Your CISO Isn't the One Who Should Be Worried. You Are.
There's a new insurance product on the market. CYGNVS, a cybersecurity incident management company, recently launched a liability insurance policy designed specifically for CISOs. Not for companies. For individual Chief Information Security Officers, personally.
That should scare you — not because of what it says about CISOs, but because of what it says about where regulators are looking next.
The Numbers Are Stark
A survey of more than 625 CISOs by Hitch Partners found that 74% lack personal liability protection. Three out of four of the people responsible for your organization's security posture have no coverage if a regulator decides they didn't do enough.
And regulators are deciding exactly that, with increasing frequency. The SEC, DOJ, and international regulators are now targeting individual executives who knowingly omit or distort cyber risk information. Individual executives. The areas of exposure include inadequate asset inventories, gaps in third-party risk management, misleading board communications about risk posture, and delayed or incomplete breach reporting.
Read that list again. That's Tuesday for most organizations.
The Fall Guy Problem
GovInfoSecurity published a piece recently with a title that says it all: "When Liability Turns the CISO Into the Fall Guy." CBS19 ran research calling personal liability — not hackers — cybersecurity's biggest threat in 2026.
This framing is exactly backward. The CISO is usually the person who's been saying the right things to the wrong audience, in the wrong format, with the wrong expectations about what would happen when they did.
Consider how this typically plays out: A CISO presents risk to the board. The board nods. Nobody asks follow-up questions. The presentation goes into a folder nobody opens again. Six months later, the breach happens. The board says they weren't adequately informed. The CISO says they presented the risks clearly. The lawyers pull up the board minutes, and what they find is a PowerPoint deck full of green-yellow-red dashboards that communicated nothing actionable.
The communication structure failed. And when regulators show up, they look at what the board did with the information — the minutes and the resource allocation decisions that followed.
This Is a Board Problem
The instinct right now is for CISOs to buy insurance and hope for the best. That's rational, given the environment. But if you're a CEO or a board director, the CISO buying liability insurance should be a red flag about your governance structure, not a problem for HR.
Ask yourself: When was the last time your board received a cybersecurity briefing that resulted in a specific decision — a vote, a budget reallocation? Can you point to the board minutes that document it?
If your CISO is presenting risk and your board is receiving it as information rather than acting on it as governance, you have a liability gap. And that gap doesn't belong to the CISO. It belongs to the directors whose fiduciary duty includes overseeing risk.
The SEC knows this. Its FY2026 examination priorities explicitly call out AI-driven threats to data integrity, and the agency is considering enhanced disclosure requirements for AI governance. They're not asking whether your CISO filed the right report. They're asking whether your board understood the risk and governed accordingly.
What Changes This
More dashboards won't fix this. A different kind of conversation will. I cover the mechanics of this conversation in Cyber Risk Is Business Risk — here's the short version:
Document decisions, not briefings. Board minutes should reflect what was decided, not what was presented. "The board received a cybersecurity update" is legally useless. "The board approved a $2.1M investment in endpoint detection based on the CISO's assessment of ransomware exposure in the manufacturing division" is governance.
Give the CISO a seat at the table, not a slot on the agenda. A growing body of research — and now the NACD's 2026 Director's Handbook on Cyber-Risk Oversight — argues that CISOs need direct reporting lines to the CEO and regular, substantive board engagement. Not a quarterly 15-minute slot after the compensation committee runs long.
Stop conflating compliance with security. You can be fully compliant and completely vulnerable at the same time. The HBR article "Boards Are Falling Short on Cybersecurity" identified this as one of three reasons boards are getting worse at cyber governance even as they spend more on it. Compliance tells you whether you checked the boxes. Security tells you whether the boxes mattered.
The CISO liability crisis is real. But the governance structure that created the gap is where the fix has to happen — and that structure reports to you.