CISOs Turn to Indemnity Insurance as Breach Pressure Mounts


Most enterprise security leaders are now turning to personal indemnity insurance to mitigate mounting breach risks and boardroom pressure, according to Panaseer.

The continuous controls monitoring specialist interviewed 400 CISOs and equivalent security leaders at US and UK organizations to compile its Panaseer 2025 Security Leaders Report.

It revealed that 61% of organizations suffered a security breach over the past year because their policies, governance and/or controls weren’t working properly. As a result, 90% said they’re expected to provide greater assurances around the performance of security controls, while a similar share (85%) are facing greater boardroom scrutiny.

However, with just over half (55%) confident that the data they present to the board is fully accurate, most (72%) are covering their backs by taking out personal insurance. A fifth (20%) said they are looking into it.


“In the wake of highly publicized attacks – such as the Sunburst SolarWinds breach – regulators like the SEC are enforcing criminal charges and stringent rules on CISOs, who are under a corporate sword of Damocles,” argued Panaseer CEO, Jonathan Gill.

“Their feet are being held to the fire by boards and regulators, but they lack the data to provide accurate insights that would help hold the business accountable. After all it’s business risk, not CISO risk.”

Taking out personal indemnity insurance might help under-fire CISOs better navigate this corporate/regulatory blame game, but it won’t solve the underlying problems that are causing it, Gill added.

Time to Leave?

“If this blame-game culture continues whilst CISOs are left powerless to provide accurate assurances, many will leave the industry – either of their own volition, or at the behest of courts,” he said.

In fact, 15% told Panaseer they have considered leaving the industry, while two-fifths (41%) feel more anxious about their decision making. Over a quarter (28%) feel that personal liability for breaches is unfair, and a similar share (23%) expressed anger at the situation.

“Ownership, accountability, and responsibility are positives in cybersecurity, but if those tenets go too far, they put undue stress on individuals, rather than the collective,” said Gill. “The industry must avoid putting a target on a single person’s back. CISOs shouldn’t be made scapegoats for security incidents, whilst ignoring all the good work they do.” 

Some 70% of security leaders said they have gaps in their risk visibility, while 67% don’t have the right analytical tools to provide accurate metrics on the performance of security controls.

It’s not just CISOs who are coming under greater scrutiny from regulators. The SEC’s new reporting rules and legislation like the NIS 2 Directive demand greater accountability from board members for serious breaches.
