How CISOs can protect their personal liability
Wednesday, July 3, 2024
Unfortunately, many CISOs today operate without that kind of clarity, says Ilia Kolochenko, founder of cybersecurity firm ImmuniWeb and a practicing attorney in cybersecurity for Platt Law LLP. He’d venture to guess that if someone were to ask CISOs at large companies whether they could clearly and comprehensively enumerate all their duties, most of them would say ‘no.’
“Frequently, CISO professional duties are vague and they’re really blurred. You are in charge of everything,” he tells CSO. “At the same time, when you need budget, you cannot have it because it’s actually the board who’s deciding.”
From policies to meetings, document everything
Of course, it’s not just roles and responsibilities that need to be documented. Effective CISOs need to make documentation the name of the game in just about every other facet of their job. Not only is this important for doing their duty as a risk officer who is answerable to the board and to auditors — it can also make all the difference in reducing their personal liability. “Documentation is essential. When you have documentation, you are already decently protected,” says Kolochenko.
Setting policies for what happens when things go wrong, who should be informed, and who should be signing off on next steps is an important CYA mechanism for CISOs. Kolochenko explains that a CISO can act with much greater personal confidence if they’re able to tell a regulator or prosecutor that they have a corporate policy reviewed by general counsel, that the CISO followed the rules and notified the board and counsel of a security weakness via email, and that the higher-ups responded to proceed as usual. “Then you have available evidence saying, ‘I’ve been acting as per corporate rules and I fully acted in compliance with our policy and procedure,’” he says. “If the board ignores your email, later on it will be their accountability and responsibility.”
Insurance and indemnification protection
Even with rock solid policies, procedures, and documentation, CISOs should also seek to establish legal protection through tools like indemnification agreements, employment contractual terms, and the right level of insurance protection.
Kolochenko says CISOs that are unsure of their protections should proactively reach out to their general counsel and ask them about all of their duties, liabilities, and protections. If something sounds unfavorable, push back, he says.
“Don’t hesitate to renegotiate certain things, because if your general counsel says, ‘Listen, you have no protection whatsoever and if we are hacked, we’ll sue you as well. We’ll join the class action lawsuit and we’ll take you to court,’ it’s a good idea to renegotiate employment conditions,” he says. “I think it is always a good idea to mention, ‘Listen, it’s not just about me. If you want me to be efficient and effective and if you want me to protect our trade secrets and intellectual property, and personal data for our customers, I need additional protection to be certain that I can do what is right, not just what is politically correct or where I have the least possible personal risk.’”
“There’s one crucial point that some people probably miss. When you are an employee of a company and you have a general counsel, general counsel is not your attorney,” Kolochenko adds. “This is very important. In most cases, general counsel will act in the best interests of your employer.”
When CISOs aren’t aware of the terms of this relationship, they can potentially set themselves up for some ugly conflict of interest situations that could put them in personal legal peril.
“Let’s say, a CISO talks to a general counsel and says that ‘Listen, it’s all my fault,’ clearly admitting the guilt. Later on, the company utilizes this information against the CISO. The CISO may have a valid claim against the general counsel. But I don’t think that it will bring much value to have another legal action pending in parallel.”
Proactivity in vetting a lawyer before a crisis ever presents itself is crucial. “When you have already received summons to court, it may be a little too late,” Kolochenko says. “Most importantly, you and everyone around you will make suboptimal decisions.”
CISOs don’t necessarily have to have someone on retainer, but they should seek out some free initial consultations and find a lawyer with the right mix of employment, corporate, and cybersecurity liability experience.
SecureWorld: Cyber Insurance Premiums Decline as Businesses Boost Security Measures
SecurityWeek: Cyberinsurance Premiums are Going Down: Here’s Why and What to Expect