In 2026, the legal liability for Chief Information Security Officers (CISOs) has become a major focus of corporate governance. While historically seen as a technical role, recent high-profile legal cases and new regulations (such as the updated SEC cybersecurity disclosure rules in the U.S.) have increased the personal risk for CISOs. A CISO can be held legally liable—and even face criminal charges—if they are found to have willfully misled investors, concealed significant data breaches, or displayed "gross negligence" in their duties. For example, failing to disclose a material breach in a timely manner as required by law can lead to personal lawsuits or regulatory fines. However, for standard "good faith" security failures, the corporation typically provides indemnification. To mitigate this risk, many CISOs now negotiate for "Directors and Officers" (D&O) insurance coverage and clear "duty to report" protocols to ensure they are protected when making difficult decisions about disclosing vulnerabilities or responding to sophisticated, AI-driven cyberattacks.