New Zealand is advancing regulatory proposals that would hold company directors personally liable, through direct financial penalties, for cybersecurity failures or mishandled breach disclosures at critical infrastructure operators. Legislative specifics, including a formal bill number, are not yet confirmed from available sources; confidence on details is low. This follows a documented global trend: the U.S. SEC finalized board-level cybersecurity disclosure rules (17 CFR 229.106, Item 1C) in 2023 and pursued enforcement against SolarWinds that same year, signaling that director accountability for cyber risk is an active regulatory priority across jurisdictions.