SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Change in CISO liability policies at 93% of businesses

Yesterday

Fastly has released research indicating that 93% of organisations have altered policies over the past year to address rising concerns regarding the increased personal liability faced by Chief Information Security Officers (CISOs).

This includes 41% of organisations enhancing the involvement of CISOs in board-level strategic decisions. The research arises in response to recent regulations, such as the SEC rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, which have heightened the attention on corporate accountability for data breaches and consequently, CISO liability.

To mitigate potential liability risks, 38% of survey respondents have increased scrutiny of security disclosure documentation from supervisory agencies, and a similar proportion has improved legal support for cybersecurity staff, including the introduction of liability insurance.

Marshall Erwin, CISO at Fastly, has raised concerns about the adequacy of these measures in truly safeguarding organisations and their cybersecurity teams. "It's encouraging to see the vast majority of companies making changes to liability disclosure given the inevitability of another worldwide outage that will put CISO accountability back into the spotlight. However, while investing in legal protection is an important step, this change is often more about shielding organisations from legal risk rather than fostering meaningful accountability to drive better security practices," he stated.

He further emphasised, "Proper accountability requires moving beyond liability insurance and disclosure edits. For meaningful change, we need to view accountability as a positive force to incentivise better security. For that, we need better, clearer standards from regulators and enforcers that distinguish between unavoidable incidents and avoidable ones resulting from truly deficient security practices."

The research also highlighted a lack of clarity in responsibility in the event of cybersecurity incidents, with nearly half of the organisations surveyed unclear about who holds ultimate responsibility and only 36% having clearly delineated roles and responsibilities within their teams.

Marshall Erwin elaborated on this issue, stating, "CISOs do not make the final call on every decision. When it comes to security risks, the question a board should be asking is, 'Are we aligning the budget to address the risks the CISO has communicated to us?' This is where accountability should start - at the senior leadership level, with clear communication and alignment of resources."

He continued by emphasising the importance of collective responsibility: "This responsibility doesn't just fall on one person - it requires clear communication at every level of the organisation to understand how and why cybersecurity risks should be mitigated and how efforts should be aligned to reduce exposure."

The report suggests that the industry needs to prepare for future high-profile incidents with more robust frameworks for accountability that encourage meaningful actions beyond mere compliance. Furthermore, as regulatory standards develop, organisations should see CISO liability as an opportunity to reinforce their security frameworks and drive comprehensive change across the board.

The research by Fastly involved a survey of 1,800 IT decision-makers involved in cybersecurity, conducted by Sapio Research in September 2024. Respondents were from large organisations across various industries spanning North, Central, and South America, Europe, Asia-Pacific, and Japan.
