Proceed With Caution: CISOs May Be Personally Liable Under New Rules

Report Summary


The legal climate appears to be changing, potentially impacting the role of the CISO.

Joseph Krull
Strategic Advisor

Boston, September 15, 2021. Chief information security officers (CISOs) are rarely held personally liable for their professional actions unless those actions are clearly intentional attempts to conduct unlawful activities. However, several developments since August 2020 have blurred the lines between traditional cybersecurity management decisions and questionable conduct, potentially putting CISOs in the crosshairs for criminal prosecution and civil suits.

This Impact Brief identifies three narratives that point to the potential for CISO liability and provides several recommendations for cybersecurity professionals to limit the impact. It is based on discussions with several CISOs and legal professionals from May 2021 to August 2021, as well as the author's personal experience as a former CISO at publicly traded companies.

Clients of Aite-Novarica Cybersecurity service can download this nine-page Impact Brief. To learn more about the topic covered in this Impact Brief, please contact us at [email protected].
