Executive Liability Guide for Cyber Accountability Laws

Nov. 13, 2025

Cybersecurity failures now carry personal consequences for executives. When you sign a certification document, you are not simply acknowledging receipt of information. You are attesting to facts under penalty of law. If those facts are wrong, incomplete, or misleading, regulators can pursue enforcement actions against you individually, separate from any corporate penalties.

This shift represents a fundamental change in how cybersecurity risk is distributed. The buck no longer stops with the IT department. It stops with the C-suite. State and federal agencies have made clear that executives who certify compliance without conducting proper due diligence will face personal liability.

California Privacy Protection Agency: Personal Certification by 2028

The California Privacy Protection Agency (CPPA), which enforces the California Consumer Privacy Act (CCPA), has published regulations that will require annual cybersecurity audits for businesses meeting specific thresholds. These thresholds include companies with $50 million or more in annual revenue, those processing personal information of 250,000 or more California consumers annually, or businesses that derive 50 percent or more of their annual revenue from selling or sharing personal information.

Starting in 2028, these audits must include personal certification by an executive officer or board member. The certification must attest that the audit was conducted, that findings were reviewed, and that the business has implemented appropriate security measures. False certification exposes executives to civil penalties under California law, which allows for fines up to $7,500 per violation for intentional breaches.

This is not a rubber-stamp requirement. The CPPA expects executives to understand what they are certifying. If an audit identifies vulnerabilities that are not addressed, and a breach occurs, the executive who signed the certification may face personal liability for failure to remediate known risks. The agency has enforcement authority to pursue both the business and the individual who provided false attestation.

The reach of California law extends beyond state borders. Any company that meets the revenue or data processing thresholds and serves California consumers must comply, regardless of where the business is headquartered. This means a Michigan-based manufacturer selling to California customers could face CPPA enforcement actions if the CEO certifies an incomplete audit.

New York Financial Services: Senior Officers on the Line

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, codified as 23 NYCRR Part 500, applies to any financial institution licensed in New York. This includes banks, insurance companies, mortgage lenders, and other financial services firms operating in the state. The regulation does not care where your headquarters are located. If you hold a New York license, you must comply.

The regulation requires an annual certification of compliance signed by a senior officer, typically the CEO or equivalent. This certification must confirm that the business has reviewed its cybersecurity program, assessed its effectiveness, and maintains controls that comply with Part 500 requirements. The certification is not pro forma. It requires the senior officer to personally attest to the adequacy of the program.

NYDFS has demonstrated its willingness to pursue enforcement actions when certifications prove inaccurate. In recent years, the agency has imposed multi-million-dollar penalties on firms for cybersecurity deficiencies discovered after senior officers certified compliance. These enforcement actions frequently include findings that the certifying officer failed to exercise appropriate oversight or relied on incomplete information when signing.

The regulation also mandates board-level involvement in cybersecurity governance. The board or a board committee must receive regular reports on the cybersecurity program and approve the firm's cybersecurity policies. This creates a chain of accountability that extends from the board to senior management to the CISO. When breaches occur, regulators examine whether board members and executives fulfilled their oversight responsibilities. Directors and officers who failed to ask appropriate questions or demand adequate reporting may face scrutiny.

Part 500 requires specific technical controls including multi-factor authentication (MFA), encryption of sensitive data, and annual penetration testing. It also mandates vendor risk management programs. Executives cannot delegate away liability by outsourcing IT functions. They remain responsible for ensuring vendors meet security standards and for monitoring vendor performance.

SEC Disclosure Rules Say Incidents Must Be Reported Within Days

The Securities and Exchange Commission adopted final rules in July 2023 that require public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. The rules also require annual disclosure in Form 10-K describing the company's cybersecurity risk management, strategy, and governance.

The four-day clock starts when the company determines an incident is material, not when the incident occurs. This creates pressure on executives to make rapid assessments while still gathering facts. The determination of materiality is a judgment call, and executives who delay reporting while downplaying an incident's significance may face enforcement.

Recent SEC enforcement actions demonstrate the personal stakes. In October 2024, the SEC announced settlements with Unisys Corporation ($4 million penalty) and Avaya Holdings ($1 million penalty) for making materially misleading disclosures about cybersecurity risks. The SEC found that both companies minimized the scope and impact of breaches in their public disclosures. Executives at both firms had been briefed on the actual extent of the incidents but approved disclosures that understated the facts.

These cases establish an important precedent. Executives cannot rely solely on what their IT teams tell them. They must ask probing questions, demand complete information, and ensure disclosures reflect the full scope of known facts. Officers who sign inaccurate disclosures, even if they claim they were misinformed by subordinates, face potential liability for violating federal securities laws.

The SEC has made clear that cybersecurity is a board-level issue. Directors are expected to receive regular briefings, understand the company's risk profile, and ensure management maintains appropriate controls. Directors who rubber-stamp cybersecurity reports without asking substantive questions may be deemed to have breached their fiduciary duties if a material incident occurs.

FTC Safeguards Rule: Personal Penalties Up to $10K Per Violation

The Federal Trade Commission's Safeguards Rule applies to non-bank financial institutions including mortgage brokers, automobile dealers, tax preparers, and consumer finance companies. The rule requires these businesses to develop, implement, and maintain a comprehensive information security program.

The Safeguards Rule includes a critical provision that many executives overlook. The rule designates a "qualified individual" who must oversee the security program. This person is personally responsible for program implementation and annual reporting to the board or senior management. If the security program fails, the qualified individual faces direct liability.

The FTC can impose civil penalties up to $100,000 per violation for businesses and up to $10,000 per violation for individuals. These individual penalties apply to owners, officers, and the designated qualified individual. Each instance of non-compliance constitutes a separate violation, meaning penalties can accumulate rapidly.

For businesses experiencing data breaches affecting 500 or more consumers, the Safeguards Rule requires notification to the FTC. Failure to notify within the required timeframe is itself a violation that can trigger both corporate and individual penalties. Executives who attempt to conceal breaches or delay notification to minimize reputational damage may face enhanced penalties for obstruction.

The FTC has broad authority to pursue individuals who engage in unfair or deceptive practices. If an executive makes public statements minimizing cybersecurity risks that later prove inaccurate, or if the executive claims compliance with security standards the business does not actually meet, the FTC can bring enforcement actions for deceptive practices. These actions often name both the business and individual officers.

Michigan Cybersecurity Laws: State-Level Executive Accountability

Michigan has adopted several laws that create accountability for cybersecurity failures. The state implemented the Insurance Data Security Model Law, which applies to all insurers and insurance producers licensed in Michigan.

The Model Law requires insurers to develop comprehensive information security programs based on risk assessments. Each insurer must designate a qualified individual responsible for the program. Senior management or the board must approve the security program in writing. Most significantly, the law requires annual certification filed with the Michigan Department of Insurance and Financial Services. This certification must be signed by a board member or senior officer attesting that the insurer has complied with the law's requirements.

Michigan insurers who fail to maintain adequate programs or who provide false certifications face regulatory sanctions including license suspension or revocation. The individual who signed a false certification may be personally sanctioned, including being prohibited from serving in executive or board positions for other insurers.

Michigan's Identity Theft Protection Act requires any business that owns or licenses personal information about Michigan residents to notify affected individuals following a breach. Notification must occur without unreasonable delay. The law does not create explicit personal liability for executives, but Michigan's Consumer Protection Act allows the attorney general to pursue individuals who engage in unfair, unconscionable, or deceptive business practices. An executive who conceals a breach or delays notification could face action under the Consumer Protection Act.

The Michigan Data Privacy Act, which takes effect in January 2026, will impose new requirements on businesses processing personal data of 100,000 or more Michigan residents annually. The law requires privacy governance frameworks, data security safeguards, and regular risk assessments. While the law does not yet include explicit certification requirements, the trend toward personal accountability suggests future amendments may follow California's model.

Michigan businesses should recognize that state law accountability will only increase. The legislature has shown willingness to strengthen data protection requirements, and national trends favor holding executives personally responsible for security failures.

Why Outsourcing Does Not Eliminate Executive Liability

Many executives believe that hiring a Managed Service Provider (MSP) transfers cybersecurity liability to the vendor. This is incorrect. While MSPs manage technical infrastructure and implement security controls, legal accountability remains with the business and its leadership.

Regulators view outsourcing as a risk management decision that executives must oversee. When you engage an MSP, you remain responsible for conducting due diligence before selecting the vendor, defining clear service level agreements and security requirements, monitoring vendor performance through regular reviews and audits, maintaining oversight of vendor access to your systems and data, ensuring the vendor maintains adequate cyber insurance and breach response capabilities, and having contingency plans if the vendor fails or the relationship terminates.

Regulators consistently hold that executives who delegate security to an MSP without maintaining active oversight have failed in their duty of care. In enforcement actions, agencies examine the level of board and executive involvement in vendor management. Executives who cannot demonstrate they asked probing questions about vendor capabilities, reviewed vendor performance metrics, or conducted periodic audits face findings of inadequate oversight.

The liability risk is especially acute when breaches occur due to vendor failures. If your MSP fails to patch a known vulnerability and your systems are compromised, you cannot simply point to the vendor and claim ignorance. Regulators will ask whether you had systems to monitor vendor performance, whether you received reports on patching status, and whether you took action when deficiencies were identified. If you cannot affirmatively answer these questions, you face potential personal liability for failing to exercise appropriate oversight.

What Personal Liability Actually Means for Executives

Personal liability in the cybersecurity context takes several forms that executives must understand.

Civil penalties assessed directly against individuals represent the most common form of liability. Federal and state agencies can impose fines on individual officers who certify false compliance statements or who fail to maintain required security programs. These penalties are separate from corporate fines and cannot be paid by the company or covered by insurance in many cases.

SEC enforcement actions for misleading disclosures can target both companies and individuals. Officers who sign false or incomplete cybersecurity disclosures may face disgorgement of bonuses or stock profits, civil penalties, and bars from serving as officers or directors of public companies. These consequences end careers.

Criminal prosecution remains possible in egregious cases. While rare, executives who knowingly conceal breaches, destroy evidence, or provide false statements to regulators face potential criminal charges. The Justice Department has indicated that cybersecurity failures combined with obstruction of justice will be prosecuted.

Shareholder derivative suits allow investors to sue corporate officers for breach of fiduciary duty when cybersecurity failures cause financial harm. These suits claim officers failed to implement reasonable security measures or failed to properly oversee the company's risk management. Directors and officers insurance may provide coverage, but policies often exclude claims arising from fraudulent or criminal acts.

Professional reputation damage can be severe. Executives who face regulatory sanctions or who become associated with major breaches find their career opportunities limited. Board positions evaporate, and executive recruiters avoid candidates with regulatory history.

What Executives Must Do Now

Personal accountability requires personal action. Executives cannot rely solely on reports from subordinates. You must take active steps to understand your cybersecurity posture and document your oversight.

Establish direct reporting lines from your CISO or head of IT security to the CEO and board. Security leaders should brief executives monthly on threat landscape changes, incident trends, and control deficiencies. These briefings should be documented in writing with action items and follow-up dates.

Create a board-level risk committee or cybersecurity committee if you do not already have one. This committee should meet quarterly to review security program effectiveness, major incidents, audit findings, and vendor performance. Committee members should receive training on cybersecurity fundamentals so they can ask informed questions.

Document every significant risk decision. When you decide to accept a risk rather than remediate a vulnerability, document the business rationale, the risk assessment that supported the decision, and any compensating controls. This documentation provides evidence of informed decision-making if regulators later question your judgment.

Conduct internal audits at least annually, and more frequently for high-risk processes. Do not wait for external auditors or regulators to identify problems. Use internal audit findings to drive remediation before certifications are signed.

Review your cyber liability insurance and directors and officers insurance to understand what coverage exists for personal liability. Many policies exclude fines and penalties imposed by regulators. Understand your coverage gaps and consider supplemental policies if necessary.

Engage outside counsel to review your cybersecurity governance structure and certification processes. Outside counsel can provide objective assessment of whether your oversight mechanisms meet regulatory expectations and can identify areas of heightened risk.

Personally review the cybersecurity policies, incident response plans, and vendor management procedures that you will be certifying. Do not sign certifications based solely on summaries from subordinates. Read the underlying documents and ask questions about anything you do not understand.

Test your incident response plan through tabletop exercises at least annually. These exercises should include executive participation and should simulate realistic scenarios including vendor failures, ransomware attacks, and data breaches. Document lessons learned and update plans accordingly.

The New Reality of Executive Accountability

The era of treating cybersecurity as someone else's problem has ended. Whether you lead a Fortune 500 company, a regional bank, or a small manufacturing firm, if you handle sensitive data or operate in a regulated sector, you face personal liability for cybersecurity failures.

The laws described in this article are not theoretical. They are actively enforced. Companies have already paid millions in penalties, and executives have been sanctioned. More enforcement actions are coming as agencies build expertise and as the new disclosure and certification requirements take effect.

The executives who will successfully navigate this environment are those who recognize that their signature on a compliance document is a personal guarantee. They will invest time in understanding their security posture, will demand transparency from their security teams and vendors, and will document their oversight activities. They will treat cybersecurity as a board-level governance issue, not a technical problem to be delegated.

STACK Cybersecurity helps executives understand and meet their personal compliance obligations. Our Compliance Solutions provide the frameworks, documentation, and oversight mechanisms needed to demonstrate due diligence. Contact Us to discuss how we can help you navigate the new reality of executive accountability.
