Minimizing CISO personal liability through end of year budgeting

As the end of 2024 quickly approaches and companies are scrambling to finalize fiscal year 2025 budgets, Chief Information Security Officers (CISOs) are tasked with balancing ever increasing cyber risks with limited budgets, all while facing potentially crippling personal liability if they fail to strike the right balance and a breach occurs. To minimize the potential risks to their organizations and their own personal well-being, there are a number of steps CISOs should consider taking as they work to prepare for fiscal year 2025.

The shift toward personal liability

As the harm to consumers and shareholders from headline grabbing data breaches continues to mount, legislatures, regulators, consumers and shareholders no longer consider large monetary fines imposed on corporations to be sufficient deterrents for corporate negligence. Many have concluded that the only way to get corporations to take their cybersecurity obligations seriously is to hold individuals accountable for their corporate employer’s neglect, and unfortunately for CISOs, they are the natural individuals to target.

As a result, consumers and shareholders have started naming CISOs as defendants in civil suits, global and United States regulators have begun to target CISOs in civil enforcement proceedings, and prosecutors at agencies like the Department of Justice and Securities and Exchange Commission (SEC) have begun to file criminal charges against CISOs following data breaches.

We have also started to see more efforts by legislatures and regulatory bodies to better enable these efforts. For example, the European Union’s Network and Information Systems Directive II (NIS2), which recently went into effect, contains provisions that specifically enable regulators to hold CISOs and other individuals responsible for managing a corporate entity’s compliance with the regulation directly and personally liable for failing to comply with NIS2’s cybersecurity risk-management measures. NIS2 goes a step further by enabling authorities in certain cases to temporarily prohibit CISOs from executing managerial functions at their organizations. Notably, there is no requirement that a data breach occur for authorities to invoke these powers.

Planning for the future

The changing tide has not gone unnoticed by CISOs. According to a 2023 State of the CISO report, nearly 50% of CISOs are concerned about personal litigation stemming from breaches. Although these developments are clearly concerning for CISOs, the end of year budget cycle presents a great opportunity for CISOs to take the steps necessary to insulate themselves from the risks of personal liability.

First, CISOs can leverage these developments to obtain the resources and support they need to comply with regulations and adequately address risks in their cybersecurity organization during the end of year budget cycle. Importantly, corporate boards and CEOs carry similar risks to CISOs when it comes to personal liability for cybersecurity failings. CISOs can use this to their advantage as they advocate for resources and budget. However, to be effective in these advocacy efforts, it is imperative that CISOs have a strong grasp of their organization’s current regulatory obligations and industry best practices.

Second, as budgeting decisions are made, CISOs should document in real time the decisions that may later on prove to be the root cause of a cybersecurity incident or regulatory failure. CISOs who can show that their requests for resources, personnel and/or tools were denied are far less likely to be held accountable for the consequences of those decisions.

Third, documented end of year budgeting requests can serve as powerful evidence that the CISO takes their leadership role seriously, is up to speed on evolving threats to the organization, and has taken a proactive approach to their responsibilities as head of the cybersecurity organization. For example, one glaring risk area that has recently grown in prominence is a company’s APIs. According to a 2024 State of API Security report, within the last year, 34% of data breaches stemmed from API vulnerabilities, and 95% of organizations experienced security problems in production APIs. These figures are likely to increase exponentially as more companies leverage GenAI to rapidly accelerate API development and usage.

Many organizations do not have a firm grasp on their API environment let alone a solution in place to ensure that their APIs are secure from malicious exploitation. CISOs who can demonstrate that they advocated for and obtained the resources and funding to implement measures to understand their API environments and protect APIs will have successfully demonstrated a forward-thinking approach to their obligations and commitment to security that not only reduces the likelihood of a breach but also strengthens their legal defense should a breach occur.

The bottom line

While personal liability may seem like a scary concept, CISOs who are aware of these developments, educate themselves on their company’s regulatory obligations and industry best practices, advocate effectively for what their organizations need, and document the results of those efforts are far less likely to find themselves in the crosshairs than CISOs who fail to take these steps. The end of year budget cycle presents a natural inflection point for CISOs to take all of these steps so they get what they need to protect both their organization and themselves.