Executive Guide for Cyber Accountability Laws
May 16, 2026
Updated May 15, 2026
Executive Summary
Cybersecurity failures are no longer just an IT problem. Federal and state regulators have made personal liability for executives a legal reality, and the consequences extend well beyond corporate fines.
California's CCPA cybersecurity audit rules took effect Jan. 1, 2026, with staggered executive certification deadlines beginning in 2028. New York's NYDFS Part 500 requires annual compliance certifications signed by a senior officer. The SEC's four-business-day incident disclosure rules remain in force for public companies.
The FTC Safeguards Rule carries per-violation penalties now exceeding $50,000 per day. Michigan's Insurance Data Security Law mandates annual certifications for insurers, and a broader state privacy bill awaits a House vote. Executives who sign certification documents without conducting proper due diligence face personal fines, career-ending sanctions, and in egregious cases, criminal prosecution. Outsourcing IT to a managed service provider (MSP) doesn't transfer that liability.
This post explains the legal landscape, what each regulation requires, and the steps executives should take now to protect themselves and their companies.
Cybersecurity failures now carry personal consequences for executives. When you sign a certification document, you're not simply acknowledging receipt of information. You're attesting to facts under penalty of law. If those facts are wrong, incomplete, or misleading, regulators can pursue enforcement action against you individually, separate from any corporate penalties.
This shift represents a fundamental change in how cybersecurity risk is distributed. The buck no longer stops with the IT department. It stops with the C-suite. State and federal agencies have made clear that executives who certify compliance without conducting proper due diligence will face personal liability. And as the cost of cybersecurity failures continues to climb, the financial stakes of inaction have never been higher.
California Requires Personal Certification
The California Privacy Protection Agency (CPPA), which enforces the California Consumer Privacy Act (CCPA), finalized cybersecurity audit regulations that were approved by the Office of Administrative Law on Sept. 23, 2025, and took effect Jan. 1, 2026. The rules apply to businesses whose processing presents a significant risk to consumers' security, specifically those that derive 50% or more of annual revenue from selling or sharing personal information, or that have over $25 million in annual revenue and either process the personal information of 250,000 or more California consumers or the sensitive personal information of 50,000 or more consumers.
Annual cybersecurity audits must be conducted by a qualified, objective, independent professional auditor. Certifications of completion must be submitted to the CPPA on a staggered schedule based on revenue: April 1, 2028 for businesses with over $100 million in annual revenue; April 1, 2029 for those with $50 to $100 million; and April 1, 2030 for businesses under $50 million. The certification must be signed under penalty of perjury by appropriate executive leadership.
The CPPA expects executives to understand what they're certifying. If an audit identifies vulnerabilities that aren't addressed and a breach occurs, the executive who signed the certification may face personal liability for failure to remediate known risks. The agency has enforcement authority to pursue both the business and the individual who provided false attestation. False or intentional violations carry fines of up to $7,988 per violation under current inflation-adjusted figures.
The reach of California law extends beyond state borders. Any company that meets the revenue or data processing thresholds and serves California consumers must comply, regardless of where the business is headquartered. This means a Michigan-based manufacturer selling to California customers could face CPPA enforcement if the CEO certifies an incomplete audit.
New York Mandates Annual Certs
The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, codified as 23 NYCRR Part 500, applies to any financial institution licensed in New York. This includes banks, insurance companies, mortgage lenders, and other financial services firms operating in the state. The regulation doesn't care where your headquarters are located. If you hold a New York license, you must comply.
The regulation requires an annual certification of compliance signed by a senior officer, typically the CEO or equivalent. This certification must confirm the business has reviewed its cybersecurity program, assessed its effectiveness, and maintains controls that comply with Part 500 requirements. The senior officer must personally attest to the adequacy of the program.
NYDFS has demonstrated its willingness to pursue enforcement action when certifications prove inaccurate. In recent years, the agency has imposed multi-million-dollar penalties on firms for cybersecurity deficiencies discovered after senior officers certified compliance. These enforcement actions frequently include findings that the certifying officer failed to exercise appropriate oversight or relied on incomplete information when signing.
The regulation also mandates board-level involvement in cybersecurity governance. The board or a board committee must receive regular reports on the cybersecurity program and approve cybersecurity policies. This creates a chain of accountability that extends from the board to senior management to the CISO. When breaches occur, regulators examine whether board members and executives fulfilled their oversight responsibilities. Directors and officers who didn't ask appropriate questions or demand adequate reporting may face scrutiny.
Part 500 requires specific technical controls including multi-factor authentication (MFA), encryption of sensitive data, and annual penetration testing. It also mandates vendor risk management programs, including oversight of cyber liability insurance requirements for third-party service providers. Executives can't delegate away liability by outsourcing IT functions. They remain responsible for ensuring vendors meet security standards and for monitoring vendor performance.
SEC Requires Cyber Incident Reports Within Days
The Securities and Exchange Commission (SEC) adopted final rules in July 2023 that require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. The rules also require annual disclosure in Form 10-K describing the company's cybersecurity risk management, strategy, and governance. Those rules remain in force.
The four-day clock starts when the company determines an incident is material, not when the incident occurs. This creates pressure on executives to make rapid assessments while still gathering facts. The determination of materiality is a judgment call, and executives who delay reporting while downplaying an incident's significance may face enforcement.
The SEC's October 2024 settlements with Unisys Corporation ($4 million penalty) and Avaya Holdings ($1 million penalty) established that executives can't approve disclosures that understate the scope or impact of a known breach. Both companies had executives who were briefed on the actual extent of incidents but approved disclosures that understated the facts.
It's worth noting that the SEC's enforcement posture shifted in 2025. The agency dismissed its landmark case against SolarWinds and its CISO in November 2025, and under Chair Paul Atkins, confirmed April 2025, the SEC has signaled it will focus cybersecurity enforcement on affirmative misrepresentation and deliberate concealment rather than disclosure judgment calls. The four-business-day disclosure rules remain operative, but executives facing nuanced characterization questions have somewhat more breathing room than they did under the prior administration. That said, a company that knowingly minimizes a breach in its public filings still faces real enforcement risk.
The SEC also amended Regulation S-P in 2024, requiring investment advisers and broker-dealers to adopt written policies for detecting, responding to, and recovering from unauthorized access to customer information. Larger firms faced a compliance deadline of Dec. 3, 2025. Smaller firms must comply by June 3, 2026.
The SEC has made clear cybersecurity is a board-level issue. Directors are expected to receive regular briefings, understand the company's risk profile, and ensure management maintains appropriate controls. Leaders who rubber-stamp cybersecurity reports without asking substantive questions may be deemed to have breached their fiduciary duties if a material incident occurs.
When Was Your Last Cybersecurity Risk Assessment?
STACK Cybersecurity provides comprehensive cybersecurity risk assessments, or CSRAs. We meticulously identify and evaluate vulnerabilities and risks within your company's IT environment. We'll assess your network, systems, applications, and devices, then provide a detailed report and action plan to improve your security posture. Don't wait until it's too late.
FTC Safeguards Rule
The Federal Trade Commission's Safeguards Rule applies to non-bank financial institutions including mortgage brokers, automobile dealers, tax preparers, and consumer finance companies. The rule requires these businesses to develop, implement, and maintain a comprehensive information security program.
The Safeguards Rule designates a "qualified individual" who must oversee the security program. This person is personally responsible for program implementation and annual reporting to the board or senior management. If the security program fails, the qualified individual faces direct liability.
Civil penalties under the FTC Act are inflation-adjusted annually. The FTC's 2025 adjustment raised the maximum civil penalty to $53,088 per violation. Because a federal cancellation of cost-of-living adjustments across agencies for 2026, stemming from a temporary lapse in data collection, left the figure unchanged, this $53,088 limit remains in effect throughout 2026. Each instance of non-compliance constitutes a separate violation, so penalties can accumulate rapidly across multiple deficiencies or days of non-compliance.
For businesses experiencing data breaches affecting 500 or more consumers, the Safeguards Rule requires notification to the FTC within 30 days of discovery. Failure to notify within the required timeframe is itself a violation that can trigger additional penalties. Executives who attempt to conceal breaches or delay notification to minimize reputational damage may face enhanced penalties for obstruction.
The FTC has broad authority to pursue individuals who engage in unfair or deceptive practices. If an executive makes public statements minimizing cybersecurity risks that later prove inaccurate, or claims compliance with security standards the business doesn't actually meet, the FTC can bring enforcement actions for deceptive practices. These actions often name both the business and individual officers.
Michigan Cybersecurity Laws
Michigan has adopted several laws that create accountability for cybersecurity failures. The state implemented the Insurance Data Security Law, which applies to all insurers and insurance producers licensed in Michigan.
The law, codified in MCL 500.555, requires insurance licensees to establish and maintain a comprehensive written information security program proportionate to the size, complexity, and risk profile of the business. The law mandates administrative, technical, and physical safeguards to protect nonpublic information, including data held by third-party service providers. Each insurer must designate a qualified individual responsible for the program.
Senior management or the board must approve the security program in writing. Most significantly, the law requires annual certification filed with the Michigan Department of Insurance and Financial Services. This certification must be signed by a board member or senior officer attesting the insurer has complied with the law's requirements.
Michigan insurers who fail to maintain adequate programs or who provide false certifications face regulatory sanctions including license suspension or revocation. The individual who signed a false certification may be personally sanctioned, including being prohibited from serving in executive or board positions for other insurers.
Michigan's Identity Theft Protection Act requires any business that owns or licenses personal information about Michigan residents to notify affected individuals following a breach. Notification must occur without unreasonable delay. The law doesn't create explicit personal liability for executives, but Michigan's Consumer Protection Act allows the attorney general to pursue individuals who engage in unfair or deceptive business practices. An executive who conceals a breach or delays notification could face action under the Consumer Protection Act.
Michigan's broader consumer privacy legislation, Senate Bill 359 of 2025, remains pending as of this writing. The bill passed the Michigan Senate and has been referred to the House for consideration. It would establish the state's first comprehensive consumer privacy framework, requiring privacy governance frameworks, data security safeguards, and regular risk assessments for businesses processing personal data of 100,000 or more Michigan residents annually. It must pass both chambers and be signed by the governor before it becomes law. Michigan businesses should monitor its progress, as the trend toward personal executive accountability at the state level is accelerating. Tracking state-level regulatory developments has become a compliance necessity for businesses operating across multiple jurisdictions.
Michigan businesses should recognize that state law accountability will only increase. The legislature has shown willingness to strengthen data protection requirements, and national trends favor holding executives personally responsible for security failures.
Outsourcing Doesn't Remove Executive Liability
Many executives believe that hiring a Managed Service Provider (MSP) transfers cybersecurity liability to the vendor. This isn't correct. While MSPs manage technical infrastructure and implement security controls, legal accountability remains with the business and its leadership. When a breach occurs through a vendor failure and claims are denied, executives quickly discover that cybersecurity insurance denials often trace back to inadequate oversight of the very vendors they trusted to protect them.
Regulators view outsourcing as a risk management decision that executives must oversee. When you engage an MSP, you remain responsible for conducting due diligence before selecting the vendor, defining clear service level agreements and security requirements, monitoring vendor performance through regular reviews and audits, maintaining oversight of vendor access to your systems and data, ensuring the vendor maintains adequate cyber insurance and breach response capabilities, and having contingency plans if the vendor fails or the relationship terminates.
Regulators consistently hold that executives who delegate security to an MSP without maintaining active oversight have failed in their duty of care. In enforcement actions, agencies examine the level of board and executive involvement in vendor management. Executives who can't demonstrate they asked probing questions about vendor capabilities, reviewed vendor performance metrics, or conducted periodic audits face findings of inadequate oversight.
The liability risk is especially acute when breaches occur due to vendor failures. If your MSP fails to patch a known vulnerability and your systems are compromised, you can't simply point to the vendor and claim ignorance. Regulators will ask whether you had systems to monitor vendor performance, whether you received reports on patching status, and whether you took action when deficiencies were identified. If you can't affirmatively answer these questions, you face potential personal liability for failing to exercise appropriate oversight.
What Personal Liability Means for Execs
Personal liability in the cybersecurity context takes several forms that executives must understand.
Civil penalties assessed directly against individuals represent the most common form of liability. Federal and state agencies can impose fines on individual officers who certify false compliance statements or who fail to maintain required security programs. These penalties are separate from corporate fines and can't be paid by the company or covered by insurance in many cases.
SEC enforcement actions for misleading disclosures can target both companies and individuals. Officers who sign false or incomplete cybersecurity disclosures may face disgorgement of bonuses or stock profits, civil penalties, and bars from serving as officers or directors of public companies. These consequences end careers.
Criminal prosecution remains possible in egregious cases. While rare, executives who knowingly conceal breaches, destroy evidence, or provide false statements to regulators face potential criminal charges. The Justice Department has indicated that cybersecurity failures combined with obstruction of justice will be prosecuted.
Shareholder derivative suits allow investors to sue corporate officers for breach of fiduciary duty when cybersecurity failures cause financial harm. These suits claim officers failed to implement reasonable security measures or failed to properly oversee the company's risk management. Directors and officers insurance may provide coverage, but policies often exclude claims arising from fraudulent or criminal acts.
Professional reputation damage can be severe. Executives who face regulatory sanctions or who become associated with major breaches find their career opportunities limited. Board positions evaporate, and executive recruiters avoid candidates with regulatory history.
How Execs Can Reduce Liability
Personal accountability requires personal action. Executives can't rely solely on reports from subordinates. They must take active steps to understand their cybersecurity posture and document their oversight. Here are concrete steps to take now to protect yourself and your company.
Establish direct reporting lines from your CISO or head of IT security to the CEO and board. Security leaders should brief executives monthly on threat landscape changes, incident trends, and control deficiencies. These briefings should be documented in writing with action items and follow-up dates.
Create a board-level risk committee or cybersecurity committee if you don't already have one. This committee should meet quarterly to review security program effectiveness, major incidents, audit findings, and vendor performance. Committee members should receive training on cybersecurity fundamentals so they can ask informed questions.
Document every significant risk decision. When you decide to accept a risk rather than remediate a vulnerability, document the business rationale, the risk assessment that supported the decision, and any compensating controls. This documentation provides evidence of informed decision-making if regulators later question your judgment.
Conduct internal audits at least annually, and more frequently for high-risk processes. Don't wait for external auditors or regulators to identify problems. Use internal audit findings to drive remediation before certifications are signed.
Review your cyber liability insurance and directors and officers insurance to understand what coverage exists for personal liability. Many policies exclude fines and penalties imposed by regulators, and cybersecurity insurance denials are increasingly common when security controls don't meet policy requirements. Understand your coverage gaps and consider supplemental policies if necessary.
Engage outside counsel to review your cybersecurity governance structure and certification processes. Outside counsel can provide objective assessment of whether your oversight mechanisms meet regulatory expectations and can identify areas of heightened risk.
Personally review the cybersecurity policies, incident response plans, and vendor management procedures that you'll be certifying. Don't sign certifications based solely on summaries from subordinates. Read the underlying documents and ask questions about anything you don't understand.
Test your incident response plan through tabletop exercises at least annually. These exercises should include executive participation and should simulate realistic scenarios including vendor failures, ransomware attacks, and data breaches. Reviewing incident response best practices before an exercise ensures your team is working from current standards, not outdated playbooks. Document lessons learned and update plans accordingly.
New Reality of Executive Accountability
The era of treating cybersecurity as someone else's problem has ended. Whether you lead a Fortune 500 company, a regional bank, or a small manufacturing firm, if you handle sensitive data or operate in a regulated sector, you face personal liability for cybersecurity failures.
The laws described in this article aren't theoretical. They're actively enforced. Companies have already paid millions in penalties, and executives have been sanctioned. More enforcement actions are coming as agencies build expertise and as the new disclosure and certification requirements take effect. For a broader look at how the threat and regulatory landscape is evolving, see STACK's overview of cybersecurity risks in 2026.
The executives who'll successfully navigate this environment are those who recognize that their signature on a compliance document is a personal guarantee. They'll invest time in understanding their security posture, demand transparency from their security teams and vendors, and document their oversight activities. They'll treat cybersecurity as a board-level governance issue, not a technical problem to be delegated.
Get Cybersecure with STACK Cybersecurity
STACK Cybersecurity helps executives understand and meet their personal compliance obligations. Our Compliance Solutions provide the frameworks, documentation, and oversight mechanisms needed to demonstrate due diligence. Contact Us to discuss how we can help you navigate the new reality of executive accountability.