Recent high-profile cases involving Chief Information Security Officers (CISOs) have spotlighted the need for robust directors and officers (D&O) liability insurance tailored to cybersecurity executives. The SEC's charges against the SolarWinds CISO, which survived the much-anticipated ruling that dismissed most of the SEC's case against the company, and the 2022 criminal conviction of Uber's former CISO underscore the growing personal liability risks faced by security leaders.
Here are some key D&O insurance considerations for policyholders:
- Increasing liability: The SolarWinds SEC case shows increasing regulatory risk for individuals, while the Uber CISO's felony conviction for obstruction of justice highlights potential criminal liability for CISOs. The cost of cybersecurity events can be staggering (about $9.48 million on average in the US, per IBM's 2023 Cost of a Data Breach report), often eroding, if not exhausting, cyber policy limits in the immediate aftermath of an incident and leaving policyholders to look to other policies for coverage of follow-on claims by regulators, customers, and other litigants.
- Are CISOs “insureds”: Historically focused on board members and C-suite executives, D&O policies may not adequately cover the unique risks CISOs face. One recent survey reported that 38% of CISOs are not covered by their company’s D&O insurance policy. Depending on corporate hierarchy and governance documents, CISOs may not fit the policy’s definition of “insured.”
- Criminal versus civil actions: D&O policies typically cover civil liability based on negligence or other non-intentional conduct, but they often exclude criminal or deliberately fraudulent acts. The Uber CISO's felony conviction shows the importance of narrowing those exclusions, for example through robust "final adjudication" wording, under which the exclusion applies only once a final, non-appealable adjudication establishes the excluded conduct, so that defense costs continue to be advanced while charges are pending or on appeal.
- Government investigation coverage: Regulatory coverage varies widely depending on whether the company is public or private and whether regulators are investigating or taking action against individuals or the company. Policyholders should request affirmative coverage and understand any limitations, such as sublimits, that may reduce coverage for pre-enforcement stages like subpoenas, document requests, and informal inquiries that precede a formal enforcement action.
- Cyber exclusions: Some policies have broad exclusions barring coverage for claims arising from cyber incidents, potentially leaving CISOs exposed. Eliminating those exclusions, or at least negotiating carve-backs or narrower lead-in causation language (for example, an exclusion that applies only to claims "for" a cyber incident rather than any claim "arising out of or in any way related to" one), can help avoid rendering D&O insurance illusory for a large segment of cyber-related claims.
- Corporate indemnification: D&O insurance presumes broad corporate indemnification of individual insureds; the policy's non-indemnified (Side A) coverage responds only where the company cannot or will not indemnify, such as insolvency or a legal prohibition. Just as CISOs sometimes fall through the cracks of the definition of "insured," companies may also need to reassess their indemnification agreements with CISOs to ensure alignment with the available insurance coverage.
- Review insurance programs, not just policies: Cyber-related risks may fall through gaps in traditional liability policies, which increasingly carry exclusions or similar limitations intended to shift those risks into cyber policies. Even so, many traditional policies, D&O coverage included, can respond to critical cyber risks. Policyholders should audit their program as a whole rather than focusing on single policies, and certainly not solely on the cyber policy, to assess and improve potential coverage for cyber exposures.
As personal liability risks for CISOs continue to evolve, the availability and scope of D&O insurance will remain a critical factor in recruiting and retaining top cybersecurity talent. Companies that offer robust insurance protection may gain a competitive advantage in the tight market for skilled security leaders. Policyholders should proactively engage with brokers, coverage counsel, and other risk professionals to understand the scope of existing coverage and explore options for enhanced protection that addresses these growing liability risks.