Directors and officers (D&O) liability insurance protects a company's directors and officers against lawsuits alleging a breach of their duties. This report explains why D&O coverage matters for CISOs, where CISOs commonly fall outside it, and how to win leadership buy-in for protection.
The possibility of a lawsuit arising from a cybersecurity incident is nothing new; cyber-related litigation has been a recurring theme for several years. Legal action can come from several directions, including regulators, shareholders and other stakeholders. Recent examples include:
With increased legislation and regulation comes the likelihood that cyber-related legal actions will only increase. Consider, for example, the cybersecurity disclosure rules the SEC adopted in July 2023, the first of three proposed sets of SEC cybersecurity rules. Regulation is increasing not only at the federal level: new laws and regulations are appearing at the state level as well.
Organizations often use D&O insurance to attract and retain qualified directors and officers. As cybersecurity becomes more central to the business, adding the CISO to the list of people the policy protects becomes paramount.
But what exactly is D&O insurance and what does it include? Let’s start with some basic definitions:
The following personnel are eligible for D&O liability insurance:
D&O insurance can have up to four core, separate agreements:
Additional or supplemental agreements may also exist and are documented as further "Sides" (E, F, G and so on). Illegal acts and illegal profits are generally excluded from coverage.
As cybersecurity and the role of the CISO evolve, legislation, insurance products and regulations will take time to catch up. Many corporate charters do not designate the CISO as a corporate officer, so the CISO falls outside the policy's definition of an insured person and is not covered by the company's D&O insurance. Some jurisdictions also do not permit a CISO to serve as a corporate director, which further reduces the likelihood of D&O coverage.
Ineligibility does not reduce the risk, however. Regulatory actions, such as the Wells notice sent to the CISO of SolarWinds, and shareholder actions, such as those against Okta and Dish, do not go away because a CISO is not covered by D&O insurance. Even if the case is eventually dismissed or resolved in the CISO's favor, the cost of defending it can be a large personal loss, and the loss is larger still if an award is made in the plaintiff's favor.
Indemnification is a different matter. Companies have far more latitude (and lower cost) in providing indemnification than in extending D&O insurance coverage. Indemnification is usually documented in the employment agreement and is subject to state and federal law: some states provide for indemnification even when no agreement exists, while others limit it. A review of the CISO's employment agreement is warranted, it is highly recommended that the CISO be provided indemnification, and the CISO should also seek legal counsel of their own.
Just as organizations use D&O insurance to attract and retain qualified directors and officers, they can use indemnification the same way. As CISOs become more involved in key business decisions, organizations need to consider the protections they offer them. Use these steps as guidelines:
Join our Webinar: CISO Liability Is Increasing – What Can You Do About It?
Cyber-related litigation is becoming more common, a trend expected to continue under the new SEC breach disclosure rules. In this environment, CISOs must act to protect themselves from the personal financial risk of legal action, because the broad corporate protections they have traditionally relied on may not apply to their role.
Join IANS Faculty Justin Daniels, Epic Brokers Managing Principal Kelly Geary and Artico Search Partner Steve Martano on Tuesday, October 10th at 1:00 PM ET for an IANS webinar that will demystify the complex legal landscape CISOs face, covering key topics including: