How to Mitigate Your Risk as a CISO

January 16, 2025
CISOs must not only protect and defend their organization’s assets but also safeguard themselves as individuals. Find recommendations for mitigating a CISO’s risk, including tips on insurance coverage and guidance on working with the organization’s legal team.
IANS Faculty

CISOs must not only protect and defend their organization’s assets but also safeguard themselves as individuals. A strategic plan and clear communication are effective tools for a CISO’s personal protection. This piece provides recommendations for mitigating a CISO’s risks, including tips on retaining a personal attorney.


The CISO Role: A Landmine of Potential Risks

Today’s CISOs may find themselves increasingly concerned about potential legal liability. From an individual perspective, such issues can stem from regulatory compliance, cybersecurity program management and internal or external communications. Complications often arise when the CISO’s opinion differs from that of the business. While the CISO may prioritize a “security first” perspective, the business may weigh financial or operational considerations more heavily, which can cause friction.

Additionally, regulators such as the FTC, SEC and others require regulated entities to accurately disclose notable events like security incidents and breaches. Depending on the scope of the regulation, this may include successful and unsuccessful attempts to compromise information systems or data. Transparent and accurate disclosures are often required by regulators, along with timely periodic updates. Potential legal liability can also arise from statutes like the Sarbanes-Oxley Act of 2002 for false, misleading or otherwise inaccurate disclosures to the SEC.

The following is not an exhaustive list of situations where personal liability may arise, nor does it constitute legal advice. These points are intended for educational purposes only. It is recommended that individuals consult with their retained legal counsel.


How to Mitigate CISO Liability

CISOs are typically focused on mitigating risk for their companies. However, it is becoming increasingly clear that they must also protect themselves. CISOs need to take special precautions to minimize their personal exposure to liability. Much like the principle of defense in depth, CISOs should implement a multi-layered strategy to protect their personal interests.

Legal Counsel for CISOs

Whenever feasible, seek guidance from your company’s legal counsel on meeting regulatory, legal and contractual obligations. Collaborating with legal counsel can benefit the CISO, as their role is to advise the company on these matters. It is important for the CISO to maintain regular communication with legal counsel rather than taking matters into their own hands. Let the company’s legal counsel manage the legal, regulatory and contractual issues.

In-house counsel is, by definition, a lawyer employed by a company to provide legal advice to the company. Therefore, in-house counsel has a professional and ethical obligation to the company. In other words, the lawyer’s client is the company itself. In-house counsel cannot provide individual legal advice to employees or contractors, especially if their interests conflict with the company’s. Lawyers, including in-house counsel, must adhere to the rules of professional responsibility established by the jurisdictions in which they are licensed. Each jurisdiction has its own set of professional responsibility rules lawyers must follow to remain in good standing with the bar.

CISOs can proactively protect themselves by retaining qualified legal counsel before any potential disputes or legal questions arise that could expose them to liability. Before hiring legal counsel, CISOs should first evaluate their specific legal needs, which might include compliance with certain regulations, adherence to contractual requirements, employment law considerations or litigation defense. Legal considerations may include questions pertaining to state, federal or even international laws and regulations (e.g., the EU GDPR).

When selecting an attorney, it is recommended to retain one who works directly for a law firm. While there are lawyer referral services available, these services may be limited, and conducting your own due diligence may yield better results.


Safeguards to Reduce CISO Liability

While not exhaustive, the following safeguards can help reduce liability. Whenever feasible and practical, the CISO should work with the company’s legal and compliance teams to ensure laws, regulations and contractual obligations are being met.

  • CISOs should uphold strong ethics and professional responsibility in all forms of communication. Whether oral, written or electronic, communications should be clear, accurate and consistent. This includes, but is not limited to, email, chat messages, text messages and in-person interactions. Always remain vigilant and think before speaking, writing, typing or reacting. Relevant communications can occur both on- or off-premises, during social functions, or even on social media. Maintain an accurate and detailed log that covers the who, what, when, why, where and how of your analyses, decisions and other communications.
  • Any statements made by or attributed to the CISO should be accurate, reasonable and complete. Ideally, the CISO works in conjunction with legal counsel, the compliance team, the risk management team and/or leadership. However, there may be instances where the CISO needs to consult a personal attorney. Attorneys specialize in various areas of law, and the CISO may need more than one attorney, especially if multiple legal issues span different areas of law (e.g., employment, cybersecurity, etc.). In such cases, it may be advisable to hire an attorney from a large, reputable law firm with a strong reputation in the relevant areas of need.


CISO Insurance, Indemnification and Other Coverage

CISOs should consult the company’s in-house counsel and finance team to determine whether they’re covered by the company’s insurance for potential liabilities that may arise from their professional responsibilities. This coverage might include protection against errors and omissions, negligence claims and other related issues. Actual coverage depends on factors such as who is considered an insured party, specific endorsements and exclusions, and the applicable law in the relevant jurisdiction.

If the CISO is not covered or if the coverage is inadequate, they should inquire about being added to an existing insurance policy or about purchasing additional coverage. When asking about insurance coverage, it is important to ask for specific details about the policy, including the opportunity to review the policy in full, along with any endorsements and exclusions. If possible, review the coverage with a personal attorney and consider discussing a written indemnification agreement with the company. This, along with the attorney’s recommendations on evaluating professional and personal risk, will help provide additional assurance.

Recommendations to Reduce CISO Risk

Being prudent in their analyses, decisions and communications can help CISOs reduce their professional and personal risk. Additionally, CISOs can further reduce their liability by following these dos and don’ts:

  • Don’t stop learning: Stay current on cybersecurity management practices, standards and guidelines. Ensure the cybersecurity program aligns with these principles.
  • Do communicate clearly, consistently and accurately: Be mindful of your communications, as many things are “on the record.” Professional integrity, including transparency and accuracy in communications (whether internal or external), is crucial. Additionally, maintain accurate and thorough notes regarding the who, what, why, when and how of any communications.
  • Do ask what the company can do for you: Inquire about the extent of your coverage under the company’s insurance, written indemnification agreement or other protective measures.

Finally, consulting with appropriate legal counsel on how to proceed can be a powerful and proactive step in reducing your liability.

