CISO Protection

The Importance of D&O Insurance for CISOs

Hitch Partners believes CISOs must be named in their company's Directors and Officers (D&O) Policy, and over the last few years, we have worked hard to ensure that 90% of our placements are covered. Notably, during our most recent CISO survey, we discovered that only 42% of public company CISOs polled are covered, a statistic made all the more alarming when considering the number of recent, high-profile incidents. The July 26, 2023, SEC ruling further highlighted the increased exposure to CISOs.

The significance of the D&O Policy in shaping the future of the CISO role cannot be overstated.

The role of a CISO continues to evolve as technology and information security threats advance, and their exposure to legal and regulatory ramifications in the event of a security breach or data mishap is more substantial than ever. The SEC's recent ruling is emblematic of a regulatory shift recognizing a CISO's direct involvement in areas that transcend technological operations and directly impact a company's governance and financial stability. This legal perspective increases CISOs' accountability and further emphasizes the importance of coverage in D&O Policies.

In conclusion, Hitch Partners underscores the criticality of including CISOs in a company's D&O Policy, a practice we have diligently championed. The recent survey results and regulatory developments highlight the urgency of rectifying the prevailing low percentage of CISOs covered by D&O Policies. As the information security landscape continues to evolve, aligning insurance practices with the evolving roles of key personnel is indispensable to comprehensive risk management and corporate governance.


TechTarget highlighted takeaways from a panel discussion at the 2023 RSA Conference, outlining several ways to mitigate CISO liability (see the full article at the bottom of the page)

"The CISO's job is not to lawyer breaches -- it's to remediate them and respond to them," Stewart Baker, cybersecurity and data protection lawyer.

DEFINE YOUR LANE

Staying in your lane means educating business executives on a given situation's risks, offering context and recommendations and no more.

"Let's talk about the edge of your lane: You're not there to make business decisions," Alyssa Miller, CISO for Epiq Global, said. "Make them make those decisions."

TREAT SECRETS AS RED FLAGS

To minimize CISO liability issues, remember that the cover-up is worse than the crime.

Miller suggested security leaders stay alert for one major red flag. "When you find yourself asking the question, 'How can we keep this a secret?' that should be your indication that maybe that's not the road you want to go down."

HOLD CRISIS COMMUNICATION TABLETOP DRILLS

Executives who have practiced thinking on their feet during crisis drills that focus on communications and ethical dilemmas will likely make better choices when the time comes.

GET IT IN WRITING

Most CISOs in the U.S. don't have employment contracts outlining the scope of their responsibilities and the legal protections their organizations afford them.

Another option for CISOs who do not have a formal employment contract is to articulate in their incident response plans who bears responsibility for making certain decisions.

FIND A PERSONAL LAWYER

The panelists reminded CISOs that corporate lawyers are not personal lawyers. A corporate lawyer’s first responsibility is to the company.

The best time to negotiate a contract is before accepting a job.

USE PRECISE TERMINOLOGY

Unilever CISO, Kirsten Davies urged CISOs to use language that accurately differentiates between security events, incidents, and breaches, saying, "If it's an actual breach, then there are regulatory requirements in certain jurisdictions."

"Stop using the term 'breach' unless your law department has said, 'This meets the legal threshold and definition.'" Kirsten Davies, Unilever CISO

Safeguard your Leadership