Featured
I am tired of watching preventable disasters kill people while executives walk away with bonuses intact.
A patient died because Synnovis did not enable free multi-factor authentication. Nobody will face criminal prosecution.
If a construction director failed to provide hard hats and a worker died, that director would go to prison.
Yet when healthcare executives fail to enable free security controls and a patient dies, nothing happens. This is not justice. This is not accountability.
This is a broken system that treats cybersecurity negligence as an acceptable cost of doing business. It needs to stop. Here is why directors should face prison time for gross cyber negligence.
On 3 June 2024, a patient arrived at a London hospital A&E feeling unwell. A blood test was ordered. The patient waited. The medics waited. They all waited some more. The patient died. Why? Ransomware had shut down blood testing at Synnovis, the NHS pathology provider.
The security control that would have stopped it? Multi-factor authentication. Completely free. Built into every platform. The consequences for executives who chose not to enable it?
Nothing. In this episode, we ask the uncomfortable question: what if directors faced prison time for gross cybersecurity negligence, just like they do for health and safety failures?
This week, we established why directors should face criminal prosecution for gross cybersecurity negligence. We examined the Synnovis case where a patient died because free MFA was not enabled. We provided technical analysis, psychological examination, and practical implementation guides. Saturday's opinion piece argued forcefully for criminal liability. Next week, we move from "why" to "how."
What would a Corporate Cyber Negligence Act actually say? What are the thresholds between bad luck and criminal negligence? How do we protect small businesses while targeting genuine negligence? What defences exist? How would enforcement work? We are designing the solution. Join us Monday.