Confusion about D&O insurance…
If you go to a talk for CISOs these days, invariably someone will ask about the importance of D&O insurance for security leaders, to ensure they are protected. It’s a confusing topic, and it seems to get more confusing every time someone speaks about it.
A friend sent me this video and said: now people are saying “you don’t need D&O”! youtube.com/watch?v=0xtgZo1sLvg
I listened to the dialogue and can see why it is confusing. I think that what was said was: if you have an employment contract that gives you indemnity to the full extent of the law, you don’t need to be a named officer of the company or get formal confirmation of D&O coverage. That makes sense to me.
As I understand it, D&O is the backstop insurance coverage for giving indemnity to senior employees. So if the company gives an assurance that you get indemnity, then the insurance is really irrelevant to the CISO, but it is in the interest of the company to get insurance against the risk of having to pay the indemnity. But there is no need to force the company to get insurance – as long as they will actually indemnify.
Becoming a named officer is also not something CISOs need to fight for – that is almost always a small subset of the top execs, probably primarily related to SEC obligations – so many companies just have the CEO/COO/CFO and GC as named officers. When, in the CISO context, people talk about becoming named officers, it is just a different way of essentially being covered automatically by D&O policies.
The flaw in the interpretation of the video (and perhaps in the words of the speakers) is the assumption that most CISOs are getting full indemnity in their contracts. Many CISOs don’t even have employment contracts.