Are CISOs protected? – WTW
WTW – Larry Fine
The Securities and Exchange Commission (SEC) filed a lawsuit against SolarWinds Corp. and its CISO, Tim Brown, in connection with alleged misstatements and deceptive practices related to the company’s cybersecurity following the 2020 supply chain cyberattack.
This lawsuit is notable as the first time the SEC has sued a company that was a victim of a cyberattack and the first time the SEC has sued a CISO.
The SEC attributed accountability to the CISO, alleging their involvement in disseminating misleading information about the company’s security practices.
In addition to financial relief, the SEC seeks a permanent ban on officer and director roles for the SolarWinds CISO.
CISOs are now evaluating their protection, especially concerning Cyber and D&O insurance.
Typically, CISOs are insured under cyber policies as employees of the insured entity, often with coverage for third-party liability for regulatory actions related to security or privacy.
However, most cyber policies contain securities violation exclusions, potentially limiting coverage for regulatory actions related to securities laws.
As a result, D&O policies are likely to be more responsive to securities-related claims.
CISOs at private companies and non-profit entities are typically covered under D&O policies in the same way as all other employees, without specific distinctions for executives.
However, at public companies, the definition of “Directors and Officers” can be contentious.
Further complexity arises for CISOs who might be classed as independent contractors and therefore need negotiated endorsements for full coverage.
The evolving exposures for CISOs necessitate a thorough evaluation of cyber and D&O policies.
Measures such as enhancing coverage and coordinating policies could provide substantial protection for CISOs in light of these developments.
Link: https://www.wtwco.com/en-us/insights/2023/11/are-cisos-protected