Gartner has warned that corporate CEOs could soon be personally liable if they fail to adequately secure IT systems connected to the physical world. The analyst firm predicted that as many as 75% of business leaders could be held liable by 2024 as regulation of so-called “cyber-physical systems” (CPSs), such as IoT and operational technology (OT), increases.
As critical infrastructure organisations converge their IT, OT, IoT and physical systems to improve overall performance, security cannot be an afterthought, and state and federal lawmakers are increasingly taking action to hold corporate executives responsible. In January, California became the first state to enact an IoT security law, which requires all “connected devices” sold in the state to have reasonable security features. At the federal level, a proposed Corporate Executive Accountability Act would make it easier to hold executives criminally liable for negligent oversight of activity that affects the health, safety, finances or personal data of the general public.
The perfect storm of increasing cyber threats, digital transformation and IT/OT convergence means organisations must move swiftly to gain visibility into their OT and IoT networks and strengthen their cybersecurity. It is a board issue and an employee issue. Earlier this year, in a survey Nozomi Networks commissioned, we were encouraged that organisations recognise both the threats and the opportunities of modernising critical infrastructure. We know from working with thousands of industrial installations that it is possible to reap the benefits of converged cyber and physical systems without compromising public safety and security.
The challenge in holding an individual responsible for adequately securing IT systems is the lack of industry standards against which that individual can be measured. Some cybersecurity standards for specific verticals and business practices do exist, but it can certainly be argued that they are not detailed enough.
Key standards such as ISA-62443-1-1-2007 (Security for Industrial Automation and Control Systems), ISO/SAE DIS 21434 (Road Vehicles — Cybersecurity Engineering) and the Payment Card Industry Data Security Standard (PCI DSS) outline comprehensive processes and requirements, but they do not call for detailed testing of the components used to build solutions. Nor do they define the consistent, measurable security testing and maintenance that organisations must carry out.
Another challenge involves the expertise of the staff implementing security solutions. Certifications establish that the individuals performing a task are qualified and can be held responsible for their work, but not to the same degree as a licensed healthcare provider or another stringently regulated profession. Until legislation addresses these ambiguities, holding a CEO accountable for the actions of others will be difficult and error-prone at best.
In cases of clear violation of the law, cover-ups or outright negligence, CEOs should be held responsible, but laws already exist for such transgressions.