CISO Under Fire: Navigating Personal Liability in the Cyber Age


In today's rapidly evolving cybersecurity landscape, the role of the Chief Information Security Officer (CISO) has become increasingly complex, extending far beyond traditional technical duties to encompass significant personal legal and financial risks. Recent high-profile cases and regulatory shifts have fundamentally altered the CISO's accountability, making it crucial for security leaders to understand and actively mitigate their personal liability.

The New Reality of CISO Personal Liability

The shift towards holding CISOs personally accountable for cybersecurity incidents is a global trend, particularly evident in the United States. This has created a "chilling effect" within the CISO community, making an already challenging job even harder and leading some competent professionals to leave or avoid the role altogether.

  • The Uber Precedent: In 2022, former Uber CISO Joe Sullivan was convicted on federal charges of obstruction of justice and misprision of a felony. This stemmed from his handling of a 2016 data breach that compromised the personal information of approximately 57 million users and drivers. Instead of disclosing the incident while Uber was under investigation by the Federal Trade Commission (FTC), Sullivan allegedly paid the hackers through Uber’s bug bounty program and had them sign non-disclosure agreements. This landmark case marked the first US federal prosecution of a corporate executive for mishandling a data breach, sending shockwaves through the security industry and demonstrating that executives can face criminal charges for concealing breaches or misleading regulators.
  • SolarWinds and SEC Scrutiny: In October 2023, the US Securities and Exchange Commission (SEC) charged SolarWinds and its CISO, Tim Brown, for allegedly downplaying or failing to disclose cyber-risks while overstating the firm’s security practices. While most charges were later dismissed, claims of securities fraud were sustained, signaling that CISOs can face securities fraud allegations if they sign off on false statements or material omissions about cybersecurity. This was the first time the SEC had charged a CISO in this manner. The court's rejection of claims based on internal accounting controls and voluntary NIST scoring was a win for CISOs, but it still emphasized the importance of accurate and detailed cybersecurity disclosures.
  • Global Regulatory Push: Beyond the US, new legislation like the EU’s NIS2 directive also includes provisions for CISOs to face personal liability if their organization fails to meet required cybersecurity standards. Regulatory bodies, including the SEC and FTC, are heightening oversight and strengthening regulations, forcing permanent changes to business practices.

Reflecting this heightened exposure, a 2024 Proofpoint report found that 72% of CISOs now refuse positions that do not come with proper liability protection.

Impact on Corporate Governance

The increased personal liability for CISOs is instigating significant shifts in corporate governance practices:

  • Policy Changes and CISO Engagement: Nearly all (93%) organizations have introduced policy changes over the past 12 months to address rising CISO personal liability risks. This includes 41% of organizations increasing CISO participation in strategic decisions at the board level. Additionally, 38% of respondents cited "increased scrutiny of security disclosure documentation from supervisory agencies".
  • Broader Accountability and Clarity: While CISOs (14%), security managers (21%), and security engineers (19%) are most commonly cited as leaders responsible for incidents, there remains a lack of clarity, with 46% of respondents feeling unsure about who is responsible. However, there's a rise in accountability across teams outside of cybersecurity, such as application developers (10%), platform engineers (8%), and site reliability engineers (7%), suggesting that cybersecurity responsibility is no longer solely siloed. Only 36% of respondents clearly identify roles and responsibilities for cybersecurity.
  • Board Oversight and Expertise: Boards are increasingly expected to view cybersecurity as an enterprise-wide risk management issue, not merely a technical one. They need to understand the legal implications of cyber risks and have adequate access to cybersecurity expertise, with many Fortune 100 companies using audit committees for oversight. Regular board discussions on cybersecurity and sufficient focus from senior management are crucial. Companies should also assess if senior IT executives have sufficient standing to inform the board. Cybersecurity is not the sole responsibility of the IT department; all stakeholders need to be aware of their roles before an incident occurs.
  • Documentation and Transparency: CISOs are advised to practice rigorous documentation of key decisions and communications, maintaining an accurate and detailed log of "who, what, when, why, where, and how" of analyses, decisions, and communications. Maintaining openness with internal counsel and stakeholders can prevent issues from escalating into legal problems later. Transparency with regulators is non-negotiable; suppressing or delaying required breach reports can lead to severe consequences, as seen with Yahoo's $35 million fine for delayed breach reporting.
  • Pre-incident Legal Planning: Experienced CISOs are implementing regular tabletop exercises (TTXs) that specifically include legal counsel to plan pre-incident communication strategies and understand potential legal implications before an actual event. This preparation also involves developing fluency in "legal speak" to translate complex technical details into terms of risk, financial impact, and reputational damage that legal teams and executives can understand.

D&O Insurance: A Critical Shield

Directors & Officers (D&O) insurance is becoming increasingly critical for CISOs due to their heightened personal liability.

  • D&O vs. Cyber Policies: A standard cyber policy typically covers events like data loss or theft but would not respond to claims arising from SEC enforcement actions. Instead, a company’s D&O policy is what’s most likely to respond on behalf of a CISO in such cases, offering legal defense and indemnity coverage.
  • Coverage Gaps: Historically, many companies have not considered the CISO a corporate officer like a CEO or CFO, meaning CISOs were often not covered under the organization’s D&O policy. A recent survey reported that 38% of CISOs are not covered by their company’s D&O policy. If a CISO is not covered, and a breach occurs, they can be personally liable under newly implemented SEC rules.
  • Mitigating CISO Liability through D&O: Adding CISOs to the company's D&O policy is now seen as an important part of an organization's risk management strategy and a competitive advantage for recruiting top cybersecurity talent.
  • Unified Risk Management Strategy: The increasing frequency of D&O claims post-cyber incidents highlights the need for a unified risk management strategy that combines cyber and D&O insurance. This holistic approach provides comprehensive risk assessment, streamlines claims management, enhances coverage synergy, and offers efficiency opportunities by leveraging insurer relationships across both lines of coverage. Research indicates that approximately 43% to 50% of companies experiencing a significant cyber event are likely to face a D&O event as well. Recent settlements by Google, Zoom, and Okta for cyber-related securities claims demonstrate the significant financial impact of such events. Insurers are also more open to recognizing companies' efforts to strengthen governance and operational resilience when underwriting.

Actionable Recommendations for CISOs

To effectively navigate this new era of personal accountability and protect both themselves and their organizations, CISOs should adopt a multi-layered strategy:

  • Seek and Retain Legal Counsel: While your company's in-house legal counsel represents the company, it is crucial to understand that they do not represent you individually. In situations where your interests might diverge from the company's, it is not an overreaction for a CISO to have their own personal attorney on standby. This personal attorney can advise on your rights and whether you should be taking actions like whistleblowing or ensuring accurate information is provided to regulators. It is recommended to retain a personal attorney proactively, before any potential disputes arise.
  • Practice Rigorous Documentation and Transparency: Meticulously document all key decisions, analyses, and communications (oral, written, or electronic), including "who, what, when, why, where, and how". Always ensure that any statements made or attributed to you are accurate, reasonable, and complete. Maintain openness with internal counsel and stakeholders to prevent issues from escalating.
  • Master Breach Reporting Obligations: Be the resident expert on breach notification laws and regulatory requirements, working closely with legal and compliance teams. Ensure your company's incident response plan includes timely notification procedures for legal and regulatory disclosures, knowing specific deadlines for various jurisdictions. Never suppress or delay a required breach report for short-term corporate embarrassment; it's better to face reputational damage now than legal consequences later.
  • Secure Personal Legal Coverage:
    • Inquire about D&O Coverage: Consult your company’s in-house counsel and finance team to determine if you are covered by the company’s D&O policy for potential liabilities arising from your professional responsibilities. Many CISOs are currently not covered.
    • Review Policy Details: If covered, request to review the full policy, including any endorsements and exclusions. If possible, review this coverage with your personal attorney.
    • Negotiate Explicit Coverage: When joining an organization or reviewing your employment contract, ensure there are provisions that indemnify you for actions taken in good faith as CISO. Verify that you are explicitly covered as an officer in the corporate bylaws or your employment agreement, and that the company’s D&O insurance policy includes you by name or title.
    • Consider Personal Legal Support: During job negotiations, try to secure provisions for personal legal cover, such as the company advancing funds for your legal defense until conviction.
  • Embed Cybersecurity into Corporate Governance: Advocate for cybersecurity risk to be managed as an enterprise-wide issue, not solely a technical one. Push for regular reporting of cybersecurity posture and incidents to the board of directors, as this helps distribute accountability. Work to clearly define roles and responsibilities in security governance, perhaps through a RACI (Responsible, Accountable, Consulted, Informed) matrix, to prevent future finger-pointing. Have candid conversations with leadership about the CISO role’s scope and ensure it's documented.
  • Advocate for a Strategic Reporting Structure: Consider advocating for the CISO to report directly to the CEO, positioning yourself as a strategic partner in decision-making and risk assessment, rather than being relegated to a technical function under a CIO. This can prevent you from being seen as "disposable" after an incident.
  • Continuous Learning: Stay current on cybersecurity management practices, standards, and guidelines (e.g., NIST), ensuring your cybersecurity program aligns with these principles.

The days when a CISO could focus solely on technology are long gone. Today's security leaders must be as adept at navigating complex legal frameworks as they are at implementing security controls. By proactively adopting these strategies, CISOs can continue to fulfill their vital mission of protecting their organizations, even in this new era of heightened personal accountability.
