Should CISOs be personally liable for corporate breaches?

Here's what they said

We asked 100 cybersecurity professionals whether CISOs should be personally liable for corporate security policy and data breaches.

Ever since the SEC filed a lawsuit against SolarWinds CISO, Tim Brown, the cybersecurity industry has been in an uproar.

The suit alleges that in the years leading up to the 2020 Sunburst attack, "SolarWinds and Brown ignored repeated red flags about SolarWinds' cyber risks". Brown is being charged with aiding and abetting the company's violations by not properly enforcing cybersecurity controls and misleading investors regarding the state of SolarWinds' security.

But should individual employees be personally liable for corporate policies and procedures? We posed this question in an online poll to an audience of cybersecurity professionals. Here's what they thought.

Should CISOs be held legally liable for corporate security policy or data breaches?

  • 42% answered Yes.

  • 35% answered No.

  • 23% answered Depends.

Perhaps surprisingly, the plurality of respondents felt that CISOs should be held legally responsible for actions taken on behalf of the company. This is in line with the SEC's judgement and perhaps indicates a wider trend toward executive responsibility across the C-suite.

Over a third of respondents believe that CISOs should never be responsible for corporate decisions. This is likely meant to ease pressure on already-overworked security leadership who are often up against immense odds.

But the most interesting responses came from those who felt that it simply depends. Here are some of the comments that they provided:

  • "The answer is the CISO should be treated just the same as any company executive that commits fraud or negligence. However, the CISO shouldn't be a get out of jail card for the C-suite and Board. The entire leadership team should be held accountable for poor cybersecurity, not just the CISO."

  • "If the breach was due to an internal actor that was either the CISO or a direct report to the CISO, I can see the opportunity for legal action being open. Other than that, we are putting people in a legal bind for something they wouldn't be able to fully control. It will be extremely hard if not nigh impossible to hire a CISO with that environment."

  • "Sounds like a line was crossed that opened up personal liability. Figuratively speaking, it's the difference between you warning your boss that somebody's going to end up dead vs you helping to hide the body."

  • "It is contingent on whether the CISO acted with gross negligence to avert a compromise or exercised reasonable diligence and care in their efforts to do so. For Gross Negligence they should be held accountable up to termination of employment because there was likely no intent to engage in fraud or an intent to deceive. Unlike Gross Negligence, the act of deceiving stockholders (resulting in damages) and false statements is more of a serious issue. In such a case the CISO should be held liable."

The SolarWinds case serves as a watershed moment not only for the cybersecurity industry, but for leaders across all industries. How this case plays out will have enduring impacts on corporate decision making, risk analysis, and transparency for decades to come. Public opinion, such as that expressed in this poll, will be a core component in shaping that reality.

Learn more about how partnering with Silent Breach can lower your cyber risk and outsource liability. Silent Breach works with organizations of all sizes to craft customized security solutions. Contact one of our experts today.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.