New Regulations Make D&O Insurance a Must for CISOs

Chief information security officers (CISOs) face a number of daily challenges, including defending against constant attacks from cybercriminals, finding misconfigured servers, and presenting to their corporate boards to drum up additional funding to meet regulatory requirements and prevent zero-day attacks. Now they have a new concern: finding personal cyber-liability insurance coverage in cases when they are not covered by a corporate directors and officers (D&O) insurance policy.

According to the "2023 Global Chief Information Security (CISO) Survey" from executive search firm Heidrick & Struggles, 38% of CISOs are not covered by their organizations' D&O insurance, and another 18% do not know whether they are covered. Additionally, 55% of respondents said they are not covered by a severance package.

"The best-positioned CISOs should be able to command executive-level protections that enable them to do their jobs unencumbered by the threat of career risk," the report states.

Don't Accept All the Liability, None of the Power

New regulations from the Securities and Exchange Commission now place personal responsibility for data breaches on CISOs, notes David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage.

"[CISOs] can't create the funding for the solutions to fix the [cybersecurity] problems. They personally cannot do what the regulator want done," he says. "And yet, you know, they now have this target on their back."

CISOs are caught in a conundrum where they hold all of the responsibility to stop cyberattacks but have none of the authority to fund the technological defenses and hire the workforce that regulations require.

An article posted to the Institute for Applied Network Security (IANS) blog details the catch-22 CISOs and CSOs face when it comes to regulatory liability.

"Many corporate charters do not regard the CISO as a corporate officer, and, therefore, CISOs cannot be covered by D&O insurance," the organization noted. "Some jurisdictions do not permit CISOs to serve as corporate directors, which also reduces the likelihood of being covered by D&O insurance. Ineligibility does not reduce the risk."

Negotiate for Insurance Coverage

The first question a prospective CISO should ask when interviewing for the position is whether the job is covered by corporate D&O insurance, says James Tuplin, senior vice president and head of international cyber at Mosaic Insurance in London. If it is not, the candidate should insist on it as a condition of employment.

Due to new regulatory requirements, D&O coverage for CISOs is now a must-have, rather than a nice-to-have, in compensation packages, says Deron Grzetich, cybersecurity lead at consulting firm West Monroe Partners. However, like any negotiable compensation component, this has become an issue for budding security pros who might balance personal risk against the opportunity to finally get that CISO title.

Ultimately, if the CISO cannot obtain coverage through a corporate policy, they need to find their own policy, Grzetich says.

"But I think that that brings up the question of, if the liability is due to my employment with the organization or the company, why is the company not paying for that versus the individual?" he says.

Grzetich's concern is that, if a company is unwilling to cover the CISO — especially considering that adding one person to a corporate policy is relatively low cost — then what are the company's priorities and how much will it defend the CISO if a breach occurs? Does that company really value the CISO as a valued member of the executive team?

Grzetich has an easy work-around if the company will not provide D&O coverage for the CISO.

"Don't take the CISO title. Take the director of information security title, get paid the same, and reduce your liability as well," he advises.