Will CISOs Become Personally Liable for Breach Response?

Cordery's Jonathan Armstrong on Security Incidents: CISOs Should Never Go It Alone
Jonathan Armstrong, partner, Cordery

Regulators and prosecutors are signaling an increased interest in charging individuals such as CISOs with violating cybersecurity and privacy rules. Attorney Jonathan Armstrong, a partner at London-based law firm Cordery, said the imperative for CISOs responding to security incidents is clear: Never go it alone.

"If there was an age where CISOs went it alone on these sort of decisions, that age has gone," he said. "So CISOs do need to phone a friend, they do need help when they're in the same sort of situation that Sullivan was in."

While personal liability for CISOs is not yet a clear trend, multiple cases - including the prosecution of former Uber CSO Joe Sullivan - have emphasized that CISOs should only act in lockstep with their internal legal team, Armstrong said. Ideally, they should be using playbooks developed in advance with legal and other relevant departments and taking a committee-backed approach to all decisions, he said.

In this video interview with Information Security Media Group at ISMG's London Cybersecurity Summit 2023, Armstrong also discussed:

  • How recent verdicts or fines - including for Carlos Abarca, TSB's former CIO - have affected the perception of security and technology executives' own potential personal liability;
  • Key factors security leaders should consider when handling operational failures or breaches;
  • How executive liability for security and technology leaders could evolve.

Armstrong is an experienced lawyer with a concentration on compliance and technology. His practice includes advising multinational companies on matters involving risk, compliance and technology across Europe.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



