Safeguarding your CISO career
What security practitioners can do to manage personal and professional liability
Ascending to the CISO seat is a career milestone, but this elevation comes with real legal and personal risks. The hard truth is that CISOs can be held personally liable for decisions made in their role, particularly when those decisions are factored into security breaches that harm the organization or its stakeholders.
The good news is that protections exist for executive decision-makers both in the form of governance and insurance.
Through Artico’s extensive engagement with the CISO community, we understand that liability concerns are among the most pressing issues CISOs face today. We’ve sponsored and hosted multiple CISO Liability seminars, bringing together security leaders, insurance professionals, and attorneys to give a diverse perspective on the topic. The below summary is a primer on our learnings and will serve as a resource for current and aspiring CISOs to best protect themselves and manage their own liability.
We aim to demystify the topic of CISO liability and highlight the importance of having proper business procedures, corporate duty, documentation, and insurance protections to best protect oneself.
Proper Documentation is Critical
Documentation for corporate executives refers to “systematically recording and retaining all information related to your business activities.”
As a standard part of a breach post-mortem, a forensics study is typically undertaken to understand how and why the breach happened. Documentation around decision-making as part of standard working procedure helps CISOs and other leaders understand why decisions were made and by whom. The governance around such documentation can also protect CISOs from potential litigation and liability in the future.
“The importance of documentation comes up in all our CISO panels because this is first and foremost the best way to codify decision-making. CISOs need to be conscious about the paper trail being left behind when it comes to strategic initiatives and priorities to best mitigate the potential risk of finger-pointing in the future.” – Steve Martano, Partner, Artico Search
The Executive Nomenclature Conundrum
One major challenge in the industry is that CISOs often don't know how or if they are protected until there is active litigation. Unlike CFOs or General Counsels, there's no organizational standard for CISO leveling, reporting, or scope, meaning there is no standardization for liability protection.
What CISOs can do for their company and what their company can do for them
CISOs, as decision-making executives, must understand that they may be responsible for fulfilling core duties since most jurisdictions require these to be met for any insurance protection to kick in. In these cases, CISOs owe two fiduciary duties to the company and shareholders: the Duty of Care and the Duty of Loyalty.
The law doesn't demand perfection — only that one has tried their best within reason to perform these duties. As Woodruff Sawyer notes, CISOs should identify critical risks, establish monitoring systems, pay attention and take corrective actions, and document everything.
Importantly, expectations for CISOs are evolving in real time. Following the SEC case against SolarWinds in 2023, CISOs are increasingly expected to enact stringent security measures before attacks happen and to proactively report cyber vulnerabilities to the board.
As for what a company can do to protect its security leaders, it can indemnify CISOs for the costs of certain potential lawsuits and penalties. While corporate bylaws may claim to indemnify executives "to the fullest extent permitted by law," they can lack process details, exposing CISOs more than may have been expected. Waiting to negotiate these details after a lawsuit is filed puts enormous financial pressure on executives who need lawyers immediately.
CISOs are not always included in their company’s indemnification agreements but can easily be added. CISOs should consult their legal team to understand how indemnification works at their specific company and fully understand corporate bylaws.
D&O Insurance: The Financial Safety Net
Even diligent CISOs can face litigation. D&O insurance protects executives when sued in their capacity as executives, regardless of the lawsuit's nature — what matters is CISOs being sued in an executive capacity.
D&O insurance operates through three coverage types: Side A protects personal assets when an individual is not indemnified by their organization, Side B reimburses the corporation for indemnification payments, and Side C covers the corporation itself in securities claims.
We recommend CISOs speak with an insurance broker to best understand how D&O insurance can protect themselves and their company.
The Path Forward
The evolving responsibilities of CISOs can create litigation risk, even when they are unaware of potential exposure. Understanding executive protections can mean the difference between having the company’s support in a lawsuit or being forced to defend oneself with personal assets and potentially losing them.
Here at Artico Search, we are committed to leveraging our network of cyber experts to best support our partners. If you're a CISO seeking to learn more about potential protections in your role, we are happy to connect you with the right experts in the industry.