CityAM
Wednesday 03 June 2026 5:05 am  |  Updated:  Tuesday 02 June 2026 3:58 pm

The Debate: Should CEOs be held personally accountable for cyberattacks?

By: Anna Moloney

Deputy Comment and Features Editor


Is bad management to blame for cyberattacks? And even if not, should bosses be held accountable? We hear the case for both sides in this week’s Debate

YES: I’d go further, they should be sacked

CEOs should absolutely be held accountable for a cyberattack. In fact, I would go even further: when there’s a breach, defined as a system being compromised or data being stolen, the CEO should be automatically fired as a result.

It sounds dramatic, but CEOs have avoided consequences while security leaders serve as ‘bullet fodder’. Security leaders don’t set the budget, determine the risk threshold for the business, or decide whether other business units comply. They surface risk and recommend action, but leadership decides whether to act. Over the last year, we’ve seen that a breach can have a catastrophic impact on customers, employees, the business and its supply chains. 

When leadership ignores security issues or underfunds security budgets, that’s a choice. True leadership means CEOs own that risk, just like any other function within the business.

We should treat catastrophic cyber events like any other form of executive negligence. Boards should define clear thresholds for material breach impact, after which CEO dismissal is automatic and non-negotiable.

Incentives also matter. Resilience and risk reduction need to be embedded in how success is measured. For example, when security impacts employees’ bonuses, it becomes a priority for everybody.

It’s the CEO’s responsibility to set those incentives, and without personal consequence at the top, incentives drift, and cybersecurity becomes a secondary issue.

When failure carries no personal cost for leadership, accountability shifts downward. Personal accountability at CEO level restores seriousness to cyber risk and aligns decision-making with real-world consequences for all stakeholders.

The American President, Harry Truman, had a desk sign that read ‘The Buck Stops Here.’ That should be on every CEO’s desk.

John Kindervag is the creator of the ‘Zero Trust’ cybersecurity model and is ‘chief evangelist’ at Illumio

NO: This would potentially incentivise dangerous cover-ups

Given the different forms that cyber attacks can take, and the various avenues through which attacks can be made, it is invidious to single out any one category of individual within an organisation to take personal responsibility. But there are specific reasons why it would increase the risks posed by cyber-attacks for the CEO to be made personally accountable for them.

Cyber attacks can happen in minutes and can proliferate through networks, contaminating a business’s systems before moving on to those of their suppliers, customers or wider ecosystem if unchecked. In the moments after an attack is discovered, everyone’s focus needs to be on containing it as rapidly as possible, and communicating openly and transparently to anyone else who might have been affected. In those circumstances, it is highly risky to incentivise a key decision-maker in that process to cover up the nature or extent of the incident out of concern for the personal implications for them.

Assuming that the consequences for a CEO are serious enough, the possibility of personal exposure also creates a new threat vector for attackers, who might seek to extort a payment from the CEO in order to avoid publicity around the incident. That point underscores an important reality – while individuals (be they customers, patients, students or employees) are often the most directly affected when a cyber-attack happens, companies and their officers are also the injured parties in these scenarios. The focus should be on identifying and penalising the perpetrators, not the victims.

Will Richmond-Coggan is partner and head of cyber disputes at Freeths

THE VERDICT 

Marks and Spencer boss Stuart Machin may not have been personally responsible for the cyber attack that halted the company’s online operations for 46 days, but he has certainly paid a price. The company’s annual report released this week revealed he’s taken a 40 per cent pay hit as a result, with the company’s bonus scheme scrapped due to the incident. But as the threat of cyberattacks becomes ever greater for businesses, should companies go further?

Of course, cyberattacks are unlikely to have been directly caused by the chief executive – in the case of M&S, it was an employee who was tricked into giving out sensitive information – but of course that’s not the point. Responsibility is arguably the key thing that sets CEOs apart – if that’s why they should earn the most when the going is good, surely it’s also why they should bear the biggest cost when it goes the other way? So thinks Mr Kindervag, at least, who rightly argues that to make cybersecurity a first-rate priority, you need first-rate incentives.

The argument is alluring, but ultimately we must side with Mr Richmond-Coggan, who speaks not of righteous justice but of sobering practicality. And he is right: holding CEOs personally accountable by rule is more likely to incentivise corruption than it is cybersecurity workshops. Besides, as we have seen with Mr Machin, the CEO will usually pay a price anyway.

Copyright 2026 CityAM Limited