Between the Breach and the Boardroom: Navigating CISO Liability in an Era of Accountability

By Allison Raley and Jacqueline Cooney

In today’s volatile cybersecurity landscape, chief information security officers (CISOs) operate in a paradox. They are hired to safeguard against risk—but increasingly, they are the risk. As breaches grow more frequent and regulatory scrutiny more intense, CISOs now find themselves exposed not only to reputational fallout but to personal liability as well.

This is no longer a theoretical concern. The SEC’s enforcement action against SolarWinds and its CISO, filed in October 2023, marked a seismic shift in how regulators view cybersecurity governance. For the first time, a sitting CISO faced securities fraud charges not for failing to prevent a breach but for allegedly misleading investors by overstating the maturity of the company’s cybersecurity program. A federal court dismissed most of those claims in July 2024, but the theory of liability the complaint advanced remains, and its implications are profound: The role of the CISO has formally crossed over into the realm of securities liability and public disclosure obligations.

For cybersecurity and IT professionals aspiring to leadership—or already in the hot seat—the path forward demands not only technical fluency but governance maturity, legal awareness and a strategic mindset. Here, we examine the evolving contours of CISO liability and offer practical steps to insulate yourself and your organization from becoming the next cautionary tale.

The Expanding Perimeter of Legal Risk

Historically, CISOs were shielded from personal liability in breach scenarios. The logic was intuitive: Cyberattacks are inevitable, and no security leader can guarantee perfect defense. But that legal safe harbor is eroding. Today, liability stems not from the fact of a breach but from what is said, done, or undocumented before and after it.

The SEC, DOJ and FTC are scrutinizing:

  • Discrepancies between internal assessments and public statements.
  • Board-level reporting practices (or lack thereof).
  • Failure to follow established incident response protocols.
  • Negligence in patching known vulnerabilities.
  • Omissions or inaccuracies in breach notifications.

What this means is that a CISO may find themselves liable not just for how a breach occurred but for whether they were transparent, consistent and accountable in their stewardship of security risk.

Five Best Practices to Reduce Personal and Organizational Risk

1. Document, Document, Document

The most important thing a CISO can do is leave a defensible paper trail. Regulatory and civil claims often hinge not on what was done but on whether it can be demonstrated that it was done.

  • Maintain dated risk assessments, security audits, penetration test results and patching logs.
  • Document internal discussions around material risk decisions, especially if concerns were raised but not acted upon due to business constraints.
  • Ensure that incident response plans are reviewed and updated regularly and that each version is archived.

Remember: If it isn’t written down, it didn’t happen.

2. Don’t Overstate Readiness

Marketing materials, investor updates and board reports often celebrate a company’s “robust cybersecurity posture” or “industry-leading practices.” If these claims overreach—or worse, contradict internal concerns—they may form the basis of a securities fraud allegation.

CISOs must review public statements for accuracy and consistency with actual internal risk assessments. If your SOC 2 Type II report shows gaps in logging or alerting, do not allow those realities to be glossed over for optics. Tone at the top matters, but so does integrity at the bottom line.

3. Insist on Board-Level Visibility

A CISO without access to the board is a liability waiting to happen. The board bears fiduciary duties to oversee material risk—including cybersecurity—and CISOs must ensure that directors are educated on evolving threats, active vulnerabilities and strategic investments required to mitigate exposure.

CISOs should:

  • Deliver quarterly updates to the board or audit committee, emphasizing changes in risk posture.
  • Use metrics the board understands (e.g., cost of risk, regulatory exposure, time to contain).
  • Solicit feedback and track follow-up actions in minutes.

If you are denied board access, document your requests and elevate your concerns through appropriate legal or compliance channels.

4. Align with Legal Early and Often

The legal department is not your adversary. Especially in breach situations, counsel can provide critical privilege protections, guide regulatory disclosures and evaluate the risks of third-party notification.

Prebreach, consider partnering with legal to:

  • Establish a joint review process for public statements related to cybersecurity.
  • Define what constitutes a “material” cybersecurity incident for purposes of Item 1.05 of Form 8-K under the SEC’s 2023 cybersecurity disclosure rules, which start a four-business-day disclosure clock once the company determines an incident is material.
  • Develop escalation protocols for newly discovered risks.

In practice, many CISOs operate in siloed environments. Breaking down those silos may be the difference between a managed incident and a legal quagmire.

5. Know Your Coverage—and Fight for It

Most CISOs do not negotiate their indemnity rights or ask to see the company’s directors and officers (D&O) policy until it’s too late. Do not assume that because you’re an officer, you are fully covered.

Key questions to ask:

  • Does the D&O policy expressly include the CISO role?
  • Is cyber liability insurance separate or integrated into the policy?
  • Are defense costs advanced or reimbursed only after resolution?
  • What exclusions exist (e.g., for “intentional acts,” which can be broadly interpreted)?

Request a copy of the policy and consult with outside counsel if necessary. If your company won’t clarify coverage, ask why—and escalate.

Toward a Culture of Shared Accountability

One of the most damaging myths in cybersecurity is the notion of the “hero CISO”—the lone technologist who can singlehandedly defend the digital perimeter. In truth, cybersecurity is an enterprisewide discipline, and accountability must be distributed accordingly.

Companies must invest not only in firewalls and AI-powered detection tools but in training, communication and governance infrastructure. CISOs should not shoulder the burden alone, but neither can they afford to abdicate the responsibility of translating technical risk into business language.

The question is no longer whether CISOs can be held liable. They can. The question is whether they are empowered, protected and integrated into decision-making structures that enable them to lead effectively and defensibly.

Final Thoughts

The modern CISO walks a narrow ridge between innovation and regulation, speed and scrutiny, and technical depth and strategic breadth. The job has never been more important—or more precarious. But with the right structure, support and foresight, CISOs can not only survive this era of accountability—they can shape it.

By taking deliberate steps to document risk, manage disclosures, engage the board, and secure legal and insurance protections, CISOs can reduce liability while building a culture that sees cybersecurity not as a compliance function but as a core pillar of enterprise resilience.

In this new chapter, the best shield against personal liability may be the same thing that built your career: clarity, integrity and leadership.

________

Allison Raley is a partner in Arnall Golden Gregory LLP’s Corporate & Finance practice and co-chair of the firm’s Emerging Technologies industry team. A former chief compliance officer, she advises national and international companies on complex regulatory compliance and risk management. She can be reached at [email protected].

Jacqueline Cooney is a partner and co-chair of Arnall Golden Gregory LLP’s Privacy & Cybersecurity practice and Emerging Technologies industry team. She has 30 years of experience handling privacy, governance, risk, compliance and public policy matters. She can be reached at [email protected].
