The New Norm in Cybersecurity: Holding the Board and CISO Personally Responsible and Liable for the company’s cybersecurity measures

by Filip Talac, Corax Cyber Inc.
14 Apr 2025, Houston, Texas

In today’s fast-changing digital world, cybersecurity is a critical issue for businesses in every sector. The recent ransomware incident targeting Change Healthcare, a subsidiary of UnitedHealth Group (UHG), underscores the pressing requirement for strong cybersecurity protocols and accountability from top corporate governance. This event, alongside the significant SEC case regarding SolarWinds, sets a new benchmark in cybersecurity: making the board and Chief Information Security Officer (CISO) responsible.

The UHG Cybersecurity Breach: A Case Study

On February 21, 2024, UHG announced a ransomware attack on its subsidiary, Change Healthcare. This attack resulted in widespread service outages, significantly impacting patients, healthcare providers, and even national security. Patients were unable to collect prescriptions, and some healthcare providers had to close or reduce their hours due to the disruption. Furthermore, sensitive health data, including information on military personnel and U.S. government employees, was stolen, posing considerable risks to national security.

The root cause of this breach was UHG’s failure to implement industry-standard cybersecurity practices, particularly multi-factor authentication (MFA). Hackers gained access through a remote server that lacked MFA, a basic yet crucial cybersecurity measure. This oversight, compounded by the company’s inadequate planning for ransomware attacks and a lack of resilient technological infrastructure, led to catastrophic consequences. Some experts in the field estimate that the cost of UHG’s cyberattack will amount to at least $1 billion.

Comparing UHG to SolarWinds

The UHG breach bears striking similarities to the infamous SolarWinds incident. In 2020, Russian hackers infiltrated SolarWinds’ Orion software, resulting in a massive breach that affected approximately 18,000 organizations, including several U.S. government agencies and major corporations. The SEC’s subsequent lawsuit against SolarWinds and its CISO, Timothy Brown, marked a significant shift in regulatory enforcement. The SEC not only cited deficiencies in SolarWinds’ internal controls but also accused the company of making fraudulent statements regarding its cybersecurity practices.

SolarWinds claimed compliance with the NIST Framework and strong password policies; however, internal documents revealed significant gaps. The SEC’s actions highlighted the importance of honest and transparent cybersecurity disclosures while setting a precedent for holding individuals accountable for organizational cybersecurity failures.

The SEC’s New Cybersecurity Disclosure Rules

In response to growing cybersecurity threats, the SEC adopted new cybersecurity disclosure rules on July 26, 2023. These rules, which took effect on September 5, 2023, require registrants to disclose their cybersecurity risk management, strategy, and governance in their annual Form 10-K and Form 20-F reports. Additionally, they mandate the reporting of material cybersecurity incidents within four business days on Form 8-K and Form 6-K.

The SEC’s emphasis on transparency and accountability seeks to provide investors with a clear insight into a company’s cybersecurity position. These regulations are designed to mitigate the risk of significant financial and reputational damage by requiring detailed disclosures and timely reporting of incidents.

Personal Liability of Upper Management: The New Norm

One of the most significant shifts highlighted by these cases is the growing trend of holding upper management personally liable for cybersecurity failures. In the SolarWinds case, the SEC named CISO Timothy Brown as a defendant, establishing a precedent for personal liability in cybersecurity breaches. This trend is gaining momentum, as boards and senior executives are increasingly held accountable for their companies’ cybersecurity practices.

The recent letter from a U.S. senator to the chairs of the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) underscores this trend. The senator’s letter urged these agencies to investigate UHG’s inadequate cybersecurity practices and hold its senior executives and board of directors accountable for the incident. This call for accountability highlights the increasing expectation that leadership must ensure strong cybersecurity measures are implemented and effectively managed.

Potential Outcomes for UHG

Given the SEC’s aggressive stance in the SolarWinds case, UHG is likely to face similar scrutiny. The SEC may investigate UHG’s cybersecurity failures, focusing on the absence of MFA, insufficient incident response planning, and the appointment of an unqualified CISO. If UHG is found to have made misleading statements about its cybersecurity practices or to have failed to meet regulatory standards, both the company and its senior officials could face significant penalties.

The SolarWinds case also underscored the potential for fraud allegations in cybersecurity incidents. If UHG’s disclosures about its cybersecurity measures are misleading, the company could be liable under Rule 10b-5, which prohibits deceptive practices related to the purchase or sale of securities. This could lead to significant legal and financial repercussions, including class-action lawsuits from affected parties.

Are Senior Managers’ Positions in Jeopardy?

The rising trend of holding senior managers personally liable for cybersecurity failures raises an important question: Are senior managers’ positions at risk? The answer is increasingly yes. As regulatory bodies like the SEC and FTC adopt a more aggressive stance on cybersecurity, the personal liability of upper management is becoming standard. Senior executives and board members must be well-informed about their company’s cybersecurity practices and take proactive steps to mitigate risks.

Lessons Learned and Best Practices

The UHG and SolarWinds cases emphasize the necessity of holding the board and CISO accountable for cybersecurity. Organizations must ensure their cybersecurity leaders are qualified and that they establish robust, industry-standard defenses. Transparency in cybersecurity disclosures is crucial for maintaining investor trust and preventing legal pitfalls.

Implementing comprehensive cybersecurity frameworks, such as ISO 27001, and adopting best practices like MFA and regular security audits can significantly enhance an organization’s cybersecurity posture. Furthermore, the SEC’s new disclosure rules provide a clear framework for reporting and managing cybersecurity risks, ensuring that companies are better prepared to handle incidents and communicate effectively with stakeholders.

Conclusion

The new norm in cybersecurity demands accountability from the highest levels of corporate governance. The UHG breach and the SEC’s actions against SolarWinds illustrate the severe consequences of failing to implement and disclose robust cybersecurity measures. By holding the board and CISO accountable, organizations can better protect themselves from cyber threats and maintain the trust of investors, customers, and the broader public.

Our strategy for managing and mitigating these risks must also evolve as cybersecurity threats change. It’s vital to have qualified leaders at the forefront of cybersecurity initiatives and to ensure that transparent and honest disclosures are made to navigate this complex landscape.