Regulation

Sharing the pain: should executives be penalised for cyber incidents?

September 10, 2025
"the Board decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers"
Qantas Annual Report 2025

In what's been described as a 'once-a-decade event', Qantas, the flag-carrier airline of Australia, made headlines last week when it announced that executives would share accountability for a June 2025 data breach that exposed up to six million customer profiles.

In the media release accompanying the latest annual report, the airline stated that "The Board recognised the impact the recent cyber incident had on customers and decided to reduce short term incentives for the Group CEO and executive team by 15 percentage points. This equates to a $250,000 reduction for the Group CEO."

The Australian Federal Police, the Australian Cyber Security Centre and the Office of the Australian Information Commissioner were all notified once anomalous activity was detected in a third-party customer service platform used by contact centre staff.

It was just the latest high-profile mega breach in the country, following a string of incidents and data losses at well-known companies across all sectors, and reflects the ongoing battle that companies face to secure their systems and data.

Who should pay the penalty?

It's rare for a named executive to suffer such a public penalty for a corporate cyber incident, and the airline's announcement generated headlines globally for the symbolic action.

Media coverage was extensive when executives were penalised

Executive accountability for data breaches has historically been rare, with most penalties targeted at the company rather than at specific individuals.

One well-known example dates back to May 2014, when retailer Target's chairman and chief executive, Gregg Steinhafel, was ousted by the company's Board as part of an effort to win back customer and investor trust, five months after a massive data breach that compromised the personal details of approximately 110 million shoppers.

It should be noted, however, that Qantas CEO Vanessa Hudson will still receive A$6.3m (US$4.09m) in remuneration.

Evolving accountability for cyber failures

Many countries impose explicit penalties on companies for cyber incidents or data breaches. These include significant financial fines, management liability, criminal consequences, regulatory enforcement, and operational restrictions if there is concern about corporate capability.

The most stringent frameworks exist in the EU, in the UK via the ICO's substantial data protection penalties, in Switzerland, and in the United States, which has both federal and state-level regimes, including CIRCIA and NERC CIP.

Probably the most worrying recent example in the UK involved the operator of the Sellafield nuclear site, which pleaded guilty to offences under the Nuclear Industries Security Regulations and was ordered to pay almost £400,000.

While no cyber breach was found to have occurred and no data was exfiltrated, the company "left information that could threaten national security exposed for four years" at Britain's most hazardous nuclear site.

The company's CEO, Euan Hutton, apologised for the failings, but no individual executives were fined.

In May 2023, Joseph Sullivan, the former chief security officer (CSO) of Uber, was sentenced to three years of probation and ordered to pay a $50,000 fine for covering up a 2016 data breach at the rideshare company; the charges related to obstructing an investigation by the US regulator, the FTC, into the company's security practices.

Under the new NIS 2 directive, European executives may soon face similar outcomes. Penalties of up to €10m or 2% of global annual turnover, additional governance obligations and personal liability for management bodies have concerned some parties, particularly as the directive also allows for CEOs and other senior managers to be temporarily barred from exercising managerial functions for non-compliance.

The resulting guidance for executives and Boards remains clear: ensure that sufficient resources are invested in security and compliance programmes to avoid media attention and potential long-tail penalties from both regulators and class action lawsuits.
