Companies must ensure CISOs are covered under D&O policies, experts say

Chief information security officers (CISOs) are likely to become targets for regulators and plaintiff attorneys in the US as part of data breach litigation, making it critical that they are covered under their company’s D&O policy, experts say.

The good news for CISOs is that in the current competitive market, D&O insurers are generally willing to add them as insureds without additional charge, these experts said.

They point to the US Securities and Exchange Commission (SEC) lawsuit filed against SolarWinds Corp, which names its CISO as a defendant, along with the company itself, as a sign that CISOs and their companies should be concerned about this issue.

The lawsuit charges that SolarWinds and CISO Timothy Brown defrauded investors by overstating the company’s cybersecurity practices and understating, or failing to disclose, known risks. SolarWinds was the target of a massive, nearly two-year-long cyberattack.

Complicating the issue facing companies are new SEC cybersecurity rules that require companies to determine which cyber breaches are material and report them to the agency within four business days. The incident disclosure requirements take effect for most companies on 18 December, with smaller companies eligible for an extension.

Regulators “are trying to stress that individuals are vulnerable to prosecution or enforcement action, particularly if they mislead the market”, and shareholders and data breach victims are becoming more litigious, said lawyer Jonathan Armstrong, a partner with Cordery Compliance in London.

“I’m not sure (CISOs) are going to be named in all securities litigation” but certainly there is a heightened risk, said Andrew Doherty, US national executive and professional risk solutions practice leader for USI Insurance Services.

“The exposure has been on the upswing for a little while without being noticed,” said Larry Fine, management liability coverage leader for WTW.

There will be more litigation, he said. “I’m not sure it’ll be an avalanche, but we’re going to see CISOs highlighted for more potential liability, more than we did in the past,” he said.

“The plaintiff attorneys love these types of scenarios, and I expect they will be eager to file suits when there is a pattern or appearance of a wrongful act,” said James Rizzo, underwriter for US executive risk at Beazley.

“There’s definitely coverage” under D&O policies, which are “really designed to provide protection to high-level executives,” said Matthew McLellan, managing director and D&O product leader for Marsh.

However, CISOs “really need to confirm whether they are an officer of the company, and, if not, they should push to ensure they’re affirmatively insured under the D&O policy”, advised Sarah Downey, managing director at Lockton.

“The question is whether a CISO is an executive as defined by that policy or that carrier,” Fine said. The definitions of officers in public company D&O policies “are surprisingly unclear”, he added.

One would assume that if you are an official you are definitely an insured executive, Fine said. “But as you go down the line” that becomes less clear, “which is why many insureds are now seeking more clarity about the status of CISO coverage”, he said.

If a CISO does not qualify as a company officer indemnified under the company’s D&O policy, they should seek to have an endorsement added to provide that coverage, Downey said. “The markets are amenable to that,” she explained.

There’s “an openness and willingness” to answer questions, revisit policy language and make changes, McLellan said.

Arturo Perez-Reyes, senior vice-president and cyber strategist at US-based Newfront Insurance, said this is less of an issue for private company D&O policies, which are more broadly worded than those for public companies.

David B. Anderson, vice president of cyber at Woodruff Sawyer & Co, said there may be a problem for those who function as CISOs at small companies, but do not necessarily have the title.

“There are so many committed, caring professionals who are doing the job” of CISO but have titles such as senior vice-president of networks, he said.

“You really need to make sure” D&O insurance coverage includes those who act as the functional equivalent of CISOs, and work with brokers “to ensure that any cyber-related exclusions are as limited as possible”, Anderson said.

Another concern is third-party contractors who may function as companies’ CISO, Rizzo said.

Companies “might want to look at some sort of external professional liability product” to ensure these contractors are indemnified, he said.

This article first appeared on our sister website Business Insurance.