The software company Blackbaud, based in South Carolina in the USA, was fined $6.75 million after a ransomware attack in 2020. According to the Attorney General, the company grossly violated common IT security practices and attempted to deceive the public about the true extent of the damage. Together with the SolarWinds breach, this is another case that points to the future: Boards of Directors must start to take IT security seriously, because the transparency demanded by the reporting requirements of regulations such as the Digital Operational Resilience Act (DORA) and the NIS-2 Directive will make it impossible to keep hiding behind claims they cannot substantiate.
The Attorney General in California stated in his reasons for the verdict that Blackbaud had not implemented basic security measures. This was revealed by investigations by the California Department of Justice. No multi-factor authentication was implemented. In addition, the company failed to monitor for suspicious activity on the systems on which personal information was stored. The company was poorly informed about current security requirements, made misleading statements about its security measures before the breach, and made false statements about the breach itself.
Companies and their senior executives are increasingly being sued over successful cyberattacks. In November 2023, the US Securities and Exchange Commission (SEC) accused SolarWinds' CISO of fraud and internal control deficiencies. The SEC claims that the CISO was aware of SolarWinds' cybersecurity risks and vulnerabilities but, at times, neither resolved them nor adequately escalated them within the company. The outcome of the case is still open, but it sends a clear message to those responsible in Europe: anyone who does not take security seriously can be held liable in court for attacks years later.
Personal liability
With its two sets of rules, DORA, which focuses on the financial industry, and the NIS-2 Directive, which covers an expanding definition of critical national infrastructure, the EU wants to start right here and strengthen cyber resilience. To this end, the rules also specifically hold company management accountable. Anyone who violates the requirements can be held personally liable for a lack of governance of their cyber risk. Sanctions can include fines and/or management restrictions.
The fines are tough, as they are based on the mechanisms of the GDPR. If companies fail to meet their DORA obligations, they face fines of up to EUR 10 million or 5% of the previous year's global turnover. The penalties under NIS-2 are even tougher and now target management more closely. The fines can range from EUR 100,000 to EUR 20 million for legal entities. The fines for violations have increased significantly since the IT Security Act 2.0 of 2021. It is also to be expected that the authorities will pursue violations with the same rigour they apply to the GDPR. Compared to its predecessor from 2016, NIS-2 dramatically expands the number of industrial sectors that must comply with the standard.
It is important to know that wherever NIS-2 regulates areas left out of DORA, NIS-2 must be considered. The latter therefore fills in the gaps left by DORA, and the two are connected. While DORA is a regulation, so organisations can determine what is expected of them by reading the regulation itself, NIS-2 is a directive and should be seen as a minimal baseline: each of the 27 member states has the freedom to extend the scope of what is deemed critical national infrastructure and to mandate more stringent requirements than the directive itself. With this in mind, organisations should start their journey to cyber resiliency now to build the foundation that any country-specific legislation will require.
Stronger focus on resilience
Company managers and the quality of their cyber resilience measures are becoming increasingly transparent and are in the spotlight. Anyone who works poorly in this area not only risks a successful cyber attack, total IT failure and all the associated economic consequences; there is also the threat of expensive regulatory fines and legal recourse from impacted data subjects and supply chains.
Companies should therefore take a realistic, honest look at their prevention and detection capabilities, taking into account the size of the organisations we're seeing in the headlines being hit by ransomware. The motivation for adversaries is simply too great, and our attack surface so wide, that we can say, regardless of budget and headcount, that we cannot stop all attacks. Only then can we have adult conversations with the business about the potential impacts and set the right tone to support the creation of appropriate investigation, mitigation and recovery processes that deliver cyber resiliency. Pretending that our preventative and detective controls are infallible and remain ahead of a constantly adapting adversary will only leave the CISO and senior management exposed when they file their post-incident report.
The average company has over 130 different cybersecurity tools installed. The vast majority sit in detection and prevention, and most are not sufficiently integrated and operationalised to prevent organisations from falling victim to a cyberattack. Any further investment in prevention and detection will likely lead only to a marginal reduction in cyber risk, while causing more friction with users, less agility for the organisation, more alert fatigue, higher licence costs and even more security infrastructure to manage. In addition, the trend has been to move security controls out onto the endpoint, resulting in isolated islands that need investigating but are unreachable, because the first thing every best-practice incident response framework tells you is to isolate infected hosts and networks. Post-breach, can we even trust the traditional security tooling that did not stop or detect the attack? Operating systems have dramatically improved their security, pushing security tools further away from the kernel and leaving them open to evasion. In fact, the MITRE ATT&CK framework, which is used to model adversary behaviour, lists far more techniques under defence evasion than under any other tactic.
Spending on response and recovery, on the other hand, especially on capabilities that do not suffer from the shortcomings of our traditional tooling, offers a solid path to the cyber resiliency that these latest frameworks and regulations require and that modern cyber attack threats demand, while also keeping yourself and senior executives out of court.