Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

New Regulations Make D&O Insurance a Must for CISOs

CISOs currently hold all of the responsibility to stop cyberattacks yet have none of the authority to fund the technological defenses that regulations require.

3 Min Read
Directors and Officers Liability D&O insurance application form
Source: designer491 via Alamy Stock Photo

Chief information security officers (CISOs) face a number of daily challenges, including defending against constant attacks from cybercriminals, finding misconfigured servers, and presenting to their corporate boards to drum up additional funding to meet regulatory requirements and prevent zero-day attacks. Now they have a new concern: finding personal cyber-liability insurance coverage in cases when they are not covered by a corporate directors and officers (D&O) insurance policy.

According to the "2023 Global Chief Information Security (CISO) Survey" from executive search firm Heidrick & Struggles, 38% of CISOs are not covered by their organizations' D&O insurance, and another 18% do not know whether they are covered. Additionally, 55% of respondents said they are not covered by a severance package.

"The best-positioned CISOs should be able to command executive-level protections that enable them to do their jobs unencumbered by the threat of career risk," the report states.

Don't Accept All the Liability, None of the Power

New regulations from the Securities and Exchange Commission now place personal responsibility for data breaches on CISOs, notes David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage.

"[CISOs] can't create the funding for the solutions to fix the [cybersecurity] problems. They personally cannot do what the regulator want done," he says. "And yet, you know, they now have this target on their back."

CISOs are caught in a conundrum where they hold all of the responsibility to stop cyberattacks but have none of the authority to fund the technological defenses and hire the workforce that regulations require.

An article posted to the Institute for Applied Network Security (IANS) blog details the catch-22 CISOs and CSOs face when it comes to regulatory liability.

"Many corporate charters do not regard the CISO as a corporate officer, and, therefore, CISOs cannot be covered by D&O insurance," the organization noted. "Some jurisdictions do not permit CISOs to serve as corporate directors, which also reduces the likelihood of being covered by D&O insurance. Ineligibility does not reduce the risk."

Negotiate for Insurance Coverage

The first question a prospective CISO should ask when interviewing for the position is whether the job is covered by corporate D&O insurance, says James Tuplin, senior vice president and head of international cyber at Mosaic Insurance in London. If it is not, the candidate should insist on it as a condition of employment.

Due to new regulatory requirements, D&O coverage for CISOs is now a must-have, rather than a nice-to-have, in compensation packages, says Deron Grzetich, cybersecurity lead at consulting firm West Monroe Partners. However, like any negotiable compensation component, this has become an issue for budding security pros who might balance personal risk against the opportunity to finally get that CISO title.

Ultimately, if the CISO cannot obtain coverage through a corporate policy, they need to find their own policy, Grzetich says.

"But I think that that brings up the question of, if the liability is due to my employment with the organization or the company, why is the company not paying for that versus the individual?" he says.

Grzetich's concern is that, if a company is unwilling to cover the CISO — especially considering that adding one person to a corporate policy is relatively low cost — then what are the company's priorities and how much will it defend the CISO if a breach occurs? Does that company really value the CISO as a valued member of the executive team?

Grzetich has an easy work-around if the company will not provide D&O coverage for the CISO.

"Don't take the CISO title. Take the director of information security title, get paid the same, and reduce your liability as well," he advises.

About the Author(s)

Stephen Lawton, Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights