When Cybersecurity Failures Put Executives in the Hot Seat

Written by Nick Gibson | Oct 3, 2025 5:30:41 PM

Last year, I watched a seasoned Chief Security Officer get convicted of federal crimes. Not for hacking. Not for stealing data. For how he handled a breach at his company, or more accurately, how he failed to disclose it.

Joe Sullivan spent his early career prosecuting cybercriminals for the Department of Justice. He later became the CSO at Facebook, then Uber. In October 2022, he became the first security executive in U.S. history to face criminal conviction over a cybersecurity incident. The charge? Covering up Uber's 2016 data breach that exposed 57 million user records while the FTC was actively investigating the company's security practices.

Sullivan was sentenced to three years of probation and fined $50,000. More importantly, his name is now permanently attached to a landmark case that sent shockwaves through every C-suite in America.

This isn't happening in a vacuum.

The Rules Have Changed, and Most Executives Haven't Noticed

For decades, cybersecurity was treated as an IT problem. Something technical. Something you hired smart people to handle so you didn't have to think about it. That era is over.

Regulators, boards, and courts have made it clear: when things go wrong, they're coming after leadership. Not just the company. You personally.

In late 2023, the SEC took an unprecedented step by charging SolarWinds' CISO, Timothy Brown, with fraud over how the company disclosed its cybersecurity risks before the massive 2020 supply chain attack. It was the first time the SEC had ever charged a CISO with securities violations. The case sparked fierce debate in the security community, with many arguing the SEC was overreaching and setting a dangerous precedent that would discourage transparency.

They had a point. In July 2024, a federal judge dismissed most of the charges, calling the SEC's approach speculative and based on hindsight. But here's what matters: the SEC filed those charges in the first place. They're willing to go after individual executives, even if courts push back. The message is loud and clear. Cybersecurity failures are now governance failures, and regulators expect C-level accountability.

Just a few months ago, Qantas made headlines for a different reason. After hackers accessed customer data for nearly 6 million people in June 2024, the airline's board did something rare: they cut executive bonuses by 15%. CEO Vanessa Hudson took a $250,000 hit. The board explicitly tied the pay cuts to "shared accountability" for the breach.

Think about that for a second. A profitable company, performing well financially, still docked executive pay because of a security incident. That's not punishment. It's a recognition that cyber risk is now a core business metric, not an IT afterthought.

Why Executives Are Suddenly in the Crosshairs

There are a few forces converging here, and they're not slowing down.

Regulators have decided to make examples of people. The FTC, SEC, and Department of Justice are increasingly naming individuals, not just companies, in enforcement actions. They want deterrence, and the fastest way to get boardroom attention is to put individual careers and bank accounts at risk.

Boards are under pressure from shareholders. Investors want to know who's accountable when millions are spent on incident response, stock prices drop, and customer trust evaporates. Shareholders are asking hard questions: "Who knew? When did they know? What did they do about it?"

The headlines don't blame servers. They blame leaders. When a breach makes the news, reporters don't write "Misconfigured database exposes records." They write "CEO failed to protect customer data." Google never forgets, and neither do hiring committees.

Deals are falling apart over security. I've seen acquisitions delayed or killed entirely when due diligence uncovers security gaps. Partnerships evaporate. Funding rounds collapse. Security posture is now a dealbreaker, not a checkbox.

What This Actually Costs You

The impact goes way beyond bad press. We're talking about:

  • Personal liability: Fines, lawsuits, and in extreme cases, criminal charges that follow you for life
  • Career damage: Once your name is linked to a major breach, good luck landing an equivalent role elsewhere
  • Financial hits: Bonuses clawed back, stock compensation wiped out, years of earnings gone
  • Reputation erosion: Your professional brand becomes "that executive from the breach"

Even if you're not personally liable, the stress of navigating an incident while regulators circle and your board demands answers? That alone is career-altering.

So What Do You Actually Do About It?

You can't outsource accountability. But you can manage it intelligently. Here's where to start:

Stop treating cyber risk like an IT problem. If you're not getting regular, board-level updates on your security posture (vulnerabilities, threats, risk exposure), you're flying blind. Cyber risk belongs in the same conversation as financial risk, operational risk, and compliance risk.

Tie security to business outcomes. Forget the checkbox compliance mindset. Measure security by what actually matters: Can we keep operating if we're hit? Can we close deals without customers balking at our security practices? Are we protecting what actually drives revenue?

Review your cyber insurance carefully. Does it cover executive liability? Does it include breach response, legal fees, regulatory fines? Most policies have gaps that only become obvious when you need them. Get an expert to review what you actually have versus what you think you have.

Build an incident response plan before you need it. And I don't mean a dusty PDF on a shared drive. I mean a clear decision-making framework: Who communicates externally? Who has authority to make calls? How do we inform the board, customers, regulators? Practice it. Test it. Update it.

Invest in your own education. You don't need to become a CISO, but you should understand the threat landscape and how it applies to your business. Boards and executives who participate in security training signal to investors, regulators, and customers that they take this seriously.

The Bottom Line

Here's the uncomfortable truth: a cyber incident at your company is likely inevitable at some point. What's not inevitable is whether you'll be the one blamed for it.

The executives who come out of these situations intact are the ones who treated cybersecurity as a business priority long before something went wrong. They asked hard questions. They invested appropriately. They built accountability into their governance structure. They weren't perfect (nobody is), but they demonstrated that they took the risk seriously.

The ones who struggle? They're the ones who dismissed it as "an IT issue" until it became a board crisis, a regulatory investigation, and a personal liability problem.

You get to choose which group you're in. But the decision needs to happen now, not after the breach makes headlines.