Gartner Warns CEOs Will be Personally Liable for Breaches by 2024

Cyberattacks against connected devices that have an impact on the physical world are not yet a commonplace occurrence, but they are very much in the realm of possibility. Hijacked medical devices may be unable to dispense life-saving drugs, or a connected car could receive instructions to crash itself and potentially injure the human passenger inside.

Changes in the regulatory climate could leave CEOs and other senior executives personally liable for not adequately securing connected systems, Gartner said. By 2024, as many as 75 percent of CEOs could be held liable for data breaches if it is found that the incidents occurred because the organization did not focus on cybersecurity or invest sufficiently in security, and a security breach or incident led to actual physical consequences, the research firm said in a research note.

“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs (cyber-physical systems), drastically increasing rules and regulations governing them,” said Katell Thielemann, a research vice president at Gartner.

Gartner defined cyber-physical systems (CPSs), such as the Internet of Things and operational technology, as systems “engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world, including humans.” The list of CPSs includes manufacturing equipment and power grid infrastructure, smart buildings and cities, and connected and autonomous vehicles.

Shift to Physical

Gartner's note focused on the fact that cyberattacks on CPSs could eventually go beyond online disruptions to lead to human fatalities and property damage. Ransomware, for example, evolved from being a digital annoyance when consumers lost personal documents and photographs to life-threatening attacks capable of crippling hospital operations and disrupting patient care.

The financial impact of CPS attacks resulting in casualties to human life will reach over $50 billion by 2023, Gartner predicted.

“The more connected CPSs are, the higher the likelihood of an incident occurring,” Thielemann said.

Attacks against CPSs will increase drastically over the next few years, but many enterprises are not even aware of the CPSs deployed within their networks, Thielemann said. There could be many reasons, such as legacy systems connected to the network and managed by non-IT teams, or because the system was set up as part of a business-driven initiative without IT involvement. Technology leaders need to help CEOs understand the risks posed by CPSs as well as the necessity of stepping up investments to secure these systems.

“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” Thielemann said.

Regulatory Change

For Gartner's prediction to come about, there would need to be significant change in current laws, both to define criminal penalties and to give regulators sufficient enforcement powers. No one, to date, has gone to jail for security failures. Equifax’s massive data breach affected 143 million consumers, and the company faced lawsuits, regulatory fines, and Congressional scrutiny. Only one person went to jail, but that was the chief information officer, and he went to jail for insider trading that occurred after the breach. No one else in senior management was held liable for the mistakes that led to the breach, or for how it was handled afterwards. All the major data breaches—Equifax, Target, Marriott, to name a few—of the past few years led to regulatory fines and costly changes to the organization's security program, but not much else.

"If history is any guide, @Marriott’s mega data breach will be treated like all the others: the company will apologize & offer useless credit monitoring to the victims impacted. The status quo isn’t working," Sen. Ron Wyden (D-Oregon) wrote on Twitter back in 2018 after Marriott announced its data breach.

Wyden sought to impose real punishments on companies and their executives with the Consumer Data Protection Act of 2018, which would have sent senior executives—chief executive officers, chief privacy officers, chief information security officers—to jail for security and privacy failures. The proposed legislation called for establishing minimum privacy and security standards for organizations to follow; establishing a national Do Not Track system to allow consumers to opt out of online data collection and sharing; and giving consumers a way to review the data companies hold about them and correct inaccuracies. Organizations would potentially have faced fines of up to 4 percent of annual revenue on a first offense, and senior executives 10-20 year criminal penalties, for not safeguarding privacy or providing adequate security.

The Corporate Executive Accountability Act proposed by Sen. Elizabeth Warren (D-Mass.) sought "criminal liability for negligent executive officers" of companies if it came out that company actions led to a data breach affecting "personal data of 1 percent of the U.S. population or 1 percent of the population of any state.”

"Corporations don't make decisions, people do, but for far too long, CEOs of giant corporations that break the law have been able to walk away, while consumers who are harmed are left picking up the pieces," Warren said when she announced the bill.

Consumers can sue organizations for failing to safeguard personal information, but they are the ones grappling with the long-term impact of having their personal and healthcare data stolen. Organizations move on with their reputations a little dented, but still intact. In fact, CEOs "were more likely to receive an increase in total and incentive pay several years after a security breach," Warwick Business School found in a 2019 study which examined data breaches in the United States between 2004 and 2016.

There are clear signs that regulators are paying attention. Last year, the Government Accountability Office said the Federal Trade Commission and Consumer Financial Protection Bureau should be given authority to improve oversight of companies like Equifax and punish them when they violate the public trust.

Just last month, the U.S. District Court in San Francisco announced criminal charges against Joe Sullivan, the former CISO of Uber, for covering up the 2016 data breach at the ride-sharing company which affected 57 million drivers and users. The charges are the first against an executive for actions related to a company's security incident.

Companies aren't going to make changes on their own to hold executives accountable for data breaches. There have been shareholder proposals at Disney and Verizon to connect CEO pay to cybersecurity. The companies recommended voting against the proposals, and that was that. But there are signs things may be changing, and Gartner seems to think that the changes aren't all that far off.