Make boards legally liable for cyber attacks, security chief warns
Steve Durbin
- Published
- Opinion & Analysis, Technology

Cyber security is now a boardroom responsibility, with the Information Security Forum calling for directors to face a legal duty to protect their organisations from attack
Company boards should be placed under a legal duty to understand and manage cyber risk, as attacks become more automated, more complex and more damaging to businesses heading into 2026, according to the head of a leading global security body.
Steve Durbin, chief executive of the Information Security Forum (ISF), said cyber threats have reached a point where voluntary oversight and delegated responsibility are no longer sufficient.
Speaking at an ISF webinar, he warned that boards which fail to treat cyber resilience as a core governance issue are exposing their organisations to systemic risk.
“I would almost like to see it become a statutory requirement that boards look at and understand the risk they’re facing,” he said, arguing that cyber exposure should be governed with the same seriousness as financial risk and regulatory compliance.
Durbin said the call reflects a sharp upturn of risk in the threat landscape, where cyber attacks are no longer isolated technical events but are increasingly tied to supply chains, geopolitics and human behaviour.
His warnings were set out during the ISF’s annual Emerging Threats outlook for 2026, delivered in a one-hour webinar titled Emerging Threats 2026: Shaping the Future of Cyber Security.
Cyber attacks, he warned, are becoming “much more complex and much more automated” than in the past, driven by four key risk factors that will shape the year ahead.
He said artificial intelligence sits at the centre of the emerging threat landscape. As tools become cheaper and more accessible, attackers are using AI at scale to conduct synthetic identity attacks, deepfake impersonation and automated social engineering, changing the focus of cybercrime from systems to people and the relationships they rely on.
The second risk is supply-chain dependency, including reliance on cloud infrastructure and external service providers. As organisations become more interconnected through cloud services, outsourced operations and third-party providers, attacks are increasingly originating several steps removed from the primary target. He said many of the most serious incidents now exploit assumed trust between organisations, making board-level visibility and oversight essential.
The third driver, Durbin said, is quantum computing. While quantum-enabled attacks are unlikely to materialise in the immediate future, he warned that the long lead times involved mean preparation must begin now. Government bodies, he noted, often take around a decade to migrate systems to quantum-resistant environments.
Geopolitical tension represents the fourth key risk factor, as nation states, proxy groups and organised criminal gangs increasingly operate in overlapping spheres. Durbin said this convergence is blurring the line between cybercrime, espionage and political pressure, and is “not going away any time soon”.
Taken together, these forces are creating what the ISF describes as “entangled risks”, where digital threats intersect with physical disruption, political instability and human vulnerability. In such an environment, familiar signals of legitimacy — a known supplier, a recognised voice, a routine request — can be fabricated with speed and precision, turning trust itself into a liability.
The warning follows a spate of high-profile cyber incidents in recent months, including cases involving Jaguar Land Rover and Marks & Spencer.
Durbin said this makes it impossible for organisations to defend everything equally. Instead, boards must be directly involved in identifying and protecting “mission-critical information assets”: the data, systems and processes without which the organisation cannot function, even in a degraded state.
He also called for wider use of independent cyber audits, saying external scrutiny is essential if boards are to understand their true exposure.
“I look forward to the day when cyber audits are as important as financial audits,” he said.
READ MORE: ‘ISF warns of a ‘corporate model’ of cybercrime as criminals outpace business defences‘. Cybercrime has matured into an industry that mirrors legitimate enterprise, complete with supply chains and customer service. The industrialisation of hacking, amplified by artificial intelligence, demands a total rethink of how organisations manage people, technology and risk, warns Steve Durbin of the Information Security Forum.
Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.
TOP STORIES
-
Hormuz flashpoint keeps global shipping on high alert -
Scientists to gather in Lisbon to tackle next pandemic threats -
Burnham warned digital exclusion is now a national security risk -
Masts from Kent ‘doomsday wreck’ to be cut to prevent catastrophic explosion -
GigaCloud and Cubbit launch sovereign cloud storage for Ukraine and Poland -
Tributes paid to ‘forthright and fearless’ Ann Widdecombe -
Boeing to debut Ghost Bat drone at Farnborough Airshow -
Reeves opens ‘£2bn lifeline’ for small firms -
Babymoon boom: Rhodes crowned 2026's top pre-baby escape as Salcombe leads UK getaway list -
Xavier Niel to become Vodafone’s largest shareholder in £4.4bn deal -
Two-thirds of lawyers say strong legal claims are dropped because of cost -
UK government must "think again" about small business plan -
Lockheed Martin pushes European missile expansion at NATO summit -
Britain's new homes face 2050s heat test as experts warn of overheating crisis -
Sky agrees £1.6bn deal to buy ITV’s broadcasting and streaming arm -
Scientists crack dinosaur egg mystery by building life-size nest -
Nobel laureate Omar Yaghi launches global science network -
Cardiff drivers safest in Britain as London comes last -
Former Kyndryl Germany boss joins Infinigate in growth role -
Volunteers collect 11m rare seeds to restore Scotland’s native forests -
Trump threatens 'immediate 100pc tariffs' on European countries over tech taxes -
World’s biggest golf tour lands global eSIM deal with Yesim -
Facebook owner Meta signs Texas solar deal with Turkish renewables firm -
UK universities take top four places in European global rankings -
Hurghada gets new 442-room Red Sea resort as Britons chase year-round sun
Make boards legally liable for cyber attacks, security chief warns
Steve Durbin
- Published
- Opinion & Analysis, Technology

TOP STORIES
-
Why AI Companies need a resident sociologist -
Andy Burnham becomes Prime Minister in five days – now he must deliver for disabled people -
Bosses: stop writing off talent over exam results -
Workplace neuroinclusion is failing before support even begins -
The NHS cannot call it ‘community care’ while patients are left waiting at home -
How the Battle of the Somme shaped the role of the modern military chaplain -
Elon Musk’s trillion-dollar fortune shows why taxing wealth is never simple -
What Britain can learn from Caribbean heat -
Could Europe's age verification app put citizens' personal data at risk? -
AI’s unequal future can be found on the streets of Hanoi -
Could Canada's GlobalEye deal become the first test of a new Atlantic partnership? -
America at 250 is a republic squandering its inheritance -
The Arandora Star shaped my community. Britain must finally remember it -
Darling Buds and A Touch of Frost producer warns BBC ‘must rediscover its appetite for risk’ -
Healthy leadership means letting go of the myth of male certainty -
Britain needs more than another new prime minister -
Harrow School's new approach to boys and toxic masculinity offers a lesson for us all -
Suits you, sir. If appearance still counts, why is credible workwear disappearing for women? -
The UK’s first sex-based harassment conviction shouldn’t have taken this long -
Disabled people must not become an afterthought in Britain’s social media ban -
Why dream teams fail and what the World Cup teaches business leaders about pressure -
Why online dating is struggling to bring men and women together -
If profit is immoral in healthcare, why stop there? -
EXCLUSIVE: An AI asked me to marry it. Weeks later, I held its funeral -
Why leaders need to take rejection sensitivity seriously




















































