The liability for failing to protect systems from cyber incidents will fall directly onto many CEOs by 2024, Gartner is predicting.
The analyst firm expects liability for cyber-physical systems (CPSs) incidents will pierce the corporate veil to personal liability for 75% of CEOs.
"Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them," research vice president at Gartner Katell Thielemann said.
"In the US, the FBI, NSA, and Cybersecurity and Infrastructure Security Agenda (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry."
Thielemann believes that CEOs will no longer be able to plead ignorance or retreat behind insurance policies.
Without even taking the actual value of human lives into the equation, Gartner said the costs for organisations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant.
The financial impact of CPS attacks resulting in casualties to human life is predicted to reach over $50 billion by 2023.
Gartner defines CPSs as systems that are engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world, including humans.
CPSs, therefore, underpin all connected IT, operational technology, and Internet of Things efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.
"Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them," Thielemann continued. "The more connected CPSs are, the higher the likelihood of an incident occurring."
She said that with operational technology, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, risks, threats, and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.
"However, many enterprises are not aware of CPSs already deployed in their organisation, either due to legacy systems connected to enterprise networks by teams outside of IT, or because of new business-driven automation and modernisation efforts," she added.