CISOs are burned out – now they face personal liability too

Regulators worldwide are upping their scrutiny of corporate cybersecurity. With a precedent now set for individual liability, is the CISO role about to get much more dangerous?

As the public grows more aware of the devastating impact of cyber incidents, regulatory agencies across the globe are tightening reporting requirements and strengthening penalties. In an effort to counterbalance the immense material risk posed by data breaches and cyber attacks, regulators have set a new precedent for cybersecurity enforcement – personal liability.

In late 2023, the US Securities and Exchange Commission (SEC) alleged that software company SolarWinds had failed to establish adequate security controls, practices and processes.

Crucially, the regulator said SolarWinds – the victim of a huge supply chain attack from a Russian cybercrime group, which led to breaches of US government agencies as well as private sector organisations – had misled investors about its cybersecurity posture.