{"id":6255,"date":"2025-12-18T07:00:00","date_gmt":"2025-12-18T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6255"},"modified":"2025-12-18T07:00:00","modified_gmt":"2025-12-18T07:00:00","slug":"do-liability-protection-rising-for-security-leaders-unless-youre-a-midtier-ciso","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6255","title":{"rendered":"D&amp;O liability protection rising for security leaders \u2014 unless you\u2019re a midtier CISO"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Smaller firms are far less likely than multinationals to <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">protect their CISOs from personal liability<\/a> for security breaches, according to a study by RSAC.<\/p>\n<p>Experts quizzed by CSO said the finding was concerning because without protection <a href=\"https:\/\/www.csoonline.com\/article\/3631759\/personal-liability-sours-70-of-cisos-on-their-role.html\">CISOs face legal and financial risk<\/a> tied to decisions made in their role.<\/p>\n<p>The vast majority (88%) of CISOs from Fortune 1000 firms are legally indemnified by their companies, but this figure drops to just 53% for CISOs from organizations with 500 or more employees, <a href=\"https:\/\/www.rsaconference.com\/library\/research\/rsac-cybersecurity-insights-futures-volume-3\">according to the survey by RSAC<\/a> (formerly RSA Conference).<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/2512968\/if-youre-a-ciso-without-do-insurance-you-may-need-to-fight-for-it.html\">Directors\u2019 and officers\u2019 (D&amp;O) insurance<\/a> is the most common indemnification vehicle for both groups, and 70% of the Fortune 1000 CISOs surveyed report being covered by 
it.<\/p>\n<p><a href=\"https:\/\/www.cm.law\/people\/kelly-culhane\/\">Kelly Rittenberry Culhane<\/a>, co-founder of CM Law, told CSO the finding is a concern for security leaders and midsize employers alike, given that, midsize or multinational, organizations face similar risks.<\/p>\n<p>\u201cWhile the complexity and scale of operations may differ in a midsize company, the cybersecurity risks \u2014 ransomware, data breaches, regulatory compliance failures \u2014 are equally severe,\u201d Rittenberry Culhane says. \u201cWithout indemnification, CISOs risk personal liability, which can deter highly qualified professionals from accepting these roles.\u201d<\/p>\n<p>As a result, midsize organizations put themselves at greater risk by not offering personal liability protection to the top security leader they employ.<\/p>\n<h2 class=\"wp-block-heading\">D&amp;O for CISOs on the rise<\/h2>\n<p>CISOs have the potential for more than one safety net, the first of which is a company\u2019s indemnification provisions \u2014 rules typically embedded in the company\u2019s articles of incorporation and bylaws.<\/p>\n<p>\u201cThe language of a company\u2019s indemnification provisions must be properly worded \u2014 typically achieved by the general counsel and a board vote \u2014 to provide indemnification for a CISO equal to every other director or officer of a company,\u201d explains <a href=\"https:\/\/www.linkedin.com\/in\/john-peterson-15330975\/\">John Peterson<\/a> of World Insurance Associates, a provider of employment practice liability insurance.<\/p>\n<p>The second safety net for a CISO is the D&amp;O liability insurance policy procured by the CISO\u2019s company through an insurance broker. 
Even when a company has D&amp;O insurance in place, Peterson advises CISOs to review those policies to make sure they are covered as an \u201cinsured person.\u201d<\/p>\n<p>According to the <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/new-report-from-ians-and-artico-search-shows-6.7--rise-in-ciso-compensation-in-2025-amid-economic-uncertainty-and-evolving-digital-risk\">latest IANS Research + Artico Search\u2019s CISO Compensation Report<\/a>, inclusion of CISOs in D&amp;O insurance policies is increasing.<\/p>\n<p>More than 50% of CISOs in the US and Canada received this insurance benefit as part of their compensation package, according to the 2025 edition of the study. This figure is up from the 40% who said they received this protection in last year\u2019s edition of the CISO Compensation Report.<\/p>\n<p>One in 5 CISOs also reported to IANS Research that they have access to external counsel \u2014 typically for investigations or audits.<\/p>\n<h2 class=\"wp-block-heading\">A question of indemnity<\/h2>\n<p>But <a href=\"https:\/\/mcgillpartners.com\/team?member=1864\">Ryan Griffin<\/a>, US cyber leader at insurance broker McGill and Partners, points out that the difference between D&amp;O insurance and a direct indemnification agreement is often misunderstood.<\/p>\n<p>\u201cThe most crucial tool for a CISO\u2019s protection is the indemnification agreement with their employer,\u201d Griffin explains. \u201cThe D&amp;O policy is how the company pays to protect its officer, but the indemnification agreement is what actually legally guarantees that protection.\u201d<\/p>\n<p>Without a formal indemnification agreement, CISOs are at great risk, Griffin warns.<\/p>\n<p>\u201cThey would be responsible for covering their own legal defense costs, forcing them to rely on personal savings or a personal umbrella insurance policy,\u201d Griffin tells CSO. 
\u201cBeyond the financial hit, their career could be severely damaged.\u201d<\/p>\n<p>Griffin adds: \u201cAn enforcement action, even if it\u2019s ultimately dismissed, could result in penalties that bar them from serving as an officer for a public company for years, which seriously limits future job prospects.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Blame game<\/h2>\n<p>Central to the issue as well is accountability, which almost always lands on the shoulders of the person perceived to be \u201cin charge of security,\u201d according to <a href=\"https:\/\/www.linkedin.com\/in\/kenrickbagnall\/?originalSubdomain=ca\">Kenrick Bagnall<\/a>, president and co-founder of RB-Cyber Assurance.<\/p>\n<p>\u201cWhether that\u2019s the CISO of a Fortune 500 company or the sole IT director of a 100-person manufacturing firm, when things go wrong, someone has to answer for it,\u201d says Bagnall, a former detective constable with the Toronto Police Service.<\/p>\n<p>The difference between a multinational and a midsize company isn\u2019t the exposure, Bagnall says; it\u2019s the resources.<\/p>\n<p>While enterprise CISOs often have access to legal teams and crisis PR advisors to help shield them, a midrange firm often has one or two people \u2014 possibly more \u2014 wearing multiple hats, like <a href=\"https:\/\/www.csoonline.com\/article\/4050232\/pressure-on-cisos-to-stay-silent-about-security-incidents-growing.html\">compliance<\/a>, IT, and security all rolled into one.<\/p>\n<p>This can become an issue because \u201cregulators, customers, and even the courts won\u2019t lower the expectations just because the company is smaller,\u201d Bagnall says.<\/p>\n<p>\u201cWithout legal protection, CISOs face significant personal and professional risk,\u201d Bagnall said. 
\u201cThey can be blamed for systemic failures outside of their control \u2014 things like legacy systems that were never budgeted for replacement, or business units that refuse to adopt security controls because they\u2019re \u2018too disruptive.\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\">SolarWinds case continues to cast lingering shadow<\/h2>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/1302388\/solarwinds-calls-sec-charges-unfounded-and-inexplicable-files-for-dismissal.html\">SEC\u2019s 2023 lawsuit against SolarWinds\u2019 CISO Timothy Brown<\/a> over allegations that he misled investors and failed to accurately report the vendor\u2019s cybersecurity measures is far from an isolated case. Even though the ultimate dismissal of this high-profile lawsuit eased immediate fears that many <a href=\"https:\/\/www.csoonline.com\/article\/569923\/uber-breach-case-a-watershed-moment-for-cisos-liability-risk.html\">CISOs might be held personally liable for security incidents<\/a>, the issue has far from gone away.<\/p>\n<p>\u201cCybersecurity leaders are increasingly held accountable for breaches and their handling of incidents,\u201d CM Law\u2019s Rittenberry Culhane says. 
\u201cRegulatory bodies, shareholders, and courts are naming CISOs in lawsuits \u2014 even when they acted in good faith.\u201d<\/p>\n<p>Midsize companies tend to have more limited legal and compliance resources, making indemnity insurance even more important as a potential safety net for security professionals employed by midrange firms.<\/p>\n<p>\u201cD&amp;O insurance should always be obtained but that doesn\u2019t always cover all the risk,\u201d Rittenberry Culhane says.<\/p>\n<p>Rittenberry Culhane, a former general counsel turned attorney whose practice specializes in advising corporations on risk management and insurance, offered CISOs a best practice checklist:<\/p>\n<ul>\n<li>Confirm CISO coverage under your D&amp;O policy<\/li>\n<li>Review policy limits and exclusions for cyber-related claims<\/li>\n<li>Consider supplemental indemnification agreements for CISOs and security leaders<\/li>\n<li>Align indemnity provisions with incident response and disclosure policies<\/li>\n<\/ul>\n<p>For more, see \u201c<a href=\"https:\/\/www.csoonline.com\/article\/2092069\/navigating-personal-liability-post-data-breach-recommendations-for-cisos.html\">Navigating personal liability: post data-breach recommendations for CISOs<\/a>.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Governance structures need revamping<\/h2>\n<p>The CISO role has evolved faster than the governance structures that protect it, according to RB-Cyber Assurance\u2019s Bagnall.<\/p>\n<p>\u201cWe now ask security leaders to be part strategist, part technologist, part crisis responder, and part scapegoat,\u201d Bagnall says. 
\u201cUntil organizations, especially midsized ones, recognize that and build legal and contractual protections accordingly, we\u2019ll continue to see talented leaders hesitate to take on these roles, resulting in organizations of all sizes not getting the proper tech and information security guidance they need.\u201d<\/p>\n<p>\u201cThe CISO isn\u2019t just defending the network \u2014 they\u2019re defending the business\u2019s reputation, its trust, and its future,\u201d Bagnall adds. \u201cThat responsibility deserves protection.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Smaller firms are far less likely than multinationals to protect their CISOs from personal liability for security breaches, according to a study by RSAC. Experts quizzed by CSO said the finding was concerning because without protection CISOs face legal and financial risk tied to decisions made in their role. The vast majority (88%) of CISOs [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6256,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6255","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6255"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6255"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6255\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp
\/v2\/media\/6256"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}