Orrick, Herrington & Sutcliffe
Protecting CISOs from Personal Liability Risks
Pages
4
Time to read
9 mins
Publication
Language
English
This document is a guide that discusses the increasing personal liability risks faced by Chief Information Security Officers (CISOs) due to evolving cybersecurity regulations and enforcement actions. It outlines the recent actions taken by the U.S. Securities and Exchange Commission (SEC) against CISOs, including the notable case involving SolarWinds' CISO, Timothy G. Brown, who was charged with fraud related to cybersecurity practices. The guide details the implications of new SEC cybersecurity disclosure rules and New York Department of Financial Services (NYDFS) regulations that heighten the scrutiny on CISOs. It emphasizes the importance of companies implementing best practices to protect their CISOs from potential liability, including establishing clear reporting lines, maintaining a robust cybersecurity framework, and fostering a culture of transparency. The document further highlights the need for ongoing legal compliance and the establishment of effective incident response plans to mitigate risks associated with cybersecurity breaches.