# Personal Accountability for Directors: UK Government Shows Private Sector What's Coming
I've been advocating for director liability for cybersecurity for ages.
Personal accountability. HSE-style enforcement. Making board members personally responsible for security failures the same way they're responsible for health and safety.
And I've been told, repeatedly, that it'll never happen. Too complicated. Can't prove culpability. Not how UK corporate governance works.
Well, guess what? The UK government just implemented exactly that for itself.
The Government Cyber Action Plan, published last week, doesn't just admit comprehensive failure in public sector cybersecurity. It establishes a framework of personal accountability for senior officials that should terrify every Accounting Officer in government, and serve as a very clear signal to private sector directors about what's coming.
Let's break down what the government has just done, why it matters, and why you need to prepare for the same thing reaching your business.
## What Government Actually Implemented
The plan is explicit: Accounting Officers have "personal accountability for the cyber risk of that organisation."
Not corporate accountability. Not "the CISO's problem." Not "the IT department handles that." Personal accountability.
An Accounting Officer is the Permanent Secretary (for departments) or CEO (for other public bodies). This is the most senior official in the organisation. And they are now personally accountable for cybersecurity.
Here's what that actually means in practice. Every Accounting Officer must now:

- **Set a cyber risk strategy, including risk appetite.** You can't delegate this. You can't say, "IT will handle it." You personally set the strategy and appetite.
- **Appoint an informed board member with cyber expertise.** Someone who actually understands cyber risk, not just "has heard of ransomware."
- **Appoint senior, capable individuals to manage cyber security (CISO) and digital resilience.**
- **Ensure escalation of risks outside the defined risk appetite** to the Government Technology Risk Owner.
- **Ensure routine reporting to the board** on the current state and progress of cyber risk across the organisation, ALBs, and supply chain.
And here's the kicker: they'll be held to account by the Technology Risk Group. There are actual consequences for failure to meet these responsibilities.
This isn't guidance. This isn't best practice. This is mandatory accountability with governance oversight.
## Why This Changes Everything
For decades, UK cyber security has operated on voluntary compliance. Organisations would follow NCSC guidance if they felt like it. They'd implement Cyber Essentials only if it were required for a contract. They'd treat security as an IT problem that IT would solve.
His Majesty’s government has just admitted that voluntary compliance doesn't work.
By making accountability mandatory for the public sector, they're proving what security professionals have known for years: if you don't make someone personally responsible, it doesn't get done.
This is the same pattern we saw with health and safety. Before the Health and Safety at Work Act 1974, workplace safety was voluntary. Guidance existed. Best practices were available. Compliance was terrible.
Then they made directors personally liable. Suddenly, safety became a board-level priority. Accidents decreased. Compliance improved. Because when your personal liability is on the line, you pay attention.
The government is now doing the same thing for cybersecurity. Starting with themselves.
## The Governance Framework
The accountability isn't just personal responsibility in abstract terms. There's a detailed governance framework to enforce it.
**At the top:** The DSIT Permanent Secretary, as Government Technology Risk Owner, owns cross-government cyber risk. The Government Cyber Unit manages this on their behalf.

**Below that:** The Technology Risk Group, chaired by the Government Technology Risk Owner, discusses aggregate risk across government, generates recommendations, and holds Accounting Officers to account for appropriate management of organisational cyber risk.

**At the organisation level:** Each Accounting Officer manages their cyber risk within the government-wide risk appetite. They report up. They escalate risks outside their appetite. They're accountable for performance.

**The enforcement mechanism:** Organisations not managing risk appropriately "will be held to account by the TRG, with the Civil Service Operations Board facilitating further decision making and escalation when required."
That's not "we'll have a chat about it." That's formal escalation to the highest levels of civil service governance.
## What Happens When You Fail
The document doesn't spell out specific penalties, but the implications are clear. If you're an Accounting Officer who fails to appropriately manage cyber risk:

- You'll be called before the Technology Risk Group to explain the failure
- Your performance will be escalated to the Civil Service Operations Board
- Your organisation's failures become a matter of permanent record in government
- Future incidents will be assessed against whether you met your accountability responsibilities
For senior civil servants, this is career-affecting stuff. Your performance on cybersecurity is now tracked, reported, and held to account at the highest levels.
And if a major breach occurs in your organisation, the first questions will be:

- Did the Accounting Officer set an appropriate strategy?
- Did they ensure board-level expertise?
- Did they receive adequate reporting?
- Did they escalate risks?
If the answers are no, you're personally accountable for the consequences.
## Why the Private Sector Should Pay Attention
Right, that's all very interesting for the government, but why should private sector directors care?
Because this is a pilot programme for what's coming to your business.
The pattern is always the same:

1. The government identifies a systemic problem
2. The government tests solutions in the public sector
3. The government extends proven solutions to the private sector through regulation
We saw it with data protection. GDPR applied to public bodies first, and then was extended. We saw it with modern slavery reporting. We saw it with gender pay gap reporting. We've seen it repeatedly across decades of regulation.
The Cyber Security and Resilience Bill is already working through Parliament. It will require "essential and digital services" to implement appropriate cybersecurity measures. That includes healthcare, water, transport, energy, and more.
Right now, the Bill focuses on organisational requirements. But the government's experience with voluntary compliance and the accountability frameworks they're testing in the public sector will inform future regulation.
Director accountability for cybersecurity in the private sector is coming. The only question is when, not if.
## What Directors Should Do Now
Smart directors won't wait for mandatory compliance. They'll implement accountability frameworks now and get ahead of regulation.
Here's what that looks like in practice:
### 1. Make Cybersecurity a Board-Level Responsibility
Stop treating this as an IT problem. Cyber risk is business risk. It affects operations, reputation, finance, legal liability, and strategic goals.
Assign clear ownership at the board level. Not "the board collectively owns it." One named board member with responsibility. That person ensures cyber risk is appropriately managed and reported.
### 2. Get Actual Cyber Expertise on the Board
Government now requires public bodies to have "an informed board member with expertise in cybersecurity and resilience, who understands risks to business objectives."
You should require the same. Not someone who's done a cyber awareness course. Someone with genuine expertise who can assess whether your security posture is adequate.
If you can't justify a full board member with cyber expertise, appoint an advisor who reports to the board on cyber risk.
### 3. Establish Risk Appetite and Escalation Routes
Define what level of cyber risk is acceptable to your organisation. Not "zero risk" because that's impossible. Actual, realistic risk appetite based on your business model, risk tolerance, and resources.
Then establish clear escalation routes:

- What risks must be escalated to the board?
- What decisions require board approval?
- How often does the board receive cyber risk reporting?
### 4. Ensure Adequate Reporting
Government requires "routine reporting to the departmental board from CISO and CDIO on the current state and progress of cyber risk."
Implement the same. Regular reporting, not just "we're fine." Actual risk reporting: current posture, risks outside appetite, incidents, near-misses, mitigation plans, resource needs.
### 5. Account for Your Supply Chain
Government accountability extends to supply chains. Accounting Officers are responsible for the cybersecurity of their suppliers.
You should be, too. If a supplier breach compromises your business, "we trusted them" isn't going to cut it. You need evidence of supply chain assurance.
## How to Sell This to Your Board
Your board needs to understand three things:
**First,** the government's implementation of director accountability proves that voluntary compliance doesn't work. If it worked, the government wouldn't need mandatory accountability. This is evidence-based policy responding to actual failures.

**Second,** regulation is coming. The Cyber Security and Resilience Bill is already in Parliament. Director accountability frameworks tested in the public sector will inform private sector requirements. You can either prepare now or scramble later.

**Third,** this is simply good governance. Boards oversee financial risk, operational risk, and legal risk. Why wouldn't they oversee cyber risk? It affects all of those areas.
The cost of implementing these governance frameworks now is minimal compared to the cost of responding to a major breach without adequate oversight.
## The Competitive Advantage Play
Here's something the government won't tell you, but I will: implementing these accountability frameworks now creates competitive advantage.
- **For regulated sectors:** You'll be ahead of compliance requirements. When accountability becomes mandatory, you'll already have frameworks in place while competitors are building them.
- **For enterprise contracts:** Customers increasingly require evidence of security governance. Board-level accountability demonstrates a mature security posture.
- **For government contracts:** Supply chain security requirements are coming (Part 3 of this series will detail that). Board-level accountability helps you meet those requirements.
- **For investor confidence:** Particularly relevant for tech companies and scale-ups. Investors want to see that cyber risk is properly governed at the board level.
- **For insurance:** Cyber insurance increasingly requires evidence of security governance. Board accountability helps you get better terms and lower premiums.
## What About Liability?
The obvious question: if I implement director accountability, am I increasing my personal liability?
The answer is more nuanced than yes or no.
**Without accountability frameworks:** If a major breach occurs, you'll be asked whether the board provided adequate oversight. If you can't demonstrate that it did, you're exposed to criticism and potential liability anyway.

**With accountability frameworks:** You have evidence that the board took cyber risk seriously, received appropriate reporting, set clear strategies, and made informed decisions. That's a defence, not a liability.
The liability comes from failing to exercise appropriate oversight, not from establishing oversight structures.
Think of it like health and safety. Directors are personally liable for safety failures, but having robust safety governance is a defence, not an admission of liability.
## The Bottom Line
The government has just implemented personal accountability for cybersecurity at the most senior levels of the public sector.
This isn't theoretical. This is the policy in force right now with governance structures and enforcement mechanisms.
It's a pilot programme for what's coming to the private sector. Because the government has proven, through its own comprehensive failures, that voluntary compliance doesn't work.
Smart directors will implement these frameworks now:

1. Make cybersecurity a board-level responsibility
2. Get actual cyber expertise on the board
3. Establish risk appetite and escalation routes
4. Ensure adequate reporting
5. Account for supply chain security
When accountability becomes mandatory, and it will, you'll already be compliant. Your competitors won't be.
And more importantly, you'll actually have appropriate governance of cyber risk. This protects your business, your customers, and your personal liability.
Because the next major breach could be yours. And when it is, the first question will be: Did the board exercise appropriate oversight?
Make sure the answer is yes.
*This is Part 2 of a three-part series analysing the Government Cyber Action Plan 2026. Part 1 examined the shocking statistics and admissions. Part 3 will detail the new supply chain security requirements and timelines.*
## Additional Context and Background Sources
| Source | Document/Article |
|---|---|
| National Cyber Security Centre (NCSC) | Secure by Design Principles |
| Information Commissioner's Office (ICO) | Security Guidance Under UK GDPR |
| UK Cyber Security Council | UK Cyber Security Council: Professional Standards |
| National Cyber Security Centre (NCSC) | Mitigating Malware and Ransomware Attacks |
| National Cyber Security Centre (NCSC) | Supply Chain Security Guidance |
| International Organization for Standardization (ISO) | ISO/IEC 27001: Information Security Management |
| National Cyber Security Centre (NCSC) | Cyber Security Toolkit for Boards |
| UK Government | Government Security Policy Framework |
## Notes on Sources

**Primary Source:** The Government Cyber Action Plan (January 2026) is the primary source for all statistics, admissions, timelines, and policy commitments referenced in this analysis.

**Verification:** All claims about government failures, legacy systems percentages, budget allocations, and accountability frameworks are directly quoted or paraphrased from official UK Government publications.

**Incident Details:** Information about specific incidents (British Library, Synnovis, CrowdStrike) comes from official incident response documentation and government citations within the Action Plan.

**Accessibility:** All sources are publicly available UK Government or NCSC publications. Links were verified as of January 2026.

**Updates:** The Cyber Security and Resilience Bill status and Government Cyber Action Plan implementation will be updated as they progress through the Parliamentary process and delivery phases.