CISOs face D&O cover risks as hacks spread

Companies should review their directors and officers liability and cyber liability policies to ensure chief information security officers are adequately covered amid increased federal scrutiny of cyber breach reporting, experts say.

The executives face potential gaps in coverage with D&O policies typically excluding coverage for cyber-related events and cyber policies carving out securities-related claims, they say.

The interplay between D&O and cyber coverage is a critical issue in management liability, said Hartford, Connecticut-based Lee S. Siegel, an insurance coverage partner at Hurwitz Fine PC.

“D&O insurers don’t want to be cyber insurers and create backdoor coverage for claims that weren’t priced and included in the underwriting,” he said.

D&O insurers are trying to expand cyber exclusions to eliminate coverage for those claims, he said.

Data breaches and other hacks can result in securities claims and regulatory investigations necessitating D&O coverage and other losses that trigger a cyber policy.

The threat of business interruption losses caused by a cyber event may necessitate at least $10 million in coverage and have the potential to rapidly erode cyber limits before a subsequent regulatory action or putative class action arises, said Andrea DeField, a Miami-based insurance recovery partner at Hunton Andrews Kurth LLP.

In addition, cyber events are increasing, placing CISOs in the crosshairs of securities litigation and regulatory investigations, she said.

The executives face increased workloads resulting in exposure to more risks that would fall under both policies, Ms. DeField said.

Compliance with the U.S. Securities and Exchange Commission’s 2023 disclosure rule for cyber events requires regulated companies to determine materiality issues, leaving CISOs wondering about their own risks as the rule highlights company controls, she said.

CISOs are also becoming more involved in the insurance process.

“CISOs are now often tasked with reviewing or taking the lead on 90-page insurance applications for a cyber policy; so now they’re actually starting to think about insurance when, maybe a few years ago, that was completely siphoned off to the risk manager who was in charge of it, along with maybe legal or the CFO,” Ms. DeField said.

Because they are more involved in the process, they are advocating to ensure that they are covered, she said.

CISOs can also be subject to depositions if a party in litigation is unhappy with responses to a request for electronically stored information or the format in which it is produced, said Jonathan Meer, a New York-based insurance coverage partner at Wilson Elser Moskowitz Edelman & Dicker LLP.

The costs of responding to a CISO’s deposition would likely be covered by the insurer defending the case, said Washington-based Ruth Kochenderfer, D&O product leader for the U.S. and Canada at Marsh LLC.

Concern about D&O coverage for CISOs skyrocketed after the hack of Tulsa, Oklahoma-based software company SolarWinds was disclosed in December 2020 and the conviction of former Uber Technologies Inc. CISO Joseph Sullivan in October 2022 for covering up a 2014 data breach.

In October 2023, the SEC alleged SolarWinds and its CISO, Tim Brown, defrauded investors about the cybersecurity of its products and downplayed the severity of the attack. A federal judge in New York dismissed the SEC’s suit against SolarWinds and Mr. Brown in July.

Companies going public and smaller companies considering adding a CISO are also inquiring about D&O coverage for the role, Ms. Kochenderfer said.

Having a CISO added as an insured person can be as simple as adding an endorsement to a policy, said New York-based Peter Halprin, an insurance recovery partner at Haynes Boone LLP.

The endorsement should expressly state which C-suite executives are covered, Ms. DeField said.

“Don’t try and fit your board and executives into an ambiguous definition. It behooves both the policyholder and the insurer to have clarity in what the policy is going to cover, and that’s going to avoid coverage disputes,” she said.

Insurers have been receptive to requests to have CISOs added as an insured person under D&O policies, said San Francisco-based Nick Reider, deputy D&O products leader for the west region in the financial services group at Aon PLC.

In the current soft market for D&O coverage, buyers may also be successful if they push to narrow cyber exclusions, he said.

Companies seeking to fill coverage gaps for CISOs should also review their cyber policy and ask if any problematic regulatory exclusions can be removed, Ms. DeField said.

“Don’t put blinders on and look just at cyber or D&O. You have to understand how they work together and fill those gaps between policies with endorsements or another product,” she said.

Wordings key to ensuring protection

Having a chief information security officer added as a named insured under a directors and officers liability policy can be as simple as adding an endorsement, but there is a difference in how much coverage a named insured gets compared with a director or officer on the policy.

“Most policies give executive-level coverage, which is often the broadest, to duly appointed or elected directors and officers. The question to the client is, ‘Is your CISO a duly appointed or elected officer under your articles of incorporation or bylaws?’” said Washington-based Ruth Kochenderfer, D&O product leader for the U.S. and Canada at Marsh.

Private company CISOs generally have coverage similar to a duly appointed or elected director or officer, but if CISOs at a public company are not a duly appointed or elected director or officer, they typically have coverage only for securities-related claims unless the individual is a co-defendant with a board member or officer, she said.

Public company D&O policies typically include CEOs, chief financial officers, chief operating officers, general counsel and their “functional equivalents” as covered directors and officers.

The term “functional equivalent,” though, is rife with ambiguity because CISOs often report to board members, said Miami-based Andrea DeField, an insurance recovery partner at Hunton Andrews Kurth LLP.

“I could see an insurer saying that a functional equivalent does not include someone who reports up,” she said.

She recommends adding a clearly worded endorsement naming a CISO as a board member for D&O coverage.