
Protecting the Protectors: Why CISOs Need D&O Insurance

  • Writer: John Barker
  • Nov 11, 2024
  • 4 min read

Updated: Dec 6, 2024

By John W. Barker, Esq.

Partner, The CISO Law Firm


The modern CISO's role is more demanding and higher-stakes than ever before. They are not just technical experts but strategic leaders responsible for safeguarding critical information assets and navigating a complex regulatory landscape. This increased responsibility brings with it a heightened risk of personal liability. This article makes the case for why CISOs need to be covered by their employer's Directors and Officers (D&O) insurance policy, exploring key considerations, real-world examples, and practical steps to secure this essential protection.


The Growing Need for D&O Coverage

CISOs face potential personal liability from various sources, including:

  • Shareholder lawsuits: In the event of a data breach or other cybersecurity incident, shareholders may sue the company and its officers, including the CISO, alleging negligence, mismanagement, or breach of fiduciary duty.

  • Employee lawsuits: Employees may sue the CISO for failing to protect their personal information.

  • Regulatory actions: Regulatory bodies, such as the FTC, SEC, or state attorneys general, may investigate and take action against CISOs for alleged non-compliance with data protection laws or for misleading statements about the company's cybersecurity posture.

  • Third-party claims: Customers, vendors, or other stakeholders may sue the CISO for damages resulting from a cybersecurity incident that impacted their data or operations.


A Strong Argument for Coverage:

The time and resources required to defend against these claims can significantly divert a CISO's attention from their core mission: securing the company's information systems and data. D&O insurance provides a critical safety net, allowing CISOs to focus on their primary responsibilities without the constant worry of personal financial ruin.


Is the CISO a Corporate "Officer"?

The first step in determining D&O eligibility is to examine the company's governing documents. The "O" in D&O stands for "Officer." Do the corporate charter or bylaws explicitly identify the CISO as a corporate officer, or authorize the board to designate one by resolution? This designation is crucial for accessing D&O coverage. Publicly held companies that lack a cybersecurity-first culture often regard only board members and the CEO, CFO and COO as the "true" corporate officers. The CIO or CTO to whom a CISO reports may or may not fight for the CISO to be included; indeed, not all CIOs and CTOs are themselves considered corporate officers for purposes of D&O coverage. The bylaws are not the end of the inquiry: the policy's own definition of "Insured Person" controls, and some policies extend to non-officer employees only for certain claims (for example, securities claims, or claims in which the employee is a co-defendant alongside a director or officer). CISOs must be proactive in determining their status under both the governing documents and the policy.


The CISO Knowledge Gap:

A 2023 Global CISO Survey by Heidrick & Struggles revealed a concerning lack of awareness among CISOs regarding D&O coverage:

  • Globally: 38% of CISOs reported not being covered by D&O insurance, and another 18% were unsure of their coverage status.

  • Regionally: The lack of coverage was particularly pronounced in Australia (51%), Europe (45%), and the US (34%).

These findings highlight the urgent need for CISOs to proactively address this issue and seek clarity on their D&O coverage.


Real-World Examples: Uber and SolarWinds

The cases of Uber and SolarWinds illustrate the potential consequences of cybersecurity failures, and the role D&O insurance can play in mitigating personal liability:

Uber:

  • Joseph Sullivan, Uber's former CSO, was convicted in 2022 of obstruction of justice and misprision of a felony for concealing a 2016 data breach from the FTC. D&O insurance would not have paid a criminal fine, and most policies exclude deliberate criminal conduct, but that exclusion typically attaches only after a final adjudication, so defense costs during the investigation and trial may be advanced in the meantime.

SolarWinds:

  • The SEC's October 2023 complaint named both SolarWinds and its CISO, Timothy Brown, as defendants; most of those claims were dismissed in July 2024, but the claims based on the company's public Security Statement were allowed to proceed against both. Separately, D&O insurance covered the $26 million settlement of a shareholder class action lawsuit in which the CISO had also been named as a defendant.


What D&O Policies Typically Cover:

  • Legal defense costs: Attorney fees, court costs, and expert witness fees.

  • Settlements and judgments: Monetary awards paid to plaintiffs.

  • Investigation costs: Expenses related to internal or regulatory investigations.

  • Independent legal counsel: In cases of conflict with the company, D&O insurance can allow the CISO to hire their own attorney.


Typical D&O Policy Exclusions:

  • Criminal fines: D&O insurance usually doesn't cover fines imposed for criminal convictions.

  • Intentional illegal acts: Deliberate criminal acts or fraud are typically excluded, although the exclusion usually applies only once a final, non-appealable adjudication establishes the conduct; until then, defense costs are generally advanced.

  • Bodily injury/property damage: These are usually covered by general liability insurance.

  • Pollution: Environmental liability requires specialized policies.

  • Cyberattacks (sometimes): Some policies may have specific exclusions for cyber incidents, making separate cyber insurance advisable.


Insights for CISOs:

  • Policy Review: Carefully review your employer's D&O policy with legal counsel to understand its scope, exclusions, and limitations.

  • Negotiate for Coverage: If you're not covered, work with your employer to amend the policy or obtain separate coverage.

  • Document Everything: Maintain meticulous records of your cybersecurity decisions and actions, including the risks you escalated and the decisions management or the board made on them, to support your defense in potential legal actions.

  • Understand Reporting Requirements: D&O policies are typically written on a claims-made basis, so know the procedures and deadlines for reporting potential claims and circumstances to the insurer; late notice can forfeit coverage.

  • Consider Supplemental Coverage: Explore options like individual professional liability insurance to complement your D&O coverage.


Conclusion:

While D&O insurance will not cover every cost a CISO might personally incur as a result of a cyber incident at the CISO's employer, it is a vital safeguard for CISOs in today's complex and litigious environment. By proactively seeking coverage, understanding their policy, and staying informed about evolving risks, CISOs can protect themselves and their organizations from the potentially devastating consequences of cybersecurity incidents and legal challenges.
