CISO Liability

Assuming we can believe SolarWinds now, in June of 2020 they suffered a breach that we did not learn about until December, thanks to FireEye. SolarWinds finally filed its breach report (a Form 8-K) on December 14th, 2020. In October 2023, the SEC filed charges against the company and Timothy G. Brown, the company's CISO. This has caused many CISOs across the country to grow concerned about their own financial liability.

In fact, I have fielded calls from clients with the same concern. Fortunately, I have friends in the insurance business, including Zach Finn from Henriott Group in Lafayette, Indiana, who has this to say:

CISOs should only be personally liable for wrongful acts impacting their company to the extent they are directors and/or officers of the corporation. In that case, this exposure would be covered under a directors and officers liability policy. Wrongful acts include any error, misstatement, misleading statement, act, omission, neglect, or breach of duty committed or allegedly committed by an Insured Person in their Insured Capacity or by the company itself.

Directors and Officers (D&O) Liability Coverage protects all past, present, and future directors, officers, trustees, managers, members and employees for any actual and/or alleged "wrongful acts" brought by an independent third party for breach of fiduciary duty in the oversight and management of the Company. This will include "claims" brought by shareholders, regulators, administrative agencies for individual liability (SEC), customers, vendors, and any other stakeholders. D&O coverage will provide funds to cover the indemnification obligation provided by the company to any Insured Person, at whatever level payments are made, up to the selected policy limit of liability (subject to all the policy terms, conditions and exclusions). Defense costs, judgments and settlements are considered a "Loss" and are included within the limit of liability. In addition, these policies typically include provisions to provide direct reimbursement to any Individual Insured Person if the company cannot indemnify them because of financial insolvency or is precluded from indemnifying them by State or Federal statute, such as in derivative actions.

Zach went on to explain the details and intricacies of a good Directors and Officers insurance policy, as well as the basics of a cybersecurity insurance policy. And then he ended with the following:

In my opinion, a robust Risk Management strategy to protect the CISO would include the three-legged stool of a strong insurance program, including:

  • Appropriate D&O and Cyber Liability coverage;
  • A strong corporate indemnification agreement indemnifying the director or officer for their financial liability to the fullest extent permitted by the corporation's bylaws or by State or Federal statute, though some actions like gross negligence or intentional misconduct are very likely to be excluded from indemnification; and
  • Strong Risk Management policies and procedures, i.e., intrusion testing, MFA, etc., and coordination between IT, Legal, and Risk Management tailored to the organization's specific industry and threat landscape.

The good news is that, as a bank, you already have the most difficult leg of the stool (risk management) in place.

The indemnification agreement may be a bit more difficult to secure, since you have already negotiated your compensation. But you may want to raise it anyway at your next performance review.

If you work in a bank, the insurance aspects of the three-legged stool should bring more good news: you already carry cybersecurity insurance as part of your risk transference strategy; it is a natural result of having good risk management in place. Regarding D&O insurance, more good news: most of our small community banks have still not made their ISO an official "officer of the corporation," so officer-level liability generally does not attach to them. Note, though, that the lack of an "officer" title does not automatically eliminate D&O coverage (or exposure) for CISOs: if the CISO has officer-like duties and decision-making power, a court might still treat them as an officer, and they would then potentially be covered by D&O insurance.

But if you are an officer, it is very unlikely that your bank does not already have D&O insurance. Having said that, it is still worth asking, and if your bank does need to look into it, Henriott, where Zach works, is a great company!

When Henriott took over our insurance, it was like night and day compared with the insurance company we had been using out of Kokomo. They have outperformed every other insurance company I have worked with across the four companies I have owned over my career.

Where most insurance companies ask you to read the policy, Henriott walked through it with us. Those of you who know how detailed I can be can imagine what that was like. But they brought us way up to speed, in a very effective manner.


With expertise spanning risk management, enterprise risk management, commercial insurance, crisis preparedness, and more, Zach Finn has over a decade of experience. As a former Academic Director at Butler University and Global Risk Manager for The J.M. Smucker Company, Zach developed comprehensive risk management programs and navigated complex mergers and acquisitions. His focus on accessibility drives him to educate clients on developing robust risk management strategies beyond mere insurance purchases. Zach has been published extensively on risk-related topics and appeared in prominent media outlets. Holding degrees from Indiana State University and Florida State University, along with professional designations, Zach is based in Brownsburg, Indiana, spending time with his family and indulging in hobbies ranging from competitive poker to vintage toy collecting.

Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex


Dan's New Leaf – a fun blog to inspire thought in IT Governance.
