BreachRx announced the first cyber incident response management (CIRM) warranty providing up to $3 million in coverage for employees held liable after cybersecurity incidents.

The warranty, which was announced Tuesday and will become available to both new and existing customers on April 2, 2026, is designed to protect both individuals and organizations in the event of a lawsuit or regulatory action stemming from a breach.

“Its protection not only applies to CISOs, CEOs, and General Counsels, but also to any other employee who may be personally named in investigations or enforcement actions, as well as to the organization itself in cases where regulatory penalties or related liabilities arise,” BreachRx CEO and Co-founder Andy Lunsford told SC Media in an email.

CIRM solutions are designed to handle every aspect of cyber incident response, not just the technical aspects of detection, remediation and recovery. This includes documentation, compliance reporting and coordination between security, IT, legal and executive leadership teams.

While cybersecurity warranties have existed for more than a decade, with WhiteHat Security announcing up to $250,000 in reimbursement for breach costs in 2014 according to Coalition, the first CIRM warranty focuses specifically on increasing regulatory scrutiny and penalties stemming from how organizations handle an incident.

“As accountability moves closer to individuals, we believe vendors should also be held accountable by offering tools that have a performance warranty,” Lunsford said.

In an article this week, BreachRx noted increasing scrutiny and shorter deadlines imposed by more than 200 global regulations including the SEC’s four-day disclosure deadline for material cyber incidents, which went into effect in 2024.

This liability can extend not only to a breached organization itself but to individual employees, as seen when the U.S. Securities and Exchange Commission (SEC) charged SolarWinds CISO Tim Brown in relation to 2020 Orion Sunburst supply chain attacks, although the case was ultimately dismissed.

"Personal liability for security related failures, including compliance, will remain a critical and escalating concern through 2026, fundamentally reshaping the CISO role. 93% of companies in a recent poll reported that they have introduced policy changes over the past 12 months to address rising CISO personal liability risks," noted Noma Security CISO Diana Kelley in an email to SC Media.

Lunsford says BreachRx’s CIRM warranty is contractually tied to an organization’s use of BreachRx as the system of record for incident response, applies without a retention requirement and can even cover individuals who are no longer employed at the covered organization. He said the warranty could help fill gaps in cybersecurity insurance policies that may exclude personal penalties for security leaders from coverage.

“The CIRM Warranty is designed to complement cyber insurance, not replace it. Think of cyber insurance as a form of financial recovery. The warranty is financial protection tied to the responsibility with which the response was executed,” Lunsford explained.
Incident Response, Governance, Risk and Compliance, Cybersecurity insurance
First CIRM warranty protecting employees from breach liability announced



