Tag: CISO liability

The issue of personal liability for Chief Compliance Officers (CCOs) and Chief Information Security Officers (CISOs) is not new, but as we move into 2025, it is becoming an increasingly pressing concern. The regulatory environment is evolving, and enforcement trends indicate a growing willingness among prosecutors to target individual executives. The cases of Joe Sullivan, Carlos Abarca, and Tim Brown highlight critical lessons for compliance professionals. These cases—and the broader regulatory framework—underscore the importance of proactive risk management, clear governance structures, and a strong compliance culture. Jonathan Armstrong and I explored these cases, their issues, and the lessons learned from them in a recent episode of the award-winning podcast Life with GDPR.

Personal Liability: A Trend That’s Here to Stay

The SEC has long embraced the idea of holding individuals accountable for corporate misconduct. The rationale is simple: corporations may treat fines as a cost of doing business, while individual prosecutions create a stronger deterrent effect. This approach is particularly evident in cybersecurity failures, data breaches, and financial misrepresentation. Indeed, former SEC Director of Enforcement Gurbir Grewal, in a speech to the New York City Association Compliance Institute in 2023, said that there were “three situations where the Commission typically brings enforcement actions against compliance personnel.” These three are:

1. Where compliance personnel affirmatively participated in misconduct unrelated to the compliance function;
2. Where they misled regulators, and
3. They had a wholesale failure to carry out their compliance responsibilities.

The question facing compliance professionals is no longer whether they could be held personally liable but how to mitigate that risk. We then turned to three key individual cases to see what lessons might be drawn.

Case Studies in Individual Accountability

• Joe Sullivan and the Uber Case

Joe Sullivan, a former federal prosecutor and Uber’s CISO, was convicted for his role in covering up a data breach. When hackers exploited Uber’s system, Sullivan arranged a $100,000 payment through Uber’s bug bounty program, framing it as a legitimate transaction rather than a ransom payment. The prosecutors argued that he misled regulators and obstructed justice. Though Sullivan avoided prison and received a sentence of three years probation, the judge clarified that future cases might not be met with such leniency. The lesson here? Transparency is non-negotiable. Attempting to manage a breach in secret, even with good intentions, can result in severe personal consequences.

• Carlos Abarca and the TSB Bank Migration Failure

Carlos Abarca, former CIO of TSB Bank, oversaw an IT migration project that ultimately failed, leading to widespread customer service outages. During board meetings, Abarca assured directors that the project was on track. However, regulators scrutinized his statements when the migration went awry due to supplier failures. He was fined nearly $100,000, with investigators even citing his LinkedIn profile, where he described himself as an expert in change management. The key takeaway? CCOs and CISOs must ensure that their public and internal statements accurately reflect organizational realities. Overstating capabilities—or underreporting risks—can become evidence of liability.

• Tim Brown and the SolarWinds SEC Action

Tim Brown, SolarWinds’ CISO, faced SEC charges for allegedly misleading investors about the company’s cybersecurity posture. The SEC contended that Brown downplayed known security risks, making generic statements such as “we could be attacked” while failing to disclose specific vulnerabilities that were internally documented. Though these charges were eventually dismissed, it highlighted the increasing role of securities regulators in policing cybersecurity disclosures. For compliance professionals, this underscores the importance of precise, fact-based reporting. Vague assurances will not suffice when regulators uncover internal evidence of known risks.

Regulatory and Legislative Trends: A Tougher Landscape Ahead

The move toward personal liability is not just a U.S. phenomenon. The EU’s Digital Operational Resilience Act (DORA), the Cyber Resilience Act, and similar regulations introduce new accountability mechanisms for compliance and security professionals. These laws emphasize:

1. Personal responsibility for cybersecurity and compliance failures
2. Heightened reporting obligations for executives
3. Potential fines and bans from holding future positions

Furthermore, changes in corporate listing rules, especially regarding cybersecurity disclosures, suggest that more CCOs and CISOs will be in the regulatory crosshairs. With shareholder lawsuits also on the rise, particularly in the U.S., individuals may face government enforcement and private litigation.

Mitigating Personal Risk: What Compliance Officers Can Do

Given these trends, compliance professionals must take proactive steps to protect themselves. We reviewed the following steps a CCO/CISO could take.

• Due Diligence Before Accepting a Role

If you are considering a new compliance or security leadership position, conduct thorough due diligence on the organization:

1. Investigate past compliance failures or regulatory issues.
2. Assess the board’s composition and governance practices.
3. Evaluate the company’s historical commitment to compliance and cybersecurity.

A company with a poor compliance track record or a weak board structure may pose significant personal risks.

• Clarify Your Role and Responsibilities

Clearly define your job responsibilities, ensuring that you supervise compliance rather than solely being responsible for it. A well-drafted job description should:

1. Specify oversight responsibilities rather than direct operational duties.
2. Ensure a direct reporting line to senior leadership or the board.
3. Include indemnification clauses in cases of legal action.

• Secure Adequate D&O Insurance

Directors and Officers (D&O) insurance is a critical safeguard. Compliance professionals should:

1. Confirm that D&O insurance covers regulatory and enforcement actions.
2. Negotiate for personal indemnification clauses in employment contracts.
3. Ensure coverage is broad enough to include cybersecurity incidents and regulatory fines.

• Strengthen Internal Reporting and Documentation

Proper documentation is one of the best defenses against liability.

1. Ensure board minutes accurately reflect discussions about compliance and risk.
2. Maintain records of risk assessments and mitigation efforts.
3. Encourage formal reporting mechanisms rather than informal communications.

• Be Cautious with Communications

Emails and internal memos can become evidence in investigations. Best practices include:

1. Avoid speculative discussions about compliance risks.
2. Stick to factual reporting and avoid overly optimistic statements.
3. Encourage employees to use formal reporting channels rather than casual email exchanges.

Looking Ahead: What to Expect in 2025

As regulatory scrutiny increases, compliance and security professionals must remain vigilant. We can expect:

1. More enforcement actions targeting individuals rather than just corporations.
2. Greater regulatory focus on cybersecurity disclosures in public filings.
3. Stronger whistleblower protections increase the likelihood of internal reports leading to investigations.
4. Continued expansion of liability under new European and U.S. regulations.

The era of heightened personal liability for compliance and security executives stays here. The best defense is a strong offense: conducting due diligence before taking a role, clearly defining responsibilities, securing proper insurance, maintaining meticulous documentation, and ensuring precise internal and external reporting. In this new environment, compliance professionals must not only safeguard their companies but also themselves.