The likelihood of meaningful federal cybersecurity legislation in 2020 remains suspect. Yet, developments in 2019 show that cybersecurity regulation is headed toward a Sarbanes-Oxley model with or without congressional input. The Sarbanes-Oxley Act (SOX) had a significant effect on corporate governance in the United States by requiring public companies to strengthen audit committees, perform internal controls tests, and make directors and officers personally liable for the accuracy of financial statements. For SOX certifications, the act requires that an organization's senior officer personally certify the accuracy of the company's financial reports. A false certification can implicate personal liability. Regulation of cybersecurity is taking a similar approach.

Cyber regulations promulgated by the New York Department of Financial Services (NY DFS), 23 NYCRR Part 500, in 2017 were among the first to require a senior officer to personally certify compliance with the regulations' requirements. In 2019, cybersecurity regulation veered further toward the Sarbanes-Oxley model, materializing in numerous Federal Trade Commission (FTC) orders, and in a significant, but little discussed, rule change in the financial services industry when the Securities and Exchange Commission required members of the National Securities Clearing Corporation (NSCC) to undertake cybersecurity confirmations. The model law for insurance data security, now enacted in a growing number of states including Delaware, also incorporates the certification requirement.

The threat of personal liability adds teeth to requirements in regulatory regimes for a written and comprehensive cybersecurity program. Yet, it has not received much attention. This article briefly addresses these 2019 changes.

The FTC's Requirement for Annual Certifications

A recent blog entry posted on the FTC's website identified seven FTC orders issued in 2019 in connection with enforcement actions that contained self-described departures from prior orders intended to improve companies' compliance efforts. Discussed in a Jan. 6, 2020, post by Andrew Smith, director of the Bureau of Consumer Protection, those "major changes" were greater clarity, increased third-party assessor accountability, and a concerted effort to elevate data security considerations to organizations' C-suites and boards of directors.