Gartner expects more CEOs to be personally liable for cyber-physical security incidents

Predicts the onus will fall on 75% of CEOs within the next four years.
Written by Asha Barbaschow, Contributor

The liability for failing to protect systems from cyber incidents will fall directly onto many CEOs by 2024, Gartner is predicting.

The analyst firm expects that liability for cyber-physical system (CPS) incidents will pierce the corporate veil, becoming personal liability for 75% of CEOs.

"Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them," research vice president at Gartner Katell Thielemann said.


"In the US, the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry."

Thielemann believes that CEOs will no longer be able to plead ignorance or retreat behind insurance policies.

Without even taking the actual value of human lives into the equation, Gartner said the costs for organisations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant.

The financial impact of CPS attacks resulting in casualties to human life is predicted to reach over $50 billion by 2023.

Gartner defines CPSs as systems that are engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world, including humans.

CPSs, therefore, underpin all connected IT, operational technology, and Internet of Things efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.

"Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them," Thielemann continued. "The more connected CPSs are, the higher the likelihood of an incident occurring."

She said that with operational technology, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, risks, threats, and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

"However, many enterprises are not aware of CPSs already deployed in their organisation, either due to legacy systems connected to enterprise networks by teams outside of IT, or because of new business-driven automation and modernisation efforts," she added.
