How are U.S. CISOs Addressing Liability Risk?

New regulations taking effect in the U.S. mean that cybersecurity leaders could face legal liability in the event of an incident. What strategies are they using to protect themselves?

One minute insights:

  • Most have completed training on legal liability related to cybersecurity incidents, with some doing so on a regular basis

  • Clear incident response documentation is the most common strategy used by respondents to mitigate liability risk

  • Leaders consider available liability protections to be an important factor when deciding on new roles

The majority of leaders have completed legal training on liability

Over half (58%) of all respondents (n = 100) have completed training on legal liability for cybersecurity incidents, but one-fifth (20%) say such training is unavailable in their current role.

In your current role, have you completed any legal training that addresses liability related to cybersecurity incidents?

chart 1

n = 100

Among surveyed leaders who have not yet completed legal training on liability (n = 42), 58% intend to seek it out over the next 12 months.

Do you plan to pursue legal training that addresses liability related to cybersecurity incidents in the next 12 months (either independently or through your employer)?

chart 2

n = 42

Note: May not add up to 100% due to rounding

Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.

Personal liability is something [our] Info Security team is very conscientious about.

VP, construction industry, 10,000+ employees

[Legal liability is a] very important topic that [is] currently not being covered in many organizations and for many CISOs.

VP, arts and entertainment industry, 5,000 - 10,000 employees

Most leaders use incident response documentation to mitigate liability risk

60% of all respondents (n = 100) say they clearly document incident response roles and responsibilities to protect themselves from liability risk; 40% are updating their existing cyber insurance.

Apart from D&O coverage or cyber insurance, what strategies are you using to protect yourself from liability? Select all that apply.

chart 3

  • Clearly document incident response roles and responsibilities 60%
  • Update existing cyber insurance 40%
  • Defer responsibility for determining when a breach has officially occurred to a non-security function (e.g., legal, compliance) 27%
  • Update employment contract (e.g., adding liability protections and/or legal assurances) 25%
  • Consult personal lawyer 18%
  • Not sure 12%
  • Seek a new role with better liability protection 9%
  • Other 0%

n = 100

Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.

Seek legal advice when making decisions related to cybersecurity strategy & compliance.

Director, retail industry, 1,000 - 5,000 employees

I wish there was a guidance doc on what CISOs need to have in place as well as contracts to protect from personal liability.

C-suite, construction industry, 1,000 - 5,000 employees

Liability protection is a key factor when considering new cyber leadership roles

Nearly all (97%) consider available liability protections when deciding whether to take on a cybersecurity leadership role, with over one-third (36%) citing it as a very important factor in their decision.

When seeking a new role in cybersecurity leadership, do you consider available liability protections to be an important factor in your decision?

chart 4

  • Very important 36%
  • Not at all important 0%

n = 100

Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.

The legal landscape on this seems to be evolving and the liability risk to CISOs is increasing, [so] going forward, I will require liability coverage from any new employer rather than ask for it later.

C-suite, manufacturing industry, 1,000 - 5,000 employees

In their own words...

Question: Please share any final thoughts you have on legal liability for cybersecurity leaders and/or how organizations should approach prevention.

Far too often the CISO is protected but the downstream [senior] management is not. This results in a lot of verifying next steps with the CISO that should be automatic but leaves you holding the ball if you don't.

- C-suite, professional services industry, 1,000 - 5,000 employees

I think most organizations will have to carry liability insurance in order to recruit future leaders.

- Director, healthcare industry, 10,000+ employees

This is an emerging area of concern for CISOs and I'm certainly going to look into this.

- C-suite, finance industry, 1,000 - 5,000 employees

The legal risk exposure continues to expand.

- C-suite, professional services industry, 5,000 - 10,000 employees

Respondent Breakdown

[respondent breakdown chart not reproduced]