In a recent LinkedIn post Andrew Ginter made the case that legal liability is an argument for investing in cybersecurity. He argues that those responsible for managing risk, and cybersecurity in particular, should put in place “reasonable” security controls to reduce legal liability if a cyber incident causes a loss of life, or damages commercial or societal interests.

After some back and forth in the comments, Andrew wrote:

No, to my knowledge, there has never been a case like I illustrate in my article – I made up that dialog. The dialog is however based on my understanding of lawsuits related to industrial safety incidents – not triggered by cybersecurity attacks / defensive failures, but by other causes / failures.

I don’t know if Andrew is correct. No one knows. It hasn’t been tested yet. It will take a case that goes to trial, a judge willing to plow new ground, and a judgment that survives appeal. My view is that this is unlikely in the near or medium term, for two major reasons:

  1. We don’t have an agreement on what is reasonable.
  2. Even if we could agree on what is reasonable, well less than half of the asset owners in the sector are implementing these reasonable controls.

If we look at past liability cases, and at what engineers have told me, the way PE (professional engineer) liability tends to work is, simplified:

  • Something bad happens.
  • It is investigated and the cause is identified.
  • Not making the same mistake is taught and becomes a requirement.
  • If something bad happens again and this known cause is at fault, there is liability.

You could make the case that we are there with two-factor authentication for remote access after Colonial Pipeline. It hasn’t been tested in court.

Whether Andrew is right or wrong, it’s not a compelling argument for management or the board. You walk in and say … if something bad happens and we haven’t implemented these security controls, we will be legally liable. A reasonable board is going to ask you some questions:

  1. Are you a lawyer? What does our legal counsel say about this?
  2. Has there ever been a case like this in our industry? In related industries? Anything you can point to?
  3. Where did you come up with this reasonable list of security controls? How do we know the court will consider this reasonable?

I wouldn’t want to be standing in front of a board answering those questions as the rationale to invest in cybersecurity.

The company has real, already-realized risks to worry about: weather incidents, supply chain disruptions and tariffs, regulatory risk, the causes of actual safety incidents, and ransomware and IT attacks that have caused actual losses for companies in the sector, and perhaps for the company itself.

Andrew presents an interesting thought experiment and a possible future. It’s not the case you want to make for OT cyber risk reduction investment. This is no longer the first decade of the 21st century: we have actual loss data, regulatory requirements in place and coming, and examples in each sector.

One more thing … avoid the hysteria of what’s possible when talking about cyber incidents and cyber threats. Admittedly, this can occasionally be effective, but we have real cases with real, and sometimes material, losses that you should use instead.