By 2024, changes in cyber security legislation may make CEOs personally liable for cyber-physical security incidents at their companies that directly endanger human lives or the environment, Gartner has predicted.
Gartner said that 75% of CEOs could be held personally liable for cyber-physical security incidents if such incidents are found to have resulted from a lack of focus on cyber security or on security spending. Cyber-physical security incidents can cause physical harm to people, destruction of property, or environmental disasters.
According to Gartner, cyber-physical systems are "systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans)". These systems include all connected IT, operational technology (OT), and Internet of Things (IoT) systems and devices that are used for running asset-intensive, critical infrastructure, and clinical healthcare environments.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.
“In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” she added.
Cyber attacks on the cyber-physical systems that run critical infrastructure, healthcare systems, and other industries could result in fatalities in the near future, and Gartner expects the financial impact of such attacks to exceed $50 billion by 2023. That impact will include substantial compensation payments, litigation costs, insurance payouts, and regulatory fines.
“Technology leaders need to help CEOs understand the risks that cyber-physical systems represent and the need to dedicate focus and budget to securing them. The more connected CPSs are, the higher the likelihood of an incident occurring. A focus on ORM, or operational resilience management, beyond information-centric cybersecurity is sorely needed,” Thielemann added.
Commenting on Gartner's prediction, Boris Cipot, senior security engineer at Synopsys, told Teiss that carelessly developed technical equipment and products could be manipulated or abused by cyber criminals to cause harm or even death. It is therefore understandable, he said, why penalties would no longer be purely financial but would extend to jail time as well.
"However, I do not believe that the idea is as cut and dried as saying that one has to go to jail and that’s it. There need to be supporting guidelines on what adequate development practices are and what is expected to be followed, in order to satisfy these security standards.
"I not only believe that this will be needed but also welcomed by many companies struggling today on the security compliance front. It will also be welcomed by users who will feel more secure knowing that the software or devices they use are developed under some sort of formalized standard," he added.