Should CEOs Be Held Personally Accountable for Cyber Attacks?
https://www.cybersecurity-insiders.com/should-ceos-be-held-personally-accountable-for-cyber-attacks/
Publish Date: 2026-06-13 08:41:00
Source Domain: www.cybersecurity-insiders.com
When a major cyber attack strikes, attention often turns immediately to the IT department. Questions are asked about firewalls, patches, endpoint protection, and whether security teams could have done more to prevent the breach. However, as cyber incidents increasingly threaten business continuity, reputation, shareholder value, and even national economic stability, a more important question is emerging: should CEOs and boards be held personally accountable when their organisations fall victim to a cyber attack?
The answer is increasingly yes.
Cyber Security Is a Boardroom Issue
Cyber security is no longer simply a technical issue. It is a business resilience issue. Decisions about investment, risk appetite, governance, operational resilience, and crisis preparedness are made in the boardroom, not the server room. If organisations are expected to treat cyber risk with the seriousness it deserves, accountability must ultimately sit with those responsible for leading the business.
That does not mean CEOs should be blamed every time an attack occurs. No organisation can guarantee perfect security. Even the most mature organisations with substantial security budgets can fall victim to sophisticated threat actors. The question is not whether a cyber attack happens, but whether leadership took appropriate and proportionate steps to reduce risk and prepare for inevitable incidents.
The JLR Cyber Attack: A Leadership Lesson
The recent cyber attack on Jaguar Land Rover (JLR) provides a powerful example. The disruption forced production shutdowns across multiple sites, impacted employees, and created knock-on effects throughout the supply chain. Importantly, JLR responded quickly by shutting down affected systems to contain the threat and prevent further damage. While this caused immediate operational disruption, it demonstrated decisive leadership and an understanding that rapid containment is often essential during a cyber crisis.
The incident also highlighted a broader reality facing many industries. Cyber attacks are no longer confined to traditional IT environments. Manufacturers, critical infrastructure operators, and organisations reliant on operational technology (OT) are increasingly targeted because disruption to operations can create significant commercial pressure. In sectors where production downtime directly impacts revenue, cyber security becomes inseparable from operational resilience.
What Boards Should Be Responsible For
This is precisely why cyber governance belongs at board level.
At Avella, we advise executive boards to focus on several core responsibilities when governing cyber risk. The first is risk management and prioritisation. Boards must understand which assets, systems, and business processes are most critical and ensure that security investments align with strategic business objectives.
Second is governance of emerging technologies, particularly artificial intelligence. Boards must establish clear expectations around responsible technology use and ensure governance objectives are embedded within executive performance measures.
Third is operational resilience. Security and resilience are fundamentally linked. Boards should ensure incident response plans are tested regularly through tabletop exercises, simulations, and crisis rehearsals so decision-makers can act quickly when real incidents occur.
Supply chain assurance is equally important. Modern organisations depend on complex ecosystems of third-party suppliers, service providers, and technology partners. Boards must maintain visibility over cyber risks extending beyond their own networks and understand the security maturity of critical suppliers.
Finally, leaders must consider future threats. Forward-thinking boards are already assessing long-term risks such as quantum computing and planning transitions to post-quantum cryptography where appropriate.
Accountability Without Blame
The challenge, however, is determining where accountability should end. Organisations should not be punished simply because they were targeted by a sophisticated attacker. The reality is that determined adversaries will occasionally succeed despite strong security controls.
A useful comparison can be found in GDPR. The regulation does not require organisations to guarantee perfect protection of personal data. Instead, it requires them to implement “appropriate technical and organisational measures” based on the risks they face. Regulators assess whether reasonable precautions were taken, whether risks were understood, and whether controls were proportionate.
Cyber accountability should follow a similar principle.
Boards and executives should be judged on whether they understood the cyber risks facing the organisation, invested appropriately in resilience, maintained effective governance structures, and ensured the business was prepared to respond when incidents occurred. If these responsibilities have been neglected, personal accountability becomes far more justifiable.
Why Stakeholders Are Paying Closer Attention
This approach also reflects growing expectations from regulators, investors, insurers, and customers. Increasingly, cyber governance is being viewed as a measure of leadership effectiveness. Stakeholders want assurance that cyber risk receives the same attention as financial governance, health and safety, regulatory compliance, and operational risk.
Ultimately, cyber resilience should be viewed through exactly the same lens. Leaders are not expected to prevent every incident. They are expected to demonstrate due diligence, informed decision-making, and responsible stewardship of organisational risk.
The Future of Cyber Accountability
As cyber threats continue to evolve, the role of boards and CEOs must evolve with them. The future of cyber resilience will not be determined solely by technology. It will be determined by leadership. Organisations that recognise this reality and embed cyber governance into their boardroom agenda will be far better positioned to withstand the inevitable challenges ahead.