Proceed With Caution: CISOs May Be Personally Liable Under New Rules

The legal climate appears to be changing, potentially impacting the role of the CISO.

Boston, September 15, 2021. Chief information security officers (CISOs) are rarely held personally liable for their professional actions unless those actions are clearly intentional attempts to conduct unlawful activities. However, several developments since August 2020 have blurred the lines between traditional cybersecurity management decisions and questionable conduct, potentially putting CISOs in the crosshairs for criminal prosecution and civil suits.

This Impact Brief identifies three narratives that point to potential for CISO liability and provides several recommendations for cybersecurity professionals to potentially limit the impact. It is based on discussions with several CISOs and legal professionals from May 2021 to August 2021, as well as the author’s personal experiences as a former CISO at publicly traded companies.

Clients of Aite-Novarica Cybersecurity service can download this nine-page Impact Brief. To learn more about the topic covered in this Impact Brief, please contact us at
