Chief Information Security Officers (CISOs) and Chief Security Officers (CSOs) face unprecedented pressures, not only from the evolving threat landscape but also from a legal environment that increasingly seeks to hold them personally liable for data breaches. This shift toward personal accountability places immense pressure on these leaders to ensure their organizations’ security postures are robust and compliant with ever-tightening data protection laws, all while balancing the needs to protect both themselves and their organizations in environments that often have limited resources.
The Personal Liability Landscape
CISOs and CSOs are being held personally accountable for breaches for a multitude of reasons. Stricter data protection laws, such as the General Data Protection Regulation (GDPR) in Europe and various state laws in the U.S., often contain provisions that penalize individuals for non-compliance. In the past couple of years, we have also seen increasing interest from the U.S. Department of Justice and the Securities and Exchange Commission in holding CISOs and CSOs criminally liable for security breaches. This shift toward individual accountability stems in part from the common perception that without personal liability, companies will never take their responsibilities for security seriously.
At the same time, shareholders are also demanding accountability. A data breach can lead to a plummet in stock value, reputational harm, brand damage, and other negative consequences, prompting shareholders to seek someone to blame. CISOs and CSOs, as the guardians of their organization’s security posture, are logical targets. Public awareness of data breaches has also increased, which has led to an environment where consumers increasingly resort to the civil courts to hold CISOs and CSOs responsible.
Given these developments, some organizations have started incorporating clauses in employment contracts that explicitly make CISOs and CSOs liable for data breaches, regardless of their personal culpability.
Navigating Legal Implications
With the pressures increasing, the CISO's and CSO's job is rapidly expanding from securing their organization to also protecting themselves from these growing personal risks. CISOs and CSOs now must stay abreast of industry best practices for data security, not only to mitigate the risks of a data breach but also to establish their due diligence in fulfilling this role.
CISOs and CSOs must now maintain comprehensive records of decisions and actions taken in the interest of cybersecurity since such documentation can serve as powerful evidence in the defense of a negligence claim. Furthermore, CISOs and CSOs must now understand their contractual commitments, consult with legal counsel before signing employment agreements, and consider acquiring insurance in order to shield themselves from the potential legal and financial ramifications of personal liability.
Staying Ahead of the Curve
All of this means that it is imperative for CISOs and CSOs to stay ahead of the curve by implementing the latest available cybersecurity measures in their organizations, and by being prepared to justify their decisions when they choose not to implement a particular measure.
One such area that CISOs and CSOs can no longer afford to ignore is API security. In the last year, 34% of data breaches stemmed from API vulnerabilities, and 92% of organizations experienced an API-related security incident, according to research from Salt Security. And with the proliferation of APIs set to explode with advancements in artificial intelligence, the threat posed by APIs is only expected to increase. To protect their organizations and themselves, CISOs should prioritize API security as a fundamental component of their cybersecurity strategy. By proactively implementing measures to protect APIs and other emerging threat vectors, CISOs can demonstrate a commitment to security that not only reduces the likelihood of a breach but also strengthens their legal defense should a breach occur.
Best Practices
To minimize the risk of personal legal repercussions following a breach, CISOs and CSOs should:
- Stay informed about the latest cybersecurity threats and regulations.
- Conduct regular risk assessments and have a process to address identified risks.
- Document decision-making processes to demonstrate diligence.
- Advocate for necessary resources and document any refusals.
- Collaborate with the leadership team and board of directors to ensure alignment on cybersecurity risks.
- Thoroughly understand their employment agreements and consult legal counsel before signing.
- Consider obtaining personal liability insurance.
Conclusion
As the cybersecurity landscape continues to evolve, CISOs and CSOs must adapt to meet the demands of their roles. By prioritizing best practices, documenting decisions, and understanding the legal implications, CISOs and CSOs can better protect not only their organizations but also themselves in this challenging environment.
About the Author
Amanda Fitzsimmons is the Head of Legal at Salt Security, whose API Protection Platform empowers organizations to secure their APIs through discovery, posture management, and run-time threat protection. Amanda has more than 15 years of experience, specializing in data privacy, cybersecurity, and legal compliance matters. Prior to her time at Salt Security, Amanda advised numerous clients through some of the most significant data breaches in recent history.