The New Liability Reality for CISOs

The conviction of former Uber CISO Joseph Sullivan by a jury in a Federal Court was the first time someone in this role was convicted of a felony resulting from their actions in responding to a cyberattack. At its core, the case hinged more on Sullivan’s failure to disclose a new breach to Federal investigators shortly after they had interviewed him for an ongoing investigation at Uber.

A second pending case against Timothy Brown, the CISO of SolarWinds, indicates that CISOs can expect greater personal liability for their actions in reporting and mitigating security breaches.

This is new territory. CISOs have not traditionally been thought of as personally liable for security incidents or the responses to them. Corporations often did not purchase Directors & Operators liability insurance for CISOs, reserving that for other C-Suite occupants. While CISOs worked closely with legal teams to determine the right policies for complying with the law, the Uber case involved company attorneys accepting immunity in exchange for testimony against Sullivan.

With the SEC case against Brown, the charges allege that public statements made by SolarWinds about incident impacts contradicted internal statements. These cases are forcing a reckoning in the CISO community and a new approach to security governance to minimize personal liability.

Ways CISOs Should Change Security Governance to Reduce Liability

There five some common sense changes to security governance CISOs can pursue to reduce their legal exposure:

• Increased Focus on Documentation and Records: To minimize liability, CISOs must improve documentation of security processes and keep detailed records of actions taken and team communications during incident responses and other critical security operational activities. CISOs should preserve presentations, emails, and other communications for extended periods to better enable due diligence and create a clear record of their actions and intent. For their own well-being, CISOs should insist on robust enterprise knowledge management and document and communications indexing to ensure that internal communications are easy to search and navigate.
• Default, Automated Reporting: CISOs should implement detailed, automated reporting using security governance and operations aggregation tools. Reports should be system-generated from ongoing metrics capture and security observations. This approach ensures that notification is transparent and automated and puts the onus on all recipients to remain informed. Recipient lists should be determined by the CISO, legal team, and C-Suite to match best practices for disclosure and security governance as determined by the legal team.
• Closer Scrutiny of External Communications and Disclosure for Potential Conflicts: In the case of SolarWinds, the SEC specifically cited internal presentations by the CISO voicing concerns about the security of systems against external attackers. Such concerns were not included in SolarWinds' public risk statements. The key problem is the disconnect between what the CISO states internally and what the organization states publicly. Often a CISO has no control over public statements. For that reason, a CISO should assume that any internal presentation could ultimately become discoverable for litigation or published online. To cover their liabilities, CISOs should make explicit statements in any internal documents indicating what information is material and should be disclosed to comply with the law.
• Shift Towards Earlier Disclosure and Overdisclosure: In most cases where CISOs are faulted, the point of contention is not how incident response is conducted but when an incident or data breach is disclosed and the degree of disclosure. The hesitancy to disclose for fear of reputational damage leading to lost customers and revenues is counterbalanced by stronger legal requirements to disclose and the resulting bad publicity of “disclosure sprawl.” An example of this is the Okta incident in the fall of 2023 when the company slowly widened its admissions from a few customers to all customers subject to information leakage from a breach. A better approach is to detail the known scope of exposure and concede that the final scope is unknown and may be revised upwards.
• Implement Programmatic Monitoring of Security Governance Processes: To ensure that they have good information on what is really happening in security governance, CISOs must monitor processes programmatically to verify that incident response playbooks are followed. This includes monitoring engagement with legal teams to document when they are informed and how their inputs inform incident response efforts. Newer forms of artificial intelligence make analysis of conversational data more accessible and applicable. This type of monitoring also simplifies post-incident audits required by law enforcement.

Programmatic monitoring also facilitates third-party investigations, something that Uber was criticized for failing to accommodate as it worked through root cause and response analysis of its data breaches.

CISOs Can Address Liability Through Common Sense Changes

Security is a messy business. Incident responses are chaotic. Communications and information sharing between humans are inexact and may create false impressions of malicious intent. Projecting increased personal liability in this already unsettled environment raises the stakes for CISOs. Shifting security governance to emphasize early and complete disclosure, monitoring and capture of processes, eliminating discrepancies in reporting, and automating the reporting process help contain CISOs’ personal liability.

Security governance is getting personal

For CISOs, CEOs, BODs, and security teams, staying ahead of these new security governance changes requires a proactive approach with a focus on compliance, transparency, and strategic risk management.

Download our whitepaper, "Navigating a New Security Governance Reality: A CISO's Guide to Cybersecurity Disclosure and Compliance" for:

• Real-world ideas for improving your security governance to better navigate recent global disclosure changes
• An understanding of personal and corporate liability risks security leaders assume when they don’t prioritize security governance
• Ways to prepare for the possible unintended consequences of the new disclosure rulings
• A checklist of ideas to help you reshape your security processes in response to new challenges