In the not-so-distant past, the role of chief information security officer (CISO) was either non-existent or an afterthought at many top companies. Fast-forward to today's digital and interconnected world, where the average cost of a data breach in the United States exceeds $9 million, and the CISO's role in designing and implementing a robust cybersecurity program has never been more vital.
Despite this critical work, CISOs and related C-suite executives, such as chief information officers or chief privacy officers, may be overlooked when it comes to ensuring adequate indemnification protections and insurance coverage under cyber insurance policies (which CISOs may have a hand in reviewing prior to binding) and directors and officers (D&O) liability policies. The case of former Uber CISO Joe Sullivan, who was recently convicted of obstructing justice and failing to report a crime in connection with Uber's 2016 breach, highlights the need for such protections.
D&O insurance protects the personal assets of officers, directors, and other key personnel from personal liability if the company is unable or unwilling to indemnify them. Of course, like any other contract, the terms of the policy will dictate coverage. But CISOs and companies must ask themselves whether the company’s standard form D&O policies adequately protect CISOs or whether changes or additions to coverage are required to catch up to today’s modern cybersecurity environment.
Are CISOs insured persons?
Companies have to consider if CISOs are even covered individuals under standard D&O policies. The policy’s definition of “insured person” dictates those individuals who qualify for coverage.
D&O policies typically cover duly appointed or elected directors and officers. More likely than not, a CISO does not qualify as a "director." Directors are the members of the board, placed to oversee the company's business and affairs. A CISO who is later appointed to the board would of course be covered in that capacity, but in the CISO role alone, director coverage will not provide the protection a CISO requires.
CISOs as "officers" pose a different issue. In corporate organization charts, a CISO may be identified as a lower-level employee reporting to other C-level positions rather than as a true C-suite position. There is no universal definition of "officer," and bylaws, indemnification agreements, and state law may not clearly delineate the CISO role or where it fits within the company's hierarchy. This creates further confusion as to whether a CISO is an officer of the company for purposes of seeking indemnification or insurance protection under the company's charter, bylaws, or D&O insurance policy.
So what is the solution to make sure CISOs are insured persons under a D&O policy? Start by checking the D&O policy's definition of "insured person." More likely than not, CISOs are not expressly named as insured persons. If that is the case, clarify the company's bylaws or other organizational documents so that the CISO meets the definition, for example by making the CISO a duly appointed corporate officer. This would also typically ensure that in any proceeding brought against the CISO, the CISO would be indemnified and have his or her legal expenses advanced by the corporation pursuant to its charter or bylaws. Obtaining clarity on the CISO's status as an "officer" under the corporate governance documents is advisable, but the company should also obtain an endorsement to the D&O policy that specifically includes the CISO among the policy's insured persons. This removes any doubt from the policy itself and prevents an insurer from denying coverage on the basis that the CISO is not an insured person.
Strengthen defense coverage
Confirming insured person status is only part of the solution, since the protections afforded to insured persons are only as strong as the policy's coverage. Focus on the scope of the policy's defense coverage. D&O policies protect insureds not only from an adverse judgment or settlement, but also from the substantial litigation fees and expenses of defending against suits and other claims. But coverage for defense costs can come with limitations that prove costly, especially when individuals face six- or seven-figure legal bills. So even if a CISO is ultimately acquitted, the cost of securing that not guilty verdict could devastate personal finances in the absence of insurance.
Consider the criminal conduct exclusion, which bars coverage for claims arising out of deliberate criminal or fraudulent acts by the insured. Thankfully, most modern D&O policies include a "final adjudication" requirement that prevents an insurer from denying coverage until the prohibited criminal or fraudulent acts at issue are fully and finally adjudicated by a court. But not all policies are created equal, and criminal conduct exclusions and their final adjudication language vary greatly. For instance, does the exclusion allow for final adjudication only in the underlying proceeding, or in any proceeding (including an insurer's declaratory judgment action)? Is the exclusion limited to adjudications in "judicial" proceedings rather than any proceeding? That distinction matters when regulators pursue an administrative or regulatory action that ends in a settlement in which the government requires the individual to admit to certain wrongdoing as a condition of settling: such an admission is not a judicial adjudication, and a narrowly drafted exclusion will not let the insurer treat it as one.
The above permutations of the final adjudication trigger highlight just one insurance provision that companies can significantly strengthen through endorsements at renewal, often preserving thousands or even millions of dollars in defense coverage, to further protect CISOs and similarly situated insureds.
Other provisions and policies
These issues are just a few of the considerations a CISO must weigh when evaluating coverage under a D&O policy. A host of other terms may come into play, including exclusions for cyber breach, electronic publication, invasion of privacy, and consumer protection statutes. If an insurer funds the defense of criminal charges against a CISO, can it later seek repayment of those amounts and, if so, on what terms? If the insurer breaches its obligations to defend or indemnify a CISO, can the CISO file suit in his or her preferred venue, or does the policy require that all disputes be resolved in the insurer's preferred arbitration forum? The list goes on.
In addition to the varied terms within each policy, this discussion covers only one type of policy. Most companies employing CISOs will also carry cyber, errors and omissions (E&O), and employment practices liability (EPL) policies, among many others, that may work in tandem to fill gaps in coverage, and similar coverage issues for CISOs will arise under all of them. Indeed, cyber-specific insurance policies contain the same criminal conduct/willful violation of law exclusion as D&O policies. For those cyber-specific policies, it is equally important to ensure that the exclusion is carved back to require the insurer to defend the CISO until there is a final adjudication of such conduct in the underlying court proceeding.
Where multiple policies are in place, a robust executive protection program requires coordination between them to minimize uninsured losses and maximize recovery. In the event of a major cyber incident, many insureds quickly exhaust the limits of their cyber-specific policies. Directors and officers are then left relying on the D&O program having sufficient limits, adequate coverage terms, and no cyber exclusions to respond to the follow-on lawsuits, regulatory actions, and other liabilities that follow a cyber incident.
The best time to ensure that the organization's insurance program adequately covers CISOs and other information and privacy executives is at policy placement or renewal. Of course, it is never too early to start discussions with experienced coverage counsel, brokers, and other risk professionals to evaluate existing coverage and determine whether improvements are needed to meet the civil, and potentially criminal, liability CISOs may face following a major incident. Evaluating this type of coverage has also become an increasingly important step for CISOs considering an employment offer from a new company.
Andrea DeField, Geoffrey B. Fehling, and Shafkat Rakib are attorneys at the law firm Hunton Andrews Kurth.