Uber’s former CISO, Joe Sullivan, failed to clear his name last month, reopening a discussion about the personal risks that senior executives face over cybersecurity breaches.

Sullivan had appealed an October 2022 conviction for hiding a felony after he paid off cyber criminals who hacked customer accounts at his former employer. The 2016 hack compromised the personal information of 57 million customers and 600,000 Uber drivers. Sullivan paid the criminals $100,000 from the company’s bug bounty program and made them sign a non-disclosure agreement. He also failed to inform the Federal Trade Commission, which he was mandated to do under a 2014 settlement following a separate hack.

Sullivan, who had been sentenced in May 2023 to three years’ probation and a $50,000 fine, appealed the ruling. The appeal argued that he had not committed ‘misprision’ – the act of concealing a felony from government authority – because the NDA retroactively authorized the hack. The court rejected that argument, along with some claims of procedural mistakes.

The court’s steadfastness on this issue once again raises the specter of personal executive liability for cybersecurity breaches and/or mishandling of incident response. These perceived transgressions came in various forms.

Some perceived CISO shortcomings revolve around misleading statements. The SEC personally pursued SolarWinds’ CISO Timothy G. Brown after the company’s 2019 and 2020 breaches, arguing that he made false statements about the company’s cybersecurity in public filings even though it was aware of its weaknesses. A court later dismissed the allegations against Brown.

Others revolve around the lack of cybersecurity itself. James Rellas, CEO of alcohol delivery service Drizly, didn’t have a dedicated executive responsible for cybersecurity when a breach at his company exposed 2.5 million customers’ information. The FTC’s 2022 order held not just the company accountable for allegedly negligent cybersecurity behaviors, but him personally.

One personal penalty levelled against a CISO focused on fraudulent behaviour. Jun Ying, former CISO at Equifax U.S. Information Solutions, was sentenced to four months in prison after exercising his share options before a 2017 breach at the company was publicly revealed. Ying, who knew about the breach when he cashed in his options, dodged over $117,000 in losses through the insider trading. The DoJ forced him to pay back the losses, along with a fine, in addition to the prison sentence.

Executive Liability Outside The U.S.

It isn’t just U.S. executives who face personal liability for handling cybersecurity incidents. Kim Jin-Hwan, privacy officer of South Korean travel agency Hana Tour Service, was personally fined 10 million Korean won for negligence in a 2017 breach that affected 465,000 customers.

Regulations have also focused the lens on executives’ personal accountability. The EU’s NIS2 Directive (2022) mandates top management accountability for non-compliance with cybersecurity regulations, allowing for personal sanctions against individuals. These include temporary suspensions of executives deemed incapable of fulfilling their cybersecurity responsibilities.

Another EU regulation, the Digital Operational Resilience Act (DORA), focuses on ensuring financial organizations can maintain critical services in the face of systemic threats. It allows for fines of up to one million Euros against negligent executives.

Challenges For CISOs

The problem for CISOs lies in the ‘chilling effect’ that the danger of personal liability carries, as many warned in letters to Judge William Orrick III, who presided over the original Uber case. The worry is that CISOs might feel unable to do their jobs under the threat of personal liability.

That concern is valid when you consider the rapidly growing attack surface of the average corporation. Companies are being encouraged to stay competitive by testing out rapidly evolving technologies, including AI, mobile and cloud computing. That increases the burden of executive oversight. If an individual who acts in good faith runs the risk of personal liability in the face of overwhelming cyber threats, it may discourage people from taking on the role.

However, the punitive incidents here seem to rest not so much on the cybersecurity breaches themselves but on handling incident response information before and after the fact. Sullivan wasn’t punished for the breach. He was punished because he tried to cover it up. Others knew about their vulnerabilities for years before their breaches and took little to no preventative action. And front-running news of a breach for your own equity trading purposes is clearly a bad-faith practice.

How To Protect Executives

As the risk of personal accountability grows, companies that follow well-established cybersecurity and risk management frameworks will be able to protect themselves—and their senior management—from regulatory or legal ramifications.

ISO 27001 is an essential tool in this context because it is a recognized international standard demonstrating proactive due diligence. Ohio’s Data Protection Act even offers explicit legal safe harbor for cybersecurity programs that reasonably conform to ISO 27001.

ISO 27001 offers some core practices that can help demonstrate due diligence and conscientiousness when following cybersecurity measures. These include establishing a clear, documented cybersecurity governance framework with top management involvement and implementing standards-based, documented incident response plans. Other measures include conducting regular training, audits, and continuous improvement processes.

Maintaining thorough documentation is recommended to provide evidence of executive oversight and risk management, carried out to the best of a management team’s capabilities.

However, the word ‘team’ is crucial. Senior executives should properly support those in charge of cybersecurity, and reasonable expectations should be placed on them. All too often, CISOs are expected to stop all attacks with no significant investment, and without proper support from a business focused entirely on pushing out the next product and maximizing profit. That’s a malaise that requires cultural change.