
teissTalk: Navigating the rising legal threats to cyber-security leaders

On 8 May 2025, teissTalk host Thom Langford was joined by Michela Resta, Solicitor, CYXCEL; and Kelly Hagedorn, Partner, ALSTON & BIRD.


Views on news


Nearly all (93%) organisations have introduced policy changes over the past 12 months to address rising CISO personal liability risks, according to new research by cloud service provider Fastly. This includes 41% of organisations increasing CISO participation in strategic decisions at board level. Additionally, 38% of respondents reported "increased scrutiny of security disclosure documentation from supervisory agencies." These policy changes respond to a shift by regulators towards personal liability for cyber-security incidents, both in the US and under the EU's NIS2 Directive. Holding individuals rather than organisations responsible for cyber incidents and attacks is a new trend, but cyber-security professionals must not be held to account without also being given the authority to drive meaningful change in their areas.


Breach reporting and incident response

Shortening timeframes for reporting breaches may put CISOs in a difficult position: they are pushed to write a report while they may still not see clearly what actually happened, and revising that report later is hard to do without the change being read as a sign of negligence. Generally, a CISO is held responsible not for an incident happening but for how they respond to it. While liability insurance is a good safety net, it should only complement efforts to improve the company's security posture.


Incident response plans should always be tried and tested, so that when an incident occurs everyone knows what to do and how to communicate off-line, outside the systems that may be affected. That said, a CISO who sits on top of a structured, well-connected team need not check every detail of the response personally. Testing a company's incident response plan is often regarded as disruptive to operations; minor cyber incidents, however, can serve as testing grounds for the plan, alongside tabletop exercises and simulations. Shared responsibility, an alternative to ascribing blame for breaches, can only work well with robust awareness-raising and training programmes.


The panel’s advice

  • Most probably, CISOs will be held personally accountable under the new legislation only if they have done something illegal.
  • Moldova and India mandate a 6-hour timeframe for reporting a breach.
  • The first thing a CISO should do in the morning is check their incident response plan.
  • In a simulation, you don't need to run the whole exercise at once. You can break it into parts and involve different teams separately.
  • As a CISO, if you're in the room when something is not right, say, for the record, that you disagree, and you'll be fine.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543