CEO’s… On the Hook for Millions!

CEO’s… On the Hook for Millions!

From the Desk of Jonathan Goetsch

Founder / Application Architect

US ProTech Cyber Security

Anamo.io CDM

May 2019

 

 

Legal Question:

If you could avoid a Million-Dollar Fine, would you care?

Today, CEO’s are being required to personally sign both for legal responsibility and for the massive fines being imposed related to cybersecurity non-compliance, and “yes,” that’s even before a cybersecurity breach has even happened.  

Warning:  Negligent CEO’s refusing to properly fund cybersecurity – be forewarned.

Legal Risk:

10 Million Dollars was the fine just imposed upon an America company when “serious risk” of potential cybersecurity was found in a recent audit.  The Wall Street Journal identified the investigated company as Duke.  The CEO, Lynn Good, was forced to sign not only for the total fine but for the implementation of the corrective action plans (CAP’s) as well.  But there… is a far greater financial impact than what one might think. Legal fees, loss of revenue, loss of production, new technology, new software & hardware, professional services, risk assessments, penetration-testing, new policies & procedures, brand damage and so forth.

While the list of expenses related to CAP’s can vary greatly and vary from one industry to another, CEO’s today seeking solutions, cyber-insurance and even ways to hide risk under the vail of attorney client privilege are in a frenzy.  How high could all these expenses run you ask? Jonathan Goetsch, a 20-year veteran of cybersecurity and CEO of US ProTech responded by saying “Use a minimum factor of 3 to 5 but in Dukes case it could be substantially more.” Goetsch is also the Founder of Anamo.io, a CDM “Continuous Diagnostics & Mitigation” Cybersecurity software platform that has capture national attention with its newest Real-Time cybersecurity capabilities and U.S. governmental leadership in Washington DC has shown a growing interest), see: Goetsch at the White House].

Legal Action:

Looking at one Business Journal Report and other data from related audits, the anticipated financial impact picture becomes more clear.  But in additional to these new expenses and new investments, accommodating governance, risk & compliance, required mandates and timeframes may be one of the greatest unforeseen costs to the business.  It’s safe to say that Duke will incur expenses ranging between 30 and 50 million dollars before the energy company can demonstrate effective remediation, new controls, adequate documentation and process capability sufficient to pass another NERC audit compared to the previous audit.

Legal Solution:

With multi-million-dollar fines being handed out for potential risk, businesses should be scrambling for a Governance, Risk & Compliance “GRC” tool built upon the NIST framework, that can accommodate SCADA and other regulatory framework to help solve capabilities, compliance and auditing objectives.  While there are many GRC applications are in today’s market place, Goetsch said the fact is that they are mostly just a bunch of empty shells where clients are required to drag in volumes of data. Any application that is not comprehensive, pre-populated with required regulatory documentation or doesn’t provide incident management, project management, policies & procedures, automated compliance with distribution functionality, tracking of tasks, teams and groups within the framework, etc. should be avoided.

For more information related to the details of the NERC Audit or solutions surrounding CDM Cybersecurity or Governance, Risk & Compliance, contact US ProTech for a discussion and complimentary evaluation.

Legal Review / By State:

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.  Security breach laws typically have provisions regarding who must comply with the definitions of “personal information,” what constitutes a breach, requirements for notice and exemptions. The laws for each state can be reviewed on the US ProTech Blog and here: