The Feds Are Coming for CISOs. Here’s How to Steer Clear

When the SEC charged SolarWinds and its CISO, Tim Brown, last year with intentional securities fraud for failing to report cybersecurity vulnerabilities, it jangled many a nerve in the industry. Suddenly, tech companies and their security chiefs, in particular, seemed to be in the government’s legal crosshairs.

But the truth is that government entities like the Securities and Exchange Commission, the Department of Justice, and state attorneys general launch investigations, subpoena executives, and file charges all the time. When they target technology companies, many of those executives call Jessica Nall, a partner at the Chicago-based law firm Baker McKenzie LLP.

With 23 years of experience under her belt, Nall is considered one of the country’s foremost experts in federal criminal and regulatory liability for information security professionals, especially CISOs. Indeed, she says she’s personally represented more CISOs, InfoSec leaders, and team members in high-profile federal investigations and follow-on civil actions than perhaps any other lawyer in the United States.

Gain visibility to sensitive data at scale and meet regulatory compliance requirements.

She’s also defended individuals being questioned in internal investigations, and conducted countless internal investigations.

Now that more CISOs are wondering whether they could run aground like Brown – who got a bit of a reprieve last week when a U.S. judge threw out most of the SEC charges but sustained the core intentional securities fraud charge against him – Focal Point thought it would be useful to pick Nall’s brain on ways to stay out of trouble in the event of a breach. She will also speak on this topic in a Black Hat USA 2024 session on August 7 titled “Skirting the Tornado: Essential Strategies for CISOs to Sidestep Government Fallout in the Wake of Major Cyberattacks.”

Here’s our conversation with Nall:

(This interview has been edited for clarity and length.)

When did you decide to pivot from general corporate defense to the world of cybersecurity?

About 10 years ago, we got some of the first federal cases or investigations involving cybersecurity professionals where agencies looked at what individuals and companies did or didn’t do in the face of massive cyberattacks. That’s been a big part of my practice ever since.

My main skill set is the battle. While my information security clients are battling bad guys and threat actors, I fight the government.

Though I can advise on best practices to avoid government intervention, I’m usually the one called in once the building’s on fire. It’s usually something like, “We’ve got this major subpoena, or there’s an aggressive investigation, or there’s a whistleblower report that needs to be investigated and could potentially lead to government intervention down the line.” My main skill set is the battle. While my information security clients are battling bad guys and threat actors, I fight the government.

You talk to a lot of CISOs. What’s their mood right now?

There is a rising level of concern, obviously. The role of the CISO has become increasingly difficult as we layer in new technologies like AI governance, and everybody I see is racing to incorporate that latest technology. It’s getting to be a harder job. And I think there’s a shortage, honestly, of really great CISOs who are willing to take on that responsibility. And you can understand why that might be, when they’re taking on a great level of risk yet don’t always have executive support or aren’t given enough budget.

[Read also: It’s not all bad news for CISOs – in our series of success stories, a real-life Marvel “superhero” tells how he fights cybercrime with AI]

There are definite feelings of frustration, concern, and fear, especially since the SolarWinds SEC enforcement action. Government agencies coming after you can be like a nuclear bomb falling from the sky. There’s not much you can do to prevent it ultimately. It’s just one of these things that could happen at any time following a high-publicity negative event. And that’s the thing that’s more terrifying for people who work in technology, where usually one step follows the next, that there’s this unforeseeable and existential danger if you are unlucky enough to be successfully attacked.

Why do you think the government is increasing its scrutiny of CISOs?

Well, they have an ax to grind. They are looking to deter certain conduct. And with major security incidents, especially when they are state-sponsored, the U.S. government doesn’t have a lot of recourse. They can’t do much to go after cybercriminals in Russia, China, or other countries where there is no feasible path to extradition or foreign law enforcement cooperation.

[After] a giant breach, the public expects action from law enforcement and they expect things to change to prevent it from happening next time.

When a major cybercrime happens, like a giant breach, the public expects action from law enforcement and they expect things to change to prevent it from happening next time. So, since our government can’t go after the FSB (Federal Security Service of the Russian Federation, formerly the KGB), they need to do something. And because the CISO is seen as the tip of the spear for cybersecurity response, they’re often the convenient target when the government wants heads to roll.

I think it’s very wrong and unjust and unfair, and that’s why I fight the government with such zeal, because I am convinced this is not the way to do it. But it’s too often the way it happens.

If we can’t use laws to hold companies accountable for cybersecurity and you think using the hammer of enforcement is unfair to CISOs, how do we do it?

This is one area where I think collective, corporate responsibility is the way to go. An example of this is the 2018 SEC order in SEC v. Altaba, which pointed out some collective failures around cyber-incident disclosures and issued a large fine ($35 million) to be paid by the company but did not charge any individuals. Instead, it issued guidance that other companies can follow to avoid large fines that hit shareholders and the stock price, thus – arguably – making positive change happen without putting the wrong individual heads on the chopping block.

[Read also: How CISOs can fight burnout and extend their careers]

Unfortunately, the federal criminal and regulatory systems have evolved strongly in the past approximately 10 years to demand the government aggressively seek individuals to hold liable in enforcement actions and criminal prosecutions. This has been an increasing imperative on the government side ever since the DOJ’s “Yates Memo,” issued in 2015. The DOJ put that memo out after public outcry when the 2008 market meltdown did not result in any individuals being held to account. But this is one area where it’s really misplaced.

The government must love you, huh?

I like to think that they do. Quite frankly, there’s a lot of fluidity between federal prosecutors’ offices, the SEC enforcement bar, and the white-collar defense bar. Credibility is everything, and working with highly skilled and knowledgeable counsel on the defense side can usually only help. So, of course, yes, they do love me. And I love them, especially when they let my people go.

Can you share a few strategies CISOs can follow to stay out of hot water?

First, it’s important to understand the dynamics of how things work. Why do different parties act the way they do? Ask yourself, “What are the company’s incentives when a big security incident happens and the government gets interested in it, and how can you get ahead of that to make sure that you’ve got as much control as possible over that communication?”

What are the company’s incentives when a big security incident happens and the government gets interested in it, and how can you get ahead of that?

Also, you want to look closely at your lines of communication in the company. Before taking a CISO role, make sure you know who you’ll report to. That tends to be all over the map for companies. But if I were somebody who is considering accepting a promotion to that role or joining a new company, I want to be really aware of that and make sure that I know protection will extend to me in the event of a breach and not just to protect the company itself.

[Read also: Your basic overview of IT compliance and how it boosts the bottom line]

You also want to be able to identify red flags. If something has happened, and you’re being asked to come and give an interview in an internal investigation, and the pressure is ratcheting up, and you’re doing it without your own lawyer, that’s one of many possible red flags.

Legal problems don’t always come from government agencies. Sometimes cyber insurance carriers sue CISOs or IT security teams. What do you advise clients to do to head off those challenges?

In my decades of practice, I’ve dealt a lot with insurance carriers. And I’ve seen time and time again every strategy that they use on their side to try to avoid paying however they can, whether it’s rescinding a policy based on some information that was not disclosed or wasn’t disclosed in enough detail or it’s some exclusion. Even policy limits can be an issue.

If something has happened, and you’re being asked to come and give an interview in an internal investigation… and you’re doing it without your own lawyer, that’s one of many possible red flags.

So, in my Black Hat session, I will talk about insurance and the key questions you need to ask if you’re in a security role. I’ll discuss what you need to know about insurance coverage and what might be an adequate level of insurance so you have a good safety net.

We’ve heard insurers say the best way to avoid issues is to work with them. Do you agree?

To some extent, that’s right. I have spent many hours briefing insurers about what’s going on in various government investigations. But it’s not always the case that everybody’s interests are aligned.

[Read also: Having the right cybersecurity platform can ease your cyber insurance underwriting journey. Here’s how to improve your cost-benefit ratio]

I would say there’s always going to be a potential for adversity when you’re talking to your carrier because they have a penchant for being your friend while they’re collecting your premiums but when it comes time for them to pay up, not so much. So it’s a delicate dance that has to be done strategically. I understand where they’re coming from, but that’s a position that they use very often to deny paying. You shouldn’t have rose-colored glasses on when it comes to that.

Anything else you’d like to preview from your upcoming Black Hat talk?

The plan is to leave the audience with a toolkit of strategies to think through so that they never have to deal with the horrible situations that Tim Brown and others have. The federal government has a ton of power. So much power. And it can really turn people’s lives upside down. What I want to do is try to help everybody to not end up there, and if they do end up there, to know who to call.