

The SEC announces a new enforcement action requiring executives of breached companies to spend eight consecutive hours walking the RSA Conference expo floor — visiting 40 vendor booths, sitting through six demos, and letting anyone scan their badge.
WASHINGTON, D.C. — The Securities and Exchange Commission (SEC) announced a new enforcement action on Friday requiring both the CEO and CISO of companies that suffer material cybersecurity breaches to spend a minimum of eight consecutive hours walking the RSA Conference expo floor as part of their remediation obligations.
The ruling, which the SEC described as "proportionate and corrective," applies to any publicly traded company that fails to disclose a breach within the mandated four-day window. Affected executives must walk the full expo floor at Moscone Center together, visit a minimum of 40 vendor booths, sit through at least six live product demonstrations, and allow any vendor who asks to scan their badge. They are also required to accept at least three meeting requests on the spot.
"We considered fines. We considered trading suspensions. But after consulting with cybersecurity professionals about what constitutes genuine suffering, the answer was unanimous. Eight hours on the expo floor. No shortcuts. No hiding in the hotel lobby."
The first pair sentenced under the new rule, the CEO and CISO of a mid-cap financial services firm that took eleven days to disclose a breach, will complete their eight hours on Tuesday. The CISO told reporters he had been "preparing mentally" since the ruling was announced, while the CEO asked what an expo floor was.
"I've dealt with state-sponsored attackers, ransomware at 2 a.m., and a board that doesn't understand what a firewall is," the CISO said. "But I've never had to do any of that while standing next to my CEO, who keeps asking the vendors if their product can also do email."
The CEO, who had never attended RSA, was reportedly briefed by the company's security team on what to expect. He was told to "nod a lot, don't touch anything, and for the love of God do not give anyone your phone." He gave his phone to an ethical hacker within the first eleven minutes while "sharing a photo of his grandchildren."
By hour four, the CISO was spotted sitting on the floor behind a booth for an endpoint vendor, eating a protein bar he described as "the only thing keeping me from asking that vendor if I can just sleep in their booth for the remaining time." The CEO was three booths ahead, actively engaged in what a witness described as "a genuinely enthusiastic conversation about a product that does exactly what they do."
At press time, three companies had fast-tracked their breach disclosures to avoid the ruling. One filed within 90 minutes of discovering the incident, which the SEC called "the fastest disclosure in regulatory history and almost certainly a direct result of the policy."

The editorial team at The Exploit - bringing you the most absurd cybersecurity news before it's patched.