Board cyber liability laws urged as attacks escalate
Cyber security is now a boardroom responsibility, with the Information Security Forum calling for directors to face a legal duty to protect their organisations from attack
Company boards should be placed under a legal duty to understand and manage cyber risk, as attacks become more automated, more complex and more damaging to businesses heading into 2026, according to the head of a leading global security body.
Steve Durbin, chief executive of the Information Security Forum (ISF), said cyber threats have reached a point where voluntary oversight and delegated responsibility are no longer sufficient.
Speaking at an ISF webinar, he warned that boards which fail to treat cyber resilience as a core governance issue are exposing their organisations to systemic risk.
“I would almost like to see it become a statutory requirement that boards look at and understand the risk they’re facing,” he said, arguing that cyber exposure should be governed with the same seriousness as financial risk and regulatory compliance.
Durbin said the call reflects a sharp rise in risk across the threat landscape, where cyber attacks are no longer isolated technical events but are increasingly tied to supply chains, geopolitics and human behaviour.
His warnings were set out during the ISF’s annual Emerging Threats outlook for 2026, delivered in a one-hour webinar titled Emerging Threats 2026: Shaping the Future of Cyber Security.
Cyber attacks, he warned, are becoming “much more complex and much more automated” than in the past, driven by four key risk factors that will shape the year ahead.
He said artificial intelligence sits at the centre of the emerging threat landscape. As tools become cheaper and more accessible, attackers are using AI at scale to conduct synthetic identity attacks, deepfake impersonation and automated social engineering, changing the focus of cybercrime from systems to people and the relationships they rely on.
The second risk is supply-chain dependency, including reliance on cloud infrastructure and external service providers. As organisations become more interconnected through cloud services, outsourced operations and third-party providers, attacks are increasingly originating several steps removed from the primary target. He said many of the most serious incidents now exploit assumed trust between organisations, making board-level visibility and oversight essential.
The third driver, Durbin said, is quantum computing. While quantum-enabled attacks are unlikely to materialise in the immediate future, he warned that the long lead times involved mean preparation must begin now. Government bodies, he noted, often take around a decade to migrate systems to quantum-resistant environments.
Geopolitical tension represents the fourth key risk factor, as nation states, proxy groups and organised criminal gangs increasingly operate in overlapping spheres. Durbin said this convergence is blurring the line between cybercrime, espionage and political pressure, and is “not going away any time soon”.
Taken together, these forces are creating what the ISF describes as “entangled risks”, where digital threats intersect with physical disruption, political instability and human vulnerability. In such an environment, familiar signals of legitimacy — a known supplier, a recognised voice, a routine request — can be fabricated with speed and precision, turning trust itself into a liability.
The warning follows a spate of high-profile cyber incidents in recent months, including cases involving Jaguar Land Rover and Marks & Spencer.
Durbin said this makes it impossible for organisations to defend everything equally. Instead, boards must be directly involved in identifying and protecting “mission-critical information assets”: the data, systems and processes without which the organisation cannot function, even in a degraded state.
He also called for wider use of independent cyber audits, saying external scrutiny is essential if boards are to understand their true exposure.
“I look forward to the day when cyber audits are as important as financial audits,” he said.