
National insurance company rolls out CISO-specific insurance coverage

The newly launched Crum & Forster insurance offers CISOs perks such as zero-deductible defense costs.

Francis Scialabba



A national insurance company is bringing CISOs’ wildest dreams to life by rolling out professional liability insurance designed specifically for the fall guys themselves.

The new policy—which touts perks such as no-deductible defense costs and coverage for claims that emerge from criminal proceedings—is the brainchild of Crum & Forster (C&F), and can be purchased by organizations looking to provide additional protection for their CISO or by liability-conscious professionals.

The offering intends to provide additional shielding to CISOs who may lack protection under directors and officers (D&O) liability insurance. According to C&F, a number of CISOs are not formally recognized as corporate officers, causing them to experience coverage gaps under traditional D&O insurance. Of CISOs surveyed in a 2023 Heidrick & Struggles report, 38% said that their position was not covered by D&O insurance at their organization.

Liability jitters. The policy comes after the unfolding of several high-profile events involving CISOs in recent years. Last year, the industry watched as the SEC hurled charges, now largely dismissed, against SolarWinds and its CISO Timothy Brown for misrepresenting its cybersecurity practices to investors and customers. In the year prior, the industry witnessed former Uber CSO Joe Sullivan get convicted of federal charges for trying to conceal a 2016 data breach.

The offering also comes at a time when personal liability continues to keep some CISOs up at night. A recent Proofpoint report found that personal, financial, and legal liability remains an area of concern for roughly 66% of global CISOs.

Yay or nay? Steven Hadwin, counsel at A&O Shearman, told IT Brew that CISO-specific insurance is a relatively new concept within the industry and said that the offering may be attractive to CISOs looking for standalone coverage in their role.

“If you were to purchase this new product, what that gives you is a ring-fenced amount of cover that is allocable specifically to the CISO,” Hadwin said. “Traditional D&O insurance works on the basis that it’s a pot of money which is accessible to all insured persons, but it’s a finite pot of money.”

Priya Cherian Huskins, SVP of management liability at Woodruff Sawyer, an independent insurance brokerage and consulting firm, added that the policy may be a good investment for organizations looking to lure top talent.

“Certainly, if the CISO had two offers that were exactly the same, except…one employer offered this insurance, you can imagine that the employer that is offering this insurance would be the more attractive employer,” she said.

However, Cherian Huskins, among others, noted that CISOs will typically have some coverage under D&O insurance, especially in the worrisome event that the SEC pursues them over securities claims. And while personal liability anxiety persists, she added that CISOs should understand that it is unlikely that they would be personally targeted.

“It doesn’t serve anybody to get over-hyped about a risk when the risk is actually very unusual,” she said.

Whether or not CISO-specific insurance will become widely adopted within the industry remains unclear. Alex Sharpe, principal at Sharpe Consulting, told IT Brew that the coverage can be a “game changer” for CISOs, but that it may first garner widespread suspicion from onlookers.

Hadwin added that the role of a CISO will continue to require individuals to be in the line of “enhanced potential personal liability,” triggering the ongoing need for adequate protection.

“I think the need to have appropriate protection in place won’t change,” Hadwin said. “Now, how that develops within the insurance market, I don’t know, but there will be a demand for protection in one form or another for sure.”