Personal Liability Risks for Compliance and Security Executives in 2025
February 21, 2025

According to an article by Tom Fox on the Compliance Podcast Network, personal liability risks for Chief Compliance Officers (CCOs) and Chief Information Security Officers (CISOs) are becoming increasingly urgent as regulatory scrutiny intensifies.
Fox cites recent enforcement actions suggesting regulators’ growing willingness to hold individual executives accountable for compliance and cybersecurity failures. High-profile cases involving Joe Sullivan (Uber), Carlos Abarca (TSB Bank), and Tim Brown (SolarWinds) illustrate the potential consequences for executives who fail to adhere to transparency and governance best practices. As regulatory frameworks evolve, both in the US and internationally, compliance professionals must proactively mitigate their personal risk exposure.
The Securities and Exchange Commission (SEC) has long prioritized individual accountability, reasoning that corporate penalties alone do not sufficiently deter misconduct. Fox says compliance professionals face liability risks in three primary situations: active participation in misconduct, misleading regulators, or failing to carry out compliance responsibilities. This trend is particularly evident in cybersecurity enforcement, where misrepresentations about security risks can trigger regulatory action.
The Sullivan case demonstrated the severe consequences of concealing a data breach, while Abarca’s misstatements about an IT migration project led to personal fines. Though the charges were dismissed, Brown’s experience with the SEC underscores the risks of vague cybersecurity disclosures.
Global regulatory developments, including the EU’s Digital Operational Resilience Act (DORA) and the Cyber Resilience Act, further reinforce the accountability of compliance and security executives. With increasing regulatory obligations, expanded enforcement mechanisms, and the rise of shareholder lawsuits, professionals must anticipate greater scrutiny.
Fox recommends that CCOs and CISOs conduct thorough due diligence before accepting a position. They should ensure that the organization has a strong culture of compliance and a solid governance structure to help mitigate potential liabilities. Clearly defining job responsibilities and emphasizing oversight, rather than placing sole operational responsibility on one individual, can provide additional safeguards.
Fox also recommends key risk management strategies, such as obtaining comprehensive Directors and Officers (D&O) insurance, maintaining detailed documentation of compliance efforts, and ensuring accurate internal and external reporting.