
However, since the lawsuits against Sullivan and Brown first emerged, CEOs and other high-ranking decision-makers have come under increasing pressure to accept some of the legal liability for cyber incidents that has often been the sole province of CISOs.
“In my case, at my sentencing hearing, the judge turned to the prosecutor and repeatedly asked, ‘Why isn’t the CEO charged?’” Sullivan says. “The judge literally said, ‘As far as I’m concerned, the CEO is at least as culpable, if not more, as anyone else inside the company when it comes to the situation.’”
Sullivan adds, “In Australia, in the Qantas case, the board took away the bonuses for the CEO and a bunch of others. In one of those DOJ civil cyber fraud cases, the Aero Turbine case, they pierced the corporate veil and went after the private equity firm as well. There is a growing recognition inside government enforcement authorities that if you want to change corporate behavior, you’ve got to aim a little higher than the CISO.”
