Directors Should Face Criminal Liability for Cyber Security Negligence. Here's Why.
Yesterday's case study showed a UK board losing £2.4 million because they thought risk registers were overkill. The directors are now facing civil litigation. But civil suits aren't enough.
Directors who fail to implement basic cyber security governance, despite overwhelming evidence and freely available guidance, should face criminal liability. Not civil penalties. Not regulatory fines paid by the company. Personal criminal prosecution with potential imprisonment.
This will be deeply unpopular with business leaders. Good. It should be. Because what we're doing now demonstrably doesn't work.
The HSE Precedent: When Directors Go to Prison for Negligence
The UK already has a framework for holding directors criminally liable when their negligence kills people. It's called the Health and Safety at Work Act 1974, and it works.
Section 37 of the Act establishes that if a company commits a health and safety offence due to the consent, connivance, or neglect of a director, that director can be prosecuted personally. Not the company. The individual.
Directors have gone to prison for health and safety failures. Real prison sentences, not suspended sentences or fines. In 2016, a director received 20 months' imprisonment for gross negligence manslaughter after a worker died in a fall that proper safety equipment would have prevented. In 2019, another director got 12 months for failing to implement basic safety measures that led to a fatal accident.
These weren't malicious directors deliberately causing harm. They were busy business leaders who thought health and safety regulations were bureaucratic overkill. Who believed their company was too small for formal risk assessments. Who delegated safety to someone else and assumed it was handled.
They were wrong. People died. The directors went to prison.
The threat of personal criminal liability transformed UK workplace safety. Directors suddenly became very interested in safety risk assessments. Safety committees started getting proper board attention. Safety budgets stopped being the first thing cut. Because directors who face personal imprisonment tend to take obligations seriously.
Cyber security should work the same way.
Why Criminal Liability Is Necessary
Civil liability isn't working. We know this because 73% of UK businesses still don't have board-level responsibility for cyber security; the proportion that do has fallen from 38% in 2021 to 27% today, four years later. Despite 43% of businesses getting breached annually. Despite 28% of SMEs reporting an attack could close them. Despite government guidance, free resources, industry warnings, and insurance requirements.
The current framework relies on:
Corporate fines: Which get paid from company funds, not director personal assets. The company suffers, not the negligent directors. And fines are usually trivial compared to business turnover.
Civil litigation: Which drags on for years, often settles confidentially with insurance covering most costs, and provides no meaningful deterrent to other directors.
Regulatory action: The ICO can fine companies for data breaches, but rarely does so in amounts that change behaviour. The average ICO fine is far less than the cost of implementing proper governance.
Reputational damage: Doesn't work when most breaches go unreported (only 34% report breaches externally, per government data) and media coverage is brief.
Market forces: Clearly insufficient when 73% of boards still don't have cyber security responsibility despite overwhelming evidence.
What we don't have is personal criminal liability for directors who fail to exercise reasonable care in managing cyber risk. So directors continue delegating cyber security downward, assuming it's handled, and discovering otherwise only after catastrophic breaches.
Friday's case study showed a board losing £3.337 million because they didn't spend £90 on FIDO2 keys and enable free MFA. The directors are facing civil litigation. But they're not facing criminal prosecution for gross negligence, despite their failure to implement basic, widely known, freely available controls costing employees their jobs and nearly destroying an 87-person company.
That's not adequate deterrent.
What Criminal Liability Would Look Like
I'm not proposing we prosecute directors for every breach. Breaches happen even with good security. Determined attackers with sufficient resources can compromise even well-defended organisations.
Criminal liability should apply when directors fail to exercise reasonable care in governance, despite clear evidence of material risk and available guidance.
Specifically, directors should face criminal prosecution when:
They fail to conduct a documented cyber security risk assessment, despite government statistics showing a 43% annual breach rate that makes cyber risk material to business operations.
They fail to implement widely recognised basic controls (MFA, backups, patch management, security awareness training) despite NCSC guidance, insurance requirements, and industry standards.
They fail to assign board-level responsibility for cyber security despite regulatory expectations and government recommendations.
They fail to review cyber security risks at board meetings despite those risks being material to business survival.
Their negligence results in serious harm: Business closure affecting employees, major financial loss affecting creditors and suppliers, or data breaches affecting customers or citizens.
The test would be: Did the directors exercise the reasonable care, skill and diligence that a reasonably competent director would exercise in these circumstances? The Companies Act 2006 already establishes this standard. We'd just need to clarify that cyber security governance falls within its scope and create criminal penalties for breach.
The Objections (And Why They're Wrong)
Objection 1: "This is too harsh. Directors aren't technical experts."
Response: Directors aren't fire safety experts either, but they're still liable if they don't implement fire safety measures. Directors aren't financial experts, but they're liable for financial mismanagement. Directors aren't HR experts, but they're liable for employment law violations.
Directors don't need to be cyber security experts. They need to:
Understand it's a material risk (government publishes comprehensive statistics annually)
Ensure someone competent is managing it (assign responsibility)
Review it systematically (board meetings, documented risk assessments)
Implement basic widely-recommended controls (NCSC guidance is free and comprehensive)
This doesn't require technical expertise. It requires basic governance competence.
Objection 2: "Small businesses can't afford this."
Response: The cost argument is nonsense. Friday's case study showed prevention costing £90 versus £3.337 million in losses. Tuesday's technical guide showed ten critical controls costing £150-300 per user per year. One prevented breach pays for years of protection.
Small businesses can't afford NOT to do this. 28% of SMEs say an attack could close them. Creating a risk register takes two hours. If you can't spare two hours on governance every quarter, you're not running a business. You're gambling.
And we don't accept "can't afford it" for health and safety. If you can't afford proper fire exits, you can't operate. If you can't afford proper electrical safety, you can't operate. Cyber security is now equivalently critical to business survival.
Objection 3: "This will drive directors away from small business boards."
Response: Good. If directors aren't willing to exercise reasonable care in governance, they shouldn't be directors. The Companies Act already requires reasonable care, skill and diligence. We're just clarifying that cyber security governance falls within that obligation.
Qualified, competent directors who take governance seriously will continue serving on boards. Those who see directorship as a title rather than a responsibility should resign.
Objection 4: "Cyber security is too technical and complex for criminal law."
Response: The HSE successfully prosecutes directors for highly technical failures in engineering, chemical safety, electrical systems, structural integrity, and dozens of other complex domains. Technical complexity doesn't prevent criminal prosecution when negligence causes serious harm.
The test isn't "did the directors personally understand the technical details of email authentication protocols." The test is "did the directors exercise reasonable care in ensuring competent people were managing the risk, did they review that risk systematically, and did they implement widely-recognised controls."
That's not technical. That's governance.
Objection 5: "This is overreach. Cyber security isn't life-threatening like health and safety."
Response: Tell that to the 28% of UK SMEs who say an attack could close them permanently. Tell that to the employees who lose jobs when companies go bankrupt after breaches. Tell that to the suppliers who don't get paid. Tell that to the customers whose data gets stolen.
Cyber security failures destroy businesses, cost jobs, harm stakeholders, and compromise sensitive data affecting thousands of people. The consequences are severe and material. Criminal liability is proportionate to the harm caused by negligence.
The Specific Legislation Required
Here's what Parliament should pass:
Cyber Security Governance Act 2026
Section 1: Every company with 10 or more employees must:
Conduct a documented cyber security risk assessment annually
Assign a named director with explicit board-level responsibility for cyber security
Review cyber security risks at board meetings at least quarterly
Implement controls addressing identified high-priority risks
Test critical controls at least annually
Maintain incident response capability
Section 2: Where a company suffers a serious cyber security incident resulting in:
Business closure affecting employees
Financial loss exceeding £50,000 affecting creditors
Data breach affecting more than 100 individuals
Disruption to critical services affecting the public
and an investigation determines that the board failed to comply with the Section 1 requirements, directors who consented to, connived in, or were negligent regarding that failure may be prosecuted personally.
Section 3: Penalties:
Summary conviction: Maximum 12 months' imprisonment and/or unlimited fine
Conviction on indictment: Maximum 2 years' imprisonment and/or unlimited fine
Section 4: A defence is available where the director can demonstrate they:
Took reasonable steps to ensure compliance
Did not know and had no reasonable grounds to believe the failure existed
Exercised all due diligence to prevent the failure
Section 5: The NCSC provides freely available guidance on compliance with Section 1 requirements. Courts will consider whether directors consulted and followed that guidance when assessing reasonable care.
That's it. Not complex. Not requiring technical expertise. Just basic governance obligations with criminal liability when negligence causes serious harm.
What Would Change
If this legislation passed, here's what would happen:
Week 1: Every director would suddenly become very interested in whether their company has a cyber risk register. Board meetings would add cyber security as a standing agenda item. Finance directors would stop pushing back on security budgets.
Month 1: Companies would be implementing MFA, enabling logging, testing backups, deploying EDR, running security awareness training. Not because consultants recommend it. Because directors face potential imprisonment for negligence.
Quarter 1: Cyber security consultants would be overwhelmed with work. The NCSC Board Toolkit would see massive uptake. Cyber Essentials certification would become standard for any company with employees.
Year 1: The 73% of businesses without board-level cyber security responsibility would drop to perhaps 10%. The 43% breach rate would decline as basic controls get implemented widely. The 28% closure risk would decrease as businesses become more resilient.
Year 5: First prosecution. The director of a medium-sized company ignored all guidance, didn't implement basic controls, and suffered a major breach causing business closure and 50 redundancies. Investigation showed no documented risk assessment, no board discussion of cyber security for three years, and no implementation of NCSC-recommended controls despite them being free or low-cost.
Director convicted. 18-month sentence. Highly publicised.
The remaining directors who were coasting suddenly become extremely diligent about governance.
Why This Won't Happen (But Should)
This legislation won't pass. Business lobbying groups will oppose it viciously. Directors' associations will claim it's draconian. Trade bodies will argue it's unfair to small businesses. The government will backpedal under pressure.
We'll continue with the current approach: voluntary guidance, minimal enforcement, civil liability that rarely materialises, corporate fines that don't change behaviour, and directors who face no personal consequences for negligence.
And every year, thousands more UK businesses will get breached. Hundreds will close permanently. Thousands of jobs will be lost. Billions of pounds will be wasted. All because directors won't spend two hours creating risk registers and implementing £90 worth of security controls.
Until we're willing to hold directors personally, criminally liable for cyber security governance failures, nothing will fundamentally change. The statistics will remain dismal. The breach rate will stay high. The business closure rate will continue. Because directors respond to personal consequences, and currently there aren't any.
The Moral Argument
Here's the fundamental question: If a director's negligence causes 87 people to lose their jobs because the company goes bankrupt after a preventable breach, should that director face any personal criminal consequence?
If a director ignores all available guidance, implements none of the recommended free or low-cost controls, fails to assess risks, fails to assign responsibility, fails to review threats systematically, and that negligence directly leads to serious harm affecting dozens or hundreds of people, should that director face criminal prosecution?
I think yes. The harm caused by cyber security governance negligence is real, material, and often preventable through basic diligence. The guidance is freely available. The statistics are undeniable. The controls are affordable. The time investment is minimal.
Directors who fail to exercise reasonable care despite all of this, and cause serious harm through that negligence, should face criminal liability. Not because we want to punish people. Because personal criminal liability is the only thing that consistently changes director behaviour at scale.
We know this because it worked for health and safety. Before the HSE had teeth, workplace deaths were common and directors shrugged them off as "accidents." After directors started facing potential imprisonment, workplace safety transformed. Deaths declined dramatically. Risk assessments became standard. Safety became a board priority.
Cyber security governance needs the same transformation. And it won't happen through voluntary guidance and civil liability. It requires criminal liability for directors who fail in their basic governance duties.
The Challenge to Directors
If you're reading this as a director and you're angry, good. You should be angry. Because I'm arguing you should face potential criminal prosecution if your negligence causes serious harm to your employees, creditors, and customers.
But before you dismiss this as unreasonable, ask yourself:
Have you conducted a documented cyber security risk assessment in the last 12 months?
Does your board discuss cyber security risks at meetings?
Do you know what your company's top five cyber risks are?
Have you implemented the NCSC's recommended basic controls?
Can you demonstrate you've exercised reasonable care in governance?
If you can't answer yes to these questions, you're not being diligent. You're gambling. And when the breach happens, you'll have nobody to blame but yourself.
The only question is whether you should face criminal prosecution for that negligence when it causes serious harm. I think you should. Because nothing else is working. And the harm is real, material, and preventable.
Change my mind.
Source Table
| Claim | Source | Date | URL |
|---|---|---|---|
| 73% lack board-level cyber responsibility | DSIT Cyber Security Breaches Survey 2025 (inverse of 27%) | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025 |
| Down from 38% in 2021 | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025 |
| 43% breach rate | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025 |
| 28% of SMEs say attack could close them | Vodafone Business / WPI Strategy Report | April 2025 | vodafone.co.uk/newscentre/wp-content/uploads/2025/04/Vodafone-SME-Cybersecurity-April-2025.pdf |
| 34% report breaches externally | DSIT Cyber Security Breaches Survey 2025 | April 2025 | gov.uk/government/statistics/cyber-security-breaches-survey-2025 |
| Health and Safety at Work Act Section 37 | UK Health and Safety at Work Act 1974 | 1974 | legislation.gov.uk/ukpga/1974/37 |
| Companies Act Section 174 director duties | UK Companies Act 2006 | 2006 | legislation.gov.uk/ukpga/2006/46/section/174 |
| HSE prosecution cases | HSE Prosecution Database | Various | hse.gov.uk/prosecutions |