Get Ready for Cyber Caremark Lawsuits

The upcoming SEC Cybersecurity Regulations, coded as 17 CFR 229.106 and slated to be enforced starting December 2023, establish heightened responsibilities for Directors and Officers of publicly traded companies. These new rules aim to shield them from shareholder lawsuits that may arise from significant cyber-incidents. Notably, such incidents now require reporting to the SEC within a stringent 96-hour window if they result in shareholder financial losses.

As a case in point, we can reflect on the well-documented shareholder lawsuit against Home Depot back in 2015. The legal action targeted 12 individuals, comprising both current and former directors and officers, along with the company’s general counsel, accusing them of inadequate supervision over the company’s cybersecurity measures.

As Joe Sullivan would probably say, CISOs need to protect themselves from personal liability even though they aren’t Directors or Officers. The CISO is NOT an officer of the company, and s/he generally does not get the insurance protection routinely provided to Board members and actual Officers of the corporation. Even with such coverage, one case like the Uber case or the Home Depot case would push a normal CISO into bankruptcy; trial costs alone blow past the cap. The bigger picture requires keeping the vault closed.

The Regulation’s Teeth

These SEC Cybersecurity Regulations are already codified, and CISA is actively alerting companies to Known Exploited Vulnerabilities (KEVs) in software—vulnerabilities that present substantial cyber-risk. These notifications carry important implications for the liability of a company’s Officers and Directors. Take, for instance, the Log4j vulnerability, tracked as CVE-2021-44228 and listed in CISA’s KEV catalog; it is a prime example of a significant cyber-risk that companies must proactively detect, ideally in the “Left of Bang” stage, immediately after a KEV warning from CISA. Contrary to what some might think, software vulnerabilities aren’t trivial elements of the tech landscape. They frequently serve as the critical points of entry for attackers seeking to compromise their targets.

In the era of Cyber Caremark derivative actions, the liability of a company’s directors and officers will likely hinge on the establishment of a well-calibrated, preemptive process tailored to the company’s specific data, risk profile, and regulatory context. The financial toll of a legal defense will correlate directly with the quality and extent of this pre-breach planning.

What to Do

To navigate these complex shoals, the following proactive strategies merit serious consideration:

  • Implement a comprehensive risk assessment that scrutinizes the nature of your company’s data, assesses its susceptibility to cyber-attacks, and anticipates the consequences of a potential breach.
  • Formulate robust policies and procedures, coupled with an actionable incident response plan. These should aim not just to thwart a data breach but also delineate the course of action when the breach occurs.
  • Evaluate your company’s existing insurance landscape to ensure it affords adequate coverage against data breaches and provides a defense for directors, officers and the CISO should litigation arise under a Caremark or similar derivative claim.
  • Assess the “technical literacy” of the board and key officers. Subsequently, recruit a board member to spearhead cybersecurity initiatives, acting as a conduit between the board and the IT security management. Keep the board regularly informed on cybersecurity matters, employing external experts when necessary.
  • Collaborate closely with legal advisors to revisit and update public statements concerning the company’s cybersecurity measures. This is pivotal, especially given the SEC’s intensifying scrutiny of cybersecurity disclosures. Keep in mind that such disclosures could be weaponized by plaintiffs—like those in the Home Depot case—to assert that the company exaggerated its protective measures.

The time for boards and executives to plead ignorance about cybersecurity vulnerabilities and responsibilities has unequivocally come to an end.

Under the updated SEC regulations, the onus is squarely on the Directors and Officers of public companies to ensure rigorous cybersecurity protocols. A significant cyber-incident could trigger intense scrutiny from shareholders, particularly if reported within the mandated 96-hour window, and may well pave the way for a Caremark lawsuit, as exemplified by the past Home Depot case.

InfoSec Controls

Given this heightened level of responsibility and scrutiny, companies would be wise to adopt the best-practice recommendations available from the many established frameworks, from NIST to ISO to the CIS Critical Security Controls (CIS Controls).

In particular, the CIS Controls Version 8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards, resulting in a decrease of the number of Controls from 20 to 18.

Prior to the December 2023 implementation date of these new regulations, companies must work diligently to establish and document what can be demonstrably described as “reasonable” and “convincing” cybersecurity processes.

Furthermore, it’s crucial to preserve indisputable, tamper-proof evidence of these operational controls. Such meticulous preparation could serve as a linchpin for the defense in the event that a shareholder lawsuit or SEC action puts the personal liability of Officers and Directors at stake.

What Does It Take?

What is the timeline for implementing a system to proactively monitor software supply chain cyber risks and CISA Known Exploited Vulnerabilities (KEVs) in compliance with upcoming SEC cybersecurity regulations?

A basic monitoring program could be up and running within a week, while a more robust system, complete with trained personnel and production-level processes, may take as long as three months to fully implement. The exact timeline will depend largely on resource availability, the technical skill sets of the staff responsible for the setup, and the level of support and commitment from executive leadership.

Additionally, the volume of software assets utilized within the organization can also influence the time required for complete implementation.
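The two technical asks in this post, a monitoring program that checks the software inventory against CISA’s KEV list (this section) and tamper-evident evidence that the control actually ran (the “InfoSec Controls” section above), can be sketched in one small Python script. This is an added example, not code from the post or from CyberEd: the catalog is a constructed sample laid out in the shape of CISA’s published KEV JSON feed (CVE-2021-44228 is the Log4j entry named in the post; `CVE-EXAMPLE-0001` is a placeholder), the inventory is invented, and the evidence ledger is a plain SHA-256 hash chain rather than any particular product.

```python
"""Match a software inventory against a KEV-style catalog and record every
finding in a hash-chained evidence ledger (added example, constructed data)."""
import hashlib
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV catalog JSON feed.
# Field names follow CISA's feed; entries are for illustration only.
SAMPLE_KEV_CATALOG = {
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",      # the Log4j KEV named in the post
            "vendorProject": "Apache",
            "product": "Log4j2",
            "dateAdded": "2021-12-10",
            "dueDate": "2021-12-24",
        },
        {
            "cveID": "CVE-EXAMPLE-0001",    # placeholder, not a real CVE id
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2022-01-10",
            "dueDate": "2022-02-01",
        },
    ],
}

# Constructed software inventory; a real one would come from an SBOM or CMDB.
SAMPLE_INVENTORY = [
    {"asset": "payments-api", "vendor": "apache", "product": "log4j2", "version": "2.14.1"},
    {"asset": "intranet-wiki", "vendor": "ExampleVendor", "product": "ExampleProduct", "version": "1.0"},
    {"asset": "hr-portal", "vendor": "Acme", "product": "Widget", "version": "3.2"},
]


def _norm(name):
    """Case- and whitespace-insensitive key for vendor and product names."""
    return " ".join(name.lower().split())


def match_inventory_to_kev(inventory, catalog, as_of):
    """Return one finding per (asset, KEV entry) whose vendor/product match.

    The KEV catalog carries no affected-version data, so a match is a triage
    candidate that still needs version confirmation, not a confirmed exposure.
    `overdue` is True when CISA's dueDate has already passed on `as_of`
    (an ISO date string such as "2022-01-15").
    """
    as_of_date = date.fromisoformat(as_of)
    index = {}
    for entry in catalog["vulnerabilities"]:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)
    findings = []
    for item in inventory:
        for entry in index.get((_norm(item["vendor"]), _norm(item["product"])), []):
            findings.append({
                "asset": item["asset"],
                "version": item["version"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "overdue": date.fromisoformat(entry["dueDate"]) < as_of_date,
                "status": "needs version confirmation",
            })
    return findings


def _record_hash(prev_hash, payload):
    """SHA-256 over the previous record's hash plus this record's canonical JSON."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_record(ledger, payload):
    """Append a record chained to its predecessor; returns the new entry."""
    prev_hash = ledger[-1]["hash"] if ledger else "0" * 64
    record = {"seq": len(ledger), "prev_hash": prev_hash, "payload": payload}
    record["hash"] = _record_hash(prev_hash, payload)
    ledger.append(record)
    return record


def verify_ledger(ledger):
    """True only if every record's hash and back-link are consistent."""
    prev_hash = "0" * 64
    for seq, record in enumerate(ledger):
        if record["seq"] != seq or record["prev_hash"] != prev_hash:
            return False
        if record["hash"] != _record_hash(prev_hash, record["payload"]):
            return False
        prev_hash = record["hash"]
    return True


def build_evidence_ledger(inventory, catalog, as_of):
    """Run the KEV match and record each finding plus a closing summary."""
    ledger = []
    findings = match_inventory_to_kev(inventory, catalog, as_of)
    for finding in findings:
        append_record(ledger, {"type": "kev_finding", "as_of": as_of, **finding})
    append_record(ledger, {"type": "scan_summary", "as_of": as_of,
                           "assets": len(inventory), "findings": len(findings)})
    return ledger


if __name__ == "__main__":
    ledger = build_evidence_ledger(SAMPLE_INVENTORY, SAMPLE_KEV_CATALOG, "2022-01-15")
    for rec in ledger:
        print(rec["seq"], rec["payload"])
    print("ledger intact:", verify_ledger(ledger))
    ledger[0]["payload"]["overdue"] = False   # simulate after-the-fact editing
    print("ledger intact after tampering:", verify_ledger(ledger))
```

Two design points matter for the liability argument. First, the KEV feed lists vendor and product but not affected versions, so the script deliberately marks each hit as “needs version confirmation”; a program that silently closes such hits as non-applicable is exactly the kind of record a plaintiff would pick apart. Second, the ledger is only tamper-evident, not tamper-proof: editing any past record, or re-ordering records, breaks the chain on verification, but the chain itself must be anchored somewhere the operations team cannot rewrite (a write-once store, a periodically published head hash, or a third-party timestamp) for the evidence to carry weight.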

As the December 2023 deadline for the new SEC cybersecurity regulations approaches, each Officer and Director should ask themselves: “Am I confident that our existing cybersecurity measures will shield me from personal financial repercussions in the event of a significant cyber incident leading to shareholder losses and subsequent litigation?”

It’s not just peace of mind at stake here; it’s jail time and large fines. Real “hardball, no glove” stuff.


Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.