Threatonomics

Navigating the growing personal liability facing CISOs

by Emma McGowan , Senior Writer

The stark reality? CISOs are "getting nailed"

Let’s not mince words: The threat of personal liability and potential criminal charges for CISOs has become a legitimate concern. At a recent “CISOs Off the Record” panel hosted by Resilience at the 2025 RSA Conference, three experienced CISOs talked about the growing trend of CISOs being found personally liable for actions they take at work. And, to start, they cited the landmark case of former Uber CISO Joe Sullivan as a sobering example of what contemporary CISOs are facing.

In 2022, Sullivan was convicted of obstruction of justice and misprision of a felony (failure to report a crime) for his handling of a 2016 data breach at Uber. The breach compromised data from more than 50 million Uber riders and 600,000 drivers, but rather than disclosing it, Sullivan directed his team to pay the hackers $100,000 through Uber’s bug bounty program while having them sign non-disclosure agreements. 

What makes this case particularly significant is that Sullivan wasn’t just any security professional; he had previously served as a federal prosecutor with the Department of Justice, specializing in computer hacking and IP issues. Yet despite his background and expertise, he found himself on the wrong side of the law.

The judge ultimately sentenced Sullivan to three years’ probation and 200 hours of community service, though prosecutors had pushed for 15 months in prison. What’s particularly alarming is that Sullivan’s trial represented the first United States federal prosecution of a corporate executive for the handling of a data breach. The case sent shockwaves through the security industry, with many CISOs suddenly questioning their own legal exposure.

Beyond breach reporting, regulators are scrutinizing misleading statements about security. In late 2023, the SEC took the unprecedented step of charging the CISO of SolarWinds alongside the company for alleged fraud related to cybersecurity disclosures. The SEC’s complaint claims that SolarWinds and its security chief misled investors about the company’s cyber risks and defenses prior to its well-known supply chain attack. 

While parts of that case are still being litigated, it put CISOs on notice that they could face securities fraud allegations if they sign off on false statements or material omissions about cybersecurity. In combination, these enforcement actions show that whether it’s failing to report an incident or misrepresenting security posture, a CISO may be held personally accountable by authorities.

How to protect yourself (and your career)

As the Sullivan case and others have demonstrated, personal liability isn’t just a theoretical risk; it’s a reality that security leaders must actively prepare for. And it looks like most people in the field know it: a 2024 Proofpoint report found that 72% of CISOs now refuse positions without proper liability protection.

Luckily, CISOs are already good at protection—the only real shift here is who you need to protect. The following strategies offer a roadmap for security leaders looking to safeguard not just your organizations, but your careers and personal freedom as well.

1. Have a lawyer on speed dial

This isn’t hyperbole or a luxury anymore; it’s a necessity. The complexity of information security incidents combined with evolving legal frameworks means having trusted legal counsel readily available is now part of the job.

While it’s important to establish a strong relationship with your organization’s legal counsel, remember that the company’s lawyers represent the company, not you individually. In situations where your interests might diverge (for example, during an investigation where someone is at fault), you may need independent legal advice.

It’s not overreacting for a CISO to have their own attorney on standby, especially if you suspect a serious incident could lead to personal scrutiny. Many CISOs learned this from the Uber case. Your personal attorney can advise you on your rights and whether you should be doing anything differently to protect yourself (for instance, whistleblowing in extreme cases, or at least ensuring accurate information is given to regulators). 

Hopefully you’ll never need to use this, but having a plan for personal legal counsel is part of being prepared. Think of it as your own form of insurance: you hope to never be personally investigated, but if you are, you don’t want to scramble to find a lawyer at the last minute.

2. Do some pre-incident legal planning

One of the most valuable practices emerging from experienced CISOs is the implementation of regular tabletop exercises (TTXs) that specifically include legal counsel. These simulations aren’t just about technical response; they’re crucial for planning pre-incident communication strategies and understanding potential legal implications before an actual event occurs.

Alongside these exercises, CISOs must develop fluency in “legal speak”: understanding the nuances of legal language and contracts that could impact their personal liability. This skill becomes especially critical during incidents, during which you’ll need to translate complex technical details into terms of risk, financial impact, and reputational damage that legal teams and executives can understand and act upon.

Part of this preparation involves understanding the cost implications of breach response. Legal expenses during remediation can be substantial, often requiring specialized external counsel who command premium rates. By developing these legal communication skills and relationships before an incident, you’ll be better positioned to navigate the complex intersection of technology, business impact, and legal requirements when a crisis hits, protecting both your organization and yourself.

3. Practice rigorous documentation and transparency

A prudent CISO documents key decisions and communications meticulously. If you deliver a report on a security incident or known risks, keep a copy of your original report in a secure personal archive. Mistakes happen and things get lost, but this way you’ll always know you’re covered.

Additionally, maintain openness with internal counsel and stakeholders. Don’t keep problems hidden. By fostering transparency inside the company, you reduce the chance of issues escalating into legal problems later. Essentially, cover your bases by covering it in writing.

4. Stay on top of breach reporting obligations

As a CISO, you should be the resident expert (alongside legal/compliance teams) on breach notification laws and regulatory requirements. Ensure your company has an up-to-date incident response plan that includes timely notification procedures for legal and regulatory disclosures. Know the specific deadlines for various jurisdictions and requirements.

Implement internal processes to flag when an incident might trigger these obligations, and involve legal counsel early. Most importantly, never let short-term corporate embarrassment tempt you into suppressing or delaying a required breach report. In 2018, the SEC fined Yahoo $35 million for failing to disclose a data breach in a timely manner, and, as we’ve seen with Uber, hiding a breach from regulators can result in personal criminal charges.

When in doubt, report it: it’s better to face some reputational damage now than legal consequences later. Also, consider using available safe harbors, such as when law enforcement officially requests a reporting delay (and document that). By diligently following legal requirements, you protect both the company’s compliance record and yourself from accusations of negligence or willful misconduct.

5. Secure personal legal coverage

Directors and Officers (D&O) insurance might seem like the obvious solution, but it comes with significant caveats. Standard D&O policies may not adequately cover CISOs, particularly in cases involving criminal allegations or if they aren’t designated as Section 16 officers. Securing specific endorsements on existing policies or finding separate products designed explicitly for CISOs has become essential.

When joining an organization or reviewing your employee contract, ensure there are provisions that indemnify you for actions taken in good faith as CISO. Verify that you are explicitly covered as an officer in the corporate bylaws or your employment agreement, and that the company’s D&O insurance policy includes you by name or title.

A crucial lesson from veteran CISOs: negotiate personal legal cover during your initial job offer. One approach mentioned by the panelists is arranging for the company to lend money for legal defense until conviction. This subtle but important distinction can provide critical protection when you need it most.

Many experienced CISOs also stress the importance of personal financial resilience, i.e. having enough savings (ideally a year’s worth) to walk away if faced with an unethical decision. As one panelist bluntly put it: “Negotiate your exit on the way in.”

6. Embed cybersecurity into corporate governance

One effective way to protect yourself is to ensure that cybersecurity risk is managed as an enterprise issue, not just a technical matter left solely to you. Advocate for regular reporting of cybersecurity posture and incidents to the board of directors, which helps distribute accountability appropriately.

When the board and CEO are kept informed about major risks and sign off on security investments (or conscious risk acceptances), it establishes a record that those with fiduciary authority are making the decisions, not the CISO unilaterally.

Push for clear definition of roles and responsibilities in security governance. If possible, help define a framework or RACI matrix that delineates who is responsible for what aspects of security. This clarity can prevent finger-pointing later because it will be evident which decisions were outside your authority.

Have candid conversations with leadership about the CISO role’s scope: are you an advisor or the ultimate decision-maker on certain matters? Make sure the answer is documented. Additionally, involve cross-functional teams (legal, IT, risk, compliance) in major security decisions so it’s a shared process. This goes back to the TTXs mentioned in section two of this post, as a well-run TTX gets everyone on board before an incident even occurs.

A strong governance model not only improves security outcomes but also means the CISO isn’t isolated as the “fall person” when something goes wrong.

7. Advocate for a new type of reporting structure

The discussion around optimal reporting structures for CISOs has gained new urgency in light of increasing personal liability concerns. One panelist insisted that CISOs must report directly to the CEO to be strategic partners involved in company decision-making and risk assessment, rather than being relegated to technical functions reporting to a CIO. They argued that anything less means “it’s not a real CISO gig” and sets you up to be disposable after an incident.

Others maintain that impact can be achieved regardless of reporting lines by effectively translating technical risk into business risk for all stakeholders. However, the increasing personal liability, particularly in publicly traded companies and regulated industries, adds significant weight to the reporting structure argument. CISOs may have regulatory obligations and potential liability that extends well beyond their employer’s walls.

Final thoughts

The shift from a primarily technical position focused on protecting organizational assets to that of a complex leadership role requires a corresponding evolution in how CISOs approach their responsibilities. Security leaders must now balance traditional security functions with deliberate self-protection strategies. This isn’t self-serving; it’s necessary risk management. A CISO entangled in legal proceedings or constantly worried about personal liability cannot effectively protect their organization.

The strategies outlined in this post, from securing proper legal coverage to documenting decisions meticulously, should be viewed as essential components of the modern CISO toolkit. Just as you wouldn’t deploy a new system without proper controls, you shouldn’t step into a CISO role without appropriate personal protections.

As one panelist at the RSA panel aptly noted, “The days when a CISO could focus solely on technology are long gone.” Today’s security leaders must be equally adept at navigating legal frameworks as they are at implementing security controls. By taking proactive steps to protect themselves, CISOs can continue to fulfill their vital mission of protecting their organizations, even in this new era of heightened personal accountability.
