Promotion to the position of Chief Information Security Officer represents a career pinnacle for many cybersecurity professionals. That said, individuals who face such a promotion should carefully consider the increased responsibility that comes with this role, as becoming a CISO truly places one’s decision-making under a microscope. The comments and decisions that a CISO makes while serving in their role can expose their organization and themselves to liability, particularly those that may result in injuries to the organization, shareholders, employees, customers, or other affected parties.

However, protections are available from both a governance and an insurance perspective, should the CISO’s executive decision-making be called into question. Critically, individuals are not alone in protecting themselves and limiting their liability – indeed, well-governed organizations will institute protections for their executives as a matter of policy.

For an organization, protecting a CISO from personal liability risk is not limited to maintaining adequate indemnification and insurance policies. It also includes having effective governance structures in place so that decisions are made, and documented, in a way that reduces the likelihood of liability arising in the first place. Accordingly, both CISOs and the organizations they serve should carefully consider the liability concerns that the CISO role may present and examine methods to mitigate them.

Oftentimes, executives do not learn whether their organization affords them protection until they are already enmeshed in a lawsuit. The CISO role has increasingly come under scrutiny from regulatory authorities, including the SEC, for its responsibility in handling cybersecurity breaches, and in some cases CISOs have even been named personally in litigation.

Moreover, because there is no market standard on organizational leveling, reporting structure, or scope, the CISO is not always regarded as a corporate officer by the company, and therefore may not be fully indemnified and protected by the organization. Unlike positions such as General Counsel or Chief Financial Officer, the CISO role exists in a gray area: some organizations consider it a high-level executive position, while others view it as a firmly operational role.

Given the ongoing evolution of the CISO role, there is no guarantee that a CISO will be considered an executive and, consequently, afforded the same protections as other executive officers. Accordingly, a CISO must determine whether they are entitled to the same insurance coverage as other executives, including coverage under the organization’s directors and officers (“D&O”) insurance policy. CISOs should not assume that they will receive the same indemnification protections that other executive officers may be afforded, and should further be aware that D&O policies commonly exclude liability arising from cyber and privacy exposures, so coverage for those exposures must be confirmed separately rather than presumed.

Therefore, for both the organization and the incoming CISO, it is imperative to clarify with legal counsel which protections the CISO is provided, and whether (and how) the D&O policy covers them.

CISOs should begin by understanding their principal fiduciary duties, because most jurisdictions condition indemnification and related protections on adherence to those duties. The two fiduciary duties executives owe to the company and its shareholders are the duty of care and the duty of loyalty, and an alleged failure to meet either could be used as a basis for liability.