
One of the critical tenets of directors and officers (D&O) policies is personal liability protection for individual executives and board members against wrongful acts committed – or allegedly committed – in their capacity as corporate officers. Chief Information Security Officers (CISOs) are increasingly important to corporate leadership teams as cyber risks and disclosures come under heavier scrutiny, so they need to understand the level of protection a D&O policy actually offers them.

Recent criminal proceedings against a former CISO at a ride-hailing company highlight the legal and regulatory risks CISOs face in the wake of cyber incidents. Cybersecurity breaches are complicated matters, and regulatory requirements around the breadth and timing of disclosures continue to evolve.

Individuals should conduct a thorough review of their own coverage, but in general D&O policies provide protection for directors and officers when allegations of civil or criminal wrongdoing are brought against them in their capacity as an Insured Person. Insured Person definitions typically do not spell out what constitutes an “Officer,” relying instead on the corporate bylaws and the definition used under Section 16 of the Securities Exchange Act of 1934. CISOs should actively determine whether they are a corporate officer under those definitions, because that status may also govern the indemnification their employer owes them in response to allegations of wrongdoing.

D&O policies typically provide coverage for both indemnified and unindemnified allegations. A critical component of the coverage is defense costs, which include the legal fees to defend such matters once the policy is triggered. Claims that are indemnifiable by the company will likely be subject to a retention or deductible before the insurer has any payment obligation, and these retentions and deductibles can be significant, often millions of dollars. CISOs should therefore be clear about the limitations of their corporate indemnity benefits and about what triggers the policy if or when a dispute over indemnity obligations arises, whether with their employer or between their employer and its insurer(s).

As with any director or officer of a company, CISOs should be thoughtful about the adequacy of the overall program limits. D&O limits, or components of them, are often shared with the company itself and among all Insured Persons. One option is to purchase a component of coverage dedicated solely to non-indemnifiable loss of Insured Persons (often referred to as Side A coverage). Aon’s proprietary A+ Protect Side A Form explicitly includes CISOs as Insured Persons, a first step toward access to policy limits in the event of a covered claim. If you have any questions about coverage, or are interested in obtaining coverage, please contact Aon and we will connect you to a licensed broker.


Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or tax advisors on any commentary provided by Aon. The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.