The Liability Question Nobody Wants to Ask in the Boardroom

South Korea enacted a rewrite of its national privacy law on March 10, 2026, with a fine ceiling of 10% of total company turnover and direct legal accountability that runs straight to the CEO—effective September 11, 2026. This didn't come from regulatory zeal. With CMMC 2.0 requiring executives to personally certify supply chain security, NIS2 holding management bodies liable for 'gross negligence,' DORA enabling individual penalties for ICT governance failures, and the SEC cementing precedent through cases like SolarWinds, regulators have shifted the burden of cyber accountability onto the people signing the forms, not the organizations behind them.

I've spent 25 years optimizing IT operations and risk within boards' comfort zones. What's happening now is different. The comfort zone is closing.

Your Role Is Changing; Your Liability Isn't

Here's the hard truth: CIO risk management now encompasses personal liability questions—what level of personal liability does the CIO have, and could they be held personally liable for a breach? This isn't hypothetical. A Fastly report of 1,800 IT leaders shows 93% of organizations have updated policies to address CISO liability, with 41% involving CISOs more deeply in strategic board decisions, 38% providing increased legal support for security teams, and 38% reporting additional scrutiny from regulators on security disclosures.

The gap is that those protections are mostly around cybersecurity. The CIO role is broader—data governance, AI strategy, compliance architecture, supply chain risk, operational resilience. Accountability for AI-driven decisions is emerging as a critical risk, with organizations required to demonstrate who made decisions to deploy AI systems, how those systems operate and what oversight mechanisms exist. That sits squarely in the CIO's domain, yet the legal and governance frameworks haven't caught up.

The Approval Problem

Many boards operate on a consent model: "The CIO proposed this architecture. The board approved it. Risk is managed." That logic no longer holds. Regulators have explicitly identified the pattern where financial exposure lands on legal teams and privacy officers while the C-suite remains insulated. South Korea's amendment addresses this head-on, designating the CEO as the person ultimately responsible for data processing and protection—a statutory supervisory duty, not a best-practice recommendation. Senior executives who have managed privacy risk by delegating it downward will find the amended law forecloses that approach.

What applies to privacy is migrating across governance. CIOs need rapid materiality assessments, regulator-ready reporting and integrated governance with legal and finance. It's no longer about alerts; it's about response speed, resilience and accountability.

The Board Conversation You Need to Have

This isn't a security hardening conversation or a technology investment pitch. This is a governance structure conversation, and it should happen before the next breach or enforcement action.

First, clarify personal accountability. Accountability boundaries remain blurred—CIOs own platforms and data, CISOs own cyber defense, but business leaders own outcomes. That's a problem if regulators ask who was responsible for a decision and the answer bounces between three people. You need explicit, documented ownership—who signs for data governance? Who certifies AI deployment? Who owns breach response decisions?

Second, establish the CISO reporting line. CISOs should have direct, unmediated access to the board. When the security leader reports through a CIO or CFO who filters the message through a budget or operational lens, risk communication becomes distorted. It is unreasonable to hold someone accountable for a risk they were not allowed to report accurately. This isn't about turf. It's about ensuring the board hears risk signals without institutional filtering.

Third, demand transparency on your own liability insurance. Striking a balance between board expectations and personal liability is critical. Have your legal team review your D&O policy with fresh eyes. Are CIO roles covered? Are there carve-outs for intentional misstatement? What happens if regulators argue you knew about a risk and didn't disclose it? These questions feel uncomfortable in the boardroom. They're more uncomfortable in a deposition.

The Real Leverage Point

You don't need to fear personal liability to act on it. You need to use it to reset governance that's been broken for years. The CIO mandate has undergone a fundamental shift. Technology is no longer evaluated as an enabler, a cost center, or even a transformation program—it is now assessed as a direct driver of enterprise outcomes, with explicit accountability for value realization, risk, resilience, and speed.

That's actually your opening. If the board is going to hold you personally accountable, then they need to give you the authority to execute that accountability—budget alignment, hiring control, architectural decisions, supply chain veto power. The liability conversation, handled right, is a lever for building real operating authority.

Regulators aren't done rewriting the rules. You shouldn't be done rewriting your governance model either. Do it now, on your terms, with your legal counsel and your board partners. The alternative is doing it in a crisis, reactive and exposed.