Top 5 Questions Every CISO Should Ask

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s consider some questions that Chief Information Security Officers (CISOs) should ask in the current climate where that role is increasingly fraught with potential personal liability—here, you can consider the recent prosecution of Uber’s CISO or the recent announcement by SolarWinds that its own CISO received a Wells Notice. Two of our previous posts covering those subjects can be found at the following links:

https://www.hoschmorris.com/privacy-plus-news/cyber-liability-for-directors-and-officers

https://www.hoschmorris.com/privacy-plus-news/solarwinds-executives-may-face-personal-liability

The CISO holds a critical role within an organization, responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately secured. Unfortunately, many companies do not empower or protect their CISOs sufficiently. Especially before accepting a new role, here are five questions every CISO should ask:

1. Am I truly considered to be an “Officer” of the organization? Your status as an officer – or not – can significantly impact your exposure to risk and the protections afforded to you. Officers have a fiduciary duty to the organization, and their decisions have broader implications that could potentially lead to litigation. Being an officer, however, typically provides a safety net against personal losses from legal action. If you aren't considered an officer, these protections may not apply. Therefore, clarify your status, its implications, and necessary protections before accepting a role. Remember that most often, the CISO is an officer in name only.

2. How comprehensive is the organization's Directors & Officers (D&O) insurance, and does it provide adequate protection for me in my role as CISO? Directors and Officers (D&O) insurance is designed to protect directors and officers of an organization against personal losses if they are sued as a result of serving in that capacity. It also can cover legal fees and other costs the individual may incur because of such a suit.

Your first question should be whether the organization’s D&O coverage would extend to you in your role as CISO.  (You want to see that in writing.)  If not, ask that it be extended to cover you as well.

In asking whether you would actually be an “officer” and exploring D&O coverage (and indemnity), remember that the company’s lawyer is not your lawyer. It would be wise to have your own lawyer analyze this for you.

Your next question should be whether the D&O coverage would really be as broad and effective as you imagine.  Here are some important considerations:

• Coverage scope: You should have a clear understanding of what types of claims are covered under the D&O policy. This could include actions alleged to be wrongful acts, errors, or omissions by the directors or officers. Given the CISO's responsibilities, it's particularly important to know if the policy covers cyber risk, which can be a significant source of potential liability.

• Policy limits: Be clear on the policy limit, which is the maximum amount the insurer will pay. Keep in mind that SolarWinds recently invoked its D&O insurance to pay $26 million to settle a derivative action brought against its Directors. (For more on that, see the first link above.) It's also important to know whether costs of defense are taken out of this policy limit, and whether there are separate or shared limits for individual directors and officers and the organization as a whole.

• Side A coverage: Does the D&O policy include "Side A" coverage? This provides direct coverage to individual directors and officers, without a deductible, for loss not indemnified by the corporation. It's particularly relevant in circumstances where the organization is unable or unwilling to indemnify you.

• Indemnification interaction: How does the D&O policy interact with the organization's indemnification policy? If the organization has broad indemnification obligations, it's important to ensure the D&O policy has adequate limits to cover potential claims. Also, you'll want to know the sequence of payments in the event of a claim.

• Defense costs: Does the D&O policy provide for the advancement of defense costs? Legal fees can accumulate quickly, so knowing whether defense costs will be advanced by the insurer rather than reimbursed after the fact can be crucial.

3. What is the organization's indemnification policy? The organization's indemnification policy is critical. Indemnification provisions are supposed to protect directors and officers from personal liability and financial loss in the event of legal proceedings resulting from their good-faith service to the organization. It's essential to know under what circumstances the organization will indemnify its officers and directors, the extent of this indemnification, and if it aligns with industry standards. Also, keep in mind that in some jurisdictions, there may be statutory limitations on indemnification. Knowing these can help you understand whether the organization's indemnification policy provides sufficient protection for your role as CISO. It's always advisable to consult with a legal professional to ensure a full understanding of these provisions and any potential gaps in coverage.

4. Who is my direct report? As the CISO, your position within the organization's structure can significantly impact your ability to execute your duties effectively. The conventional structure often sees the CISO reporting to the Chief Information Officer (CIO) or Chief Technology Officer (CTO). But there's a growing trend that, in order to ensure a balanced and comprehensive approach to cybersecurity, the CISO should report directly to the CFO, COO, or even the CEO and the board, not the CIO. This reporting line reflects the growing importance of cybersecurity and data governance within the business strategy. It also helps avoid potential conflicts of interest that may arise when security decisions could impact IT operations. Some commentators also think having a direct line to the CEO and the board may protect the CISO from becoming a “fall guy” in the event of a security incident, though we think that is debatable. Regardless, keep in mind that this reporting line might not be best in every organization. The nature of the business, the size of the organization, and the complexity of its IT infrastructure could all impact the most effective reporting structure.

5. Who was the last CISO, how long was their tenure, and why did they leave the organization? Gaining insight into your potential predecessor's experience is a valuable step when considering a new role. The tenure of the previous CISO(s) can reveal much about the stability of the role and the organization's commitment to security. A short tenure could indicate internal challenges, while a long tenure may suggest a supportive environment. Understanding why the previous CISO(s) left is equally critical. Advancing to greater roles or leaving for retirement might be positive signs, whereas being let go or leaving abruptly – especially if the average tenure of the organization’s CISOs has been puzzlingly short – could suggest potential issues such as internal conflicts, inadequate resources, unrealistic expectations, or even whiffs of trouble coming. All of these must be interpreted within the context of the company culture and environment, with respect for privacy and without undue speculation; but ultimately, these insights can help you identify potential challenges or opportunities as the new CISO.

Remember, the goal is not only to secure the role, but to ensure that it’s a good fit for you, that you are protected, and that you will have the necessary support and resources to protect the organization.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
