It is now widely accepted that ransomware attacks can severely damage businesses, corporations and organizations of all sizes and in every industry. The damage can go as far as crippling operations, ruining reputation, and often prompting regulators to levy fines and sanctions.
The less discussed fact in the industry is that ransomware is getting personal: corporate stakeholders are increasingly being held personally responsible for the damages sustained by organizations and their customers.
The most recent example is the indictment published on October 30th by the US Securities and Exchange Commission (SEC) of Tim Brown, the chief information security officer (CISO) of SolarWinds, on charges of fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
This is the most recent, but certainly not the only, example of corporate stakeholders being personally charged because their organizations were non-compliant with industry best practices, overstated their cybersecurity posture, were negligent in identifying vulnerabilities, or failed to disclose the ones that were known.
Another case, from 2020, is that of Joseph Sullivan, then CISO at Uber, who was criminally charged for actions he took after he learned that hackers had infiltrated the company's systems.
These cases differ, but both involve criminal and civil exposure of a company's top cybersecurity executive for a lack of preparedness for, or response to, incidents.
The tendency to hold stakeholders personally accountable is not unique to the US. The April 2023 sentencing of Ville Tapio, former CEO of Vastaamo, a private psychotherapy service in Finland, is another example of a senior stakeholder being held personally responsible for violating the provisions of the General Data Protection Regulation (GDPR), namely for being negligent in his duties related to the safe processing of personal data and to reporting a personal data breach. Vastaamo was breached in 2020; patient information and other private data, stored without proper password protection and not anonymized, were exfiltrated by the perpetrators and later used to extort Vastaamo, its patients and their families. The hackers went beyond communicating with the breached company and directly emailed about 30,000 of its customers.
Personal liability is not about being hit by ransomware; many organizations are. It stems from gaps in preparedness, or the total lack of it, and from the inability or incompetence to properly manage a cyber crisis. Organizations can and should be both prepared and ready to face a cyber incident, as in today's reality it is not a question of "if" but of "when". Senior executives should make sure their organizations are aware of the risk and invest in cyber-crisis preparedness, or they will be personally exposed to the consequences.
It is CIPTeam's business to respond to ransomware attacks and assist corporations on the journey towards being both prepared and ready to face cyber crises. Visit us at https://cipteam.com, so you can concentrate on yours.