June 20, 2022 By Sue Poremba 3 min read

After a company discovers a cyber attack on its network, the finger-pointing begins. The CEO blames the chief information security officer (CISO). The CISO blames the finance team for not budgeting enough for cyber defenses. The chief information officer looks for a scapegoat further down the chain: perhaps a low-level employee who made a mistake, or a vulnerability in a third-party vendor's systems. And if the incident took place in the cloud, is the cloud provider or the data owner at fault?

People can toss blame around, but when a cyber incident occurs, someone ends up legally liable. Who is it: a single person, a department or the company as a single legal entity?

Business judgement rule and cybersecurity

After the SolarWinds supply chain attack, shareholders sued, claiming the company and its executives had hyped their cybersecurity efforts while there was evidence that leadership lacked an effective security program. Cost-cutting came first, the lawsuit argued, and cybersecurity took a back seat to profits. The suit targeted the executives and the board of directors, naming individuals, with the company's top security executive front and center.

The Business Judgement Rule often protects senior executives and boards of directors. LawShelf defines it as “a standard of judicial review of corporate director and officer conduct.” Because corporations are chartered and governed under state law rather than federal law, the way the rule is applied varies from state to state.

“The rule protects officers and directors from liability where they have made decisions in good faith and using appropriate procedures, even if those decisions turn out to be poor or unwise,” LawShelf adds. In other words, a bad call by company leadership does not by itself make them liable for the resulting damage. As long as the decision was informed and made in good faith, that holds whether the mistake was an honest one or a cost-cutting measure that later proved harmful.

The Business Judgement Rule was tested in a cyber incident when shareholders sued Home Depot over its 2014 data breach. The suit challenged the competence of the company's cybersecurity program, noting in particular that the breach occurred after Home Depot's leadership disbanded a board committee tasked with IT oversight. The judge found that management had regularly briefed the board of directors on IT and cyber risks. Because the board had made what the court considered informed decisions about cybersecurity, the judge dismissed the suit.

Protecting the CISO from liability

According to a CISO Series webinar, one organization's employment contract set up the CISO as the “designated felon” should the company suffer a cyber incident. The contract was designed to shield the rest of the executive team from the legal and financial fallout.

The CISO is first in line for blame, termination and legal responsibility after a cyber incident. The CEO may take the public shaming, but internally it is the CISO who has the most to lose.

That is why lawyers encourage CISOs to negotiate employment contracts with the legal ramifications in mind. Some suggest asking for a different title. The duties are largely the same, but different assumptions attach to a C-suite officer than to a vice president of cybersecurity or a similar title that does not imply top-level executive responsibility, and that distinction can provide a layer of protection after an incident. Others recommend writing a “golden parachute” into the contract so that a CISO who is held responsible and fired is not left financially exposed.

Individual liability

Thanks to the Business Judgement Rule and the high bar for holding individuals personally liable, executives and boards have largely emerged unscathed from the legal aftermath of cyber incidents. The organization takes the hit, but legally no single person or small group has been held responsible. Recent cases suggest that could change.

Uber, for example, has been the victim of cyber incidents, but the legal action that followed asked whether Uber's own conduct after a breach was the real problem. Its former chief security officer was criminally charged over the handling and disclosure of a 2016 breach, specifically for not properly reporting the incident. Does a failure to disclose shift the legal burden onto the individual who shirked that duty?

Cyber attacks open companies up to legal chaos. A simple mistake by a low-level employee can have a large impact, but unless the intent was malicious, the law is unlikely to hold that employee liable. Whether a court can hold the leader who sets cybersecurity strategy liable for a breach remains murky, and this area of law continues to evolve.
