  • Writer: Scott M. Giordano
  • Nov 11, 2024
  • 9 min read

Updated: Dec 7, 2024


By Scott M. Giordano, AIGP, FIP, CISSP, CCSP

Partner and Co-Founder, The CISO Law Firm LLP


The lack of a Sarbanes-Oxley regulatory regime for cybersecurity, a shifting legal landscape, and an often-tenuous position vis-à-vis the Board together necessitate that CISOs have their own attorneys to provide independent advice and counsel.


The saga of the 2016 data breach of ride-sharing application company Uber, including the payment of ransom by the company to those responsible, and concluding with the conviction and sentencing of then-CISO Joe Sullivan, is well known to CISOs in North America and potentially around the world.  In a November 28, 2023 article on Dark Reading, Sullivan said something quite remarkable about the breach and his subsequent October 2022 conviction on charges stemming from his response to it: "The thing we didn't do was insist that we bring in a third party to validate all of the decisions that were made," he says. "I hate to say it, but it's more CYA."  In this respect, Sullivan is correct; more CYA was needed.  In fact, what Sullivan really needed was his own independent counsel to advise him on the potential for his becoming the fall guy.  The fact that Sullivan was a former federal prosecutor and (evidently) didn’t realize the danger he was in underscores how easy it is to be overwhelmed by events during the response to a breach or other high-stress assault by threat actors.


The Sullivan Prosecution Was Not a One-Off

During the saga of the Uber data breach, another one began, this time at IT software publisher SolarWinds.  In September 2019, threat actors (likely the Russian Foreign Intelligence Service) gained unauthorized access to SolarWinds’ network.  In December 2020, some fifteen months later, cybersecurity firm FireEye disclosed that it and its customers were victims of the attack.  Approximately 18,000 customers were affected, notably the U.S. Depts. of Homeland Security, State, Commerce and Treasury.  In October 2022, the U.S. Securities and Exchange Commission (SEC) sent SolarWinds a so-called “Wells Notice,” indicating the substance of the charges that the SEC was intending to bring against SolarWinds for alleged cybersecurity failures related to the breach.  What was truly remarkable, however, was that in June 2023 the SEC sent a Wells Notice to SolarWinds’ CFO, J. Barton Kalsu, and CISO, Timothy Brown, as individuals, something likely unprecedented.  On October 30, 2023, the SEC filed a civil complaint against SolarWinds and Brown.  Not only was this remarkable, but even more so was the fact that among the charges that the SEC brought was one of “scienter”-based fraud against Brown, meaning that he was conscious of what he was doing and not merely negligent.  A July 18, 2024, decision of the U.S. District Court for the Southern District of New York dismissed all but one of the charges; the remaining one was for fraud based on claims made on the SolarWinds website about the efficacy of the company’s cybersecurity posture.  While this dismissal was likely a cause for celebration for the defendants, the SEC’s aggressive approach should give pause to all CISOs.

There is No Sarbanes-Oxley for Cybersecurity

The Sarbanes-Oxley Act of 2002 was the U.S. Congress’ response to the financial frauds committed by publicly-traded firms such as Enron, WorldCom, and Tyco International in the early 2000s.  The law was designed to protect shareholders by imposing rigorous reporting standards not just for publicly-traded companies but for their auditors as well.  Moreover, it advanced the idea of offering ordinary employees access to the highest authority of a company (e.g., the audit committee) in the event that violations of the Act were suspected.  Arguably, the law has been a success, given that no Enron-scale frauds by publicly-traded firms have been perpetrated since the Act went into force.  A review of the financial industry literature seems to confirm this, and the goal of restoring investor confidence in U.S. securities markets seems to have been achieved.  All of this, then, raises a question about the integrity of those firms’ IT systems – isn’t it equally important as that of their financial systems?  The fact that the duty of securing a firm’s financial systems falls to the InfoSec team underscores this.


The fact of the matter is that we don’t have a Sarbanes-Oxley for cybersecurity, with its attendant standards for firms and their auditors, and with a prescribed path to an appropriate committee of the board in the event that the CISO finds trouble and can’t get anyone in management to listen.  Until CISOs legally receive the same dignity afforded to CFOs, we’ll continue to see the same constant drip-drip-drip of news of data breaches and ransomware attacks and seemingly little accountability by firms for the damage caused to the public.


Changes in Law and Jurisprudence Have Created Greater Exposure for CISOs

Over the past five or so years, there have been changes both in cybersecurity laws and in the jurisprudence of personal liability for corporate directors and officers, both of which create greater legal exposure for CISOs.  In July 2023 the SEC promulgated significantly updated rules for the reporting of cybersecurity incidents by publicly-traded companies; they went into effect in the latter half of December 2023.  Perhaps most noteworthy about the rules is the requirement that, upon a determination of materiality of the incident, afflicted companies must notify the SEC within four business days.  Moreover, those companies must also file an updated 8-K disclosure and include details about the disclosure in their 10-K.  The 186 pages that comprise the new rules are also noteworthy because a draft, 129-page version would have required covered companies to disclose if any member of the board of directors had cybersecurity expertise; this was later changed instead to require companies to disclose if any member of the management team had cybersecurity expertise.  The implication of this latter mandate is that the SEC wants companies to demonstrate to the market that someone is minding the (cybersecurity) store.


While the updated SEC rules translate into more work for CISOs, it’s the combination of this rule with changes to jurisprudence here in the U.S. that poses greater exposure for CISOs.  One change in particular is the threshold for personal liability for corporate directors via what is known as the “mission critical” standard.  Normally, when directors fail to implement appropriate management oversight mechanisms or fail to use them, they can be held personally liable, although the bar for that liability is relatively high.  This is sometimes referred to as the “Caremark” standard, after the court case that established it.  However, when oversight failures occur for a function that is core or “mission critical” to a company, that bar is lowered.  Examples include Boeing (related to the 737 MAX) and Blue Bell Creameries (related to an outbreak of listeria).  The concept and importance of the doctrine of mission criticality has recently been expanded to include cybersecurity.  One journal serving the corporate director community went so far as to say that boards should hire third parties to independently review their company’s cybersecurity program, noting (perhaps ironically) that “The CISO may not tell you that everything is falling apart[.]”


Completing this legal trifecta is the extension of personal liability to corporate officers.  In a so-called shareholder “derivative” lawsuit against fast-food giant McDonald’s, a Delaware court extended the Caremark standard to corporate officers.  In this case, the company’s chief people officer was accused of enabling a corporate culture of sexual harassment by ignoring red flags about misconduct at the company; he later was terminated for his own sexual harassment and misconduct.  The judge presiding over the matter essentially took Caremark’s concept of the board’s duty of oversight and extended it to corporate officers with respect to areas within their purview.  Given that the purview of McDonald’s chief people officer included establishing a system to prevent sexual harassment, extending Caremark duties to him was not difficult in this case.  Moreover, it’s easy to see how this standard could be applied to CISOs in the case of derivative lawsuits stemming from a data breach, ransomware incident, or some other alleged cybersecurity failure.


The Very Tenuous Position of CISOs

CISOs exist in a very tenuous position vis-à-vis their corporate employers, especially compared to their C-Suite counterparts.  A 2024 report on the global CISO workforce saw CISOs citing personal, financial and legal liability as a particular concern; notably, 66% of those surveyed cited such liability, up from 62% in 2023.  Undoubtedly, the criminal and civil actions taken against CISOs described earlier and the attendant publicity have contributed to this concern.


CISOs’ relationships with their respective boards of directors or, more significantly, the lack thereof, is another contributor to this problem.  Unless a CISO is “duly appointed” by a board, he/she is not a true corporate officer and likely not covered by the organization’s D&O insurance.  A 2023 global CISO workforce report shed some light on this: 38% of CISOs surveyed are not covered by D&O insurance, and another 18% do not know whether they are covered; this latter statistic is particularly troubling, evincing that tenuous relationship. 


When CISOs do brief boards on the state of a firm’s cybersecurity posture, they likely will get about 15 minutes to cover risks and ask for the needed resources, something that can be an uphill climb, even given how often ransomware and other attacks are featured in news reports and industry periodicals.  A 2024 report on security budgets showed that while the average growth of cybersecurity budgets has risen from 6% in 2023 to 8% in 2024, this is only about half of the growth rates in 2021 (16%) and 2022 (17%).  Moreover, obtaining the necessary personnel is a problem.  The same report found that staff growth fell from 31% in 2022 to 12% in 2024.


Another 2023 report on the global CISO workforce cites a statistic that is likely familiar to CISOs but is perhaps surprising to others: the average tenure for a CISO is only estimated at 18 to 26 months, in contrast to an average tenure of 4.9 years for the C-Suite.  The report went on to cite an estimate by analyst firm Gartner that, by 2025, nearly half of cybersecurity leaders will change roles and 25 percent will transition to entirely different positions.  This turnover of cybersecurity leaders charged with protecting their organizations is likely a contributing factor, perhaps significantly so, to the seeming inability of those organizations to keep threat actors out of their networks.


Why CISOs Need Their Own Attorneys

The time has come for CISOs to have their own legal representation.  Some examples where this is particularly applicable include:


  • Employment and contractor agreements.  Employment and independent contractor agreements are often lengthy and dense and contain all manner of traps for the unwary.  The surrender of IP rights can be especially difficult to navigate if the candidate CISO has already developed his/her own IP or is planning to.  Non-compete clauses are another aspect that requires close scrutiny.  If the candidate is joining a start-up, early stage, or growth stage company, the matter of stock options vs. warrants is another consideration that merits scrutiny.

  • Standing vs. the Board.  A CISO’s relationship with a company’s board of directors is arguably his/her most important one at a company.  Access to the board and the ability to brief the board on a regular basis (more than once a year) is key to every CISO’s success and to protecting the company.  As a CISO, being duly appointed (or not) by a company’s board of directors has very important implications.  Advice from outside counsel can help prevent dangerous assumptions on the part of the CISO.

  • Directors & Officers Insurance.  CISOs are not automatically covered by D&O insurance.  As mentioned earlier, D&O insurance is a complex topic but a critical one for CISOs to understand.  Moreover, there are many types of insurance and their coverage is often riddled with exceptions.  Understanding those nuances can prevent a business problem from turning into a personal disaster.

  • Trouble on the horizon.  There are times at an organization when it becomes apparent to the CISO that there is trouble on the horizon, and if it does materialize, it will likely land on him or her.  Perhaps it’s the lack of funding for necessary staffing and/or technology, or a regulatory agency inquiry, or an incident that is bigger than management wants to acknowledge.  In any case, getting legal representation in place early can help positively shape the outcome.

  • Second opinions.  Sometimes, a CISO needs a second opinion.  It may be with respect to a relationship with a vendor, an interpretation of a regulatory mandate, or challenges internal to the InfoSec team.  While a company’s General Counsel may be able to offer some perspective, it always will be in the context of what’s best for the company.  The ability to pick up the phone and get an opinion as to what’s best for the CISO can be invaluable.


In summary, this need for legal representation owes much to the often-tenuous positions that CISOs find themselves in vis-à-vis their employers, a shifting regulatory and jurisprudential landscape, and a constantly-evolving cybersecurity threat matrix.  All of this creates an environment where the CISO is being set up to be the fall guy, and it’s not difficult to see why recruitment of CISOs is currently such a challenge.  Previously, as a practical matter, CISOs had no one to turn to.


Now, they do.


Updated: Dec 6, 2024

By John W. Barker, Esq.

Partner, The CISO Law Firm


The modern CISO's role is more demanding and higher-stakes than ever before. They are not just technical experts but strategic leaders responsible for safeguarding critical information assets and navigating a complex regulatory landscape. This increased responsibility brings with it a heightened risk of personal liability. This article makes the case for why CISOs need to be covered by their employer's Directors and Officers (D&O) insurance policy, exploring key considerations, real-world examples, and practical steps to secure this essential protection.


The Growing Need for D&O Coverage

CISOs face potential personal liability from various sources, including:

  • Shareholder lawsuits: In the event of a data breach or other cybersecurity incident, shareholders may sue the company and its officers, including the CISO, alleging negligence, mismanagement, or breach of fiduciary duty.

  • Employee lawsuits: Employees may sue the CISO for failing to protect their personal information.

  • Regulatory actions: Regulatory bodies, such as the FTC, SEC, or state attorneys general, may investigate and take action against CISOs for alleged non-compliance with data protection laws or for misleading statements about the company's cybersecurity posture.

  • Third-party claims: Customers, vendors, or other stakeholders may sue the CISO for damages resulting from a cybersecurity incident that impacted their data or operations.


A Strong Argument for Coverage:

The time and resources required to defend against these claims can significantly divert a CISO's attention from their core mission: securing the company's information systems and data. D&O insurance provides a critical safety net, allowing CISOs to focus on their primary responsibilities without the constant worry of personal financial ruin.


Is the CISO a Corporate "Officer"?

The first step in determining D&O eligibility is to examine the company's governing documents. The "O" in D&O stands for "Officer." Does the corporate charter or bylaws explicitly identify the CISO as a corporate officer? This designation is crucial for accessing D&O coverage. Publicly held companies that lack a cybersecurity-first culture often view only board members and the CEO, CFO, and COO as the “true” corporate officers. The CIO or CTO, to whom a CISO might report, may or may not fight for the CISO to be included.  Indeed, not all CIOs and CTOs are considered corporate officers for purposes of D&O coverage.  CISOs must be proactive in determining their status as an officer.


The CISO Knowledge Gap:

A 2023 Global CISO Survey by Heidrick & Struggles revealed a concerning lack of awareness among CISOs regarding D&O coverage:

  • Globally: 38% of CISOs reported not being covered by D&O insurance, and another 18% were unsure of their coverage status.

  • Regionally: The lack of coverage was particularly pronounced in Australia (51%), Europe (45%), and the US (34%).

These findings highlight the urgent need for CISOs to proactively address this issue and seek clarity on their D&O coverage.


Real-World Examples: Uber and SolarWinds

The cases of Uber and SolarWinds illustrate the potential consequences of cybersecurity failures, and the role D&O insurance can play in mitigating personal liability:

Uber:

  • Joseph Sullivan, Uber's former CSO, was convicted of obstruction of justice for attempting to conceal a data breach. While D&O insurance may not have covered all his expenses, it could have helped with legal defense costs during the investigation and trial.

SolarWinds:

  • Although the SolarWinds CISO wasn't directly charged in the SEC's action against the company, D&O insurance covered the $26 million settlement of a shareholder class action lawsuit in which SolarWinds’ CISO was named as a defendant.


What D&O Policies Typically Cover:

  • Legal defense costs: Attorney fees, court costs, and expert witness fees.

  • Settlements and judgments: Monetary awards paid to plaintiffs.

  • Investigation costs: Expenses related to internal or regulatory investigations.

  • Independent legal counsel: In cases of conflict with the company, D&O insurance can allow the CISO to hire their own attorney.


Typical D&O Policy Exclusions:

  • Criminal fines: D&O insurance usually doesn't cover fines imposed for criminal convictions.

  • Intentional illegal acts: Deliberate criminal acts or fraud are typically excluded.

  • Bodily injury/property damage: These are usually covered by general liability insurance.

  • Pollution: Environmental liability requires specialized policies.

  • Cyberattacks (sometimes): Some policies may have specific exclusions for cyber incidents, making separate cyber insurance advisable.


Insights for CISOs:

  • Policy Review: Carefully review your employer's D&O policy with legal counsel to understand its scope, exclusions, and limitations.

  • Negotiate for Coverage: If you're not covered, work with your employer to amend the policy or obtain separate coverage.

  • Document Everything: Maintain meticulous records of your cybersecurity decisions and actions to support your defense in potential legal actions.

  • Understand Reporting Requirements: Know the procedures for reporting potential claims to the insurer to ensure timely coverage.

  • Consider Supplemental Coverage: Explore options like individual professional liability insurance to complement your D&O coverage.


Conclusion:

While D&O insurance will not cover all costs a CISO might incur personally as a result of a cyber incident at the CISO’s employer, D&O insurance is a vital safeguard for CISOs in today's complex and litigious environment. By proactively seeking coverage, understanding their policy, and staying informed about evolving risks, CISOs can protect themselves and their organizations from the potentially devastating consequences of cybersecurity incidents and legal challenges.

  • Writer: John Barker
  • Nov 10, 2024
  • 3 min read

Updated: Dec 6, 2024

By John W. Barker, Esq.

Partner, The CISO Law Firm


D&O is the acronym for directors and officers insurance.  Previously we alerted CISOs to verify with their boards and their C-suites that they are covered by D&O policies.  Generally, coverage exists when the CISO is a duly appointed corporate officer.  An additional step is to verify the language of the policy, specifically, whether cyber exclusions exist.  Possible exclusion types include the following:


If your employer is a privately held business or a non-profit organization, there is a possibility that the applicable policy covers cyber liability only for the organization but excludes coverage for CISOs. There might be an exclusion for expenses associated with investigations of individually insured persons. Virtual CISOs who work as independent contractors might be excluded from coverage by their clients’ D&O policies.

These exclusions can leave CISOs personally liable for costly legal fees and settlements stemming from cyber incidents. In today's increasingly complex threat landscape, understanding your D&O coverage is more crucial than ever. Let's delve deeper into why these exclusions exist and how CISOs can protect themselves. 


Why Cyber Exclusions Exist in D&O Policies 

D&O insurance was traditionally designed to protect directors and officers from lawsuits alleging wrongful acts in their management roles, such as breaches of fiduciary duty, misrepresentation, or shareholder lawsuits. Cyber risks, with their unique challenges and potentially massive financial consequences, were not initially contemplated in these policies. 

As cyberattacks became more prevalent and sophisticated, insurers became wary of the potential for significant payouts related to cyber incidents. To mitigate their risk, they started incorporating cyber exclusions into D&O policies. This allows them to limit their exposure to cyber-related claims while still providing coverage for traditional D&O risks. 


Types of Cyber Exclusions in D&O Policies 

  • Entity vs. Individual Coverage: Some policies might cover the organization for cyber liabilities but exclude individual directors and officers, including CISOs. This is more common in privately held companies and non-profits where the perceived risk to individuals is lower. 

  • Investigation Costs: Policies may exclude coverage for the costs associated with internal or regulatory investigations into the actions of individual insureds following a cyber incident. This can leave CISOs bearing the financial burden of legal representation during inquiries. 

  • Independent Contractor Exclusion: This exclusion is particularly relevant for virtual CISOs who operate as independent contractors. Their client's D&O policy may not extend coverage to them, leaving them vulnerable in the event of a cyber incident. 

  • Bodily Injury/Property Damage: While less common, some policies may exclude coverage for claims arising from bodily injury or property damage linked to a cyber incident. This could be problematic if a data breach leads to physical harm or property damage. 


How CISOs Can Protect Themselves 

  • Review Your Policy: Don't assume you're covered. Carefully review your organization's D&O policy, paying close attention to any clauses related to cyber incidents or exclusions. 

  • Seek Clarification: If you find any ambiguous language or potential exclusions, don't hesitate to seek clarification from your broker, legal counsel, or the insurance carrier directly. 

  • Negotiate Coverage: If your current policy has broad cyber exclusions, try to negotiate for better terms. This might involve removing specific exclusions, adding endorsements for cyber coverage, or even securing a separate cyber liability policy. 

  • Stay Informed: The cyber insurance landscape is constantly evolving. Keep abreast of the latest trends, policy changes, and legal developments to ensure your coverage remains adequate. 

  • Document Everything: Maintain thorough documentation of your cybersecurity practices, incident response plans, and any decisions related to cybersecurity. This can be invaluable in demonstrating due diligence and mitigating potential liability. 


The Importance of Adequate Coverage 

Cyberattacks can have devastating consequences for organizations and individuals. The costs associated with data breaches, regulatory fines, lawsuits, and reputational damage can be staggering. For CISOs, who are often on the front lines of cyber defense, having adequate D&O coverage is not just a financial safeguard; it's a career necessity. 

Without proper coverage, CISOs could face personal financial ruin in the event of a major cyber incident. Legal defense costs alone can be exorbitant, not to mention potential settlements or judgments. This can lead to significant stress, reputational damage, and even career derailment. 


Conclusion 

In today's interconnected world, cyber risk is an ever-present threat. CISOs must be proactive in understanding their D&O coverage and ensuring they have adequate protection against potential liabilities. By carefully reviewing policies, seeking clarification, negotiating for better terms, and staying informed, CISOs can mitigate their personal risk and focus on their critical role in safeguarding their organizations. 
