For the last month, an under-the-radar lawsuit has privately been a hot topic of conversation in Fortune 500 boardrooms and corporate security departments.
In October, the Securities and Exchange Commission sued a software company hacked by Russian agents in 2020, accusing it of defrauding investors by not disclosing allegedly known cybersecurity risks and vulnerabilities.
The lawsuit named not just the company, SolarWinds, but also its chief information security officer, Timothy Brown. A year earlier, a former chief security officer at Uber, Joe Sullivan, was found guilty of failing to disclose a data breach to federal regulators. Executives heading up cybersecurity have a sense that their personal risk is increasing.
“I’ve been doing this for 25 years, and I’ve always been protecting others,” said George Gerchow, the chief security officer and senior vice president of information technology at Sumo Logic, a software company. “Now, all of a sudden, I’m in a weird position where I’m having to protect myself.”