Is your CISO adequately protected from risk?
Discover how both D&O and cyber policies can offer enhanced protection for your CISO.
by Eileen Garczynski, Esq | July 10, 2023
With escalating cyber threats and increasing legal and financial risks, chief information security officers (CISOs) are on the front lines of protecting their organizations’ digital assets and ensuring compliance with regulations. As cybercriminals have upped their game, CISOs now face greater likelihood of legal scrutiny following a significant breach. Accordingly, employers may need to revisit their insurance to protect these key executives and their organizations.
Consider: Uber’s former CISO, Joseph Sullivan, recently was convicted after the Department of Justice brought charges in federal criminal court stemming from his role in the 2017 Uber data breach and failure to disclose it. In addition, Solarwinds was involved in a $26 million settlement of a shareholder class action suit paid by its directors and officers (D&O) liability insurance. The suit named its CISO and alleged violations of the Securities Act.
So, it’s not surprising that as CISOs are exposed to more liability, their interest in having adequate insurance protection is growing. Today, D&O and cyber security insurance are increasingly valuable for protecting CISOs and their companies, as well as for attracting and retaining top-tier CISO talent. Nonetheless, many employers still lack appropriate coverage.
D&O insurance protection for CISOs and their companies
Well-designed D&O policies provide several benefits for CISOs and their organizations, including:
1. Personal liability protection. As high-ranking executives, CISOs may be held personally liable for their decisions and actions in the event of a cybersecurity incident or data breach. D&O insurance provides financial protection for the CISOs’ personal assets in case they are sued for alleged negligence, breach of fiduciary duty, or mismanagement. Without this coverage, the CISO may face significant financial risks, including the costs of legal defense and potential settlements.
2. Legal compliance. CISOs are responsible for ensuring their organizations comply with relevant laws and regulations related to cybersecurity. In the event of a violation, regulatory bodies may impose fines and penalties on the organization and its executives. D&O coverage can help mitigate these financial risks, protecting the CISO from personal liability for regulatory fines and related legal expenses.
3. Protection from shareholder lawsuits. Shareholders have the right to bring lawsuits against a company and its directors and officers if they believe their investment has been harmed due to mismanagement or negligence. This risk is particularly relevant in the case of cybersecurity incidents, where shareholders may argue that the CISO and other executives failed to adequately protect customer data or prevent a breach. D&O insurance provides protection for the CISO in the event of a shareholder lawsuit, covering legal defense costs and potential settlements.
4. Reputational protection. Data breaches can result in significant reputational damage to the organization and its executives. CISOs need to protect their personal reputation and professional standing, especially in an industry where trust and credibility are critical. D&O insurance coverage demonstrates to stakeholders that the CISO has taken proactive measures to protect the organization’s cybersecurity and can help in reputation management efforts.
Even though D&O insurance can cover the company and its directors and officers for personal liability for shareholder litigation — or regulatory action against an individual director or officer — CISOs aren’t always considered officers of the company. In addition, some D&O policies have exclusions for anything cyber-related or limit coverage if a claim involves a cyber event.
To address these issues, risk managers should work with their firm’s management committee and insurance broker to make sure the CISO is added as an officer of the company. This may involve amending the company’s bylaws. Make sure the CISO is explicitly listed in the definition of who is insured on the firm’s D&O insurance policy and that there is no exclusionary language for a cyber-related claim.
The role of cyber liability insurance
In addition to providing protection for the CISO, cyber liability insurance policies offer a critical backstop in the event of a cyber incident. Here are some of the ways these policies can strengthen an insured organization’s response to a loss event:
1. Protection against financial loss. Cyber liability insurance helps protect the CISO and the organization from financial losses resulting from a cyberattack or data breach. These incidents can lead to significant costs, including investigations, legal fees, data recovery, notification and credit monitoring for affected individuals, PR and reputation management efforts, and potential regulatory fines. Cyber liability insurance can cover these expenses and help mitigate the financial impact on the CISO and the organization.
2. Data breach response and recovery. Cyber liability insurance often includes coverage for data breach response and recovery expenses. In the event of a breach, the CISO needs to take immediate actions to investigate the incident, secure the affected systems, notify individuals and regulatory authorities, and provide assistance, such as credit monitoring. Cyber liability insurance can cover the costs associated with these activities, ensuring a swift and comprehensive response.
3. Coverage for third-party claims. Cyberattacks and data breaches can result in claims and lawsuits by affected individuals, customers, partners, or other third parties. Cyber liability insurance provides coverage for legal defense costs and potential settlements or judgments in such cases. The CISO may be personally named in these claims, and cyber liability insurance can protect their personal assets and provide professional indemnity coverage.
4. Regulatory compliance. CISOs are responsible for ensuring that their organizations comply with various cybersecurity laws and regulations. These regulations often impose fines and penalties for non-compliance, especially in the case of data breaches. Cyber liability insurance can help cover regulatory fines, penalties, and other related expenses, providing a layer of financial protection to the CISO and the organization.
5. Safeguard against business interruption and loss of income. Cyberattacks often can disrupt business operations, resulting in loss of income and additional costs to restore systems and services. Some cyber liability insurance policies may include coverage for business interruption, loss of income, and extra expenses incurred as a consequence of a cyberattack. This coverage helps mitigate the financial impact on the organization and supports the CISO in managing the aftermath of an attack.
6. Satisfy vendor and client requirements. Many firms require their vendors and partners, including their CISOs, to carry cyber liability insurance as a condition of doing business. This requirement ensures that all parties involved have the necessary financial protection in the event of a cyber incident. Having cyber liability insurance coverage not only fulfills contractual obligations but also demonstrates the CISO’s commitment to risk management and aligning with industry best practices.
In assessing cyber insurance policies, check the coverage available for consumer or customer class action litigation following a security breach. The policy should also cover regulatory actions brought against a company or its C-Suite as a result of a covered cyber incident. Today, most cyber insurance policies cover individual employees as insured persons — which provides the appropriate coverage for members of a firm’s C-Suite when named in an enforcement action.
Together, D&O insurance and cyber insurance are vital for CISOs; they can provide personal liability protection, ensure legal compliance, safeguard against shareholder lawsuits, and protect personal reputation. Additionally, their placement can help attract and retain top cybersecurity talent. Notably, with ever-increasing cyber threats and legal risks associated with cybersecurity incidents, these insurance coverages provide CISOs with peace of mind and financial protection, allowing them to focus on their critical role as guardians of their organization’s digital assets.
Eileen Garczynski is a senior vice president and equity partner of Ames & Gough. With over 30 years of insurance and legal experience, she leads the law firm initiative, focusing on the risk management and insurance needs of law firms. She is also a liaison to and former appointed member of the American Bar Association’s Standing Committee on Lawyers’ Professional Liability and the former vice chair of the Insurance & Risk Management Committee for the Section of Intellectual Property Law of the ABA.