Defensible Beats Perfect: Notes From our CISO D&O Webinar Panel
On June 10, we brought four people into the same conversation who don’t often share a stage: a sitting CISO, a litigator, an underwriter, and a CRQ-platform founder. The topic — the personal liability landscape facing security leaders in 2026, and what to do about it — turned out to need every one of those perspectives.
Here’s what we heard.
Governance has become the defining responsibility of the CISO role
Adam Palmer, CISO at First Hawaiian Bank, opened with a clear-eyed observation: a decade ago, CISOs talked firewalls and vulnerabilities. Today, they talk enterprise risk, regulatory expectations, and board-level decision support. “Boards don’t fund vulnerabilities,” he said. “They want to fund evidence of business risk reduction.” The questions regulators ask after an incident aren’t usually about the technical root cause. They’re about whether the risk was understood, whether it was communicated, and whether leadership and the board were informed.
The mindset shift: ‘reasonable,’ not ‘perfect’
Jena Valdetero, Co-Chair of Greenberg Traurig’s U.S. Data, Privacy & Cybersecurity Practice, laid out the legal frame. The standard isn’t strict liability — it’s whether the security leader acted in accordance with a reasonable standard of care. That distinction matters. It’s why documentation, board reporting, and the rationale behind risk decisions have become the load-bearing wall of a CISO’s personal defensibility. Jena’s working mantra echoed Adam’s: “If you don’t document it, I don’t believe it happened.”
She also flagged the practical reality that federal enforcement may have cooled under the current administration, but state regulators — Massachusetts WISP, NY DFS Reg 500, the SHIELD Act, the new CCPA cybersecurity audit requirements — are filling the gap. And shareholder derivative suits don’t care which administration is in office.
The coverage gap is real — and structural
Jeff Hirsch, President of AegisExec (a K2 Insurance Services brand), explained why standard corporate D&O policies often leave CISOs exposed. Many policies were never written with cybersecurity events in mind; some include explicit cyber exclusions. And the definitional question of whether a CISO is an “officer” can hinge on something as arbitrary as reporting lines. A CISO who reports to the CEO is one conversation. A CISO two layers down under the CIO or CTO is another.
Why we built this with AegisExec
What Axio cares about — translating cyber risk into business terms, quantifying exposure, and giving boards a defensible record — is the same evidence trail a CISO needs if their personal decisions are ever questioned. That alignment is the foundation of our new CISO D&O coverage, arranged through AegisExec in partnership with Underwriters at Lloyd’s of London.
Eligible Axio360 customers can access $1M of baseline coverage with options up to $5M, with two simple requirements: an active Axio license, and quarterly board reporting through the platform — the same reporting most security leaders already want to produce.
Closing thoughts
We’ll leave you with the line that may have stuck with us the most. Asked what separates the most defensible organizations from the rest, Adam said: “They’re not necessarily the ones with the fewest risks. They’re the ones that can effectively demonstrate that they understand and manage them.”
Defensible beats perfect. That’s the through-line.
To learn more about CISO D&O coverage for Axio360 customers, contact us at [email protected].