A question of indemnity

But Ryan Griffin, US cyber leader at insurance broker McGill and Partners, points out that the difference between D&O insurance and a direct indemnification agreement is often misunderstood.

“The most crucial tool for a CISO’s protection is the indemnification agreement with their employer,” Griffin explains. “The D&O policy is how the company pays to protect its officer, but the indemnification agreement is what actually legally guarantees that protection.”

Without a formal indemnification agreement, CISOs are at great risk, Griffin warns.

“They would be responsible for covering their own legal defense costs, forcing them to rely on personal savings or a personal umbrella insurance policy,” Griffin tells CSO. “Beyond the financial hit, their career could be severely damaged.”

Griffin adds: “An enforcement action, even if it’s ultimately dismissed, could result in penalties that bar them from serving as an officer for a public company for years, which seriously limits future job prospects.”
Blame game

Central to the issue as well is accountability, which almost always lands on the shoulders of the person perceived to be “in charge of security,” according to Kenrick Bagnall, president and co-founder of RB-Cyber Assurance.

“Whether that’s the CISO of a Fortune 500 company or the sole IT director of a 100-person manufacturing firm, when things go wrong, someone has to answer for it,” says Bagnall, a former detective constable with the Toronto Police Service.

The difference between a multinational and a midsize company isn’t the exposure, Bagnall says; it’s the resources. While enterprise CISOs often have access to legal teams and crisis PR advisors to help shield them, a midrange firm often has one or two people, possibly more, wearing multiple hats, like compliance, IT, and security all rolled into one. This can become an issue because “regulators, customers, and even the courts won’t lower the expectations just because the company is smaller,” Bagnall says.

“Without legal protection, CISOs face significant personal and professional risk,” Bagnall said. “They can be blamed for systemic failures outside of their control, things like legacy systems that were never budgeted for replacement, or business units that refuse to adopt security controls because they’re ‘too disruptive.’”
SolarWinds case continues to cast lingering shadow

The SEC’s 2023 lawsuit against SolarWinds’ CISO Timothy Brown over allegations that he misled investors and failed to accurately report the vendor’s cybersecurity measures is far from an isolated case. Even though the ultimate dismissal of this high-profile lawsuit eased immediate fears that many CISOs might be held personally liable for security incidents, the issue has far from gone away.

“Cybersecurity leaders are increasingly held accountable for breaches and their handling of incidents,” CM Law’s Rittenberry Culhane says. “Regulatory bodies, shareholders, and courts are naming CISOs in lawsuits, even when they acted in good faith.”

Midsize companies tend to have more limited legal and compliance resources, making indemnity insurance even more important as a potential safety net for security professionals employed by midrange firms.

“D&O insurance should always be obtained but that doesn’t always cover all the risk,” Rittenberry Culhane says.

Rittenberry Culhane, a former general counsel turned attorney whose practice specializes in advising corporations on risk management and insurance, offered CISOs a best practice checklist:

- Confirm CISO coverage under your D&O policy
- Review policy limits and exclusions for cyber-related claims
- Consider supplemental indemnification agreements for CISOs and security leaders
- Align indemnity provisions with incident response and disclosure policies

For more, see “Navigating personal liability: post data-breach recommendations for CISOs.”
Governance structures need revamping

The CISO role has evolved faster than the governance structures that protect it, according to RB-Cyber Assurance’s Bagnall.

“We now ask security leaders to be part strategist, part technologist, part crisis responder, and part scapegoat,” Bagnall says. “Until organizations, especially midsized ones, recognize that and build legal and contractual protections accordingly, we’ll continue to see talented leaders hesitate to take on these roles, resulting in organizations of all sizes not getting the proper tech and information security guidance they need.”

“The CISO isn’t just defending the network, they’re defending the business’s reputation, its trust, and its future,” Bagnall adds. “That responsibility deserves protection.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4107332/do-liability-protection-rising-for-security-leaders-unless-youre-a-midtier-ciso.html