Securing the CISO: Navigating Liability and Investigations

Stephen Reynolds, Partner at McDermott, on How to Prepare for Legal Depositions
Stephen Reynolds, partner, McDermott Will & Emery

Recent instances of high-profile prosecutions and regulatory actions against CISOs have spawned a debate on whether individual security leaders should be held accountable for their roles in security incidents.

How should CISOs manage this shifted liability? Stephen Reynolds, partner at McDermott Will & Emery, said real-time documentation and collaboration with law enforcement during security incidents are critical.

"A regulatory investigation often happens years after the event - literally years or months later - and memories fade. We may forget things and may not recall why we made certain decisions at that time based on the information available," Reynolds said. "Someone looking back on actions that you took years ago during a breach may not understand what information you knew at what particular time."

The potential consequences for security leaders can be immense, ranging from civil liabilities and monetary penalties to career setbacks and even criminal charges. Reynolds counsels security leaders in preparation for depositions and investigations.

"The number one thing is to tell the truth. Another important thing is: If you don't know the answer, it's OK to say, 'I don't know,' or 'I can consult a document to provide you with that answer,'" he said.

In this video interview with Information Security Media Group at Black Hat USA 2023, Reynolds discussed:

  • The motive behind targeting individual security leaders;
  • The importance of retaining communication with legal counsel during a security incident;
  • How to prepare for regulatory investigations.

Reynolds advises some of the world's largest technology and social media companies in privacy and data security planning, investigations and breach responses. He uses proactive preventative measures to mitigate cyberthreats, navigate regulatory investigations and defend litigation on behalf of companies ranging from Fortune 500 firms to small businesses.

About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.