Who is financially responsible for a security breach? Things are changing.

The understanding of financial responsibility for security breaches continues to evolve. Where will it stop, and could a CISO ever be held personally financially responsible?

At first, companies bore the brunt of intellectual property-type losses, credit card issuers ate most of the credit card losses, and end customers took the entire hit when their personal data were lost.

The first big change was probably California's breach notification law, SB1386, which shifted some of the pain from customers to the custodians of their data by requiring companies to tell affected individuals when their personal data were exposed.

The second big change was the aftermath of the TJX breach. When banks sued TJX for their losses, they set an important precedent about the financial implications of a breach. What was lost seemingly belonged to TJX and its customers, but the banks (which had to reissue cards and absorb fraud) had a good argument that they suffered real damage.

The latest development extends the reach of responsibility one step further: an auditor is being sued by a bank that did business with payment card processor CardSystems Solutions, the subject of the audit and the locus of the breach. In other words, instead of (or in addition to) blaming CardSystems for poor security practices, the bank is blaming CardSystems' auditor for not identifying those practices.

To the extent that actions like this latest one succeed, they will likely lead to large changes in the security and compliance areas. Here are a few:

Rising audit costs:

  • Auditors must be more careful and thorough, resulting in larger bills for their clients as well as more pain for the clients in responding to the audits.
  • Regardless of their increased thoroughness, auditors will recognize their increased liability in performing audits and pass that on to their clients as an additional cost.
  • Increasingly thorough and inflexible audits will require more security measures from clients.

Changing strategic use of audits. If a company's third party can sue the company's auditor, the company itself may be able to sue the auditor as well.

  • This will change the dynamic of the audit. To preserve that right, companies will need to be able to show due diligence: that they complied with the auditor's findings and kept their systems in the audited state afterwards.
  • Incident response and forensics will take on new importance. Companies will need to be able to identify the cause of a breach if they wish to transfer some of the blame, and if they can limit follow-on damage with a good response plan, they may more effectively transfer risk to their auditors.

After this, what is next? The May cover story of CFO magazine has an interesting sidebar about the increasing personal risk to CFOs from creditor lawsuits for mismanagement (see the bottom of the article on the web, pg 37 in print). As CISOs assume more strategic roles in their organizations, at what point do they start to take on similar personal responsibility for their management of information risk? Do CISOs have D&O insurance, and what does it cover? Perhaps more importantly, who pays for it, and does it have a "tail" that covers claims brought after they leave the job?
