Time to talk about executive cyber liability risks. Managing cybersecurity and compliance at a senior level carries more significant personal risks than ever. Regulators worldwide are increasingly holding individual executives, such as Chief Information Security Officers (CISOs) and Chief Compliance Officers (CCOs), personally responsible when organisations fail to handle cybersecurity incidents correctly or transparently. Rather than just imposing fines on companies, authorities now often target individual senior executives directly.
Recent high-profile cases in both the United States and Europe highlight the seriousness of these executive cyber liability risks. At the same time, new European regulations, such as the NIS2 Directive, the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA), and the EU Artificial Intelligence Act (EU AI Act), place additional personal responsibility on executives.
This article explains why executive cyber liability risks have become so important, illustrates this trend with real-world examples, reviews relevant regulations, and provides practical steps to reduce your risk as an executive.
Why regulators are now starting to target executives personally
Previously, regulators punished companies by imposing significant fines when cybersecurity or compliance failures occurred. However, these fines often hurt shareholders, customers, or employees rather than changing senior-level behaviour. Regulators now prefer to hold individual executives accountable, believing this approach is a stronger deterrent and encourages better personal responsibility.
Real-world cases demonstrating executive cyber liability risks
The case of Joe Sullivan, former Chief Security Officer at Uber, illustrates this shift clearly. In 2022, the United States Department of Justice (DOJ) prosecuted Sullivan for hiding a significant data breach by paying hackers through Uber’s bug bounty programme. Although Sullivan was not sent to prison (he received three years of probation because he had no previous criminal history and presented numerous character references), the judge warned that future cases would not receive the same leniency. This decision highlights the growing seriousness of executive cyber liability risks and sets a clear warning: executives who fail to report cybersecurity incidents honestly can face personal legal action.
Carlos Abarca was the Chief Information Officer at TSB Bank in the UK. Regulators fined him personally after he misled the bank’s board about problems during a major IT migration project. His online professional profile, which exaggerated his expertise, was also used against him, showing that executives must accurately represent their abilities and responsibilities.
In 2023, Tim Brown, the CISO at SolarWinds, faced action from the US Securities and Exchange Commission (SEC) after a significant cybersecurity breach at his company. Although the SEC dismissed most of the charges, Brown continues to face allegations that he misled investors about the company’s cybersecurity risks. The case demonstrates that even executives without malicious intent can face personal legal risks from cybersecurity failures.
New European regulations increasing executive cyber liability risks
European regulations are increasingly focused on individual accountability, significantly raising executive cyber liability risks:
- NIS2 Directive (Directive (EU) 2022/2555) — The NIS2 Directive sets strict cybersecurity standards for essential sectors like energy, transport, finance, and healthcare. Senior executives must ensure their organisations follow these rules, including implementing robust risk management and incident reporting. If the organisation falls short, individual managers can be held personally responsible.
- Digital Operational Resilience Act (DORA) — This law targets European financial services organisations and places clear responsibilities on senior executives to oversee cybersecurity management. Individuals who do not fulfil these duties properly can face personal liability.
- Cyber Resilience Act (CRA) — The CRA will require manufacturers and importers of digital products to build cybersecurity into their products from the design stage. Executives at these companies can be personally liable if products fail cybersecurity standards.
- EU Artificial Intelligence Act (EU AI Act) — The EU AI Act introduces strict rules for organisations that use high-risk AI technologies. Senior executives must oversee risk management, incident handling, and protection against cyber threats involving AI systems. Again, individuals can face personal consequences if the organisation does not meet these standards.
Practical steps to reduce executive cyber liability risks
Senior executives should take practical action to protect themselves:
- Check carefully before taking a job — Investigate the organisation’s compliance and cybersecurity history. Strong governance and ethical standards at the board level reduce your risk.
- Clarify your role and responsibilities — Ensure your job description clearly states oversight rather than operational responsibility. This clarity helps limit personal liability.
- Secure adequate legal protection — Ensure your contract includes ‘Directors and Officers’ (D&O) insurance coverage, clear indemnity clauses, and clearly defines your reporting relationships and resources.
- Establish formal internal reporting — Avoid informal emails or chats when discussing cybersecurity or compliance concerns. Instead, encourage structured internal reporting, incident response drills, and regular documentation of all cybersecurity activities.
- Regularly update compliance policies — Review your organisation’s cybersecurity policies to match evolving regulations like NIS2 and DORA. This shows regulators your proactive commitment to compliance.
Why executive cyber liability risks matter now more than ever
Executive cyber liability risks have fundamentally changed the role of CISOs, CCOs, and other senior compliance or cybersecurity managers. The recent legal cases and European regulatory developments we have discussed above demonstrate that personal accountability is no longer theoretical — it’s very real. The personal consequences of regulatory action are significant, potentially damaging careers and reputations even when an executive is ultimately not at fault.
Actions you can take next
Executives must proactively manage their risks by clearly defining their roles, understanding legal responsibilities, and regularly updating their organisation’s cybersecurity and compliance frameworks. Doing so will protect executives personally and strengthen their organisation’s cybersecurity posture overall. As an executive, you can:
- Lower your executive cyber liability risks by thoroughly investigating a company’s compliance record before accepting a senior cybersecurity or compliance role. We can help you with both general due diligence and cybersecurity due diligence.
- Protect your career by ensuring your job description and employment contract clearly define your oversight responsibilities and include adequate legal protection. Contact us to assist you with this and other labour and employment law issues.
- Read relevant rules, codes and standards by examining the NIS2 Directive, DORA, Cyber Resilience Act, and EU AI Act.
- Strengthen your organisation’s compliance by regularly updating your internal cybersecurity policies and procedures to align with current regulations. Have a look at our cybersecurity law focus area for more information.