Quick Overview
As cybersecurity threats intensify, executives—especially CISOs—face growing personal liability risks. This session explored how Directors & Officers (D&O) insurance intersects with cyber coverage to protect individual assets. Key takeaways include understanding policy language, coverage limitations, and the importance of proactive risk management and legal coordination.
To view the webinar recording, click here (passcode: Cybersession2!).
Recent Events Driving Concern
Recent high-profile cases, such as Joe Sullivan (Uber) and Tim Brown (SolarWinds), have highlighted the legal exposure CISOs may face in the wake of data breaches and regulatory scrutiny.
Executive Coverage Considerations for CISOs
- CISOs should ensure their role is clearly defined within insurance policies. Even without an official officer title, “functional equivalent” language may extend D&O coverage. Engaging leadership to formalize titles and secure personal asset protection is key.
- Determining the right amount of coverage depends on the organization’s risk profile. Benchmarking against industry peers and aligning with available insurance budgets can help guide these decisions. D&O policies typically cover civil, criminal and administrative actions, but the scope and depth vary by policy. Legal representation depends on whether the policy is structured as Duty to Defend or Indemnity.
Additional Coverage Insights
- Prompt reporting to insurers is essential, ideally in writing and in coordination with risk management. Some policies may cover early defense costs.
- Exclusions should be reviewed carefully, especially where cyber and D&O policies intersect. Cyber insurance addresses damage and liability, while D&O focuses on oversight. Coordinated brokerage ensures complementary coverage.
- Most D&O policies cover past, present and future employees, with coverage triggered by the policy in place at the time of the claim. International claims are often included, though jurisdiction matters. After a breach, understanding policy language and triggers is critical. Side A coverage, which protects individuals, is non-rescindable and cannot be revoked by the company.
- Coverage for external CISOs and independent contractors varies by policy. While many cyber policies include contractors, confirmation is essential to ensure protection is in place.
D&O Coverage Nuances
- Coverage hinges on officer status and policy form.
- Affirmative endorsements may be needed.
- D&O covers oversight and governance, not E&O or professional services.
Potential Accusations Against CISOs
- Obstruction of justice (e.g., failure to disclose breach)
- Misleading cybersecurity disclosures
- Improper vendor selection/oversight
- Mismanagement of material risks
- Inadequate cybersecurity measures
- SEC disclosure violations
- OFAC violations (e.g., ransom payments to sanctioned entities)
Important D&O Terms and Conditions for CISOs
- Cybersecurity exclusions: seek deletion or carve-backs
- Conduct exclusions: prefer “final adjudication” language
- Professional services exclusions: look for supervision carve-backs
- Definition of “Insured”: clarify employee vs. officer coverage
- Independent Contractor Extension: confirm inclusion
- Duty to defend vs. indemnity: impacts defense cost allocation
- Dedicated Side A DIC: protects individuals
Vendor Contracts
Commercial contracts often require vendors to carry cyber liability insurance.
- Customer concerns: coverage amount, policy review and recovery process.
- Vendor concerns: reasonable coverage levels and named insured/loss payee issues.
Meet the Presenters
Lacy Rex
Cyber Practice Leader, Oswald Companies
Todd McClelland
Partner, Cybersecurity, Data Privacy, AI and Litigation, Sterlington Law
Kimberly Ferechak
Risk Manager, Senior Advisor, Executive Risk at Oswald Companies