The recent news of CardSystems Solutions suing their auditor, Savvis Inc., created a storm of activity in various circles. The Merrick Bank v. Savvis lawsuit has the potential to significantly change the dynamics of legal liability regarding information security audits.
Attorney David Navetta writes that the Merrick Bank complaint alleges it relied on Savvis' certification of CardSystems as Visa CISP compliant (this matter pre-dated the PCI DSS standard), and that certification was false. After CardSystems suffered a breach exposing up to 40 million payment card records, Merrick allegedly incurred $16 million in payments to the card brands (which was ultimately transferred to issuing banks who suffered losses arising out of the CardSystems breach).
Whether or not Savvis -- or Merrick Bank for that matter -- are culpable is a matter for the legal system to decide. That said, having done hundreds of audits, the writers of this article are all in favor of incompetent auditors and auditing firms being held liable for their ineptitude. We agree that their auditing certifications should be revoked, and the auditors themselves should be required to take the requisite courses to ensure that audits they perform in the future, once they are recertified, are indeed appropriate.
We would also like to suggest that any future litigation hold the firms and businesses for which the audits were performed to the same level of responsibility. Specifically, when an audit is done and there are negative findings, a clock should start ticking for the audited firm in which it has a limited, yet reasonable (months, not years), amount of time in which to remediate the findings.
We can attest to being at client sites over a course of years where audits were done, the findings ignored, an audit repeated, and the findings again ignored, year after insecure year.
The real story is that any client such as the one described above who blames their auditor for failing them is only shooting themselves in the foot. So what is this thing called an audit? Our dictionary defines audit as a methodical examination or review of a condition or situation. (Editor's note: See Jennifer Bayuk's IT Audit: The Basics.) As security professionals, we tell the client what their exact security state it is at any given time. While management may not know their exact state, they should know their general state.
Any CEO who is astounded by negative findings resulting from an information security audit is quite possibly derelict in their duties. That CEO should have a competent CISO or some other executive level person(s) (e.g., CSO, CRO) advising them on known or suspected information security issues. Assuming that such a corporate function exists, there will usually be findings after an audit, but there should be no surprises. Properly managing risk to corporate assets is a vital part of conducting business, and critical information assets should be protected just like any other corporate asset. It is incumbent upon C-level executives to remediate all known risks to all corporate assets.
By way of analogy, there are cases where obese smokers have sued their physicians for a variety of concocted reasons. No one wakes up one morning surprised that they are suddenly diabetic and weighing 450 pounds with a blood pressure of 190/125; but that has not stopped the lawsuits. Obese smokers are made, not born, and insecure networks are also made, not born. Those who made such networks should be held liable for their years of security neglect.
The problem could be that management has spent years relegating information security to the doldrums through minimal funding and limited resources, and then are astounded when they have massive data breaches. The same organization that has reams of negative security reports is often the first in line to lay the blame; be it on their own CISO, or the outside auditors and consultants.
We are all in favor of throwing incompetent auditors to the dogs. Any company that is the victim of an incompetent auditor should be able to get back all audit fees paid, in addition to all expenses incurred, including punitive damages.
Conversely, any organization that refuses to remediate security gap findings should be given an injunction. Give them 90 days to fix the problem or their license to conduct business should be suspended. It really is that simple. For the lawyers, there is certainly a lot more money to be made suing incompetent management than incompetent auditors. And for such a class-action lawsuit, these auditors would love to sign on.
The bottom line is that companies that are serious about security will be serious when they select their auditors. The majority of auditors are competent and bring significant value to the clients they serve. Imprudent organizations will sue their auditors to solve their problem. But smart organizations will leverage the experience of their auditors to see what other companies are doing right and how they can do the same. In the long run, that is a much smarter and cheaper approach, and no lawyers needed. ##
Ben Rothke CISSP, QSA (firstname.lastname@example.org) is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know.
David Mundhenk CISSP, PCI-DSS & PA-DSS QSA, QPASP (email@example.com) is a Security Consultant with a major professional services firm.