On 20 July, teissTalk host Tom Langford was joined by Joe Hancock, Partner (non-lawyer) & Head of MDR Cyber, Mishcon de Reya LLP; Peter McLaughlin, Partner, Armstrong Teasdale LLP; and J.J. Jones, Strategy Counsel & Advisor, Google
Views on news
Over three-fifths (62%) of global CISOs are concerned about being held personally liable for successful cyber-attacks that occur on their watch. The survey also revealed that CISOs in sectors with high volumes of sensitive data and/or heavy regulation such as retail (69%), financial services (65%) and manufacturing (65%) are most likely to demand cyber insurance coverage and suffer from burnout.
Nearly two-thirds (63%) of respondents said they have had to deal with the loss of sensitive information in the past year. But the biggest threat to CISOs may not be breaches but lying to authorities. Joseph Sullivan of Uber, for example, was sentenced after being found guilty of two felonies. CISOs, however, might also feel worried about losing their jobs, even if they aren’t held liable for a breach. It’s also key that the company understands that security is a team sport, not a one-man show.
Responsibility of CEOs and the way attacks should be disclosed
It’s rather likely that CISOs’ increased responsibility will result in them being held liable for hacks, or for the collapse of a company as a result of one. Even being named as a defendant in a cyber security litigation case can cost a lot. Therefore, CISOs need to think about how they’re protecting themselves, especially when they are negotiating with their employer for the job. Gartner, on the other hand, predicts that 75% of CEOs will be held personally liable for physical and cyber breaches as early as 2024, which sounds reasonable as a trend if we consider that cyber risk is only one aspect of corporate risk management.
Also, CEOs call the shots regarding new cyber security investments and sourcing. However, 2024 feels a bit too soon. The emergence of AI-infused cyber threats suggests that what Gartner predicts may not be far off. Cyber security is set to start a life cycle similar to health and safety, with regulations becoming increasingly strict. Each organisation’s continuity plan should include vetted criteria for determining when an attack reaches the materiality threshold, as well as how you’re going to document that decision for posterity. DORA, the EU’s Digital Operational Resilience Act, will most probably filter out to other jurisdictions, increasing the liability of board members.
Therefore, a framework for how board members are kept in the loop, and how they should communicate with each other and with the rest of the company, should form part of the IR plan.
The panel’s advice
It’s expensive just to think about litigation.
If you’re involved in a cyber security incident, write your own log and take your own notes on what you saw and heard and why you made a particular decision.
If you are high enough in the company hierarchy, you’d better take out liability insurance, even if your job title is not CISO.
If you take out cyber insurance, make sure you understand all the exclusions.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543