Why CISOs Need D&O Liability Insurance Coverage Now

Directors and officers (D&O) liability insurance covers the directors and officers of a company against lawsuits alleging a breach of duty. This report explains the importance of D&O insurance for CISOs and offers tips for getting leadership buy-in.

CISOs’ Liability Increases with Increased SEC Regulation

The possibility of a lawsuit arising from a cybersecurity incident is nothing new. Cyber-related litigation has been a recurring theme for several years now. Lawsuits can come from various sources, including regulators, shareholders and stakeholders. Recent examples include:

• Uber’s former CSO was sentenced to three years’ probation and 200 hours of community service for covering up a data breach.
• The SEC issued a Wells notice to executives of SolarWinds, including the CISO, over the company’s massive 2020 data breach. The SEC issues Wells notices to firms when it is planning to bring an enforcement action.
• Shareholders initiated a class action lawsuit against Okta. The court subsequently dismissed the cyber-related claims.
• A shareholder filed a securities class action lawsuit against Dish Network for a cybersecurity incident involving its internal communications network.
• Aerojet agreed to pay $9 million to the U.S. government to settle allegations that it misrepresented its compliance with cybersecurity requirements when entering contracts with NASA and the Department of Defense.

With the increased legislation and regulation comes the likelihood that cyber-related legal actions will only increase. For example, consider the cybersecurity-related disclosure rules approved by the SEC in July 2023. Those are the first of three proposed sets of cybersecurity rules from the SEC. Regulation is not only increasing at the federal level, but we are seeing new regulation and laws at the state level, as well.

Liability Insurance and Indemnification Explained

Organizations often use D&O insurance to attract and retain qualified directors and officers. With the increased importance of cybersecurity to the business, the inclusion of CISOs on that list becomes paramount.

D&O Insurance Definitions

But what exactly is D&O insurance and what does it include? Let’s start with some basic definitions:

• Liability insurance: This protects the insured from personal financial loss imposed by lawsuits and similar claims within the coverage of the policy.
• Indemnification: A contractual obligation of one party to compensate the loss incurred by another party. In this case, the company would indemnify the CISO. The indemnification would be documented in the employee agreement subject to state and federal laws.

D&O Eligibility for Security Leadership

The following personnel are eligible for D&O liability insurance:

• Directors: They are elected by the shareholders to set strategy and protect the interests of shareholders and stakeholders. They serve on the board of directors, and every public company is required by law to have a board of directors. Some organizations have employees with the title of director. While the term is similar, these directors are employees, not corporate directors elected by shareholders. Corporate directors are eligible for D&O insurance, but employees with the title of director are not.
• Corporate officers: They run the company’s day-to-day operations. Corporate officers are chosen by the board of directors. The number and titles of these officers vary based on the corporate charter; bylaws; governance structure; internal policies; and local, state, and national governing laws. In general, corporate officers include a CEO, president, treasurer, and secretary. However, simply having a C-level title or the word “officer” in a title does not automatically designate the person as a corporate officer.
• Employees: They are not typically covered by D&O Insurance, but employees are sometimes covered as a co-defendant with a director or corporate officer in a specific action. Whether an employee is covered is highly dependent on the policy and the specific situation.

D&O Coverage Agreements

D&O insurance can have up to four core, separate agreements:

• Side A: Covers claims against directors and officers not indemnified by the corporation.
• Side B: Provides for reimbursement to the corporation when the corporation indemnifies the directors and officers.
• Side C: For securities claims against publicly traded companies. What constitutes a “securities claim” is defined in the policy. In general, securities claims are class actions and derivative lawsuits by shareholders. They often allege breaches of disclosure or fiduciary duties, or misleading and deceptive conduct that resulted in a loss of market value (e.g., share price).
• Side D: For derivative investigative coverages. Derivative investigation costs will be defined in the D&O policy. Typically, this means any reasonable and necessary fees, like attorneys' fees, experts' fees, and expenses.

Additional or supplemental agreements may also exist and would be documented in Sides E, F, G and so on. Illegal acts and illegal profits are generally not covered.

CISOs are in a Transition Phase

As cybersecurity and the role of the CISO evolve, it will take time for legislation, insurance products, and regulations to catch up. Many corporate charters do not regard the CISO as a corporate officer, and, therefore, CISOs cannot be covered by D&O insurance. Some jurisdictions do not permit CISOs to serve as corporate directors, which also reduces the likelihood of being covered by D&O insurance.

Ineligibility does not reduce the risk, however. Regulatory actions, like the Wells notice sent to the CISO of SolarWinds, or shareholder actions, like those against Okta and Dish, do not go away because a CISO is not covered by D&O insurance. Even if the case is eventually dismissed or the accused is found not guilty, such CISOs can suffer large personal losses—even more so if an award is made in favor of the plaintiff.

Indemnification is a different matter. Companies have far more latitude (and lower cost) in providing indemnification than they do in providing D&O insurance coverage. Indemnification is usually documented in an employee agreement, subject to state and federal laws. A review of the CISO’s employment agreement is warranted. It is highly recommended the CISO be provided indemnification. The CISO is recommended to also seek legal counsel. Some states provide for indemnification even if no agreement exists, while others limit the indemnification.

READ: Black Hat 2023: Key Takeaways and InfoSec Trends

Steps to Reduce D&O Risk

Organizations often have D&O insurance to attract and retain qualified directors and officers. The same is true for indemnification. As CISOs become more involved in key business decisions, organizations need to consider the protections they offer their CISOs. Use these steps as guidelines:

• Review your current coverage: The first step would be to understand which roles are considered officers, as well as the D&O coverage and indemnification afforded to those roles. The chairman of the board, CEO and general counsel are good places to start. A review of public records, including yearly reports and corporate filings, would provide insight.
• Consult a lawyer and watch the jurisdiction: After doing your research, seek counsel from an attorney experienced in these matters. Lawyers with this expertise often position themselves as executive compensation or D&O liability attorneys. An attorney who typically represents individuals and is familiar with the laws of your jurisdiction is best. Jurisdiction may be tricky. Where you are physically based, the corporate nexus and incorporation state could differ. Most publicly traded companies are incorporated out of Delaware.
• Do your homework and extend coverage to CISOs: Whether that is D&O insurance or indemnifications, it is realistic to expect coverage to be extended to the CISO, given the increased importance of cybersecurity (and, therefore, the CISO) to the business.
  

READ: Cyber Incident Communications Checklist

Watch our Webinar: CISO Liability Is Increasing – What Can You Do About It?

Cyber-related litigation is becoming more common, a trend expected to continue with the new SEC breach disclosure rules. In this environment, CISOs must take action to protect themselves from the personal financial risk associated with legal action, as the broad corporate protections they’ve traditionally relied on may not apply to their role.

Join IANS Faculty Justin Daniels, Epic Brokers Managing Principal Kelly Geary, and Artico Search Partner Steve Martano for an IANS webinar which will demystify the complex legal landscape CISOs face covering key topics including:

• D&O insurance coverage rules and how they apply to CISOs
• Cyber insurance policies that offer legal action coverage
• Alternative options for corporate-sponsored financial protection against liability, including key employee insurance and indemnity
• What to look for in umbrella insurance and guidance from a personal lawyer to supplement corporate policies if necessary
  

Register and watch today! Click here.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.