How are U.S. CISOs Addressing Liability Risk?
New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?
One minute insights:
Most have completed training on legal liability related to cybersecurity incidents, with some doing so on a regular basis
Clear incident response documentation is the most common strategy used by respondents to mitigate liability risk
Leaders consider available liability protections to be an important factor when deciding on new roles
The majority of leaders have completed legal training on liability
Over half (58%) of all respondents (n = 100) have completed training on legal liability for cybersecurity incidents, but one-fifth (20%) say such training is unavailable in their current role.
Among surveyed leaders who have not yet completed legal training on liability (n = 42), 58% intend to seek it out over the next 12 months.
Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.
Personal liability is something [our] Info Security team is very conscientious about.
[Legal liability is a] very important topic that [is] currently not being covered in many organizations and for many CISOs.
Most leaders use incident response documentation to mitigate liability risk
60% of all respondents (n = 100) are clearly documenting incident response roles and responsibilities to protect themselves from liability risk. 40% are updating their existing cyber insurance.
Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.
Seek legal advice when making decisions related to cybersecurity strategy & compliance.
I wish there was a guidance doc on what CISOs need to have in place as well as contracts to protect from personal liability.
Liability protection is a key factor when considering new cyber leadership roles
Nearly all (97%) consider available liability protections when deciding whether to take on a cybersecurity leadership role, with over one-third (36%) citing it as a very important factor in their decision.
Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.
The legal landscape on this seems to be evolving and the liability risk to CISOs is increasing, [so] going forward, I will require liability coverage from any new employer rather than ask for it later.
In their own words...
Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.
Far too often the CISO is protected but the downstream [senior] management is not. This results in a lot of verifying next steps with the CISO that should be automatic but leave you holding the ball if you don't.
I think most organizations will have to carry liability insurance in order to recruit future leaders.
This is an emerging area of concern for CISOs and I'm certainly going to look into this.
The legal risk exposure continues to expand.