Insurance Firm Introduces Liability Coverage for CISOs
2024-11-12 21:50:59 Author: securityboulevard.com (view original) Views: 3

A national insurance firm is offering liability insurance coverage for chief information security officers (CISOs), who are facing an increasingly complex cybersecurity landscape while often not being given the same legal protections as other officers in a corporation.

Crum and Forster, which offers a broad array of national property, casualty, accident, and health insurance programs, this week announced professional liability coverage for CISOs to better protect them against evolving federal government cybersecurity regulations and the possible criminal charges that can now arise from a data breach.

“CISOs are the front line of defense against cyber threats, yet their role may leave them exposed to personal liabilities – particularly in light of the Securities and Exchange Commission’s (SEC) new cyber disclosure rules,” Nick Economidis, senior vice president of eRisk at Crum and Forster, said in a statement. “Our CISO Professional Liability Insurance is designed to bridge that gap, providing an essential safety net by offering CISOs the protection they need to perform their jobs with confidence.”


The new insurance program by the Morristown, New Jersey-based insurance firm comes in the wake of charges against software maker SolarWinds and its CISO, Tim Brown, being dismissed by a federal court judge. The charges were made in connection with the massive software supply chain attack in 2020 by a threat group supported by Russia’s foreign intelligence services. In addition, former Uber Chief Security Officer Joseph Sullivan was last year placed on probation for three years and fined $50,000 for covering up a 2016 data breach involving the personal records of more than 50 million Uber customers and drivers.

Caught in a Bind

The court cases sent shockwaves through the rapidly evolving world of CISOs, who find themselves in a no-win situation: they are responsible for protecting their organizations against such breaches at a time when the number and sophistication of cyberattacks – thanks to such emerging technologies as AI and automation – are growing, while they do not always have the legal protection of corporate officers or a say over their budgets.

A report last year by executive search firm Heidrick and Struggles put these issues into perspective, noting that 38% of CISOs are not covered under their organizations’ corporate director and officer insurance (D&O) policies and 18% do not know whether they are covered.

The report said that in 2023, the percentage of CISOs who sit on corporate boards more than doubled but was still low, and that new U.S. Securities and Exchange Commission (SEC) rules – which include requiring organizations to disclose data breaches and outline their cybersecurity programs – also ask public companies to “disclose which board members, if any, have cybersecurity experience, thus elevating the role even further.”

The Institute for Applied Network Security (IANS) wrote in a blog post last year that “with the increased legislation and regulation comes the likelihood that cyber-related legal actions will only increase. … Regulation is not only increasing at the federal level, but we are seeing new regulation and laws at the state level, as well.”

“As cybersecurity and the role of the CISO evolve, it will take time for legislation, insurance products, and regulations to catch up,” the Boston-based company wrote. “Many corporate charters do not regard the CISO as a corporate officer, and, therefore, CISOs cannot be covered by D&O insurance.”

Good for CISOs and Businesses

Geoffrey Fehling, a partner with law firm Hunton Andrews Kurth, argued in a blog post that D&O policies need to be tailored to include cybersecurity executives, adding that it would benefit both the CISOs and the companies.

“As personal liability risks for CISOs continue to evolve, the availability and scope of D&O insurance will remain a critical factor in recruiting and retaining top cybersecurity talent,” Fehling wrote. “Companies that offer robust insurance protection may gain a competitive advantage in the tight market for skilled security leaders.”

SolarWinds’ Brown, in a September interview with The Financial Times, called for tighter cybersecurity laws, saying that uncertainty in regulations is complicating CISOs’ jobs.

“When you don’t have rules to follow, it’s very hard to follow them,” he said, adding that “the cyber issues are 20 to 30 years old. Other regulatory issues are hundreds of years old. So we’re just kind of catching up on the maturity of that model.”

Broad Liability Coverage

Key parts of Crum and Forster’s new CISO liability insurance program include comprehensive professional coverage – including CISO consulting services for the organization and pro bono IT security work – and coverage of defense costs without a deductible.

The coverage includes claims stemming from arrests, indictments, or other criminal proceedings and protections as regulatory pressures grow.

Article source: https://securityboulevard.com/2024/11/insurance-firm-introduces-liability-coverage-for-cisos/