CISOs Need to Be Covered Under Their Companies’ D&O Insurance Policies

  • Writer: Jon Engleking
  • Jun 13, 2024
  • 3 min read

Updated: Sep 23, 2024


Cyber incidents are the top risk facing global businesses, according to the Allianz Risk Barometer Survey. This elevates the importance of Chief Information Security Officers (CISOs), who are responsible for protecting an organization’s sensitive data and defending against cyberattacks. With this responsibility comes significant personal risk, making it imperative for CISOs to be covered under their companies’ Directors and Officers (D&O) insurance policies.


The Increasing Accountability of CISOs


On December 18, 2023, the US Securities and Exchange Commission (SEC) introduced new cybersecurity disclosure rules for publicly traded companies, placing significant responsibilities on CISOs. They must ensure accurate and non-misleading public statements about security, prepare disclosures about risk management processes, and report material cybersecurity incidents within four days of discovery. Additionally, CISOs and executives face personal risks, including fines up to $5 million and imprisonment for up to 20 years for willful violations of data accuracy and security controls. For example, on May 4, 2023, Joseph Sullivan, Uber’s CISO, was convicted of a felony and sentenced to three years of probation for covering up a 2016 data breach.


This accountability can result in significant financial liability, legal costs, and reputational damage. Covering CISOs under D&O insurance policies provides a safety net, protecting them from personal financial loss and legal exposure. However, many companies don’t consider the CISO as a corporate officer in the traditional sense, so they’re not covered under the D&O policies that protect the CEO, CFO, and COO.




The Role of D&O Insurance


D&O insurance is designed to protect corporate directors and officers from personal losses if they are sued as a result of serving in their roles. It covers legal defense, indemnity, and other costs the organization may incur as a result of such lawsuits. Extending this coverage to CISOs is crucial given the unique risks they face, allowing them to focus on protecting the organization without fear of financial ruin, and helping companies recruit top talent.


  1. Protection Against Legal Action - In the wake of a cybersecurity incident, affected parties may file lawsuits against the organization and its executives, including the CISO. D&O insurance provides coverage for defense costs, settlements, and judgments, ensuring that the CISO is not personally or financially liable.


  2. Regulatory Investigations and Fines - Regulatory bodies may impose fines and penalties on organizations for failing to meet cybersecurity standards or for data breaches. CISOs, as the individuals responsible for compliance, may be targeted in these investigations. D&O insurance can help cover the costs associated with regulatory actions.


  3. Private vs. Public Companies - Whether a company is private or public, the need for D&O insurance coverage for CISOs remains critical. Cybersecurity incidents can occur in any organization, regardless of its public status. Private companies are not immune to legal actions, regulatory scrutiny, or reputational damage resulting from cyber incidents. Ensuring that CISOs in private companies are also covered under D&O insurance policies is essential for protecting them from personal financial risks and legal liabilities, and for maintaining robust cybersecurity defenses.


  4. Attracting and Retaining Talent - Including D&O coverage for CISOs can be a key factor in attracting and retaining top cybersecurity talent. Knowing that they are protected in the event of legal action gives CISOs the confidence to make bold decisions and implement robust security measures without fear of personal financial ruin.


  5. Mitigating Reputational Damage - A security breach can tarnish the reputation of both the organization and its executives. D&O insurance can cover the costs of public relations efforts to manage and mitigate reputational damage, helping the organization and its leaders recover more quickly from an incident.


CISOs play a vital role in maintaining cybersecurity and protecting sensitive information. The increasing complexity and severity of cyber threats, coupled with growing regulatory scrutiny, make it essential for CISOs to be covered under their companies’ D&O insurance policies. This coverage not only protects CISOs from personal financial liability but also underscores the importance of their role within the organization, helping to attract and retain top talent and ensuring a more secure and resilient business environment.
