
CISOs should verify coverage under employer’s D&O policy: Experts


Chief information security officers are likely to become targets of regulators and plaintiff attorneys in connection with data breach litigation, making it critical they verify they are covered under their company’s directors and officers insurance programs, experts say.

The good news for CISOs is that in the current competitive market D&O insurers are generally willing to add CISOs as insureds under their policies without additional charge, these experts said.

They point to the U.S. Securities and Exchange Commission lawsuit filed against SolarWinds Corp., which names its CISO as a defendant along with the company itself, as a signal that CISOs and their companies should be concerned about this issue.

The lawsuit, Securities and Exchange Commission v. SolarWinds Corp. and Timothy G. Brown, filed in U.S. District Court in New York on Oct. 30, charges that SolarWinds and Mr. Brown defrauded investors by overstating the company’s cybersecurity practices and understating, or failing to disclose, known risks. SolarWinds was the target of a massive, nearly two-year-long cyberattack.

Complicating the issue facing companies are new SEC cybersecurity rules that require companies to determine which cybersecurity incidents are material and disclose them to the agency within four business days of making that materiality determination. The incident disclosure requirements take effect for most companies on Dec. 18, with smaller reporting companies eligible for an extension.

Regulators “are trying to stress that individuals are vulnerable to prosecution or enforcement action, particularly if they mislead the market,” and shareholders and data breach victims are becoming more litigious, said attorney Jonathan Armstrong, a partner with Cordery Compliance Ltd. in London.

“I’m not sure (CISOs) are going to be named in all securities litigation,” but certainly there is a heightened risk, said Andrew Doherty, New York-based national executive and professional risk solutions practice leader for USI Insurance Services LLC.

“The exposure has been on the upswing for a little while without being noticed,” said Larry Fine, New York-based management liability coverage leader for Willis Towers Watson PLC.

There will be more litigation, he said. “I’m not sure it’ll be an avalanche, but we’re going to see CISOs highlighted for more potential liability, more than we did in the past,” he said.

“The plaintiff attorneys love these types of scenarios, and I expect that they will be eager to file suits when there is a pattern or appearance of a wrongful act,” said James Rizzo, New York-based underwriter for U.S. executive risk at Beazley PLC.

“There’s definitely coverage” under D&O policies, which are “really designed to provide protection to high-level executives,” said Matthew McLellan, Washington-based managing director and D&O product leader for Marsh LLC.

However, CISOs “really need to confirm whether they are an officer of the company, and, if not, they should push to ensure they’re affirmatively insured under the D&O policy,” said Sarah Downey, managing director at Lockton Cos. LLC in New York.

“The question is whether a CISO is an executive as defined by that policy or that carrier,” Mr. Fine said. The definitions of officers in public company D&O policies “are surprisingly unclear,” he said.

“There’s a continuum,” where one would assume if you are an official you are definitely an insured executive, Mr. Fine said. “But as you go down the line,” that becomes less clear, “which is why many insureds are now seeking more clarity about the status of CISO coverage,” he said.

If the CISO does not qualify as a company officer indemnified under the company’s D&O policy, they should seek to have an endorsement added to provide that coverage, Ms. Downey said. “The markets are amenable to that,” she said.

There’s “an openness and willingness” to answer questions, revisit policy language and make changes, Mr. McLellan said.

Arturo Perez-Reyes, senior vice president and cyber strategist at San Francisco-based Newfront Insurance, said this is less of an issue for private company D&O policies, which are more broadly worded than those for public companies.

David B. Anderson, vice president, cyber, at Woodruff Sawyer & Co. in San Francisco, said there may be a problem for those who function as CISOs at small companies, but do not necessarily have the title.

“There are so many committed, caring professionals who are doing the job” of CISO but have titles such as senior vice president of networks, he said.

“You really need to make sure” D&O insurance coverage includes those who act as the functional equivalent of CISOs, he said, and work with brokers “to ensure that any cyber-related exclusions are as limited as possible.”

Another concern is third-party contractors who may function as companies’ CISO, Mr. Rizzo said.

Companies “might want to look at some sort of external professional liability product” to ensure that these contractors are indemnified, he said.