By Amanda Fitzsimmons, Head of Legal, Salt Security
As a digital-first society, we rely on technology for nearly every facet of daily life. With this in mind, it comes as no surprise that cybercrime is on the rise. New innovations such as Generative AI (GenAI) are adding fuel to this malicious activity, increasing the sophistication and scale of attacks. With rampant cyber risks impacting organizations of varying sizes across industries, corporate boards are coming under increasing scrutiny from shareholders and regulators, leading to more concentrated efforts on cybersecurity strategy. Chief Information Security Officers (CISOs) are at the helm of leading such initiatives.
CISOs have become a core part of organizations’ c-suites with nearly half (47%) of global CISOs reporting directly to their CEO and the majority (78%) are backed by a board-level cybersecurity committee, according to Splunk. While the role of a CISO is challenging and all encompassing, from implementing preventative measures to developing and testing incident response plans, the stakes have become even higher for CISOs who now find themselves in the midst of battling a new challenge – personal liability for breaches.
Lay of the Land
This new threat of personal liability comes after legislators, regulators, and prosecutors have watched many high profile breaches cause significant harm to consumers and shareholders with very little change in corporate behavior. Many have come to believe that, without personal liability, companies will never take their security responsibilities and due diligence seriously. This is why regulations including the General Data Protection Regulation (GDPR) in Europe, along with various state laws in the U.S., are increasingly drafted with provisions enabling regulators to penalize individuals for non-compliance, and the U.S. Department of Justice and the Securities and Exchange Commission (SEC) have started to conduct criminal investigations and in some cases even filed criminal charges against CISOs in connection with security breaches.
In addition, many shareholders are demanding that CISOs be held accountable for cybersecurity failures. As a data breach can lead to plummeting stock value and inflict immense reputational and financial harm, it is unsurprising that shareholders want an actual person to blame and hold accountable. As the leader of an organization’s security team, CISOs are the most obvious scapegoat.
Notable security breaches at companies like JBS Foods and T-Mobile in recent years have also led to an environment where consumers increasingly resort to the civil courts to hold CISOs responsible. Given these developments, many organizations have started to include clauses in employment contracts that explicitly make CISOs liable for data breaches, regardless of their personal culpability.
Battling Legal Complexities
The CISO role has evolved from simply working to secure an organization’s digital perimeter to protecting themselves from the increasing risk of personal liability. According to Salt Security’s 2023 State of the CISO report, nearly 50% of CISOs are concerned about personal litigation stemming from breaches. CISOs are now required to stay informed of industry best practices for data security not only to mitigate their organization’s risk of breach, but also to ensure that they avoid individual civil suits.
Given this new legal landscape, it is imperative that CISOs maintain detailed documentation of their cybersecurity risks, controls, and decisions. These records can serve as powerful evidence in the defense of a claim, should legal action be taken following a breach. CISOs must also pay closer attention to the fineprint within their contractual commitments and consult with legal counsel before agreeing. They should also consider acquiring insurance in order to shield themselves from the potential legal and financial ramifications of personal liability.
Staying One Step Ahead
Rising personal liability has heightened the requirement for CISOs to stay ahead of threats and implement proactive cybersecurity measures in their organizations. There is one key segment of cybersecurity that CISOs can no longer afford to ignore – API security. According to our research at Salt Security, within the last year, 34% of data breaches stemmed from API vulnerabilities, and 95% experienced security problems in production APIs.
As API usage is set to continue to accelerate, especially with advancements in GenAI, the risk of API abuse will also proliferate. As the core connector between consumers and vital data and services, APIs are a prominent target for cybercriminals. To protect the livelihood of both themselves and their organizations, CISOs need to prioritize API security as a fundamental component of their cybersecurity strategy. By proactively implementing measures to protect APIs and other emerging threat vectors, CISOs can demonstrate a commitment to security that not only reduces the likelihood of a breach but also strengthens their legal defense should a breach occur.
The Gold Standard
There are several best practices that CISOs should abide by to minimize their risk of legal repercussions following a breach.
- Stay informed: Awareness of the latest cybersecurity threats and regulations enables CISOs to proactively implement measures that protect against new attack vectors, thus protecting company assets and limiting personal liability.
- Risk assessments: Conducting regular risk assessments and having a process to address identified risks is another essential component to mitigating the risk of breaches.
- Detailed documentation: CISOs must keep a robust record of their decision-making processes to demonstrate diligence in the event of a security incident. This includes documenting any refusals by the Board and/or CEO to proposed security controls.
- Collaboration: Security is a team sport and CISOs must make a concerted effort to collaborate with their leadership team and board members to ensure alignment on cybersecurity risks and priorities.
- Legal counsel and insurance: As previously outlined, CISOs should consult with legal counsel before signing any employment contracts to thoroughly assess their possible liability repercussions. As an added protective layer, CISOs may also consider investing in personal liability insurance in the event of a security incident.
Over the next few years, the cybersecurity landscape will continue to evolve, and we may see additional personal liability regulations imposed on CISOs. This ‘new normal’ requires CISOs to adapt. By focusing on best practices, thoroughly documenting their decisions, and understanding the legal implications of their role, CISOs can enhance the protection of both their organization and themselves in this ever changing environment.
