CISOs face increasing personal and criminal liability for improper or incomplete risk management and disclosure during cyber incidents. The SEC, DOJ and international regulators are targeting executives who knowingly omit or distort cyber risk information.

Increasing attacks on IoT and OT device vulnerabilities

Cyberattacks are increasingly driven by software vulnerabilities embedded in OT and IoT devices. The 2025 Verizon Data Breach Investigations Report noted that 20% of breaches were vulnerability-based, which is a close second to credential abuse, accounting for 22% of breaches. Year over year, breaches resulting from software vulnerabilities increased by 34%.

The dramatic rise in device vulnerability-based cyberattacks has precipitated growing regulatory compliance requirements and legal actions.

Growing regulatory scrutiny

Governments and industry bodies worldwide are tightening cybersecurity mandates to improve accountability and resilience across the digital ecosystem. Emerging regulations include the US Executive Order 14028 on Cybersecurity in the US, NIS2 and Cyber Resilience Act (CRA) in the EU as well as their peers around the world. Regulators are mandating device Software Bill of Materials documentation and vulnerability awareness, as these elements help enterprises to proactively manage risk in their device portfolios.

Today, the regulatory burden sits with the device manufacturers; however, the owners of these devices are also liable when they are breached.

What CISOs are being held responsible for:

• Inability to disclose an accurate inventory of impacted assets.
• Inadequate governance, including third-party risk management.
• Providing misleading or incomplete board communications on risk posture.
• Not reporting on breaches accurately and promptly.
• Certifying compliance (SOX, ISO 27001) without verifying reality.

Enterprises refining governance, compliance, and risk approaches

Enterprises are making policy and resource changes to meet the evolving threat and liability landscape. A Fastly report of 1,800 IT leaders shows 93% of organizations have updated policies to address CISO liability:

• 41% involve CISOs more deeply in strategic board decisions.
• 38% provide increased legal support for security teams.
• 38% impose additional scrutiny on security disclosures from regulators.
• 21% remind CISOs that they “are not above the law.”

Enterprises are also working to provide CISOs with improved technical tools to address security and associated liability risks. Boards and leadership teams are evolving their CISOs’ capabilities from rapid incident response to proactive cyber risk management in response to the regulatory emphasis.

The need for better asset inventory and intelligence

A central component of proactive security management is the complete documentation of IoT devices, including their attack surfaces and software vulnerabilities. Inventory information is scattered across fragmented organizational silos and third-party partners. It must be manually gathered, consuming significant time and human resources to correlate and maintain the intelligence needed to secure and document IoT devices.

The SomosID solution

As an FCC-trusted administrator, Somos maintains identity information for over 7 billion phone numbers. These digital identifiers help enable trusted communications every day. In the same way that Somos has long ensured integrity and trust in numbering, Somos is extending this expertise into the IoT ecosystem with SomosID for IoT. SomosID device intelligence service correlates and maintains critical intelligence for IoT devices, including: 

• Inventory and Identity
• Software information, including SBOM and vulnerabilities
• Other asset attributes, including communication capabilities and certifications

By linking the discipline of managing trusted digital identifiers with comprehensive IoT device intelligence, Somos helps enterprises and service providers establish a verifiable chain of trust across both human and machine communications. The resulting dataset facilitates proactive security, device portfolio planning, technical support and compliance reporting. It is meant to be provided not only to the enterprises that own the devices but also to their service providers to facilitate operations and reporting.

Explore how SomosID can help organizations like yours reduce your CISO liability and strengthen your compliance posture.  Contact us today to schedule a demo or join our complimentary Webinar on November 13 from 2 PM to 2:30 PM ET to learn more.