Categories
Blog

The Rising Tide of CCO and CISO Liability

The issue of personal liability for Chief Compliance Officers (CCOs) and Chief Information Security Officers (CISOs) is not new, but as we move into 2025, it is becoming an increasingly pressing concern. The regulatory environment is evolving, and enforcement trends indicate a growing willingness among prosecutors to target individual executives. The cases of Joe Sullivan, Carlos Abarca, and Tim Brown highlight critical lessons for compliance professionals. These cases—and the broader regulatory framework—underscore the importance of proactive risk management, clear governance structures, and a strong compliance culture. Jonathan Armstrong and I explored these cases, their issues, and the lessons learned from them in a recent episode of the award-winning podcast Life with GDPR.

Personal Liability: A Trend That’s Here to Stay

The SEC has long embraced the idea of holding individuals accountable for corporate misconduct. The rationale is simple: corporations may treat fines as a cost of doing business, while individual prosecutions create a stronger deterrent effect. This approach is particularly evident in cybersecurity failures, data breaches, and financial misrepresentation. Indeed, former SEC Director of Enforcement Gurbir Grewal, in a speech to the New York City Association Compliance Institute in 2023, said that there were “three situations where the Commission typically brings enforcement actions against compliance personnel.” These three are:

  1. Where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
  2. Where they misled regulators; and
  3. Where they had a wholesale failure to carry out their compliance responsibilities.

The question facing compliance professionals is no longer whether they could be held personally liable but how to mitigate that risk. We then turned to three key individual cases to see what lessons might be drawn.

Case Studies in Individual Accountability

  • Joe Sullivan and the Uber Case

Joe Sullivan, a former federal prosecutor and Uber’s CISO, was convicted for his role in covering up a data breach. When hackers exploited Uber’s system, Sullivan arranged a $100,000 payment through Uber’s bug bounty program, framing it as a legitimate transaction rather than a ransom payment. The prosecutors argued that he misled regulators and obstructed justice. Though Sullivan avoided prison and received a sentence of three years’ probation, the judge made clear that future cases might not be met with such leniency. The lesson here? Transparency is non-negotiable. Attempting to manage a breach in secret, even with good intentions, can result in severe personal consequences.

  • Carlos Abarca and the TSB Bank Migration Failure

Carlos Abarca, former CIO of TSB Bank, oversaw an IT migration project that ultimately failed, leading to widespread customer service outages. During board meetings, Abarca assured directors that the project was on track. However, regulators scrutinized his statements when the migration went awry due to supplier failures. He was fined nearly $100,000, with investigators even citing his LinkedIn profile, where he described himself as an expert in change management. The key takeaway? CCOs and CISOs must ensure that their public and internal statements accurately reflect organizational realities. Overstating capabilities—or underreporting risks—can become evidence of liability.

  • Tim Brown and the SolarWinds SEC Action

Tim Brown, SolarWinds’ CISO, faced SEC charges for allegedly misleading investors about the company’s cybersecurity posture. The SEC contended that Brown downplayed known security risks, making generic statements such as “we could be attacked” while failing to disclose specific vulnerabilities that were internally documented. Though these charges were eventually dismissed, the case highlighted the increasing role of securities regulators in policing cybersecurity disclosures. For compliance professionals, this underscores the importance of precise, fact-based reporting. Vague assurances will not suffice when regulators uncover internal evidence of known risks.

Regulatory and Legislative Trends: A Tougher Landscape Ahead

The move toward personal liability is not just a U.S. phenomenon. The EU’s Digital Operational Resilience Act (DORA), the Cyber Resilience Act, and similar regulations introduce new accountability mechanisms for compliance and security professionals. These laws emphasize:

  1. Personal responsibility for cybersecurity and compliance failures
  2. Heightened reporting obligations for executives
  3. Potential fines and bans from holding future positions

Furthermore, changes in corporate listing rules, especially regarding cybersecurity disclosures, suggest that more CCOs and CISOs will be in the regulatory crosshairs. With shareholder lawsuits also on the rise, particularly in the U.S., individuals may face both government enforcement and private litigation.

Mitigating Personal Risk: What Compliance Officers Can Do

Given these trends, compliance professionals must take proactive steps to protect themselves. We reviewed the following steps a CCO/CISO could take.

  • Due Diligence Before Accepting a Role

If you are considering a new compliance or security leadership position, conduct thorough due diligence on the organization:

  1. Investigate past compliance failures or regulatory issues.
  2. Assess the board’s composition and governance practices.
  3. Evaluate the company’s historical commitment to compliance and cybersecurity.

A company with a poor compliance track record or a weak board structure may pose significant personal risks.

  • Clarify Your Role and Responsibilities

Clearly define your job responsibilities, ensuring that you supervise compliance rather than solely being responsible for it. A well-drafted job description should:

  1. Specify oversight responsibilities rather than direct operational duties.
  2. Ensure a direct reporting line to senior leadership or the board.
  3. Include indemnification clauses in cases of legal action.

  • Secure Adequate D&O Insurance

Directors and Officers (D&O) insurance is a critical safeguard. Compliance professionals should:

  1. Confirm that D&O insurance covers regulatory and enforcement actions.
  2. Negotiate for personal indemnification clauses in employment contracts.
  3. Ensure coverage is broad enough to include cybersecurity incidents and regulatory fines.

  • Strengthen Internal Reporting and Documentation

Proper documentation is one of the best defenses against liability.

  1. Ensure board minutes accurately reflect discussions about compliance and risk.
  2. Maintain records of risk assessments and mitigation efforts.
  3. Encourage formal reporting mechanisms rather than informal communications.

  • Be Cautious with Communications

Emails and internal memos can become evidence in investigations. Best practices include:

  1. Avoid speculative discussions about compliance risks.
  2. Stick to factual reporting and avoid overly optimistic statements.
  3. Encourage employees to use formal reporting channels rather than casual email exchanges.

Looking Ahead: What to Expect in 2025

As regulatory scrutiny increases, compliance and security professionals must remain vigilant. We can expect:

  1. More enforcement actions targeting individuals rather than just corporations.
  2. Greater regulatory focus on cybersecurity disclosures in public filings.
  3. Stronger whistleblower protections, increasing the likelihood of internal reports leading to investigations.
  4. Continued expansion of liability under new European and U.S. regulations.

The era of heightened personal liability for compliance and security executives is here to stay. The best defense is a strong offense: conducting due diligence before taking a role, clearly defining responsibilities, securing proper insurance, maintaining meticulous documentation, and ensuring precise internal and external reporting. In this new environment, compliance professionals must safeguard not only their companies but also themselves.

Life with GDPR

Life With GDPR – Navigating CCO and CISO Liability Trends

Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. This episode discusses the complex topic of liability for the Chief Compliance Officer (CCO) and Chief Information Security Officer (CISO).

Tom and Jonathan begin by examining notable cases like Joe Sullivan, the former CISO at Uber, who faced prosecution for mishandling a ransomware threat. They also cover other significant cases like Carlos Abarca from TSB Bank and Tim Brown from SolarWinds, highlighting the increasing trend towards personal liability among high-ranking compliance and security officers. Jonathan points out that prosecutors and legislators focus more on individual accountability, driven by the belief that this approach will encourage others to adhere to standards more rigorously. They explore the implications of misleading LinkedIn profiles and the importance of thorough due diligence when taking on new roles. The episode provides practical advice for C-suite executives to protect themselves, including negotiating indemnity clauses and ensuring accurate job descriptions.

Key takeaways:

  • Chief Compliance Officer Liability Overview
  • Case Studies: Joe Sullivan and Uber, Carlos Abarca and TSB Bank, and Tim Brown and SolarWinds
  • Legislation and Trends in Personal Liability
  • SEC Formula for CCO Liability

Resources:

Connect with Tom Fox

Connect with Jonathan Armstrong

Life with GDPR was recently honored as a Top Data Security Podcast

Everything Compliance

Everything Compliance – Episode 126, The Corporate Governance Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jonathan Armstrong, Matt Kelly, Karen Woody, and guest Kristy Grant-Hart, all hosted by Tom Fox.

1. Matt Kelly reviews the recent DOJ speech regarding the use of data analytics in compliance. He shouts out to Congress to do something right in its expulsion of George Santos.

2. Karen Woody reviewed the Jarkesy case in front of the US Supreme Court. She shouts out to Sandra Day O’Connor, the first female Justice of the US Supreme Court.

3. Tom Fox shouts out to John Reed Stark for being the first voice to say that crypto was a fraud and that cryptocurrency exchanges were being used for criminal activity.

4. Jonathan Armstrong takes us on a long discussion of the OpenAI termination of Sam Altman and his return. He shouts out to the rescue workers who saved victims of the Boscastle Flood.

5. Guest Kristy Grant-Hart reviews the actions by the former Binance CCO in the context of the overall Binance $4MM+ enforcement action. She shouted out to Congress to require an investigation of the FDIC after the WSJ broke the story of widespread sexual harassment at the agency.

6. Jonathan Marks rants during the entire episode but then shouts out to Charlie Jeffers and his Lego initiative, Pass the Bricks.

The members of the Everything Compliance are:

• Jay Rosen – Jay is Vice President of Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

• Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

• Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

• Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

• Jonathan Marks can be reached at jtmarks@gmail.com.

• Special Guest Kristy Grant-Hart is the founder of Spark Consulting.

The host and producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Compliance Into the Weeds

Compliance into the Weeds: Binance Pays $4+ Billion for Criminal Acts

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the Binance enforcement action brought by the DOJ, OFAC, FinCEN, and the CFTC.

In a landmark case that has sent shockwaves through the cryptocurrency industry, Binance, the world’s largest cryptocurrency trading platform, has been slapped with a staggering $4.3 billion fine for intentionally violating anti-money laundering laws and other financial regulations. Tom views this as a significant turning point, marking the end of the libertarian experiment around cryptocurrency and alternative financial systems. He believes that the hefty penalties imposed on Binance, along with other smaller enforcement actions in the crypto world, are a clear message from regulators that the crypto sector must comply with US laws and regulations.

Matt echoes Fox’s sentiments, emphasizing that the enforcement actions against Binance and other cryptocurrency ventures signify the end of the libertarian experiment around cryptocurrency. He underscores the deliberate and intentional nature of Binance’s violations, stating that they knowingly deceived and evaded compliance regulations. Join Tom Fox and Matt Kelly on this episode of the Compliance into the Weeds podcast as they delve deeper into this case and its implications for the cryptocurrency industry.

Key Highlights:

  • Binance’s $4.3 Billion AML Violation
  • Deceptive Evasion of Regulations in Cryptocurrency
  • Extensive Monitorship to Address Compliance Deficiencies
  • Binance’s Non-Compliance Leads to Legal Consequences
  • Personal Liability of the CCO
  • End of Crypto?

Resources:

Matt’s blog post in Radical Compliance

Life with GDPR

Sullivan Conviction from GDPR Perspective

Jonathan Armstrong and Tom Fox return for another episode of the award-winning Life with GDPR. In this episode, we discuss the recent conviction of Joe Sullivan, former CISO at Uber, for his role in hiding a data breach that hit the company. Sullivan was convicted in the US in October 2022 in connection with an investigation into a ransomware attack on Uber in 2016. However, we look at the conviction from the GDPR and UK perspective and ask whether it portends potential liability for CISOs and CCOs in the EU and UK. For instance, does this mean there are likely to be more prosecutions against executives? And could we see similar prosecutions in Europe? For a more detailed discussion and links to the case, check out the Cordery Compliance News Alert on the case, which you can find in the link below.

Some of the highlights include:

1. What were the facts?

2. Was Sullivan guilty of negligence or intentional conduct?

3. Why were prior Uber convictions so significant?

4. What happens next?

5. Could this lead to more prosecutions of executives?

6. What does this mean under GDPR and in the UK?

Resources

For more information on the issues raised in this podcast, check out the Cordery Compliance News Section. For more information on Cordery Compliance, go to their website here. Also, check out the GDPR Navigator, one of the top resources for GDPR Compliance, by clicking here.

From the Editor's Desk

July and August in Compliance Week

Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Kyle Brasseur, EIC at Compliance Week, unpack some of the top stories which have appeared in Compliance Week over the past month, look at top compliance stories upcoming for the next month, talk some sports and generally try to solve the world’s problems.

In this month’s episode, we look back at top stories in CW from July around the EY exam cheating enforcement action and a discussion of a potential CCO liability framework. Kyle previewed some of the topics Compliance Week will report on in August, including how technology innovation is causing heartburn for regulators and current issues in crypto enforcement. We previewed some upcoming CW events, including the ESG virtual event, CW 2022 in Europe, which will be held in Scotland, and the 3rd Party Risk conference, scheduled for December. Kyle also discussed the upcoming Inside the Mind of the CCO survey in October.

We conclude with a look at some of the top sports stories, including the induction of David Ortiz into the Baseball Hall of Fame. Kyle talked about what Big Papi meant and continues to mean for Boston, and Tom spoke about him on the national stage. We touched on the new LIV pro golf tour.

Daily Compliance News

May 28, 2022 the Market Manipulation Edition

In today’s edition of Daily Compliance News:

  • Glencore says it has revamped its compliance program. (WSJ)
  • Apple supplier workers revolt against Chinese lockdown. (Bloomberg)
  • Twitter investors sue Musk over market manipulation. (Reuters)
  • New CCO individual liability? (Law360)

Daily Compliance News

March 21, 2022 the CCO Liability Edition

In today’s edition of Daily Compliance News:

This Week in FCPA

Episode 291 – The Rams Win It All Edition

Super Sunday has passed; it was fun but poorly played, poorly officiated, and poorly coached. Tom and Jay are back to look at some of the week’s top compliance and ethics stories in the Rams Win It All Edition.

Stories

  1. Ericsson is in more FCPA trouble. Mengqi Sun in the WSJ Risk and Compliance Journal. Aaron Nicodemus in Compliance Week (sub req’d).
  2. DD impeding compliance in developing markets? Katya Lysova explores in the FCPA Blog.
  3. ESG: no longer a nice to have. Karen Alonardo in Risk and Compliance Matters.
  4. State AGs are waiting. Ashley Taylor and Chris Carlson in CCI.
  5. The latest case on CCO liability. Matt Kelly in Radical Compliance.
  6. Broken windows and compliance enforcement. Anthony O’Reilly in Compliance and Enforcement.
  7. Companies yet again ask the EU for rules around ESG. Lawrence Heim in practicalESG.
  8. White-collar enforcement trends in 2021. Jamie Rosenberg in Grand Jury Target.
  9. HP-Autonomy from the auditors’ perspective. Francine McKenna in The Dig.
  10. South African courts deny Zuma’s attempt to remove the SA corruption prosecutor. Rick Messick in GAB.

Podcasts and More

  1. In February on The Compliance Life, I visited Ellen Smith, a former Director of Trade Compliance who recently started her consulting firm. In Part 1, she discussed her academic background and early professional career. In Part 2, Ellen discussed her move in-house. In Part 3, Ellen discusses being a part of the Compliance Dream Team at Weatherford.
  2. Tom and Richard Lummis are in the middle of their annual review of Best Picture-winning movies on 12 O’Clock High, a podcast on business leadership. Part 1 reviews Schindler’s List for leadership and ethical lessons. In Part 2, they look at Gladiator.
  3. CCI releases a new e-book from Mike Volkov, “Compliance Culture Revolution.” Available free from CCI.
  4. Tom looks at some innovation in compliance with a 3-part blog post series in the FCPA Compliance and Ethics Blog. Topics include Compliance Ecosystem Governance, Compliance Branding, and Building Culture & Compliance Coaching.
  5. Are you a Star Wars fan? How about an uber-Geek? If you are either or both, you will love the 5-part series appearing next week on the Greeting and Felicitations podcast series on the Compliance Podcast Network. In this series, Tom visits astrophysicist Dr. Ben Locwin on the following topics: Traveling in Hyperspace, Fighting with a Light Saber, Mechanical Prosthetics, Cyborgs and Robots, and the Death Star. It is a ton of fun, and you will love it. Each episode will post at 10 each day next week. Check it out daily.

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.