2.7k views4 Comments

VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees
When I got my administration promotion, I had to sign the paperwork that said I could be held personally liable—all of a sudden, I wasn't sure I wanted to be promoted.
Global CIO & CISO in Manufacturing, 201 - 500 employees
Due diligence, due care and the interpretation of that—plus the ability to prove that from a directors and officers liability insurance (D&O insurance) standpoint—should scare every director into making sure that they have a specific security, cybersecurity, and IT focus in one of the committees, or as a fully subset committee. You can ask quite a few technology companies who will tell you that if they keep their security under one of the other groups, it's a massive liability. Depending on the incorporation documentation, I believe that every director at the board level would be held liable.
Director of Information Security in Energy and Utilities, 5,001 - 10,000 employees
Yes. If they fail to complete at least certain level of due diligence and invest adequate resources into cybersecurity (publicly traded companies at least).
Chief Information Officer in Healthcare and Biotech, 1,001 - 5,000 employees
This is a great question! In my experience, there is nothing to stop shareholders from pursuing derivative or private lawsuits around data breaches. From what I have seen in the media, there have been no individual directors and officers held personally liable for the costs of a data breach to date. But I suspect that will change very soon. However, the risk of individual liability can be mitigated by taking appropriate security proactive measures.

If I remember correctly in the Caremark decision, a Delaware court indicated that directors CAN be held personally liable for failing to monitor and supervise the enterprise. It is a general understanding that a company's board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so could be considered a failure of the board to act in preventing a loss resulting from a breach.

I fully expect the Federal Trade Commission to step up the enforcement of corporate data security standards via regulatory actions in the near future.

Content you might like

SANS Cyber Security Leadership NOVA10%

ENISA Cybersecurity Standardisation Conference 202343%

Gartner Security & Risk Management Summit13%

SANS Cyber Security East (Feb edition)3%




Poor efficiency of the detection and threat hunting solution (SIEM/SOAR, EDR solutions)49%

Too much time wasted on false positive alerts64%

Lack of security skills and defined processes46%

Not enough demand in the market6%


567 views1 Upvote