15 June 2026
When a known vulnerability is exploited, organisations may face fines, legal liability, and regulatory action because the issue is considered preventable if a fix was available.
Cybersecurity incidents aren’t just technical problems—they’re increasingly legal and regulatory issues. When a known vulnerability is exploited, the question quickly shifts from “how did this happen?” to “who is responsible?”
That shift is becoming more explicit at the highest levels of government. As highlighted in a recent City A.M. article on cyber crackdown and AI threats:
“Cyber-resilience isn’t just a technical issue; it’s a board responsibility… We’re asking every boardroom in Britain to prove they treat it as one.”
This framing is critical. It reinforces that cyber risk—and specifically vulnerability management—is no longer an IT concern. It is a board-level accountability issue.
What Is a Known Vulnerability and Why Does It Matter Legally?
A known vulnerability is one that has already been publicly disclosed—often with a fix or mitigation available. These are tracked in databases like the MITRE CVE list, and prioritised using frameworks such as the FIRST EPSS scoring system.
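The tracking and prioritisation described above is what a "risk-based" patching policy operationalises. As an added example that is not part of the original article, the Python script below tiers a set of findings by CVSS score, EPSS probability, whether a vendor fix exists and whether the asset is internet-facing, then lists which ones have blown their remediation deadline. The tier thresholds, deadlines and CVE identifiers are constructed assumptions for illustration, not figures from any standard or real advisory.

```python
"""Risk-based remediation tiering for known vulnerabilities.

Added example, not code from the original article. The tier rules,
deadlines and CVE identifiers below are assumptions chosen for
illustration; a real programme would take them from its own policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    cve: str             # CVE identifier (placeholders below, not real advisories)
    cvss: float          # CVSS base score, 0.0 to 10.0
    epss: float          # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    fix_available: bool  # vendor patch or documented mitigation published
    internet_facing: bool
    discovered: date     # date the finding entered the backlog


# Assumed policy: remediation deadline in days per tier. P0 is an emergency.
TIER_DEADLINES = {"P0": 3, "P1": 14, "P2": 30, "P3": 90}


def tier_for(f: Finding) -> str:
    """Map a finding to a tier. Known, fixable and likely-exploited first."""
    if f.fix_available and (f.epss >= 0.5 or (f.cvss >= 9.0 and f.internet_facing)):
        return "P0"
    if f.cvss >= 7.0 and f.fix_available:
        return "P1" if (f.internet_facing or f.epss >= 0.1) else "P2"
    if not f.fix_available:
        # Nothing to patch yet: track it, apply compensating controls,
        # and re-evaluate when the vendor ships a fix.
        return "P2" if f.cvss >= 7.0 else "P3"
    return "P3"


def due_date(f: Finding) -> date:
    """Deadline implied by the finding's tier and discovery date."""
    return f.discovered + timedelta(days=TIER_DEADLINES[tier_for(f)])


def overdue(findings: list[Finding], today_iso: str) -> list[str]:
    """CVE ids whose deadline has passed as of today_iso (YYYY-MM-DD).

    This is the 'preventable' exposure a regulator would ask about: a
    known issue, with a fix, left open beyond the organisation's own policy.
    """
    today = date.fromisoformat(today_iso)
    return sorted(f.cve for f in findings if due_date(f) < today)


# Constructed sample backlog with placeholder CVE ids.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.92, True, True, date(2026, 5, 1)),
    Finding("CVE-0000-0002", 7.5, 0.02, True, False, date(2026, 5, 20)),
    Finding("CVE-0000-0003", 8.1, 0.30, False, True, date(2026, 6, 10)),
    Finding("CVE-0000-0004", 4.3, 0.01, True, False, date(2026, 6, 12)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.cve}  tier={tier_for(f)}  due={due_date(f).isoformat()}")
    print("overdue on 2026-06-15:", overdue(SAMPLE, "2026-06-15"))
```

The point of the `overdue` list is evidentiary: it is the record that shows whether the organisation acted within its own stated, risk-based timeframe, which is exactly the question the rest of this article says regulators will ask.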
From a legal standpoint, once a vulnerability is known, organisations are generally expected to take reasonable steps to remediate it. This expectation is reinforced across multiple regulations and standards:
- Under GDPR, organisations must implement “appropriate technical and organisational measures” to protect data.
- ISO 27001 requires ongoing risk management and vulnerability remediation.
- Frameworks like the NIST Cybersecurity Framework emphasise continuous identification and mitigation of risks.
If a breach occurs due to an unpatched, known vulnerability, regulators may view this as negligence, not bad luck.
What Legal Obligations Do Organisations Have?
Failure to act on known vulnerabilities can lead to significant penalties:
- Under GDPR, fines can reach up to €20 million or 4% of global annual turnover.
- Regulators may impose additional sanctions, including:
  - Mandatory audits
  - Enforcement notices
  - Restrictions on data processing

Beyond fines, organisations often face lawsuits, reputational damage, and loss of customer trust. If a breach occurs due to an unpatched, known vulnerability, regulators may view this as negligence rather than an unavoidable incident.
How Do Policy Breaches and Contracts Increase Risk?
Most organisations already have internal security policies that require:
- Timely patching
- Risk-based vulnerability management
- Regular security updates
If a known vulnerability is exploited, it can trigger:
- Internal policy violations
- Breach of customer contracts or SLAs
- Issues with cyber insurance claims (many policies require “reasonable security controls”)
In some cases, insurers may refuse to pay out if basic patching practices were not followed.
Who Is Liable: The Company or Individuals?
Liability typically sits with the organisation, but individual accountability is increasing.
- Companies are usually held accountable through fines, lawsuits, and regulatory action.
- Executives and directors can face scrutiny if they failed in their duty of care.
- In certain jurisdictions, regulators are increasingly targeting individual accountability, especially where there is clear negligence or misrepresentation.
Failing to act on critical vulnerabilities despite clear risk may be interpreted as a failure of governance, not just IT operations.
What About Zero-Day Attacks?
Zero-day vulnerabilities reduce direct liability because they are unknown at the time—but organisations must still demonstrate strong security practices.
A zero-day vulnerability is one that is not publicly known and has no available fix at the time of exploitation.
Does a Zero-Day Attack Remove Liability?
No—liability is reduced, but responsibility remains. Because the vulnerability is unknown, organisations are generally not held liable for failing to patch it.
However, they are still expected to demonstrate good security practices, such as:
- Layered security controls
- Monitoring and detection capabilities
- Incident response readiness
If a zero-day attack succeeds, regulators will ask:
- Were reasonable preventative measures in place?
- Was the attack detected and responded to quickly?
- Could the impact have been reduced?
What is the “Reasonable Security” test?
Even in zero-day scenarios, organisations are judged against a “reasonable security” standard.
For example:
- If an attacker exploits a zero-day but gains excessive access due to poor identity controls, that’s still a failure.
- If logging and monitoring were insufficient to detect the breach, that may also be considered negligence.
Key Takeaways
- Known vulnerability exploited = high legal risk. Often viewed as preventable, leading to fines and liability.
- Zero-day exploited = lower direct liability. But still requires a strong security posture to defend your position.
- Regulators care about process, not perfection. Can you demonstrate that you took reasonable, risk-based action?
- Security is now a governance issue. Not just technical—boards and executives are increasingly accountable.
FAQs
What happens if a company ignores a known vulnerability?
If a company fails to patch a known vulnerability and it is exploited, regulators may treat the incident as negligence, leading to fines, enforcement action, and legal liability.
How quickly should known vulnerabilities be patched?
There is no fixed timeframe, but organisations are expected to act within a reasonable, risk-based period, with critical vulnerabilities addressed urgently.
Can GDPR fines apply to unpatched vulnerabilities?
Yes. If an unpatched vulnerability leads to a data breach, organisations can face fines of up to €20 million or 4% of global turnover.
Are executives personally responsible for cyber incidents?
In some cases, yes. Regulators are increasingly holding directors and executives accountable for failing to manage cyber risk effectively.
Are zero-day attacks considered negligence?
Not typically—but organisations must still prove they had appropriate security controls and response capabilities in place.
Can cyber insurance claims be denied after a breach?
Yes. If basic security practices like patching were not followed, insurers may refuse to pay out.