In the US it’s a legal battle currently being fought. CISOs have been charged by the SEC and other agencies, with varied success. Some cases have been deemed over-reach, some have not. And other were a case of a CISO doing ostensibly illegal things in their capacity (in some cases paying ransom demands have been interpreted as such, especially when disguised as other things).