Amri Tarsis

Have you been promoted to CISO to protect the company? Protect yourself as well, in case of a cyber incident, with D&O insurance.



As Chief Information Security Officers (CISOs), we are a community of heroes, proud to protect our companies against the growing threats in cybersecurity. However, it is crucial to remember that we must also protect ourselves. The personal liability risk a CISO carries after a cyber incident should not be underestimated. D&O insurance is one option for CISOs and cybersecurity leaders to consider.


Cybersecurity, and therefore the CISO role, is becoming more relevant and, at the same time, more regulated because material misstatements about cyber risk may harm investors in large public corporations. CISOs and cybersecurity leaders are increasingly exposed to being named in lawsuits. The implications are daunting: security leaders may have their personal assets at risk if found liable. In addition to the growing number of state regulations in the US, at the federal level cybersecurity-related disclosures under the SEC's new rules may trigger enforcement actions by regulators. Claims may also be brought by consumers alleging privacy violations and by shareholders of the company.


SolarWinds CISO Lawsuit: A Case in Point

Source: SEC.gov Press Release 2023-227


The SolarWinds case marks a significant turning point for CISO exposure. In 2023 the SEC charged former SolarWinds CISO Timothy Brown with fraud and internal control failures in connection with the company's statements about its cybersecurity practices and risks before and after the major cyber attack disclosed in 2020. Note that these are allegations in a civil complaint, not findings of guilt, and the case illustrates that the disclosures a CISO makes or signs off on can become the basis of a claim against that individual.


“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” 


The irony of this statement is that anyone working in the cybersecurity industry knows that getting budget approved for what is necessary to lower the risk is not easy; internal resources to manage the security posture are scarce, and educating the entire organization to reduce the human factor in threats like social engineering requires sustained effort.


So, how can CISOs be protected? This is a question we all need to consider.


1) Legal Advice—Before signing up to become the CISO, a lawyer can review the employment agreement and advise on practices that help you defend yourself in the event of a cyber incident lawsuit. For example, documenting internal communications in which you reported the company's risk level and requested resources is critical, because those records establish what you escalated and when.


2) Cyber Risk Quantification—Translating cyber risk into financial terms, using advanced risk management practices such as CRQ platforms, is essential for estimating upfront the monetary exposure of a potentially catastrophic loss in worst-case scenarios, and for communicating that exposure to the board in terms it can act on.


3) D&O Insurance—Make sure your company has a D&O policy and that you are covered by it. This is especially important if you hold the CISO role as a security leader but are not formally a company officer or director, because in that case you may not be covered by default.


What is D&O Insurance?


Directors & Officers Insurance (D&O) was originally created to protect individuals named in legal actions for wrongful acts committed in their capacity as directors and officers. It may cover a broad range of alleged wrongdoing, such as mismanagement of the organization, failure to deliver services, and unfair trade practices. Claims alleging false or misleading material disclosures are one coverage category that may apply to cybersecurity legal cases naming CISOs.


D&O Coverages


- Breach of fiduciary duties

- Misuse of corporate assets

- Negligence

- Mismanagement

- Fraud


Who and what is covered?


Insurance policies are not all created equal; by default, a D&O policy is designed to protect the board of directors (directors) and C-level executives (officers), such as CEOs, CFOs, COOs, and so on.

Insureds are protected against personal financial loss from lawsuits and similar claims in two ways: the policy may pay directly on the individual's behalf (for example, the cost of defending that individual), or it may reimburse the company when the company indemnifies the individual. Indemnification depends on the company having agreed to it, so the CISO's employment agreement should include indemnification terms; this is another reason legal advice is essential before accepting the CISO role.


Exclusions typically include willful violations of the law and actions taken for personal profit. What can make one policy better than another is a coverage extension beyond "Directors & Officers" to some or all employees. This is especially important for cybersecurity leaders working in the CISO capacity who do not hold the formal designation of director or officer of the organization. The fact that the company has D&O insurance does not necessarily protect the cybersecurity leader in this case. Hence, attention to the details of the policy is crucial when contracting or renewing it.


D&O differs from other types of insurance such as Professional Liability (Errors & Omissions). E&O is designed to protect professionals and companies that deliver specific services to other companies, covering liabilities arising from wrongful acts or negligence in providing those services. A fractional CISO serving other companies should consider E&O. For employees or board members of a company, D&O is the appropriate insurance, since it protects individuals who act on behalf of their own company.


Is it just for large organizations?


D&O is a must-have for large corporations, but it is also available to LLCs and non-profit organizations. Some venture capital firms require a D&O policy before committing to invest in a startup. Beyond protecting a CISO's assets after a cyber incident, D&O also responds to other mismanagement claims. Board members are likewise protected by D&O, so if you are invited to join a board because of your cybersecurity background, or to lead the cybersecurity governance committee, remember to make sure the company has a D&O policy in place.

