Managing D&O and cyber risk: Pull up a seat at the table for the CISO

What companies should do now to protect themselves and their employees responsible for cybersecurity

by Susan Friedman, Esq., John Doernberg, Gallagher

Companies systematically work to identify and mitigate the key vulnerabilities they have at any given time, while understanding that they cannot eliminate all cyber risk.

The “risk of regulatory enforcement” has shifted from being primarily a cybersecurity talking point. It’s a growing exposure, affecting a wide range of companies — and individual employees as well.

Chief information security officers (CISOs) and other corporate cybersecurity employees are increasingly worried about being swept into claims that could expose them to personal liability. In the article Worlds Collide: Directors and Officers Liability and Cyber Insurance Policies Confront New Overlapping Issues, we wrote about the risks of personal liability that corporate officers may face in connection with cyber events. Those concerns have recently spiked as government agencies may look to target individual employees for their roles in alleged cybersecurity failures and weaknesses.


Companies continuously prioritize their cybersecurity actions and investments based on their periodic reassessments of their changing risk exposures. The popular National Institute of Standards and Technology (NIST) Cybersecurity Framework in effect treats cybersecurity as a journey during which organizations will continue to improve their readiness over time. It’s a marathon, not a sprint.


continue reading »