Securing the CISO: Navigating Liability and Investigations
Stephen Reynolds, Partner at McDermott, on How to Prepare for Legal Depositions
Recent instances of high-profile prosecutions and regulatory actions against CISOs have spawned a debate on whether individual security leaders should be held accountable for their roles in security incidents.
How should CISOs manage this shifted liability? Stephen Reynolds, partner at McDermott Will & Emery, said real-time documentation and collaboration with law enforcement during security incidents are critical.
"A regulatory investigation often happens years after the event - literally years or months later - and memories fade. We may forget things and may not recall why we made certain decisions at that time based on the information available," Reynolds said. "Someone looking back on actions that you took years ago during a breach may not understand what information you knew at what particular time."
The potential consequences for security leaders can be immense, ranging from civil liabilities and monetary penalties to career setbacks and even criminal charges. Reynolds counsels security leaders in preparation for depositions and investigations.
"The number one thing is to tell the truth. Another important thing is: If you don't know the answer, it's OK to say, 'I don't know,' or 'I can consult a document to provide you with that answer,'" he said.
In this video interview with Information Security Media Group at Black Hat USA 2023, Reynolds discussed:
- The motive behind targeting individual security leaders;
- The importance of retaining communication with legal counsel during a security incident;
- How to prepare for regulatory investigations.
Reynolds advises some of the world's largest technology and social media companies in privacy and data security planning, investigations and breach responses. He uses proactive preventative measures to mitigate cyberthreats, navigate regulatory investigations and defend litigation on behalf of companies ranging from Fortune 500 firms to small businesses.