Chief Information Security Officers (CISOs) face a variety of daily challenges, including defending against constant attacks from cybercriminals, finding misconfigured servers, and presenting to their corporate boards of directors to raise additional funding to meet regulatory requirements and prevent zero-day attacks. Now they have a new worry: finding personal insurance coverage against cyber liability where they are not covered by a corporate directors and officers (D&O) insurance policy.
According to the “Global Chief Information Security Officer (CISO) Survey 2023” from executive search firm Heidrick & Struggles, 38% of CISOs are not covered by their organization’s D&O insurance and another 18% don’t know if they’re covered. Additionally, 55% of respondents said they were not covered by a severance package.
“The best-positioned CISOs should be able to ensure executive-level protections that allow them to do their jobs without the risk of career risks,” the report states.
Don’t accept all the responsibility, none of the power
New Securities and Exchange Commission regulations now place personal liability for data breaches on CISOs, notes David Anderson, vice president of cyber liability at Woodruff Sawyer, a national insurance brokerage firm.
“[CISOs] can’t create the funding for solutions to solve the [cybersecurity] problems. They personally can’t do what the regulator wants,” she says. “And yet, you know, now they have this target on their backs.”
CISOs find themselves in a conundrum where they have all the responsibility to stop cyberattacks, but lack the authority to fund technology defenses and hire the workforce required by regulations.
An item published on the Institute for Applied Network Security (IANS) blog details the situations CISOs and CSOs face when it comes to regulatory liability.
“Many corporate statutes do not consider the CISO to be a corporate officer and, therefore, CISOs may not be covered by D&O insurance,” the organization noted. “Some jurisdictions do not allow CISOs to serve as corporate directors, which also reduces the likelihood of being covered by D&O insurance. Ineligibility does not reduce risk.”
Negotiate insurance coverage
The first question a potential CISO should ask when interviewing for the position is whether the job is covered by company D&O insurance, says James Tuplin, senior vice president and international cyber lead at Mosaic Insurance in London. If not, the candidate should insist on it as a condition of employment.
Because of new regulatory requirements, D&O coverage for CISOs is now a must, rather than a nice-to-have, in compensation packages, says Deron Grzetich, head of cybersecurity at consultancy West Monroe Partners. However, like any negotiable compensation component, this has become an issue for budding security professionals who may be balancing personal risk against the opportunity to finally earn the title of CISO.
Ultimately, if the CISO can’t get coverage through a company policy, they need to find their own policy, Grzetich says.
“But I think that raises the question: If the liability is due to my employment with the organization or company, why doesn’t the company pay for it versus the individual?” he says.
Grzetich’s concern is that, if a company is not willing to cover the CISO – especially considering that adding a person to a company policy has a relatively low cost – then what are the company’s priorities, and how strongly will it defend the CISO in the event of a breach? Does the company truly value the CISO as a member of the executive team?
Grzetich has a simple solution if the company does not provide D&O coverage for the CISO.
“Don’t take the title of CISO. Take the title of director of cybersecurity, get paid the same, and reduce your liability too,” he advises.