Teri Radichel

Why CISOs Need Indemnification

What is it and why it matters in light of new SEC rules

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Data Breaches | Cybersecurity For Executives

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

https://www.google.com/search?q=indemnification

I’m not a lawyer and you should talk to one if this applies to you. But I did speak with a lawyer who formerly worked for the SEC on this matter, Paul Swegle.

The US Securities and Exchange Commission (SEC) recently charged a CISO personally for a data breach, not just his company.

What does that mean for you?

Well first of all, the SEC governs publicly traded companies.

If you do not work for a publicly traded company this particular legislation does not apply to you.

You can view the list of SEC rules and regulations here:

However, the SEC is not the only organization that governs data breaches. The FTC also governs data breaches. Here’s one rule related to health care breaches.

You can review the full list of FTC rules here:

Might the FTC also enact rules similar to those created by the SEC?

Each individual state and different governments and even industries around the world have various laws that may impact you. Whether or not those laws apply to your scenario depends on the verbiage in the law itself, where you do business (the jurisdiction), the type of business entity you have or work for, and if you have customers in the jurisdictions where the laws apply.

To be as safe as possible from personal liability (in other words, paying money out of your own pocket for legal expenses), CISOs should ensure that their contracts with the organizations they work for indemnify them to the fullest extent of the law.

What does indemnification mean anyway? It means that if you get sued or get into legal trouble related to your employment, your company will pay the bills (but consult a lawyer as to the extent and accuracy of that statement based on your particular scenario).

Indemnification, also referred to as indemnity, is an undertaking by one party (the indemnifying party) to compensate the other party (the indemnified party) for certain costs and expenses, typically stemming from third-party claims. Indemnification can also cover direct claims, which are claims or causes of action that one contracting party has against the other.

When such a contract is created, you need someone who understands all the applicable laws, because some will limit how much your employer can indemnify you. The law supersedes your contract. There are certain violations of the law for which you can be held personally liable and cannot be indemnified by a contractual agreement.

In addition, the indemnification clause itself may have certain limits which can affect either party — the employer or the employee — and those limits must be properly understood. You want a fair and balanced indemnification clause that reasonably protects both parties. For example, indemnification might not apply if you do something willfully, in bad faith, or for your own personal gain rather than in the best interest of your employer or client. There may also be caps on the amount paid under the indemnification.

Some companies offer insurance to cover any personal liabilities for their officers. This may or may not be available from a particular company or in certain jurisdictions, but you should be able to add an indemnification clause to your employment agreement.

If you are facing these issues, you will likely want to find a lawyer who is well versed in contract law and the applicable cybersecurity laws that apply to your specific scenario.

If you are new to contract law, check out this book from Paul Swegle on Amazon, but it is geared more towards startups than publicly traded companies so the SEC regulations I’m writing about here may not be applicable.

I’m going to dig into this topic a bit more in another upcoming post.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Indemnification
SEC
Solarwinds
Ciso
Liability