January 24, 2024
Cyber Risk

Personal Liability: How Not To Get Singled Out by the SEC in 2024

By Sweta Bhattacharya

The SEC's new cyber risk disclosure rules promote a more dispersed approach to cybersecurity accountability. However, they also carry a potential dark side – personal liability for CISOs. Cases like Uber, where CSO Joe Sullivan faced personal charges after a data breach, and SolarWinds, where CISO Timothy Brown encountered financial penalties, serve as stark cautionary tales. Though not widespread, these instances have instilled a palpable fear among CISOs.

Why? Because the buck still stops with them when a breach occurs. This makes CISOs increasingly nervous, asking: "Who has my back?"

Let’s look at how a CISO can navigate the complex landscape of accountability while building critical strategies to insulate against potential liabilities from day one of their job.

The Cybersecurity Accountability Landscape

Cyber Risk Management, once considered a technical and back-office operations-driven department, is now front and center to ensure business success. CISOs are no longer solely technical advisors but are integral to business risk decisions, and owning a piece of the risk pie comes with a hefty serving of pressure.

So, it is unsurprising that over 61% of CISOs feel their job expectations are unreasonable and are concerned about being held personally liable for successful cyber-attacks on their watch.

Personal liability for CISOs, in the context of cybersecurity incidents, refers to the potential for legal and financial repercussions landing directly on their shoulders, along with the implications these accusations have on their careers.

Building your CISO Personal Liability Shield

While 88% of boards acknowledge cybersecurity as a business risk, the CIO or CISO still carries primary responsibility for cybersecurity in 85% of organizations. The modern CISO walks a tightrope; now, they need more than just a safety net. The ideal solution is a unified platform that empowers them to:

  1. Establish cybersecurity as a business risk (quantify it in dollars)
  2. Define an acceptable cyber risk appetite with the C-suite & the board
  3. Ensure holistic visibility into enterprise risk & ongoing measurement
  4. Create a well-documented, transparent, and defensible strategy

To achieve the objectives mentioned above, the CISO will have to completely step away from traditional cybersecurity practices that are siloed, subjective, and spreadsheet-driven. Cybersecurity needs to be simplified, and its management needs a revamp.

A CISO’s Ally: The Safe Security Solution

  1. Establishing cybersecurity as a business risk with Safe

    Eliminate discussions and reports that need you to decipher “Which red is redder?” before managing your risks. Instead, pivot to Safe’s AI-powered cyber risk quantification, which equips your board with dollar-driven visibility in every decision, strategy, or investment.

    The Safe Security Platform elevates CISOs as indispensable partners to the business by helping them position cybersecurity risk as integral to business risk management. SAFE’s AI-driven platform eliminates subjective assumptions, enables you to get visibility & alignment on top risks that matter to the business, and helps the Board understand how their decisions reduce the business risk from cybersecurity exposures.

  2. Define an acceptable cyber risk appetite with the C-suite & the board

    CISOs must effectively communicate the balance of risk, value, and cost to enable collaborative and informed decisions. Remember, cybersecurity is a team sport.

    1. Talk to your General Counsel
    2. Talk to the Audit team
    3. Talk to your Board

    SAFE’s prioritization engine is powered by the world’s only international gold standard for risk quantification: the FAIR™ Institute’s FAIR-CAM Module. Using FAIR-CAM, Safe performs the risk:value:cost analysis and delivers an actionable list of prioritized recommendations to lower your risk.

    The Safe platform automatically quantifies and contextualizes cyber risk in dollars

  3. Ensure holistic visibility into enterprise risk & ongoing measurement

    The CISO’s goal is to inform business decisions. So, once you’ve defined your cyber risk appetite, you must also enable business leaders to drive cybersecurity decisions.

    A simple way to gauge if your leaders are self-reliant is to ask if they can confidently make risk-informed decisions without facilitation from your team.

    Safe provides the enterprise with a unified view of cyber risk in a single place with its industry-leading cyber risk cloud of clouds. Safe generates a real-time and unified risk view and automatically presents where your riskiest risks are across your attack surface (users, technology, and supply chain), and maps your risks into bespoke cyber risk scenarios based on the FAIR™ Model.

    Safe Security’s Cyber Risk Cloud of Clouds

  4. Create a transparent, well-documented, and defensible strategy

    A CISO will be challenged by the board or regulators on where the numbers driving decisions come from. So, a transparent, well-documented, and defensible strategy is more pressing than ever. Most current processes and methods are spreadsheet-led and promote blind spots.

    1. Step away from manual, subjective, and spreadsheet-led documentation. Instead, do what the world is doing – turn to AI.
    2. Use standards-based practices to prepare for the worst from day 1 of your job.

    If a data breach occurs, Safe Security’s AI-powered solution tracks your cybersecurity risk posture over 12 months with a unified and real-time view of enterprise-wide risks and the cybersecurity initiatives deployed to reduce or manage those risks. The outcome? You have a defensible, transparent, automated, dollar-driven strategy.

Safe’s open approach is defensible if legal or regulatory bodies question you

Fortressing the Future with Cyber Risk Quantification and Management

Notwithstanding the SEC’s mounting scrutiny and the CISO’s ever-evolving role, companies must take this opportunity to transform their cyber risk management approach. By shifting from an activity-based to a risk-informed outlook, enterprises can truly embrace shared accountability and step away from Monday morning quarterbacking!

With Safe’s AI-powered cyber risk quantification and management, CISOs can perform their duties with integrity while ensuring they do everything possible to secure the enterprise.

Your Next Steps

Schedule your 1:1 so our cyber risk experts can learn your requirements.

Register for a “CISO Personal Liability” webinar with a panel of global CISO experts: Gain insight into real-life cyber attack crisis management and learn how to protect your career.