Industry gets ‘first’ CIRM warranty
BreachRx co-founder and CEO Anderson Lunsford says the company will “put its money where its mouth is” with its new warranty.
Everyone needs somebody to lean on: Batman has Robin, Calvin has Hobbes, and Beavis has Butthead. Now, CISOs can soon join that list, with a new partner-in-crime that can support them during security incidents.
Earlier this month, BreachRx announced the launch of a cybersecurity incident response management (CIRM) warranty, which it claims is the “industry’s first contractually backed financial safeguard” for CISOs and other organization leaders.
Warranty FAQ. The warranty will be available to enterprises that purchase BreachRx’s product plans at the beginning of next month. When CISOs and other executives use BreachRx’s platform during the incident response and recovery process, they can get warranty-backed coverage of up to $3 million to put toward costs that would otherwise have fallen on them or their companies, such as fines or regulatory defense costs. BreachRx’s warranty is intended to supplement directors and officers (D&O) insurance, which often does not cover CISOs because they are frequently not regarded as corporate officers.
Anderson Lunsford, co-founder and CEO of BreachRx, told IT Brew that BreachRx’s platform is intended to remove some of the personal liability that may fall on a professional’s shoulders following an incident. With the new warranty, the company will “put its money where its mouth is” to give leaders and enterprises an extra “financial backstop” in the event that it is needed.
“Not many CISOs or other execs in general are setting aside personal funds to defend themselves from what might be asked of them afterwards when it comes to investigation or regulatory action associated with an incident,” Lunsford said.
The time is now. Lunsford said it was important for BreachRx to roll out its warranty offering after a few high-profile events—including now dismissed SEC charges against SolarWinds CISO Tim Brown and the 2022 federal charges against former Uber CSO Joe Sullivan—that shook the industry (Joe Sullivan is a senior advisor of BreachRx). According to a recent Splunk report, more than three-fourths (78%) of CISOs worry about being held liable during a security incident, up from 56% last year.
“I’ve talked to…many other CISOs that run into some of the stuff that doesn’t make the headlines about having to be named or having to get deposed,” he said.
Warranty guaranteed? IT Brew caught up with Scott Giordano, partner and co-founder of the CISO Law Firm, to understand the potential impact of a warranty for CISOs in crisis. While Giordano told IT Brew this is the first time he has seen an offering like BreachRx’s CIRM warranty, he had a few concerns.
For example, he wondered what constitutes an incident handled via the BreachRx platform, and which events, such as out-of-band communications, might fall outside coverage.
“What does that mean, handled through the [BreachRx] platform?” Giordano said. “If the CISO calls me on his cell phone, is that handling it outside of the platform? And if so, then what, does that void this?”
Lunsford clarified that BreachRx’s CIRM has an out-of-band communication channel built into the platform. Cody Wamsley, VP and general counsel at BreachRx, added that the warranty doesn’t kick in for an incident, but rather when there’s a regulatory event or lawsuit based on how that incident was handled.
Giordano added that although BreachRx says its warranty can be used to cover regulatory fines, state laws will ultimately determine whether a troubled CISO can actually do so.
“If a state law says, ‘No, that’s not allowed, insurance cannot be used to cover regulatory fines for penalties,’ then that’s void,” Giordano said.
Wamsley said this shouldn’t be a problem for users due to the nature of the warranty. “The way that our terms are crafted are designed to make sure that everybody that applies for the warranties is in full compliance with the law of whatever their jurisdiction is,” he told IT Brew.
Long way to go? Overall, Giordano said the industry still has a long way to go before it gets a better grip on the personal liability problem facing CISOs, even suggesting legislation that would heighten accountability practices in the industry: “They simply have to have a Sarbanes-Oxley for cyber…Otherwise, this problem is not going to go away.”
About the author
Brianna Monsanto
Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.