CISOs can now obtain professional liability insurance
Professional liability insurance is designed to protect executives against claims of negligence or inadequate work arising from their services. Companies often use these policies to safeguard a business’s financial assets from the potentially high costs of lawsuits and settlements in the event someone alleges executives have failed to uphold their duties. The policies typically cover CEOs, CFOs, and other board members, but frequently leave out CISOs.
New Jersey-based insurer Crum & Forster is looking to change that. The company recently unveiled a policy specifically designed to shield CISOs from personal liability.
Nick Economidis, vice president of eRisk at Crum & Forster, told CyberScoop that the company saw an opportunity since CISOs may not be recognized as corporate officers under a directors and officers liability policy, which normally covers executive liability.
“CISOs are in a no-win situation,” Economidis said. “If everything goes right, that’s what people expect. If something goes wrong, they’re the person that everybody looks at and they’re left holding the bag. Then, there are potentially significant financial ramifications for them because they’re often not covered by traditional insurance policies.”
The policies, which can be purchased by a company on a CISO’s behalf or by a CISO directly, can cover consulting done for the organization and its subsidiaries, as well as moonlighting or pro bono IT security work.
“We find that it’s not unusual for CISOs to be doing consulting, either on a pro-bono basis or for a fee,” Economidis said. “That creates an exposure as well, and the policy will also cover that.”
The CISO role is under increasing legal scrutiny, especially after high-profile security incidents. In October 2023, the Securities and Exchange Commission sued SolarWinds and its chief information security officer for failing to disclose poor cybersecurity defenses in the wake of Russian-government-linked hackers breaching its systems. A judge dismissed most of that lawsuit earlier this year.
The plan offers zero-deductible defense costs for immediate and effective protection, along with broad claims coverage, even in criminal proceedings, ensuring CISOs have robust protection against personal liabilities. It also includes targeted regulatory protection to comply with SEC cyber disclosure rules, helping CISOs limit exposure to civil and criminal liabilities.
Economidis says policyholders can typically expect costs to range from $3,000 to $5,000 per insured person, depending on factors such as coverage limits and deductibles. Additional variables, including whether the company is public or private and the company’s years of experience, can also influence the pricing.