If You're on the Board and Your Company Gets Breached: Are You Personally Liable?

  • Writer: Richard Dalaygon
  • Jun 17
  • 2 min read

In 2025, cybersecurity is no longer just an IT issue. It’s a boardroom concern—a governance issue that, in the Philippines, could soon carry real legal consequences for directors and C-level executives who fail to act.


Why This Matters Now

The Data Privacy Act of 2012 has matured. The National Privacy Commission (NPC) has increasingly emphasized accountability, not just in the operational trenches, but at the top. Combine this with tightening SEC guidelines on ESG governance and the rise of shareholder activism, and you have a perfect storm brewing for corporate boards that treat cybersecurity as a checkbox.

Add to this the surge in sophisticated cyberattacks in the Philippines, including on banks, hospitals, logistics platforms, and even local government portals, and the question is no longer "What if we get breached?" but "When?"


Real Consequences for Philippine Executives

In recent cases handled by the NPC, companies that experienced data breaches faced not just reputational damage but also:

  • Financial penalties.

  • Legal action from data subjects.

  • Executive censure for lack of documented data protection measures.


While the law does not currently prescribe personal financial liability for directors, gross negligence or failure to establish adequate controls can result in:

  • Disqualification from holding future board positions.

  • Criminal charges in severe cases.

  • Shareholder lawsuits or derivative actions.


What Boards Should Be Doing in 2025

  1. Treat Cyber as a Standing Agenda Item

    Cyber risk should be discussed at every board meeting, with clear metrics (e.g. open vulnerabilities, mean time to detect/respond, security audit status).

  2. Demand a Cyber Risk Appetite Statement

    Just like financial and operational risks, define what cyber risks the company is willing to accept—and what it's not.

  3. Appoint a Cybersecurity Liaison on the Board

    This person doesn't need to be technical but should take point on ensuring that board members are informed and engaged on cyber issues.

  4. Ensure Documentation Exists

    Can your DPO or CIO provide:

    1. Incident response plans?

    2. Regular penetration testing reports?

    3. Board-level cybersecurity policy approvals?

    If not, you have a governance gap.

  5. Engage in Simulated Breach Exercises

    Have you rehearsed what happens in the first 72 hours of a breach? Many boards haven’t. A tabletop exercise exposes blind spots and helps define roles before crisis strikes.


Key Questions Directors Should Be Asking Right Now

  • Are we covered by cyber insurance? What are the exclusions?

  • What is our most valuable data? Where does it live? Who has access?

  • When was our last vulnerability assessment or penetration test?

  • Do we have third-party risk assessments in place for vendors?


The Upside: Cyber-Savvy Boards Are Market Leaders

Boardrooms that lead on cybersecurity don't just avoid risk—they earn trust. Investors increasingly view cyber resilience as a proxy for competent governance. Customers, partners, and regulators look to cyber maturity as a reason to engage.


Final Thought: Your Name Is on the Line

In an era where breach disclosure is becoming mandatory and public, your name, your leadership, and your board's oversight will be scrutinized. Cybersecurity is no longer technical debt—it is reputational equity.


At VEKTOR, we help boards and executive teams build cybersecurity governance that protects both digital assets and leadership credibility. If you're ready to assess your board's readiness, contact us today.
