Designing the Corporate Cyber Negligence Act (What Accountability Looks Like)
This week, we discussed the need to hold directors accountable for serious cybersecurity oversights. We looked into the Synnovis ransomware incident that resulted in a patient's death. We explained in technical terms how implementing MFA could have prevented this attack. We also reflected on the psychological factors behind security negligence. Additionally, we shared practical steps for businesses to adopt MFA. Finally, on Saturday, I firmly stated that directors should face prison if preventable security failures cause significant harm.
However, simply arguing for accountability is not sufficient. We must develop a practical, enforceable system that addresses genuine negligence, safeguards small businesses, and prevents compliance theatre.
Next week, Episode 28 of the podcast and accompanying content will address the tough questions: what could a Corporate Cyber Negligence Act actually look like?
What We Are Designing
Next week's episode and content will provide a detailed legislative framework covering:
Defining Gross Negligence: What specific criteria distinguish ordinary negligence from criminal negligence? How do we establish clear thresholds that directors can understand and courts can apply consistently? What evidence would prosecutors need to secure a conviction?
Proportionate Standards: How do we scale expectations sensibly? What security measures are appropriate for a five-person business compared to a healthcare provider and a FTSE 100 company? How can we prevent small businesses from being burdened with impossible standards while ensuring that vital organisations cannot hide behind claims of disproportionate burden?
Defences and Justifications: What legitimate defences are available? When is it reasonable to refrain from implementing a specific control? How do directors record good-faith security decisions? What occurs when you establish robust security measures but still suffer a breach?
Enforcement mechanisms: Who investigates? Who prosecutes? What powers are necessary? How do we prevent this from becoming another toothless regulator issuing reports nobody reads?
International Comparisons: What lessons can we learn from other jurisdictions? How effective is Singapore's approach in practice? What are the implications of the EU's NIS2 Directive? Where have other countries succeeded or failed in establishing personal liability for cybersecurity breaches?
Avoiding Compliance Theatre: How can we ensure this genuinely enhances security instead of just spawning a new certification industry? How do we prioritise outcomes (are systems secure?) over procedures (do you have security policies?)?
Transitional Provisions: How do we implement this without harming businesses that are currently vulnerable? What grace periods are available? How do we support organisations in enhancing security during the transition?
The Small Business Question is perhaps the most crucial issue. How do we safeguard small businesses from unreasonable liability while ensuring that "I am a small business" cannot be used as an excuse for clear negligence?
This will be uncomfortable reading for some in the profession. I do not care.
Why This Matters
This is not an academic exercise. The Synnovis death proves that current approaches are not working. We need systemic reform.
But reform requires detailed proposals, not just angry opinions. Next week provides the blueprint for legislative change. We will design the framework that could prevent the next preventable death.
If you are a business owner, next week's content will help you understand what reasonable security looks like and how to protect yourself from liability.
If you are in government or policy, next week provides detailed legislative language you can use.
If you are in cybersecurity, next week's content challenges you to think beyond compliance and consider what genuine accountability looks like.
Your Input Needed
We want this to be practical and implementable. That means learning from you.
Questions for Small Business Owners:
What security measures feel achievable?
What would constitute an unreasonable burden?
What support would you need to comply?
What fears do you have about criminal liability?
Questions for Large Organisation Leaders:
What organisational structures complicate individual accountability?
How do you currently document security decisions?
What defences feel legitimate versus excuses?
How would this change your approach to security?
Questions for Legal Professionals:
What evidentiary challenges do you foresee?
How would you establish criminal intent or gross negligence?
What international precedents are most relevant?
What constitutional or human rights issues arise?
Questions for Cybersecurity Professionals:
What technical standards should constitute reasonable care?
How do we evaluate the "sophistication" of attacks?
What role should certifications play?
How do we avoid compliance theatre?
Comment below, email us, or share your thoughts on LinkedIn. We will incorporate your feedback into next week's framework.
The Big Picture
This fortnight of content (this week and next) is designed to shift the conversation from "cybersecurity is hard" to "negligence is unacceptable."
Week 1 (This Week):
Established that preventable failures are killing people
Provided technical proof that basic controls work
Examined why intelligent people make fatal decisions
Gave practical implementation guides
Argued forcefully for criminal liability
Week 2 (Next Week):
Designing the practical legislative framework
Creating proportionate standards
Addressing legitimate concerns
Learning from international examples
Building the case for political action
By the end of next week, we will have a complete proposal for cybersecurity accountability reform. Not vague principles. Not aspirational goals. Actual detailed legislative language that could be introduced in Parliament.
How to Follow Along
Monday: Listen to Episode 28 as soon as it drops. We will outline the whole framework we would like to see and discuss the details.
Throughout the week, check the blog daily for supporting content expanding on specific aspects of the proposal.
At the end of the week, we will compile everything into a comprehensive policy document that you can share with MPs, regulators, and industry bodies.
The Challenge
Creating effective accountability legislation is hard. It requires balancing:
Public safety versus business viability
Individual liability versus organisational responsibility
Deterrence versus fairness
Security improvement versus compliance burden
Technical accuracy versus legal clarity
We will not get everything right. There will be gaps, problems, and unintended consequences in our proposal. That is fine. The goal is not perfection. The goal is to start a serious conversation about accountability that goes beyond "more awareness training" and "better compliance frameworks."
A patient is dead because free security controls were not enabled. Nobody will face prosecution under the current law. We need a new law.
Next week, we will design it.
See You Monday
Episode 28 launches Monday, 24th of November 2025 at Noon GMT. "Designing the Corporate Cyber Negligence Act: What Accountability Actually Looks Like."
Mauven and I will walk through the complete legislative framework, debate the difficult questions, and propose solutions to seemingly intractable problems.
This is the most important episode we have ever recorded. Be there.
A patient died because nobody could be bothered to enable multi-factor authentication. Let us design the system that prevents the next preventable death.
Stay secure. Stay accountable. See you Monday.