D&O liability protection rising for security leaders — unless you’re a midtier CISO

Smaller firms are far less likely than multinationals to protect their CISOs from personal liability for security breaches, according to a study by RSAC.

Experts quizzed by CSO said the finding was concerning because without protection CISOs face legal and financial risk tied to decisions made in their role.

The vast majority (88%) of CISOs from Fortune 1000 firms are legally indemnified by their companies, but this figure drops to just 53% for CISOs from organizations with 500 or more employees, according to the survey by RSAC (formerly RSA Conference).

Directors’ and officers’ (D&O) insurance is the most common indemnification vehicle for both groups, and 70% of the Fortune 1000 CISOs surveyed report being covered by it.

Kelly Rittenberry Culhane, co-founder of CM Law, told CSO the finding is a concern for security leaders and midsize employers alike, given that, midsize or multinational, organizations face similar risks.

“While the complexity and scale of operations may differ in a midsize company, the cybersecurity risks — ransomware, data breaches, regulatory compliance failures — are equally severe,” Rittenberry Culhane says. “Without indemnification, CISOs risk personal liability, which can deter highly qualified professionals from accepting these roles.”

As a result, midsize organizations put themselves at greater risk by failing to protect their top security leader from personal liability.

D&O for CISOs on the rise

CISOs have the potential for more than one safety net, the first of which is a company’s indemnification provisions — rules typically embedded in the company’s articles of incorporation and bylaws.

“The language of a company’s indemnification provisions must be properly worded — typically achieved by the general counsel and a board vote — to provide indemnification for a CISO equal to every other director or officer of a company,” explains John Peterson of World Insurance Associates, a provider of employment practice liability insurance.

The second safety net for a CISO is the D&O liability insurance policy procured by the CISO’s company through an insurance broker. Even when a company has D&O insurance in place, Peterson advises CISOs to review those policies to make sure they are covered as an “insured person.”

According to the latest IANS Research + Artico Search’s CISO Compensation Report, inclusion of CISOs in D&O insurance policies is increasing.

More than 50% of CISOs in the US and Canada received this insurance benefit as part of their compensation package, according to the 2025 edition of the study. This figure is up from the 40% who said they received this protection in last year’s edition of the CISO Compensation Report.

One in 5 CISOs also reported to IANS Research that they have access to external counsel — typically for investigations or audits.

A question of indemnity

But Ryan Griffin, US cyber leader at insurance broker McGill and Partners, points out that the difference between D&O insurance and a direct indemnification agreement is often misunderstood.

“The most crucial tool for a CISO’s protection is the indemnification agreement with their employer,” Griffin explains. “The D&O policy is how the company pays to protect its officer, but the indemnification agreement is what actually legally guarantees that protection.”

Without a formal indemnification agreement, CISOs are at great risk, Griffin warns.

“They would be responsible for covering their own legal defense costs, forcing them to rely on personal savings or a personal umbrella insurance policy,” Griffin tells CSO. “Beyond the financial hit, their career could be severely damaged.”

Griffin adds: “An enforcement action, even if it’s ultimately dismissed, could result in penalties that bar them from serving as an officer for a public company for years, which seriously limits future job prospects.”

Blame game

Central to the issue as well is accountability, which almost always lands on the shoulders of the person perceived to be “in charge of security,” according to Kenrick Bagnall, president and co-founder of RB-Cyber Assurance.

“Whether that’s the CISO of a Fortune 500 company or the sole IT director of a 100-person manufacturing firm, when things go wrong, someone has to answer for it,” says Bagnall, a former detective constable with the Toronto Police Service.

The difference between a multinational and a midsize company isn’t the exposure, Bagnall says; it’s the resources.

While enterprise CISOs often have access to legal teams and crisis PR advisors to help shield them, a midsize firm often relies on one or two people (sometimes a few more) wearing multiple hats, with compliance, IT, and security all rolled into one.

This can become an issue because “regulators, customers, and even the courts won’t lower the expectations just because the company is smaller,” Bagnall says.

“Without legal protection, CISOs face significant personal and professional risk,” Bagnall said. “They can be blamed for systemic failures outside of their control — things like legacy systems that were never budgeted for replacement, or business units that refuse to adopt security controls because they’re ‘too disruptive.’”

SolarWinds case continues to cast lingering shadow

The SEC’s 2023 lawsuit against SolarWinds’ CISO Timothy Brown, over allegations that he misled investors and failed to accurately report the vendor’s cybersecurity measures, is far from an isolated case. Even though the ultimate dismissal of this high-profile lawsuit eased immediate fears that many CISOs might be held personally liable for security incidents, the issue has far from gone away.

“Cybersecurity leaders are increasingly held accountable for breaches and their handling of incidents,” CM Law’s Rittenberry Culhane says. “Regulatory bodies, shareholders, and courts are naming CISOs in lawsuits — even when they acted in good faith.”

Midsize companies tend to have more limited legal and compliance resources, making indemnity insurance even more important as a potential safety net for security professionals employed by midrange firms.

“D&O insurance should always be obtained but that doesn’t always cover all the risk,” Rittenberry Culhane says.

Rittenberry Culhane, a former general counsel turned attorney whose practice specializes in advising corporations on risk management and insurance, offered CISOs a best practice checklist:

- Confirm CISO coverage under your D&O policy
- Review policy limits and exclusions for cyber-related claims
- Consider supplemental indemnification agreements for CISOs and security leaders
- Align indemnity provisions with incident response and disclosure policies

For more, see “Navigating personal liability: post data-breach recommendations for CISOs.”

Governance structures need revamping

The CISO role has evolved faster than the governance structures that protect it, according to RB-Cyber Assurance’s Bagnall.

“We now ask security leaders to be part strategist, part technologist, part crisis responder, and part scapegoat,” Bagnall says. “Until organizations, especially midsized ones, recognize that and build legal and contractual protections accordingly, we’ll continue to see talented leaders hesitate to take on these roles, resulting in organizations of all sizes not getting the proper tech and information security guidance they need.”

“The CISO isn’t just defending the network — they’re defending the business’s reputation, its trust, and its future,” Bagnall adds. “That responsibility deserves protection.”
