Phronia Counsel

CISO Liability: Your Survival Contract

Competence protects the company. Contracts protect you. Build the survival contract before the breach, not after.

If you're a CISO without a survival contract, you're volunteering to fall.

This isn't about compliance frameworks or technical standards. This is about the six things you need locked down in writing with your organization before the next breach lands. Because when forensics starts, the only thing that saves you is what was agreed to on paper.

The SolarWinds case taught us that. The SEC case was about disclosure: what the company said publicly versus what the security leadership knew internally. But underneath that was a simple question. Who was responsible for what? And what protection did that responsibility come with?

That's what your survival contract answers.

Pillar 1: Know your formal status

Most CISOs aren't officers. They're senior employees. And that distinction matters more than you think.

Officer status isn't created by having "Chief" in your title. It's created by board resolution and bylaws. You either are an officer, or you aren't. And you need to know which one you are.

Why does it matter? Because officer status changes both your exposure and your protection. If you're an officer, you have formal fiduciary duties to the company. That creates risk. But it also creates access to corporate protections: D&O coverage, indemnification, legal defense at company expense.

If you're not an officer, you're a senior employee. That means lower exposure in some ways (you don't have formal fiduciary duties to shareholders). But it also means lower protection (you might not be automatically covered under D&O, and you might not be indemnified).

Get this in writing. Have a conversation with the General Counsel. Ask them directly: "What is my formal status?" Get the answer in writing. Then ask the next question: "What coverage and protections come with that status?"

Pillar 2: Get D&O coverage (and verify your name is on it)

Directors and Officers insurance is supposed to cover you. The word "Directors" is right there in the name.

But here's what most CISOs don't know. Just because your company has D&O coverage doesn't mean you're covered. You have to be explicitly named as an "Insured Person." And 38% of CISOs aren't.

This is insane. You need D&O coverage. And you need to know that you're listed.

Call the broker. Ask for the D&O policy. Find the "Insured Persons" section. Look for your name. If it says "all directors and officers appointed by the board," you might be covered if the board appointed you as an officer. If it says "directors and officers," you're probably not covered if you're not formally an officer.

Then ask the harder question: "What exclusions apply to cybersecurity liability?" D&O carriers have been tightening exclusions around cyber liability. Some policies now exclude coverage for claims related to cybersecurity breaches or disclosure failures. Get the answer in writing.

And finally: "What's the retention?" That's the deductible. It can be $100k, $500k, or $1M and up. If you have a big retention, your personal legal costs come out of your pocket first. Get the full picture.

Then, most importantly, verify that the company is actually paying the premium. D&O is expensive. Some CFOs skip it in lean years or let it lapse. If the policy isn't paid, the coverage is gone.

Pillar 3: Get a written indemnification agreement

Your company is supposed to defend you and pay your legal costs if you're sued for things you did as part of your job. That protection is called indemnification. And it needs to be in writing.

Most CISOs don't have this. They assume it's automatic. It's not.

You need a standalone indemnification agreement. Not a buried clause in your employment contract. An actual agreement that says: "The company will defend and indemnify the CISO for costs incurred in legal proceedings arising from actions taken within the scope of employment."

Make sure it covers:

Get this in writing. Have the General Counsel sign it. Have a board resolution authorizing it. Then make sure the company's insurance and legal budget actually covers it.

Pillar 4: Document your escalations and decisions

Every critical conversation needs to be followed by an email. Every decision that gets rejected needs to be acknowledged.

"As we discussed in the board audit committee meeting on March 10, 2026, I recommended prioritizing the network segmentation project. The committee approved a six-month implementation timeline with a budget of $500k."

"Per the CFO's decision on March 12, 2026, to defer the data loss prevention tool implementation, I'm documenting the residual risk as moderate to high. Security team recommends this decision be revisited in Q2 2026."

"I provided the CISO assessment to the CEO on March 14, 2026, indicating that the current backup recovery time objective is 8 hours, which exceeds the business requirement of 4 hours. The CEO indicated this will be addressed in the next budget cycle."

You're not being paranoid. You're being a professional. You're creating a record of what you knew, what you recommended, and what the organization decided to do about it.

The SolarWinds case was about the gap between internal knowledge and external disclosure. Close that gap by documenting what you knew and told leadership. Then when forensics starts, you have a record.

Pillar 5: Clarify your authority and accountability

You can't be accountable for outcomes you don't control. So you need clarity on what you actually control and what you don't.

"I am accountable for the security of systems within the security team's operational domain, including the SIEM, the EDR platform, and the incident response playbook. I am NOT accountable for the security of systems operated by the infrastructure team, the application development team, or third-party vendors."

"My authority includes: hiring and firing security staff, purchasing security tools up to $100k, recommending policy changes to the policy committee, and escalating critical incidents to the board audit committee. I do NOT have authority to: hire or fire personnel outside the security team, make decisions about systems operated by other teams, or commit budget above $100k without CFO approval."

"The IT operations team is accountable for implementing security controls I recommend. If they delay implementation, I can escalate to the CIO, and then to the board audit committee. But I am not personally accountable for implementation delays caused by resource constraints in IT operations."

Get this in writing. Have a conversation with your CFO, CIO, and General Counsel about where your authority actually ends. Then get it documented in your role definition, your board charter, or a separate authority agreement.

If you don't have this clarity, you're accepting accountability for outcomes you don't control. And that's exactly where liability lives.

Pillar 6: Get compensation commensurate with risk

Compensation isn't just salary. It includes D&O coverage, legal defense agreements, indemnification, and the ability to buy personal umbrella liability insurance.

When you're negotiating your CISO role, you need to negotiate the full package. Base salary commensurate with your experience and market rates. Annual bonus tied to security metrics, not business revenue, so you're not incentivized to downplay risk for business objectives. Sign-on bonus, because you're taking personal liability. Severance that covers at least 12 months if you're forced out for a security incident, because you'll need that to pay your personal lawyers while you transition to a new role. D&O coverage confirmation by name. Indemnification agreement. Permission to purchase personal umbrella liability insurance up to $5M, paid for by the company. Stock options vesting over 4 years, so you have incentive to stay but aren't locked in.

And most importantly: a buyout clause if the company is acquired or the risk profile changes significantly. Because mergers create liability exposure (you don't know what you're inheriting), and leadership changes create risk (a new CEO might scapegoat you).

This isn't greed. This is the cost of standing in the line of fire.

The hard truth: competence isn't protection

There's a mistake CISOs make. They think competence protects them. "If I'm really good at my job, I won't end up in legal trouble."

That's false.

The best CISO in the world can still be named in an SEC enforcement action. The best CISO in the world can still be blamed for a breach they didn't cause. The best CISO in the world can still be sued because the CFO ignored their recommendations.

Competence doesn't protect you. Documentation protects you. Clarity protects you. Written agreements protect you.

The survival contract isn't about being a good CISO. It's about being a protected CISO.

The bottom line

You're either protected, or you're expendable. There's no middle ground.

If you're a CISO without D&O coverage in your name, without a written indemnification agreement, without documented escalations, without clarity on your authority, and without compensation that reflects your risk, then you've told the organization that you're willing to fall.

The next breach is coming. The next regulatory action is coming. The next lawsuit is coming. The only question is whether you'll have protection when it does.

Have the conversations this week. Get the agreements in writing. Lock down the coverage. Document the decisions.

Because the survival contract isn't something you build after the breach. It's something you build before it.