If you’re a CISO without D&O insurance, you may need to fight for it




“We’re a software vendor and we sell to financial institutions and we sell to the government and in a lot of cases, the requirements of those organizations get passed to us,” says Lindner, who is covered under his company’s D&O policy. “So, while we’re not a public company, we still have to abide by breach laws and notifications. And if something happens and we don’t and they want to sue us, we have to have some coverage there.”

Lisa Hall, CISO at privately held Safebase, agrees that CISOs at all companies should be covered under their organizations’ D&O insurance policies, particularly in light of these new regulations. “I do think adding CISOs to D&O insurance will be more and more of a thing, and there is, for sure, more chatter in my CISO groups about how companies are handling this,” she says. “A lot of CISOs are also taking out errors and omissions insurance personally. I have that just for the consulting and advisory work I do.”

Hall says that as a community, CISOs want to feel that they can be transparent and make the right decisions for their companies. “A lot of CISOs are thinking about this, especially after SolarWinds,” she says. “And if we feel that we’re not 100% protected for any decision we make, and we can be personally liable for a breach or possible incident even if we do the right thing, it’s really pushing CISOs to say, ‘Hey, company, I’ll join if you cover me or give me a different title.’”


