Executive Liability for Ignoring Cybersecurity Is Here

New Trends in Corporate Leadership Are Moving Accountability for Non-action to the Very Top

By Jack Wagnon, Principal Consultant, SIM

We’ve entered a new era of accountability. Cybersecurity governance gaps now expose executive leadership to real liability: financial, career, even criminal. Clearly, a new theme is developing in Corporate America: “Treat cyber risk like any other material business risk, or your leadership team will carry the cost.”

Bonuses clawed back for cyber failures.
In September 2025, Qantas cut short-term bonuses for senior leadership by 15%—including a ~A$250,000 reduction for CEO Vanessa Hudson—after a breach exposed data for roughly 5.7–6.0 million customers. The board tied pay to the cyber event’s impact on customers and disclosure obligations.

Criminal liability for security leaders who conceal incidents.
Uber’s former CSO Joe Sullivan was convicted (Oct. 2022) and sentenced to three years’ probation and a $50,000 fine (May 2023) for obstructing justice and misprision of felony in connection with a breach he tried to cover up. The Ninth Circuit affirmed the conviction in March 2025.

Personal accountability orders for CEOs.
The FTC’s Drizly case binds the CEO personally to implement a security program after a breach affecting ~2.5M consumers—explicitly signaling that leadership will be held to account when they “preside over” unlawful practices.

SEC Actions for Misleading or Delayed Cyber Disclosures

  • ICE/NYSE parent paid $10M in 2024 for failing to timely inform the SEC of a cyber intrusion under Reg SCI—an enforcement posture that makes “delay” itself the violation.
  • In Oct. 2024 the SEC charged four public companies (settlements $990k–$4M) over materially misleading cyber disclosures—the first wave tied to SolarWinds-related impacts.
  • The SolarWinds matter shows personal exposure for CISOs when disclosures and internal assurances don’t match reality; while a judge in 2024 dismissed most SEC claims, the case still illustrates how the Commission will press officers it believes downplayed known risks.

Sector regulators are writing the playbook for “failure to act.”
Under NYDFS Part 500, firms have paid multi-million-dollar penalties where basic controls (MFA, access limits, data disposal) and executive certifications were deficient—e.g., EyeMed: $4.5M plus mandated remediation.

Global data-protection regimes impose nine-figure hits that boards feel.
UK ICO fines for British Airways (£20m) and Marriott (£18.4m) remain board-level cautionary tales; cumulative GDPR penalties have surged into the billions of euros, with regulators broadening targets beyond “Big Tech.”

Impacts on Boards, CEOs and Business Unit Leaders

This is not theory. It’s happening—across jurisdictions and industries—with clear patterns:

  1. Speed and accuracy of disclosure are as material as prevention. The ICE action shows that delay itself draws penalties, even where operations weren’t disrupted. Build “disclose-ready” processes and decision trees before you need them.
  2. Personal accountability is expanding. FTC’s Drizly order attaches directly to the CEO; Uber’s case shows prosecutors will pursue individuals when they mislead investigators or regulators. Expect more naming of officers and certification-based liability.
  3. Misalignment between internal risk reality and public statements invites enforcement. The SEC’s SolarWinds filings (and the 2024 settled cases) target the gap between what leaders knew and what they said. Ensure risk registers, board minutes, and external disclosures stay in lockstep.
  4. Controls still matter. NYDFS actions are blunt: lack of MFA, weak passwords, poor data retention, and faulty executive certifications equal cash penalties and mandated remediation.
  5. Compensation is now a lever. Qantas demonstrates that boards will dock bonuses for cyber governance failures—not just for safety incidents or financial underperformance. Expect more explicit cyber KPIs in executive scorecards.

Practical Board-level Action

  • Budget to your risk, not to last year’s spend. Fund GRC programs with line-of-sight to regulatory obligations (SEC, FTC, NYDFS, GDPR, sector rules). Tie budget to measurable control maturity and disclosure readiness.
  • Establish disclosure governance. Pre-approve materiality criteria, escalation paths, counsel engagement, and draft templates for Form 8-Ks/market notices. Rehearse them.
  • Demand evidence, not assurances. Require quarterly artifacts: MFA deployment coverage, privileged-access reviews, tested backups, incident drill results, SBOM/patch SLAs, and third-party risk attestations.
  • Align statements with risk reality. Audit the consistency across board decks, risk registers, SOC reports, and public filings. Fix gaps before the regulator does.
  • Tie pay to cyber outcomes. Incorporate objective security KPIs (e.g., time-to-detect, time-to-contain, critical-patch SLA, phishing fail rate, disclosure timeliness).
  • Name an accountable owner. Clarify who certifies controls (CISO, CIO) and who certifies disclosure readiness (GC, CFO). Put it in charters and minutes.

The Bottom Line for Corporate Boards and Executives

The real risk isn’t only a compromised network; it’s leadership accountability for failure to act. Treat cyber like credit, safety, and liquidity risk: budget it, prioritize it, and own it at the top—or regulators, courts, and your own compensation committee will make the point for you.

References

  • U.S. SEC. “SEC Charges SolarWinds and Chief Information Security Officer With Fraud,” Oct. 30, 2023 (and complaint PDF).
  • White & Case. “Judge Rejects SEC’s Aggressive Approach to Cybersecurity Enforcement,” Jul. 29, 2024 (SolarWinds partial dismissal).
  • U.S. DOJ. “Former Chief Security Officer of Uber Sentenced,” May 5, 2023; Ninth Circuit affirmation, Mar. 13, 2025.
  • FTC. “Takes Action Against Drizly and Its CEO,” Oct. 24, 2022; Final Order Jan. 10, 2023.
  • U.S. SEC. “Intercontinental Exchange to Pay $10 Million Over Delayed Cyber Disclosures,” Jul. 2, 2024; Reuters coverage May 22, 2024.
  • U.S. SEC. “Charges Four Companies With Misleading Cyber Disclosures,” Oct. 22, 2024; Cleary Gottlieb summary Oct. 31, 2024.
  • NYDFS. “EyeMed Vision Care LLC – $4.5M Cybersecurity Settlement,” Oct. 18, 2022 (Consent Order).
  • UK ICO/coverage: British Airways (£20m); Marriott (£18.4m) GDPR fines (2020). Morgan Lewis.
  • Qantas bonus reductions tied to 2025 breach (board and press coverage). Reuters.