Plaintext: Personal Liability Insurance for CISOs
Welcome to Dark Reading in Plaintext, brought to your inbox this week by CyberArk. In this issue of Plaintext, we look at how CISOs are being told they bear personal and legal responsibility for data breaches. Do CISOs need personal liability insurance? We also peek at reports that several members of Scattered Spider have been arrested. If you enjoy Plaintext, please share with friends and colleagues!
CISOs and Personal Liability. One of the things that came out of 2024, with its new regulations and privacy laws, is the idea that CISOs bear personal and legal responsibility for data breaches. CISOs need to take a proactive approach to legal exposure; for many, that means investing in directors and officers (D&O) insurance. In the event of legal action, D&O coverage can provide financial protection for CISOs.
However, getting covered is not as easy as it sounds: a Heidrick & Struggles survey from last year found that 38% of CISOs are not covered by their organizations' D&O insurance. This puts the CISO in the position of needing to negotiate with their organization for coverage or buying their own. New Jersey-based insurer Crum & Forster recently unveiled a policy specifically designed to shield CISOs from personal liability, according to a CyberScoop report.
The plan, which can range from $3,000 to $5,000 per insured person, offers zero-deductible defense costs for immediate and effective protection, as per CyberScoop. In light of the fact that many CISOs consult on the side, the Crum & Forster policy also covers consulting done for the organization and subsidiaries, as well as moonlighting and pro bono security work.
“CISOs are in a no-win situation. If everything goes right, that’s what people expect. If something goes wrong, they’re [CISO] the person that everybody looks at and they’re left holding the bag.” Nick Economidis, Crum & Forster (via CyberScoop)
Insurance is just one component of managing liability. CISOs should be proactive about creating a system record, where every action relating to a potential security incident is recorded with a detailed description, recommends Nicole Sundin, chief product officer at Axio. Those who don't keep a record of events and why actions were taken will be the ones who "take the fall," Sundin says.
Dark Reading in Plaintext is brought to you by CyberArk
Expanded Capabilities in Machine Identity Security
Digital transformation, cloud adoption and AI are driving increases in machine identities, including TLS (Transport Layer Security) certificates and secrets. Learn how to solve more use cases faster!
Cybercrime Arrests. This week, the Department of Justice unsealed criminal charges against five alleged members of Scattered Spider, a cybercrime group suspected of hacking into dozens of companies to steal confidential information and cryptocurrency. Scattered Spider, which gained notoriety by attacking multiple US-based casinos, has often collaborated with ransomware-as-a-service groups. The group used social engineering techniques to target enterprise call centers and extensive SMS phishing campaigns to compromise major organizations last year. The phishing text messages often stated that the employees' accounts were about to be deactivated and included links to sites designed to lure recipients into providing information such as account login credentials, the DoJ said.
"This is a nice win for law enforcement that over time has significantly hampered the group's fast-paced tempo this year. We hope this sends a message to the other actors they collaborate with that they aren't immune to consequences," said Charles Carmakal, Mandiant Consulting CTO, Google Cloud.
What We Are Reading
What We Heard On-Air
Tune in to our on-demand webinar “Threat Hunting: Tools and Techniques to Stay a Step Ahead of Cybercriminals.”
“Logs are cheaper than lawyers.” — Brittany Deaton, solutions engineer, Sophos
From Our Library
Check out some of the latest reports from our Dark Reading Library.
On That Note
It's a perennial question for entrepreneurs and fledgling businesses: when is the right time to make the first security hire? Rami McCarthy has an insightful piece and a summary graphic (see below) addressing this question. Here is a rule of thumb: "Hire your first security person when security is an unavoidable distraction from scaling your business." What does "unavoidable distraction" mean for you?
Assistant Manager @ Company | Experienced in Operations (1 day ago): Useful tips
USAF Veteran | Active Secret Clearance | CompTIA Sec+ (1 day ago): I'm not an insurance expert, but could some of the liability for CISOs get coverage under an umbrella policy?