CISOs Under the (Liability) Gun

Chief information security officers (CISOs) face an increased likelihood of legal scrutiny after a significant breach. This has them asking questions about insurance support.

Chief information security officers (CISOs) face an increased likelihood of legal scrutiny after a significant breach. It’s par for the course for CISOs to be scrutinized when security programs don’t hold up under attack—but that used to mean the potential loss of their job. Today, legal scrutiny adds to the worries of CISOs and has them asking questions about insurance support.


Liability in the News

A few companies have been making headlines as their CISOs and officers are involved in lawsuits and regulatory actions:

  • SolarWinds' CISO was named in a shareholder class action suit, alleging violations of the Securities Act. The shareholder litigation was just settled for $26 million, payable under the company's D&O policy. A Delaware judge dismissed a derivative suit alleging that SolarWinds corporate directors failed to adequately oversee cyber risk.
  • Uber’s ex-CISO, Joseph Sullivan, was recently convicted in federal criminal court on charges stemming from his role in the 2017 Uber data breach and failure to disclose it. The Department of Justice brought the charges.
  • Drizly faced an enforcement action from the Federal Trade Commission due to its recent breach—and the CEO is personally being held accountable in the settlement.

The Insurance Response is Complicated

Multiple insurance policies can and should respond to CISO and C-suite concerns—including cyber insurance and directors and officers (D&O) insurance policies. How coverage applies can depend on many factors, including:

  • Is the case criminal or civil?
  • Is it brought by customers, consumers, regulators, or shareholders?
  • Which government regulator is bringing the action?

Cyber insurance should cover consumer or customer class action litigation following a security breach. It should also cover regulatory actions brought against a company or its C-Suite as a result of a covered cyber incident, such as the FTC action against Drizly and its CEO. It’s important to note that cyber insurance policies cover individual employees as insured persons—which provides the necessary coverage for members of the C-Suite when named in an enforcement action.

D&O insurance policies will cover the company and its directors and officers for personal liability for shareholder litigation—or regulatory action against an individual director or officer.

However, CISOs aren’t always considered officers of the company. They either need to be named explicitly as covered in the D&O policy, or the company must amend its charter and bylaws to include the CISO as an officer.

The latter is easier to accomplish, as D&O underwriters are often skeptical of naming individual roles as covered under their policies.

Our recent blog explains how a cyberattack triggers multiple parts of a cybersecurity insurance policy, covering a hypothetical scenario of a payment processor experiencing a ransomware attack and its response.

When Coverage Gets Tricky

It may sound wonderful to have multiple insurance policies responding in your time of need. Sadly, that’s not always the case in the complex world of insurance claims. Often when there are two policies impacted by a single event, each will point the finger at the other to pay their limits first—sometimes delaying the appropriate insurance response.

A good broker can advise you on the most practical approach for maximizing your insurance coverage, including which policy should be designated to respond first.

There are numerous factors to consider, such as:

  • The self-insured retention of each applicable policy
  • The dilution of limits under each policy by expenses incurred responding to the incident. For example, breach response costs (such as computer forensics investigation costs or ransom payments) may have left little money remaining for ensuing litigation or enforcement actions under a cyber insurance policy.

The interaction of cyber and D&O insurance policies is growing as cyber events have greater impact on companies. Some companies have found benefits to placing each line of coverage with the same carrier and broker to ease the claim process and better understand the nuanced interplay of the two policies.

Why CISOs Should Pay Attention to Insurance

As CISOs are exposed to more liability, their interest in insurance is growing. Insurance is a foreign language to many CISOs, and having a clear understanding of the applicable insurance policies and what is covered can set their minds at ease—especially when reading scary headlines. At Woodruff Sawyer, we understand CISO liability when it comes to cyber risks, and we keep their personal interest in mind as we build cyber insurance solutions to address the latest trends in cyber risk.

Check out our Cyber 101 blog post, for more details about what cyber insurance covers.
