their inadequate due diligence? How about ensuring your CEO does not go to jail due to their failure to perform due diligence regarding a cyber breach? There are plenty of historical instances of C-Staff and CEOs losing their jobs after a major cyber incident, including Target, Sony Pictures (Co-Chairman) and Equifax. So why would anyone think a CEO should be held responsible for a cybersecurity breach to the point of having to resign or even serve jail time?
First, the risk and potential impact of a cybersecurity breach makes this issue a top priority for the entire business operation, and not merely a stovepipe issue for IT or the CIO. As CEOs continue to take on more responsibility for oversight of cybersecurity and its budget, Boards and shareholders are also demanding more accountability. How much accountability will the public eventually demand? A glimpse into a legislative proposal by Senator Elizabeth Warren (D-Massachusetts) might provide some shocking insight.
On the 3rd of April 2019, Senator Warren announced that she was proposing legislation to ensure CEOs whose companies are involved in massive data breaches are held accountable in ways not seen before. Senator Warren’s legislation is called the Corporate Executive Accountability Act and would impose jail time for violations. Violations would be defined as those who “negligently permit or fail to prevent” (read as lack of due diligence) a “violation of the law” (read as a malicious cyber breach) that “affects the health, safety, finances or personal data” of 1% of the population of any state. The proposed legislation recommends up to one (1) year in prison for the CEO if it is their first offense, with repeat offenders getting as much as three (3) years. This penalty has constraints, as it would only apply to companies that generate more than $1 billion in annual revenue (for perspective, Equifax generated $3.4 billion in revenues in 2017). To appease those who think this prospective legislation might be too harsh, the authors added a clause that a company would also have to be either convicted of violating a law or have settled a claim with a state or federal regulator (Equifax signed a consent decree with state regulators in 2018). And if one thinks this type of legislation is too far outside the norm of reality, Senator Ron Wyden (D-Oregon) is proposing an even harsher legislative bill regarding data privacy that would recommend up to twenty (20) years of prison for corporate executives who violate their customers’ privacy.
Now back to reality: just because a company may suffer a substantial cybersecurity breach does not necessarily mean their CEO must be fired (or fined or jailed). In truth, there is no such thing as perfect security or an impermeable cyber defense. However, that does not relieve the CEO, or the rest of the Senior Management team, of the responsibility to mitigate the risk of a cybersecurity incident and the potential damage it could inflict upon the operations of the company. It is within the CEO’s skill set to assess the overall, or enterprise, risk and impact of a significant cybersecurity breach on their organization. However, with so many other responsibilities, a CEO needs a trusted staff member who fully comprehends the ramifications of non-compliance and the true meaning of due diligence, and who has the ability to incorporate mitigation actions into plans, processes and procedures. The overall goal is to ensure the CEO does not unwittingly get off track, to the detriment of themselves and the overall organization, during a crisis scenario that has not been well thought out or previously discussed. Corporate Ethics and Compliance Officers have the knowledge and skill set to recognize and ensure that a comprehensive, detailed plan is in place that outlines processes and responsibilities for a significant cybersecurity incident. It should be within their purview to ensure there is an appointed response team and that it exercises regularly to confirm the plan’s effectiveness.
It is a fact of life that CEOs get fired from time to time. However, it should never happen because a CEO’s staff did not adequately prepare their organization for a potential major cybersecurity incident. Corporate Ethics and Compliance Officers can ensure a major cybersecurity incident is not the weakest link in the organization’s sustainability and survivability.