Evolving CISO liability: How U.S. legal frameworks have shifted in the past five years

CybersecurityHQ Report - Pro Members


Executive Summary

The role of the Chief Information Security Officer (CISO) has undergone a profound transformation over the past five years. Once primarily responsible for technical cybersecurity functions, CISOs now navigate a complex legal landscape with significantly increased personal liability risks. This whitepaper analyzes the evolution of legal frameworks governing CISO liability in the United States from 2020 to 2025, examining key regulatory developments, precedent-setting cases, and their implications for cybersecurity executives.

Our analysis reveals that CISO liability has expanded substantially through four primary mechanisms:

  1. Securities law enforcement that targets individual executives for misrepresentations about cybersecurity posture and breach disclosures

  2. Criminal prosecutions establishing precedent for personal liability in cases of negligence or misconduct

  3. Regulatory frameworks mandating specific security practices, with personal certifications required from security executives

  4. Civil litigation increasingly naming CISOs as defendants in data breach lawsuits

These developments have created what we term the "responsibility without authority paradox," where CISOs face mounting accountability without commensurate organizational power to implement necessary security measures. This paradox has reshaped how organizations structure security governance, insurance coverage, and executive contracts to protect their security leaders.

For CISOs navigating this high-stakes environment, we recommend comprehensive strategies including governance documentation, robust incident response planning, strategic risk transfer, and proactive management engagement. Organizations must rebalance authority with responsibility, providing CISOs appropriate resources, board-level support, and formal protections to effectively execute their expanding duties.

The transformation of CISO liability represents a watershed moment in cybersecurity governance. By understanding these shifts and implementing strategic responses, security leaders can better protect both their organizations and their personal interests in this new legal landscape.

Introduction: The Expanding Scope of CISO Liability

The cybersecurity landscape in 2025 bears little resemblance to that of five years ago. While technical threats have evolved, perhaps the most significant transformation has occurred in the legal frameworks governing cybersecurity leadership. Chief Information Security Officers, once primarily technical functionaries, now operate in an environment where personal liability for security failures is not merely theoretical but an established reality, with precedent-setting cases demonstrating the serious consequences of inadequate security governance.

This whitepaper examines how U.S. legal frameworks governing CISO liability have evolved over the past five years (2020-2025), analyzing key regulatory developments, landmark court decisions, and their implications for cybersecurity leaders. We identify emerging trends in how organizations are responding to these shifts and provide strategic recommendations for CISOs navigating this complex landscape.

The stakes for CISOs have never been higher. In 2020, personal liability for cybersecurity failures was largely theoretical, with limited precedent for individual prosecution or significant penalties. By 2025, we have witnessed criminal convictions, SEC enforcement actions against individual security officers, and multi-million-dollar settlements where CISOs were named defendants. These cases have established that security executives can face:

  • Criminal charges for concealment of breaches

  • Civil liability for misrepresentations about security posture

  • Regulatory penalties for compliance failures

  • Personal financial consequences from shareholder lawsuits

Our analysis draws on a comprehensive review of legal cases, regulatory actions, and industry surveys to provide security leaders with actionable insights for this new era of accountability. The findings reveal how organizations must fundamentally reconsider the structure, authority, and protections afforded to their security executives to adapt to this transformed legal landscape.

From Corporate to Personal Liability: Key Developments

The shift toward increased CISO liability can be traced through several pivotal legal and regulatory developments between 2020 and 2025. These changes have progressively expanded the scope of personal responsibility while raising the stakes for security failures.

Securities and Exchange Commission (SEC) Enforcement Actions

The SEC has emerged as one of the most consequential regulators shaping CISO liability through:

  1. The 2023 Cybersecurity Disclosure Rule: This landmark regulation requires public companies to disclose material cybersecurity incidents within four business days of determining materiality and to provide annual disclosures on their cybersecurity risk management, strategy, and governance. Crucially, it necessitates disclosure of board oversight and management expertise in cybersecurity, creating a formal record of responsibility that can later be scrutinized in enforcement actions.

  2. SolarWinds CISO Case (2023-2025): The SEC's action against SolarWinds and its CISO, Timothy Brown, established precedent for holding security executives personally liable for alleged misrepresentations about cybersecurity. The case centered on claims that SolarWinds and Brown made misleading statements about security practices despite internal documentation showing awareness of significant vulnerabilities. While a federal judge dismissed some charges in 2024, securities fraud claims were allowed to proceed based on the discrepancy between internal security assessments and public statements.

  3. Expansion of "Control Person" Liability: The SEC has increasingly applied the "control person" provisions of securities laws to cybersecurity contexts, holding executives liable for failures to implement adequate controls over cybersecurity disclosures and practices. This approach enables the SEC to reach individual executives even without proving direct fraudulent intent.

As one securities attorney noted in our interviews: "The SEC's message is clear: CISOs who sign off on misleading statements about cybersecurity, whether in SEC filings, press releases, or investor communications, are now squarely in the enforcement crosshairs."

Department of Justice Criminal Prosecutions

Criminal prosecutions have created some of the most sobering precedents for CISO liability:

  1. United States v. Sullivan (2022-2023): In the watershed Uber case, former CSO Joe Sullivan was convicted of obstruction of justice and misprision of a felony for his role in concealing a 2016 data breach. Sullivan authorized a $100,000 payment to hackers under a bug bounty program and had them sign NDAs rather than disclosing the breach to regulators and affected users. His conviction resulted in a three-year probation sentence and established that security executives have affirmative disclosure obligations that cannot be circumvented even under corporate pressure.

  2. DOJ's 2022 Civil Cyber-Fraud Initiative: This program uses the False Claims Act to pursue government contractors who misrepresent their cybersecurity practices or fail to report breaches. The initiative has led to settlements with individual liability provisions, extending beyond corporate penalties to reach responsible executives.

  3. Expansion of CFAA Application: Courts have broadened the application of the Computer Fraud and Abuse Act to include cases where security professionals failed to implement adequate protections, creating potential criminal liability for negligent security practices that facilitate breaches.

State Regulatory Frameworks

State regulations have significantly shaped CISO liability, particularly:

  1. NYDFS Cybersecurity Regulation Amendments (2023): New York's Department of Financial Services updated its influential cybersecurity regulation to require annual certification by senior officers that the company maintains a comprehensive cybersecurity program. The amendments explicitly hold executives accountable for the accuracy of these certifications, with potential personal liability for false statements.

  2. California Privacy Rights Act Implementation (2023): California's enhanced privacy framework includes provisions for executive liability in cases of willful violations or patterns of non-compliance. While primarily focused on privacy officers, it has expanded to include cybersecurity officers in cases where security failures lead to privacy violations.

  3. State Attorney General Enforcement Actions: State AGs have increasingly named individual executives in enforcement actions following major breaches, particularly when investigations reveal patterns of negligence or misrepresentation about security practices.

Civil Litigation

Civil litigation has created additional liability exposures for CISOs:

  1. Shareholder Derivative Suits: Following major breaches, shareholders have increasingly filed derivative actions claiming board and executive failures in cybersecurity oversight. These suits now regularly name CISOs as defendants alongside other executives, seeking to hold them personally liable for damages to the company resulting from inadequate security governance.

  2. Class Action Lawsuits: Consumer class actions following breaches have begun naming CISOs individually, particularly in cases where plaintiffs can demonstrate knowledge of security deficiencies prior to incidents.

  3. D&O Insurance Coverage Disputes: Several high-profile cases have involved disputes over whether Directors and Officers insurance covers cybersecurity-related claims against CISOs, raising questions about whether traditional corporate insurance adequately protects security executives.

Regulatory Convergence: The Unified Front of Federal Agencies

A significant trend in the evolving legal landscape has been the increasing coordination among federal agencies in cybersecurity enforcement. This "whole of government" approach has created overlapping liability risks for CISOs:

  1. SEC-DOJ Coordination: The agencies have established formal collaboration mechanisms for cybersecurity enforcement, with SEC investigations potentially triggering criminal referrals to DOJ when evidence suggests willful misconduct.

  2. FTC's Expanded Authority: The Federal Trade Commission has asserted broader authority over cybersecurity practices, exemplified by the landmark Drizly case (2022), which not only sanctioned the company for inadequate security but took the unprecedented step of binding the CEO personally to implement cybersecurity programs at future employers.

  3. CISA's Increasing Regulatory Role: While the Cybersecurity and Infrastructure Security Agency began primarily as an advisory body, its role has expanded to include compliance oversight for critical infrastructure, creating additional reporting obligations for CISOs in designated sectors.

  4. Cross-Agency Cyber Incident Reporting: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), implemented in 2024, created mandatory reporting requirements across sectors, with penalties that can reach individual executives who fail to ensure compliance.

As one cybersecurity attorney observed: "CISOs now face a multi-headed regulatory hydra. A single incident can trigger simultaneous investigations from SEC, DOJ, FTC, and sector-specific regulators, each with their own enforcement mechanisms and potential penalties."
