Cybersecurity: A Personal CEO Liability

Published by Axio

“The analyst firm [Gartner] expects liability for cyber-physical systems (CPSs) incidents will pierce the corporate veil to personal liability for 75% of CEOs”. By 2024 the report predicts 75% of CEOs will be personally liable for cybersecurity incidents. This means that insurance policies will no longer be able to cover the costs and damages related to a cyber incident. CEO personal liability will lead to significant financial and reputational repercussions in the event of a cyber incident.

Cybersecurity is Shifting to an Enterprise Issue

Previously, it was not the norm for CEOs to be directly responsible for cyberattacks. For example, when Equifax fell victim to one of these incidents, Moody’s downgraded their credit rating and their CIO was jailed for insider trading. Despite the fact that this attack affected 143 million consumers, no other executives were held liable. However, their CEO did resign due to the backlash the company received after the data breach. Target was a victim of a data breach in 2013 and their CEO at the time, Gregg Steinhafel resigned a few months following. In addition to reputational damage, CEOs may soon be personally liable for these cyberattacks.

With the increase in physically connected devices whose function are essential for public livelihood, CEO personal liability is not far-fetched. In particular, when it comes to cyber-physical systems (CPS) for critical infrastructure, successful cyberattacks can lead to physical damage and put human lives at stake. The interconnectedness of CPS also leads to third party impacts – both physical and financial. Some examples include mechanical breakdowns, destruction of others’ machinery and equipment or bodily harm to individuals outside of your organization. This type of widespread impact from a cyber event contributes to the shift towards CEO personal liability.

There’s an overall push for more regulation and cybersecurity requirements. For example, the US Cyber Solarium Commission is advocating for the addition of cybersecurity reporting requirements in the Sarbanes Oxley Act. They also recommend the creation of the Bureau of Cyber Statistics. This bureau with help, informs policy making and collaborates with NIST to establish significant cyber metrics and data about cyberattacks. With more policies and agencies in place, it’s important for CEOs to make cybersecurity management a priority.

The CEO and Board Relationship Needs to be Strengthened

This increase in CEO personal liability may not necessarily be a bad thing. Having a CEO more in touch with cyber risk can set an example for a culture that empowers cybersecurity. This shift can show that cybersecurity is not just a concern for those on the technology side of the business. This shift can be the bridge between OT and IT, breaking down silos between the functions raising awareness around cyberattacks.

With so much on their plate, CEOs need a cybersecurity management system that helps them understand their risk. That means a system that can identify short comings in their system, plan and address those deficiencies and quantify the impact of potential events. Cyber leaders will need to show CEOs return on investment for all the controls and insurance they buy. If these new regulations are implemented, the board will also be expecting a comprehensive brief from the CEO about their cyber posture.

How CEOs can Cover Their Bases with Axio360

A comprehensive tool that manages your cybersecurity program effectively, Axio360 can enable CEOs to secure their organization. With a variety of features, our platform gives visibility across the different functions in an enterprise. One of our features – the board report can give confidence to the board that the CEO and cyber leaders are managing their cyber risk well. This report can help the board pass the “duty of care” test so that they can answer to shareholders. Our milestones feature can show progress over time. That way as a CEO, you can quickly tell how much you’ve improved, and which areas still need work. Lastly, users can consolidate the different assessments across different functions into an aggregate dashboard providing visibility across the enterprise. Allow Axio360 to be the tool for securing against cyberattacks.