
Why CISOs need enhanced legal protections in the age of breach lawsuits


When I began my legal career, I spent countless hours defending corporate officers and directors accused of securities fraud — making false or misleading statements or omissions to deceive investors for financial gain.

Today, CISOs face a range of legal issues around the financial impact of high-profile data breaches.

Many of these cases have the same feel. Back in the day, and even now, the dance with a plaintiff’s attorney works almost the same way every time:

The games begin when X Corp issues a formal “restatement,” after determining that its previously filed financial statements contained inaccuracies and that, as a result, X Corp was not as profitable as had been previously reported. 

Almost immediately after the restatement is filed, plaintiffs' law firms purporting to represent shareholders of X Corp swoop down, filing shareholder class actions against the company and its officers and directors, alleging that they knew all along that X Corp's profits were inflated and that they knowingly concealed this fact from shareholders, often while selling their own shares of X Corp.

Different plaintiffs' law firms would then bring separate "shareholder derivative actions" on the corporation's behalf, lawsuits alleging that the corporation's officers and directors breached their fiduciary duties by not adequately investigating and responding to the alleged fraud on their own.

Around the same time, X Corp would typically receive a letter from the Securities and Exchange Commission (SEC) opening an investigation into the matter and requesting a large volume of documents from the company. That investigation might eventually lead to a civil enforcement action.

The company might receive a similar letter from the Financial Industry Regulatory Authority (FINRA), a self-regulatory body for the U.S. securities industry. The company's officers and directors might also receive inquiries from the U.S. Department of Justice (DOJ), which could lead to a criminal indictment, and potentially from other state and federal regulators.

While some of these claims certainly had merit, many of the regulatory investigations ended without any charge of wrongdoing, and most of the litigation was dismissed or settled. Only a tiny fraction of these claims went to trial and ended in a finding of wrongdoing.

Nonetheless, these claims were extremely expensive to defend, even those with little merit. It was not uncommon to run up millions of dollars in legal fees defending a single corporate officer. That does not include the settlement, which, even at "nuisance value" — typically an amount less than or equal to what it would cost to litigate the case — might run into the tens or, in rare instances, even hundreds of millions of dollars.

Corporate officers and directors were aware that if they served in these roles for long enough, they would eventually find themselves as defendants in similar litigation and/or investigations. Thus, over time, it became standard for corporate officers and directors to receive certain contractual protections to reduce this risk: 

Right of Defense: This provision requires the company to provide a corporate officer or director with a broad right of defense, meaning that if he or she becomes involved in any legal proceeding, investigation, or claim arising out of his or her duties, the company must promptly provide legal representation and cover all reasonable legal expenses, including attorney fees, court costs, and related expenses.

An acquaintance of mine recently became the subject of an aggressive regulatory investigation, which lasted multiple years, but ultimately ended in his exoneration. His legal bills, however, exceeded $10 million, so if they were not covered by his employer, there would have been no way he could have afforded to be vindicated. 

Indemnification: This provision requires the company to indemnify and hold the officer or director harmless to the fullest extent permitted by applicable law. This includes indemnification for any judgments, settlements, damages, liabilities, expenses, or other losses reasonably incurred by the officer or director in connection with his or her role, as long as he or she acted in good faith and in a manner reasonably believed to be in the best interests of the company. The vast majority of these class actions and enforcement actions end in settlement, but those settlements can cost tens or hundreds of millions of dollars, so there are few (if any) CISOs who could meaningfully contribute to such a settlement.

D&O Coverage: This provision requires the officer or director’s employer to maintain a directors and officers liability insurance policy (D&O policy), which includes coverage for him or her. The D&O policy would offer coverage for defense costs, settlements, judgments, and other liabilities incurred by the officer or director in connection with claims arising out of his or her role, subject to the terms and conditions of the policy. It’s important to have D&O coverage because without adequate insurance coverage, an officer or director’s company might not have sufficient funds to appropriately defend and indemnify him or her.   

CISOs in the crosshairs   

Historically, these protections were primarily afforded to CEOs, CFOs, COOs, and board members, as they were the corporate officers most likely to need these protections. With the SEC poised to require all SEC registrants to issue detailed disclosures regarding their cybersecurity management, strategy, governance, expertise, and incidents, CISOs will soon find themselves in the crosshairs. 

Once all SEC registrants are required to publicly disclose detailed information about their cybersecurity programs and governance, it's safe to assume that as soon as these companies disclose a material breach, plaintiffs' law firms will treat the breach the way they treat a restatement and immediately bring class actions alleging that the company and its CISO made material misstatements and omissions when they touted the strength of their security program in corporate filings. And the regulators are likely to follow.

Indeed, the CISO at SolarWinds was already individually named in a shareholder class action suit alleging violations of the Securities Exchange Act. The case was ultimately settled for $26 million. In addition, the SEC recently sent this same CISO a Wells Notice indicating that it may file a civil enforcement action against him alleging violations of certain provisions of the U.S. federal securities laws.

Given the increased regulatory focus on cybersecurity, coupled with the fact that even the best CISO cannot prevent every breach, it’s important that companies start affording CISOs the same protections they offer more traditional corporate officers and directors. They should not limit these protections to CISOs of public companies as, based on prior experience, it’s likely regulators and civil plaintiffs will also take an aggressive stance when it comes to private organizations.

Some have argued that such protections for CISOs are expensive and unnecessary, but neither is true. If CISOs are actually at minimal risk, as some have argued, then these protections will cost little, so there should be no obstacle to offering them.

Brian Levine, co-lead, cybersecurity and data privacy practice, EY  
