How enterprises are adapting to personal liability rules
While firms are making moves to protect their CISOs, they're unclear about risks and responsibilities


With the threat of personal liability for data breaches hanging over CISOs' heads, organizations are increasingly working to minimize the risk.
Recent US and EU rules, together with enforcement actions brought under existing law, have made it possible to hold executives personally responsible for security breaches and for what their companies say about them, with potential penalties ranging from fines to imprisonment.
A recent survey from edge cloud platform provider Fastly found that 93% of organizations have made policy changes over the last 12 months to address concerns about increased personal liability for CISOs.
As part of this, two in five said they were giving CISOs more say in strategic decisions at board level. To reduce risk, 38% said they had committed to greater scrutiny of the cybersecurity disclosure documentation that supervisory agencies require.
The same number said they had improved legal support for cybersecurity staff, including taking out liability insurance, and organizations have allocated more resources to security in the past year.
"It’s encouraging to see the vast majority of companies making changes to liability disclosure given the inevitability of another worldwide outage that will put CISO accountability back into the spotlight," said Fastly CISO, Marshall Erwin.
"However, while investing in legal protection is an important step, this change is often more about shielding organizations from legal risk rather than fostering meaningful accountability to drive better security practices."
Firms are still uncertain over personal liability rules
Adding to the uncertainty is the fact that nearly half of organizations are unclear about who actually holds ultimate responsibility for cybersecurity incidents, while only 36% have clearly delineated roles and responsibilities within their teams.
"CISOs do not make the final call on every decision. When it comes to security risks, the question a board should be asking is, ‘Are we aligning the budget to address the risks the CISO has communicated to us?’," said Erwin.
"This is where accountability should start - at the senior leadership level, with clear communication and alignment of resources."
In late 2023, new US Securities and Exchange Commission (SEC) rules took effect requiring public companies to disclose material cybersecurity incidents within four business days of determining that they are material, and to describe their cybersecurity risk management, strategy, and governance in annual reports. Misleading or incomplete statements under these rules expose the executives who sign off on them.
It's no empty threat, either. In October 2023, the SEC filed charges against both SolarWinds and its CISO, Tim Brown, alleging that the company had misled investors about its security practices in the run-up to the supply chain attack disclosed in 2020. In July 2024 a federal judge dismissed most of those claims, which illustrates how unsettled the boundaries of liability still are.
Similarly, former Uber CSO Joseph Sullivan was convicted in 2022 of covering up a 2016 data breach, and in 2023 was sentenced to three years of probation, a $50,000 fine, and 200 hours of community service.
Across the Atlantic, similar rules have been introduced by EU lawmakers, in particular the EU's Network and Information Security Directive (NIS2). This legislation aims to protect critical infrastructure and services across the union, requires management bodies to approve and oversee cybersecurity risk-management measures, and allows those managers to be held personally liable for infringements.
The Digital Operational Resilience Act (DORA), which regulates ICT risk management and security practices for financial institutions and applies from January 2025, places the same responsibility on the management body.
But there's great uncertainty about how readily the measures will be implemented, and in what circumstances, according to Fastly’s report.
"We need better, clearer standards from regulators and enforcers that distinguish between unavoidable incidents and avoidable ones resulting from truly deficient security practices," said Erwin.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.