2026 Cyber Risk Reset: Liability Is the New Attack Surface
The cyber risk landscape has fundamentally shifted. In 2026, the primary attack surface is no longer technical infrastructure — it is personal liability. As regulators across the EU, UK, and US enforce individual accountability provisions under DORA, NIS2, and SEC cyber disclosure rules, directors and CISOs face unprecedented personal exposure.
This paper examines the convergence of regulatory enforcement, litigation trends, and insurance market dynamics that have made liability the defining risk vector. It provides a practical framework for boards to quantify, manage, and transfer liability risk, including analysis of D&O insurance gaps, indemnification structures, and the emerging market for cyber-specific executive protection. Drawing on enforcement actions from 2024-2026 across multiple jurisdictions, the paper maps the liability landscape and provides actionable strategies for risk mitigation.
- 01 The Liability Paradigm Shift
- 02 Regulatory Enforcement Trends 2024-2026
- 03 Personal Liability Under DORA and NIS2
- 04 SEC Cyber Disclosure and Director Exposure
- 05 D&O Insurance Gaps in Cyber Events
- 06 Quantifying Board-Level Cyber Liability
- 07 Indemnification and Protection Structures
- 08 Strategic Risk Transfer Framework