
Cyber Insights 2026: What CISOs Can Expect in 2026 and Beyond

SecurityWeek
By Kevin Townsend for SecurityWeek
Monday, January 12, 2026

In November 2025, the SEC dropped its litigation against SolarWinds and its CISO. Many hope that this may signal a reduction in the potential for personal liability. Indeed, a SolarWinds spokesperson said at the time, “We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work.”

But don’t bank on it, warns Ilia Kolochenko, CEO at ImmuniWeb and cybersecurity practice lead at Platt Law. He believes the SEC’s action was strategic, suggesting it is maintaining the precedent of legal action for future cases while avoiding the possibility of losing this specific case. “It would be imprudent to believe that the risk of personal liability for data breaches has now vanished,” he says.

Indeed, Kolochenko suggests the threat of liability goes beyond the regulators, with individual lawyers weaponizing the issue. “I recently witnessed several cases where CISOs and key cybersecurity professionals in their teams were personally threatened by creative lawyers after a data breach.”

These threats aren’t necessarily seeking criminal prosecution of the individuals, but are looking for information about the breached company, with CISOs cajoled into discussing problems such as insufficient budgets, understaffed teams, unrealistic goals, and lack of cybersecurity knowledge in management and the board of directors.

“For plaintiffs’ lawyers, such admissions are a treasure trove to either settle with the breached or misbehaved company for a record amount, or to get punitive damages in court when permitted by law, possibly making even more money… If you don’t have your personal lawyer and legal insurance in place,” he adds, “get them without delay.”

