CISOs at High Legal Risk Without Personal Cyber Insurance in VUCA World
The role of the Chief Information Security Officer (CISO) is inherently high-stakes, exposing both the organization and the individual to significant risks. Recent years have highlighted these personal risks, particularly with high-profile cases like that of former Uber CISO Joe Sullivan. His felony conviction served as a stark warning to CISOs everywhere, illustrating that they could face severe legal repercussions in connection with cybersecurity incidents. The takeaway: CISOs can be personally liable for workplace failures.
Given this reality, having directors and officers (D&O) insurance is essential for CISOs. D&O insurance provides critical protection against legal claims from various parties, such as employees, stakeholders, or regulatory bodies. However, there is a significant challenge: many companies do not recognize CISOs as traditional corporate officers. Consequently, they are often excluded from the D&O policies that cover other executives like the CEO, CFO, or COO.
Why is D&O insurance crucial for CISOs?
D&O insurance shields corporate officers from personal liability arising from incidents that result in financial losses, reputational damage, or legal consequences. Without it, CISOs are left exposed, underscoring the need for their inclusion in an organization’s risk management strategy. The increasing frequency and sophistication of cyberattacks, along with heightened regulatory requirements, put CISOs under intense pressure. Regulatory agencies are ramping up their focus on corporate governance and cybersecurity practices, making it imperative for CISOs to be prepared for potential legal challenges.
D&O insurance provides both legal defense and indemnity coverage, allowing CISOs to focus on protecting their organization’s digital assets without the constant fear of financial ruin. Additionally, offering D&O coverage can help companies attract top cybersecurity talent, as it demonstrates a commitment to protecting all executives. Organizations that prioritize this protection can better manage cybersecurity governance and foster an environment where CISOs can lead effectively without undue concern about personal risk.
According to the “2023 Global Chief Information Security (CISO) Survey” by executive search firm Heidrick & Struggles, 38% of CISOs are not covered by their companies’ D&O insurance, and an additional 18% are unsure if they have coverage. CISOs must have a candid conversation with their employers, particularly with the risk manager or whoever handles the company’s insurance, to determine if they are included in the D&O policy, advises Paul Larson, president of financial lines at Liberty Mutual Insurance.
For those CISOs who are not covered, the implications are severe. They could be personally liable for a breach, regardless of whether data was lost, under rules recently implemented by the U.S. Securities and Exchange Commission (SEC). Given today’s regulatory landscape, CISOs should be recognized as corporate officers and included in D&O policies, according to Jennifer Sharkey, national managing director and Northeast regional leader of the executive and financial risk practice at Gallagher. Concerns about personal liability among CISOs have surged, especially as government agencies increasingly target individual employees for their roles in cybersecurity failures.
For example, in October 2023, the SEC charged SolarWinds and its CISO, Timothy Brown, with alleged securities violations related to a significant cyberattack that began in September 2019. This marked the first time the SEC had charged a CISO individually. Although the case is ongoing, it underscores the risks CISOs face, particularly at publicly traded companies where securities regulation applies.
D&O insurance is also critical for CISOs at private companies, according to David Lindner, CISO at privately held Contrast Security. Even though private companies are not regulated by the SEC, they still need coverage due to contractual obligations and breach notification laws. Lisa Hall, CISO at privately held Safebase, agrees that D&O insurance is becoming increasingly important for CISOs at all companies. Many CISOs are also taking out personal errors and omissions (E&O) insurance for additional protection.
As the regulatory environment becomes more complex, the CISO community is increasingly advocating for better protection. CISOs want to feel confident in making the right decisions for their companies without fear of personal liability. Some are even negotiating for D&O coverage as part of their employment agreements or considering alternative titles to secure protection.
The CISO Executive Network, a peer-to-peer organization, strongly recommends that its members seek D&O insurance coverage from their companies. William Sieglein, the network’s founder, noted that recent legal cases have heightened concerns among CISOs about personal liability. Many attorneys who speak at the network’s events also emphasize the importance of D&O insurance for CISOs. Several members have successfully negotiated D&O coverage after raising the issue with their employers, demonstrating that it has become a crucial part of their compensation and employment agreements.