Threatonomics

Navigating the growing personal liability facing CISOs

by Emma McGowan, Senior Writer

The stark reality? CISOs are "getting nailed"

Let’s not mince words: the threat of personal liability, up to and including criminal charges, has become a legitimate concern for CISOs. At a recent “CISOs Off the Record” panel hosted by Resilience at the 2025 RSA Conference, three experienced CISOs discussed the growing trend of CISOs being held personally liable for actions they take at work. They opened with the landmark case of former Uber CISO Joe Sullivan as a sobering example of what today’s CISOs are facing.

In October 2022, Sullivan was convicted of obstruction of justice and misprision of a felony (concealing knowledge of a crime) for his handling of a 2016 data breach at Uber. The breach exposed data on roughly 57 million riders and drivers, including about 600,000 US driver’s license numbers. Rather than disclosing it, Sullivan directed his team to pay the hackers $100,000 through Uber’s bug bounty program and had them sign non-disclosure agreements; the breach was also kept from the Federal Trade Commission, which was investigating Uber’s security practices at the time.

What makes this case particularly significant is that Sullivan wasn’t just any security professional; he had previously served as a federal prosecutor with the Department of Justice, specializing in computer hacking and IP issues. Yet despite his background and expertise, he found himself on the wrong side of the law.

In May 2023, the judge sentenced Sullivan to three years’ probation, 200 hours of community service, and a $50,000 fine, though prosecutors had pushed for 15 months in prison. What is particularly alarming is that Sullivan’s trial was the first US federal criminal prosecution of a corporate executive for the handling of a data breach. The case sent shockwaves through the security industry, with many CISOs suddenly questioning their own legal exposure.

Beyond breach reporting, regulators are scrutinizing misleading statements about security. In October 2023, the SEC took the unprecedented step of charging SolarWinds’ CISO alongside the company with securities fraud over the company’s cybersecurity disclosures. The SEC’s complaint alleges that SolarWinds and its security chief misled investors about the company’s cyber risks and defenses in the years before the SUNBURST supply chain compromise was disclosed in December 2020.

A federal court dismissed most of those claims in July 2024, but the core allegations about the accuracy of SolarWinds’ public security statements survived and are still being litigated. Either way, the action put CISOs on notice that they can face securities fraud allegations if they sign off on false statements or material omissions about cybersecurity. Taken together, these enforcement actions show that whether it’s failing to report an incident or misrepresenting security posture, a CISO may be held personally accountable by authorities.

How to protect yourself (and your career)

As the Sullivan case and others have demonstrated, personal liability isn’t just a theoretical risk; it’s a reality that security leaders must actively prepare for. And it looks like most people in the field know it: Proofpoint’s 2024 Voice of the CISO report found that 72% of CISOs would not join an organization that does not offer directors-and-officers insurance or similar liability protection.

Luckily, CISOs are already good at protection—the only real shift here is who you need to protect. The following strategies offer a roadmap for security leaders looking to safeguard not just their organizations, but their careers and personal freedom as well.

1. Have a lawyer on speed dial

This isn’t hyperbole or a luxury anymore; it’s a necessity. The complexity of information security incidents combined with evolving legal frameworks means having trusted legal counsel readily available is now part of the job.

While it’s important to establish a strong relationship with your organization’s legal counsel, remember that the company’s lawyers represent the company, not you individually. When they interview you during an internal investigation, they will typically give you an “Upjohn warning”: the attorney-client privilege belongs to the company, which can choose to waive it and hand your statements to regulators or prosecutors. In situations where your interests might diverge–for example, during an investigation where someone is at fault–you may need independent legal advice.

It’s not overreacting for a CISO to have their own attorney on standby, especially if you suspect a serious incident could lead to personal scrutiny. Many CISOs learned this from the Uber case. Your personal attorney can advise you on your rights and whether you should be doing anything differently to protect yourself (for instance, whistleblowing in extreme cases, or at least ensuring accurate information is given to regulators). 

Hopefully you’ll never need to use this, but having a plan for personal legal counsel is part of being prepared. Think of it as your own form of insurance: you hope to never be personally investigated, but if you are, you don’t want to scramble to find a lawyer at the last minute.

2. Do some pre-incident legal planning

One of the most valuable practices emerging from experienced CISOs is the implementation of regular tabletop exercises (TTXs) that specifically include legal counsel. These simulations aren’t just about technical response; they’re crucial for planning pre-incident communication strategies and understanding potential legal implications before an actual event occurs.

Alongside these exercises, CISOs must develop fluency in “legal speak”: understanding the nuances of legal language and contracts that could affect their personal liability. This skill becomes especially critical during an incident, when you’ll need to translate complex technical details into terms of risk, financial impact, and reputational damage that legal teams and executives can understand and act upon.

Part of this preparation involves understanding the cost implications of breach response. Legal expenses during remediation can be substantial, often requiring specialized external counsel who command premium rates. By developing these legal communication skills and relationships before an incident, you’ll be better positioned to navigate the complex intersection of technology, business impact, and legal requirements when a crisis hits, protecting both your organization and yourself.

3. Practice rigorous documentation and transparency

A prudent CISO documents key decisions and communications meticulously. If you deliver a report on a security incident or known risks, keep a copy of your original report in a secure archive so that you can later show exactly what you told whom, and when. One caveat: confirm with counsel, before you need it, that retaining copies of company records is permitted under your employment agreement and data-handling policies; copying privileged or confidential material to a personal device can itself create exposure, so a company-controlled archive that you can access under the terms of your agreement is usually the safer arrangement. Mistakes happen and things get lost, but this way you’ll always know you’re covered.

Additionally, maintain openness with internal counsel and stakeholders. Don’t keep problems hidden. By fostering transparency inside the company, you reduce the chance of issues escalating into legal problems later. Essentially, cover your bases by covering it in writing.

4. Stay on top of breach reporting obligations

As a CISO, you should be the resident expert (alongside legal/compliance teams) on breach notification laws and regulatory requirements. Ensure your company has an up-to-date incident response plan that includes timely notification procedures for legal and regulatory disclosures. Know the specific deadlines for the jurisdictions and regimes that apply to you, for example the GDPR’s 72-hour window for notifying a supervisory authority, the SEC’s four-business-day Form 8-K deadline once a public company determines an incident is material, and the patchwork of US state breach notification statutes, many of which also carry fixed deadlines.

Implement internal processes to flag when an incident might trigger these obligations, and involve legal counsel early. Most importantly, never let short-term corporate embarrassment tempt you into suppressing or delaying a required breach report. In 2018 the SEC fined Yahoo (by then renamed Altaba) $35 million for failing to disclose its 2014 data breach to investors for roughly two years, and, as we’ve seen with Uber, hiding a breach from regulators can result in personal criminal charges.

When in doubt, report it: it’s better to face some reputational damage now than legal consequences later. Also, make use of the delays the rules themselves permit, such as when law enforcement formally requests that notification be postponed, and document that request. By diligently following legal requirements, you protect both the company’s compliance record and yourself from accusations of negligence or willful misconduct.

5. Secure personal legal coverage

Directors and Officers (D&O) insurance might seem like the obvious solution, but it comes with significant caveats. Standard D&O policies may not adequately cover CISOs, particularly in cases involving criminal allegations, or if they aren’t designated as Section 16 officers (the executives a public company must report under Section 16 of the Exchange Act) and therefore fall outside the policy’s definition of an insured officer. Securing specific endorsements on existing policies or finding separate products designed explicitly for CISOs has become essential.

When joining an organization or reviewing your employee contract, ensure there are provisions that indemnify you for actions taken in good faith as CISO. Verify that you are explicitly covered as an officer in the corporate bylaws or your employment agreement, and that the company’s D&O insurance policy includes you by name or title.

A crucial lesson from veteran CISOs: negotiate personal legal cover during your initial job offer. One approach mentioned by the panelists is arranging for the company to advance your legal defense costs as they are incurred, structured as a loan that only becomes repayable if you are ultimately convicted or found not to have acted in good faith, rather than reimbursing you after the fact. The distinction between advancement and after-the-fact indemnification is subtle but important: a defense you cannot fund while the case is live is not much of a defense.

Many experienced CISOs also stress the importance of personal financial resilience, i.e. having enough savings (ideally a year’s worth) to walk away if faced with an unethical decision. As one panelist bluntly put it: “Negotiate your exit on the way in.”

6. Embed cybersecurity into corporate governance

One effective way to protect yourself is to ensure that cybersecurity risk is managed as an enterprise issue, not just a technical matter left solely to you. Advocate for regular reporting of cybersecurity posture and incidents to the board of directors, which helps distribute accountability appropriately.

When the board and CEO are kept informed about major risks and sign off on security investments (or conscious risk acceptances), it establishes a record that those with fiduciary authority are making the decisions, not the CISO unilaterally.

Push for clear definition of roles and responsibilities in security governance. If possible, help define a framework or RACI matrix that delineates who is responsible for what aspects of security. This clarity can prevent finger-pointing later because it will be evident which decisions were outside your authority.

Have candid conversations with leadership about the CISO role’s scope–are you an advisor or the ultimate decision-maker on certain matters? Make sure the answer is documented. Additionally, involve cross-functional teams (legal, IT, risk, compliance) in major security decisions so it’s a shared process. This goes back to the TTXs mentioned in section two of this post, as a well-run TTX gets everyone on board before an incident even occurs.

A strong governance model not only improves security outcomes but also means the CISO isn’t isolated as the “fall person” when something goes wrong.

7. Advocate for a new type of reporting structure

The discussion around optimal reporting structures for CISOs has gained new urgency in light of increasing personal liability concerns. One panelist insisted that CISOs must report directly to the CEO to be strategic partners involved in company decision-making and risk assessment, rather than being relegated to technical functions reporting to a CIO. They argued that anything less means “it’s not a real CISO gig” and sets you up to be disposable after an incident.

Others maintain that impact can be achieved regardless of reporting lines by effectively translating technical risk into business risk for all stakeholders. However, the increasing personal liability, particularly in publicly traded companies and regulated industries, adds significant weight to the reporting structure argument. CISOs may have regulatory obligations and potential liability that extends well beyond their employer’s walls.

Final thoughts

The shift from a primarily technical position focused on protecting organizational assets to that of a complex leadership role requires a corresponding evolution in how CISOs approach their responsibilities. Security leaders must now balance traditional security functions with deliberate self-protection strategies. This isn’t self-serving; it’s necessary risk management. A CISO entangled in legal proceedings or constantly worried about personal liability cannot effectively protect their organization.

The strategies outlined in this post–from securing proper legal coverage to documenting decisions meticulously–should be viewed as essential components of the modern CISO toolkit. Just as you wouldn’t deploy a new system without proper controls, you shouldn’t step into a CISO role without appropriate personal protections.

As one panelist at the RSA panel aptly noted, “The days when a CISO could focus solely on technology are long gone.” Today’s security leaders must be equally adept at navigating legal frameworks as they are at implementing security controls. By taking proactive steps to protect themselves, CISOs can continue to fulfill their vital mission of protecting their organizations, even in this new era of heightened personal accountability.
