Corporate CEOs could soon be personally liable if they fail to adequately secure IT systems connected to the physical world, Gartner has warned.
The analyst firm predicted that as many as 75% of business leaders could be held liable by 2024 due to increased regulations around so-called “cyber-physical systems” (CPSs) such as IoT and operational technology (OT).
Gartner defines CPSs as “engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world, including humans.”
In this world, cyber-attacks can lead to human fatalities rather than mere data loss or service outages. For example, a medical device could be hijacked to prevent life-saving drugs from being dispensed, or a connected car could be remotely directed to crash.
Gartner argued that the financial impact of such attacks on CPSs resulting in fatalities could reach as much as $50 billion by 2023.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.
“In the US, the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
However, at present, many business leaders aren’t even aware of the scale of CPS investment in their organization, often because projects have happened outside of the control of IT, said Gartner.
This is where technology leaders in the organization must step up to help CEOs understand the risks that CPSs represent, and why more budget needs to be allocated to operational resilience management (ORM) in order to secure them, argued Thielemann.
“The more connected CPSs are, the higher the likelihood of an incident occurring,” she added.