This article was originally written by our North American colleagues for a U.S. audience. We have shared this article for informational purposes only as it may be of interest to our global clients. Please speak to your local office contact to further discuss any of the points raised in this article.
Chief Information Security Officers (CISOs) have a tough enough job protecting their company and customers, but increasingly they also have to worry about protecting themselves. First the SEC raised the stakes with sweeping disclosure rules, supplemented recently by a rule requiring disclosures of cybersecurity incidents within four days after an entity determines that the incident was material, then it actually sued a CISO.
On October 30, 2023, the Securities and Exchange Commission (SEC) sued SolarWinds Corp., along with its CISO Tim Brown, in connection with alleged “misstatements, omissions and schemes that concealed both the company’s poor cybersecurity practices and its heightened -and increasing- cybersecurity risks” related to the 2020 supply chain cyber-attack on the company’s Orion Platform. The basis for these allegations, according to the SEC complaint filed in the Southern District of New York, is the discrepancy between what Brown disclosed in internal company documents and what was actually told to investors in several public disclosures, including “a security statement” on its website and reports filed with the SEC.
This move by the SEC marks the first time the SEC has sued a company that has been victim to a cyberattack (although in March the SEC did charge and simultaneously settle with Blackbaud, an educational software company, over misleading statements about a 2020 ransomware attack). This is also the first time that the SEC has sued a CISO (despite not suing any other individuals in this matter). The SEC singled out the CISO because he was allegedly "primarily responsible for creating and approving the Security Statement before it was posted,” and he “disseminated the Security Statement, or a link to the Security Statement, to customers seeking more information about SolarWinds’ security practices.”
In addition to monetary relief, the SEC seeks a permanent officer and director ban against the SolarWinds CISO. It should be noted that the SolarWinds CISO had previously been sued, along with the company and other officers, in a securities class action which recently settled for $26 million, and over the last few years a few other CISOs have been named in private litigation, but in light of the facts and the SEC interest Solar Winds may be considered a special case.
Another seeming first in the SEC complaint against SolarWinds and its CISO is the use of Section 13 of the Securities Exchange Act (accounting for 6 out of 10 counts in the complaint). Defense attorneys have opined that “[t]he SEC’s application of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 - which requires public companies to devise a system of internal accounting controls that prohibit access to a company’s assets without management authorization, among other things- stretches the “assets” under the purview of this statute from monetary assets to a company’s “information technology network environment, source code, and products.”
This unprecedented action by the SEC has certainly caught the attention of CISOs everywhere and is leading them to reevaluate whether they are adequately protected.
When it comes to coverage for CISOs under a cyber policy, it is first important to recognize that CISOs are generally insureds under most cyber policies as employees of the insured entity, as long as they are acting within their capacity as such. Further, as insureds, CISOs generally have third-party liability coverage for claims, which can include regulatory actions, made against them alleging a security or privacy wrongful act.
The concern, however, is that most cyber policies contain some form of a securities violation exclusion, which could preclude coverage for litigation or regulatory actions for actual or alleged violations of securities laws or regulations. While some cyber policies do provide limited carvebacks to their securities law exclusions, for regulatory actions brought under SEC Regulation S-P alleging a failure to provide notice to customers about their privacy policies and practices, they are increasingly difficult to obtain and not the crux of the current SEC action against the SolarWinds CISO. As a result, while cyber policies may be the coverage of choice for claims by consumers and/or regulators other than the SEC, D&O policies are likely to be the most responsive to securities-related claims.
To some extent, coverage under a D&O policy and a cyber policy can be mutually exclusive depending on how each policy defines “securities claim”. However, it is possible to have overlap (which is not necessarily a positive if it leads to finger-pointing between insurers) or gaps, so careful attention must be paid.
Directors and officers generally have substantial coverage in relation to securities litigation, investigations and inquiries, but recently CISOs have expressed concern over whether they specifically are entitled to that coverage. Unfortunately, the status of a CISO under a D&O policy is not always completely clear (prompting increasing efforts to get clarity).
For private companies and not for profit entities, the D&O policy typically identifies all employees of the organization as Insured Persons and doesn’t distinguish between the coverage offered to executives and other employees. For these organizations, there should not be any need to proactively modify wording to ensure basic coverage is in place. Relatedly, although cyber exclusions have become common on private and not for profit D&O policies, they generally only limit the entity coverage provided by such policies and do not affect coverage for individual insured persons such as CISOs.
For public companies, the term “Directors and Officers,” referred to in some policy forms as “Executives” or other similar names, will be defined to include “duly elected or appointed” officials. But is anyone with an officer title an “Officer” or “Executive” for coverage purposes? There is little case law on the issue. While it seems clear that the term includes executive level officials who are designated in securities filings as Officers under Section 16 of the 1934 Securities Exchange Act, beyond that the issue can become less clear. While an increasing number of companies are designating CISOs as Section 16 officers now, some companies still do not.
Generally, all “employees” will be insured persons under a public company policy in relation to securities claims. Claims brought by shareholders or by the SEC are likely to meet most definitions of securities claims, but wrinkles may occur if a policy only cover employees on a co-defendant basis. Bottom line, though, is that in most foreseeable “SolarWinds” types of situations, the CISO would typically be covered, even if they are not technically a Section 16 officer. Note also that policies which provide pre-claim inquiry and/or investigation coverage for Insured Persons usually (but not always) provide such coverage to all employees.
An additional wrinkle can exist, when a company utilizes a CISO who may be considered an independent contractor but is entitled to indemnification from the entity. Such an individual is unlikely to have full coverage without a negotiated endorsement.
Notwithstanding the securities claim-related coverage available under D&O policies, as discussed above, there are foreseeable claims in which a non-Executive CISO of a public company could be involved where coverage may be problematic:
As discussed above, the first two claim scenarios above would hopefully find coverage under a cyber policy. However, to address the third scenario, and any other lingering doubts or uncertainties, endorsements are increasingly available and may be desirable to clarify coverage for CISOs, ranging from basic clarifications to enhanced protection.
While potential exposures for CISOs are rapidly proliferating, they can take comfort that cyber and D&O policies provide substantial protection, particularly if the coverage is optimally coordinated. Furthermore, clarifications and enhancements are available and can be worth working with brokers to explore.